How the Bitfinex Heist Could Have Been Avoided

In Context

Some people have claimed that this is the first big Bitcoin theft in a year and a half. That's totally false. Earlier this year, Shapeshift was hacked, and slightly earlier than that, Cryptsy. And of course, Mt. Gox before that. And Poloniex and countless others. The list of major Bitcoin heists is far too long to recount here.

Clearly, the default, low-energy state of any Bitcoin exchange is a drained, deflated shell, a graveyard of dreams, a sad reminder to the fallibility and insecurity of our computing infrastructure. It's not that there is anything special about Bitcoin -- we've seen that banks, even central banks, are just as hackable. But whereas regular banks can trace the funds and undo transactions, the irreversibility of Bitcoin makes Bitcoin exchanges lucrative, soft targets. The resulting stories, such as this one from an individual who lost his entire life savings for the last 12 years, are heart breaking.

Root Cause

It's too early for a coherent story to emerge from the smoldering ashes of the Bitfinex disaster. There will undoubtedly be some people who will blame government regulations, because the US government did interfere with, fine, and modify the operations of Bitfinex. But as far as I can tell, the government's touch was incredibly gentle. First, they fined Bitfinex only $75K, a slap on the wrist, three months' salary for a valley dev, for not having spent the three months of a developer's time on some needed key management structure. Second, they made sure that Bitfinex kept its funds not in a master omnibus account, but in multisig accounts for each individual registered with bitfinex. Essentially, the regulators wanted to see that the coins were delivered to individuals, as opposed to held in one giant pool. This little accounting twist was all that was required to satisfy the regulators, who generally seem clueless and out of the picture as far as security measures go. All the relevant decisions about protecting the private keys, then, rest with Bitfinex.

To their credit, Bitfinex did move to multisig accounts protected by BitGo, where they hold their users' private keys, and require confirmation (a second signature) from BitGo to move the funds.

If one had to take a blind guess, one would suspect that the hacker obtained the private keys held by Bitfinex, coupled with API access to BitGo to instruct BitGo to sign the withdrawals. Additional trickery would probably be required to circumvent BitGo's daily withdrawal limits.

The nice thing about robbing a Bitcoin exchange is that it is fairly clean. You don't need to look stupid in a pair of stockings on your head, carry a gun, or furnish a burlap sack to rob these modern fancy banks. And you do not need to take hostages, shoot guards, or jump out of an airplane over Western Washington in a business suit. The gig is so easy, script kiddies can keep tabs on new attacks on security mailing lists as they emerge, and simply launch the latest attack from a dorm room. And of course, the groups of hackers employed by state-level actors (of which, there are thousands, operating with a License to Hack) can do this on their lunch break just to keep warm, if not to finance wild parties.

What Can Be Done

It almost seems as if something should be done.

The fact that Bitcoin is irreversible is absolutely crucial for its target use case: merchants you do not trust, engaged in non-state-sanctioned commerce. So Bitcoin cannot ever ever ever fork, lest it lose its special, hard-earned reputation for facilitating the Dark Web.

One option, suggested by a Bitcoin developer, is to try a soft-fork, wherein miners block the thief from moving the funds and allow Bitfinex to double-spend the coins, reorganizing the blockchain to make the heist not happen. This is contemplatable solely because Bitcoin mining is so centralized right now. But the idea doesn't hold water, as the math favors the thief by a long shot. Yes, it's true that Bitcoin miners control which transactions make it onto the blockchain, and yes, one can bribe them to reorganize the chain. But the thief can bribe the miners more, as he does not need to pay for retroactive reorganization of the blockchain. In the limit, the funds from the heist would be split between the miners and the thief. It's a big-stakes version of that experiment psychologists love to play with college students, where they give someone $20 and let her keep her portion if she makes an offer to her partner that he will accept.

Another option is to bargain with the hacker. This conversation necessarily has to take place in public, over social media, leading to an embarassing, cringeworthy discussion that seems like the third stage of grief. If nothing else, it's bad optics. It's silly to try to negotiate with someone when you have absolutely no power at all. And the last time a hacker was offered a deal like this, he was ultimately prosecuted anyway. As with the psychology experiment, if the hacker offers you $1, you should take it, otherwise, you're getting nothing.

A Real Solution

Perhaps what is needed here is a scheme that does not break Bitcoin's all-too-critical irreversibility when dealing with strangers, but allows someone to take back his funds in the event of a hack.

How might such a scheme work? It seems almost in fundamental conflict. There is no definition for a "hack," so an unrestricted undo mechanism will certainly break irreversibility.

But there is actually a solution. Here is what it might look like.

Suppose I designate some of my funds as being in a specially-marked cold storage account, or, let's call them vaults. To pay for things, I need to move them out of my vault to a regular wallet, a process which takes, say, a day. Merchants never accept payments directly from vaults; they use regular Bitcoin addresses, and payments work in the regular, irreversible fashion. But the special thing about vaults is that they come with two keys. One key is used to unlock the vault and move your funds to a regular wallet. The other one, called a recovery key, is used when you notice that your funds were hacked and moved out of the vault by a hacker. You can then use your recovery key to undo the hack -- you have 24 hours to notice and launch the recovery and get back all the funds.

Notice that you cannot fool a merchant with this trick and revert a real transaction. All you can do is take back your own money from someone who is trying to steal it. If I may say so myself, it's a pretty ingenious scheme. It's almost like someone ought to work on it.

It turns out that someone did. That someone is Malte Moeser, Ittay Eyal and myself. Our paper appeared in the peer reviewed Bitcoin workshop last February, and we discussed it here and expanded on it here.

But the Bitcoin world was so caught up in the neverending blocksize debate that there was almost no discussion around the vault idea. The various roadmaps from different groups focused solely on scaling, the perceived Achilles heel of Bitcoin. Well, little known fact is that Achilles had two heels, and so does Bitcoin: scaling and security. The vaults address the latter, and they do so in a way that's pretty definitive, and congruent with the use cases for Bitcoin.

Further, the nice thing about vaults, of course, is that they work even if the theft resulted from an exit scam or insider attack. In fact, they make them less likely.

So, I wish the best to the folks who lost their funds at Bitfinex. Hope we do not have to see another major Bitcoin exchange failure before we see security measures deployed for Bitcoin.