Bitfinex's socialisation of losses is unacceptable

Tuesday 09 August 2016

The hacked exchange has responded to one theft with another.

News of the Bitfinex hack is now almost a week old and has circulated not only the crypto world but the mainstream media (bad news travels fast). Almost 120,000 BTC were stolen from the exchange, with a value of over $60 million.

It goes without saying that the hack should never have happened, but in this case, that statement takes on a new edge. It’s not just that we’re in a post-Gox era where lessons have been - or should have been - learnt. It’s not just that the sector as a whole has become steadily more professional over the last two years. It’s that Bitfinex had implemented security measures that should have been enough to protect customers.


Rather than pool funds in a hot or cold wallet, Bitfinex opted for individual customer wallets protected by two-of-three multisig, provided by leading wallet company BitGo. One key was held by BitGo, two by Bitfinex, of which one was supposed to be offline. One way or another - BitGo has claimed its software is not to blame - the hacker or hackers were able to access two keys for a large number of customer wallets, which they drained of funds over the course of three hours. Bitfinex is a huge exchange, and in total the sum represents around 0.75% of all bitcoins in existence. The situation is particularly shocking, since Bitfinex experienced a hack of around 1,500 BTC last year. Once bitten was not enough.

An unconscionable solution

Faced with tens of millions of dollars of customer funds gone, Bitfinex has opted to share the losses amongst everyone. Rather than those individual customer wallets remaining empty, whilst the unhacked ones are left intact, Bitfinex is unilaterally imposing a 36% haircut on all its users.

On the surface of it, this may seem to make sense, but it is an appalling breach of trust. Bitfinex was hacked. Individual customers had their BTC stolen. This is bad enough. But Bitfinex’s solution is to steal funds from the remaining two-thirds of customers who were not directly affected. It is a lazy response, a denial of responsibility and an admission that they have acted unprofessionally.

Language of ‘socialised losses’ is misleading. This is a further theft, pure and simple. In doing this, Bitfinex are demonstrating that they are no better than the hackers.

comments powered by Disqus