Thursday, August 18, 2016

The 120K BTC Heist

Based on my experience of P2P systems in the LOCKSS Program, I've been writing skeptically about Bitcoin and the application of blockchain technology to other applications for nearly three years. In that time there have been a number of major incidents warning that skepticism is essential, including:
Despite these warnings, enthusiasm for the future of blockchain technology is still rampant. Below the fold, the latest hype and some recent responses from less credulous sources.

Last Friday Nathaniel Popper at the New York Times wrote in Envisioning Bitcoin’s Technology at the Heart of Global Finance:
A new report from the World Economic Forum predicts that the underlying technology introduced by the virtual currency Bitcoin will come to occupy a central place in the global financial system.

A report released Friday morning by the forum, a convening organization for the global elite, is one of the strongest endorsements yet for a new technology — the blockchain — that has become the talk of the financial industry, despite the shadowy origins of Bitcoin.
The 130-page report from the forum is the product of a year of research and five gatherings of executives from several major institutions, including JPMorgan Chase, Visa, MasterCard and BlackRock.

The report estimates that 80 percent of banks around the world could start distributed ledger projects by next year. Large central banks are also studying how the blockchain will alter the way money moves around the globe.
What could possibly go wrong? The idea that institutions like these would take insane risks, crash the world economy, and blackmail governments into bailing them out is ridiculous. But Popper notes:
But few real-world uses of the blockchain have come to fruition, other than Bitcoin itself. That has led to some questions about whether the blockchain is the proverbial solution looking for a problem, rather than an innovation that will be used widely.

Existing virtual currencies have continued to struggle with security problems. One of the largest Bitcoin exchanges, Bitfinex, recently lost more than $60 million worth of Bitcoin in a hacking — the latest of several such incidents.

The World Economic Forum report suggests that it will take some time for such problems to be worked out. In addition to the technology issues, the report says that the industry will have to work with governments to create standard rules and laws to govern transactions.
So that's OK then. They aren't going to rush into deploying new technology without understanding all the implications, or at least making sure that they aren't left holding the bag when something does go wrong.

Does anyone remember the last time the banks tried to replace old, shopworn record-keeping technology with spiffy new computerized systems? It was a company called MERS, a shell company owned by the banks. Replacing the paper system for recording mortgages with an electronic system saved the banks billions, led to rampant fraud by the banks, cost innocent people their homes, and enabled the derivatives that crashed the economy in 2008.

Let's look at some of the implications of global distributed ledger systems. The day before the nearly $70M theft from Bitfinex, Izabella Kaminska at the Financial Times, whose work in the area has been consistently and appropriately skeptical, posted Bitcoin’s panopticon problem, pointing out that because the average Bitcoin user needs intermediary services such as Coinbase:
the average customer needs to give up as much if not more personal data, often by more dubious means (online upload mechanisms, email or the post) to much less experienced organisations. Once in the system, meanwhile, customer transactions can be linked on a much broader and more publicly intrusive level than anything in the standing banking system. Moreover, there are no associated par value or liquidity guarantees for the customer if and when things go wrong.
So cryptocurrencies are mostly:
a giant privacy bait and switch. There are simply no money transmitter institutions of Coinbase’s size that can afford to operate in defiance of the law of the land, unless they care to be based in the sort of jurisdictions most other banking institutions won’t care to do business with.

Meanwhile, if the cost in the banking system is indeed mostly related to the cost credit checking, due diligence and policing non-compliance, it’s worth considering how exactly the likes of Coinbase improve on these processes vis-a-vis traditional institutions?
Once the Bitfinex theft hit the headlines, Kaminska was off and running, first with Time to reevaluate blockchain hype:
The mark-to-market value of the stolen coins is roughly $70m, but again who can really tell their true worth. Bitcoin is an asset class where the liquidation of 119,756 (approximately 0.8 per cent of the total bitcoin circulation) can move the market more than 20 per cent, suggesting a certain fantastical element to the valuation.
We probably won’t know what really happened at Bitfinex for a while. But what is clear is that thus far the technology which was supposed to be revolutionising finance and making it more secure (oddly, by skirting regulations) is looking awfully like the old technology which ran the system into the ground.

Either way it’s unlikely to be good news for Bitfinex. If the failing was down to a problem with the multi-signature mechanism, then the affair potentially stands to undermine many of the blockchain systems and companies which have come to rely on the system for security. On the same basis it also stands to undermine the side-chain and escrow-based solutions bitcoin developers are working on to overcome the bitcoin network’s scaling constraint.

If the failing was down to an internal security breach or poor risk management on the other hand (say due to naivety or inexperience), this creates an argument for additional capital provisioning, regulatory scrutiny and macroprudential oversight — taking away much of the cost advantage associated with the network.
Two days later Kaminska was back with Day three post Bitfinex hack: Bitcoin bailouts, liabilities and hard forks, which, among other interesting observations, returned to the panopticon issue:
The first relates to the ongoing legal recourse rights of Bitfinex victims. Even though they may have lost their right to pursue Bitfinex for compensation, they are still going to be entitled to track the funds across the blockchain to seek recourse from whomsoever receives the bitcoins in their accounts. That’s good news for victims, but most likely very bad news for bitcoin’s fungible state and thus its status as a medium of exchange.

Just one successful claim by a victim who tracks his funds to an identifiable third party, and the precedent is set. Any exchanges dealing with bitcoin in a legitimate capacity would from then on be inclined to do much stronger due diligence on whether the bitcoins being deposited in their system were connected to ill-gotten gains. This in turn would open the door to the black-listing of funds that can not prove they were originated honestly via legitimate earnings.
This got Tim Worstall at Forbes going with Bitcoin's Latest Economic Problem - Market Ouvert Or Squatters' Rights.
Of course, people should not steal things. And yet for a currency to work it has to be possible to take the currency at its face value. Thus it may well be that the bank robber paid you for his beer with stolen money but you got it fair and square and thus the bank doesn’t get it back as and when they find out. Another way to put this is that the crime dies with the criminal. And yet the blockchain upends all of that. Because every transaction which any one bitcoin has been involved in is traceable.
Three days later, Kaminska returned with Bitfinex and a 36 percent charge from the school of life:
Publicly, the Hong Kong-based bitcoin exchange Bitfinex has lumped its users with a 36 per cent haircut on all balances to cover the $70m hack which it experienced last week.

The haircut applies to all customers irrespective of whether they were holding bitcoin balances or dollar balances or other altcoin balances. ...

Privately and anecdotally, however, customers are reporting some variance with regard to the way the haircut is being imposed. Some US customers, for example, who only had dollar balances are reporting they’ve been able to get all their money back.
Another three days and Kaminska posted How I learned to stop blockchain obsessing and love the Barry Manilow, a sustained analogy between the hype cycle of music and fashion, and the hype cycle of blockchain technology which argues:
there is some commentary emerging to suggest we are indeed in a phase transition and what’s cool isn’t the blockchain anymore but rather the defiant acknowledgement that the old operating system — for all its flaws — is built on the right regulatory, legal and trusted foundations after all and just needs some basic tweaking.
and goes on to point to a number of very interesting such commentaries, starting with Credit Suisse:
The buzz surrounding blockchain is comparable to that surrounding the internet in the late 1980s – some go as far as to suggest that blockchain has the potential to reimagine and reinvent key institutions – for example, the corporation. We are less sanguine, and note eight key challenges that have the potential to limit the utility, and therefore reduce adoption, of blockchain systems.
Every one of the eight is apposite, especially:
8. A forked road, the lesson of the DAO attack… The DAO attack exposed flaws in smart contracts on Ethereum which should act as a reminder that nascent code is susceptible to bugs before it is truly tire-kicked, and even then, complete surety is never guaranteed. The ‘hard fork’ undertaken by the Ethereum community also shows that blockchains are only immutable when consensus wants them to be.
So in practice blockchains are decentralized (not), anonymous (not and not), immutable (not), secure (not), fast (not) and cheap (not). What's (not) to like?


David. said...

More of the hype, as Peter Coy and Olga Kharif at Bloomberg explain how:

"blockchain could reduce the need for businesses to organize as companies, which get work done via command and control. Using blockchain, ..., collaborators will be able to work together as free agents instead of under a hierarchy of bosses."

David. said...

Cory Doctorow notes that 98% of Bitcoin trading volume over the past six months was in Chinese Renminbi:

"China's wealthy are getting their cash out of the country as fast as they can, using any means necessary: suing themselves, spending huge whacks of cash while on vacation, and converting it to Bitcoin (this is especially urgent now that the Canadian real-estate money laundry is shutting down) -- this is just the latest salvo in the Chinese capital flight story."

David. said...

The noose is slowly tightening on the less-proactive wealthy Chinese. Cory Doctorow reports:

"China's top three Bitcoin exchanges have frozen all withdrawals for 30 days."

Actually, Bitcoin can be sold for renminbi, just not for other currencies, so the target is easy to identify.

David. said...

E. J. Spode's The great cryptocurrency heist uses the Ethereum hard fork as the starting point for an examination of why the claims that the blockchain does away with the need for trust are just hype. It is well worth a read.

David. said...

Catalin Cimpanu at Bleeping Computer reports that A Source Code Typo Allowed an Attacker to Steal 370,000 Zerocoin ($592,000). The attacker was helped by Zerocoin's stronger-than-bitcoin anonymity.

David. said...

Richard Chirgwin at The Register points to Smart Contracts Make Bitcoin Mining Pools Vulnerable, showing how to make the block withholding attack profitable.