Cryptocurrency hacks and crashes

In this article, I will describe three “crashes” and hacks of a number of cryptocurrencies. A crash is an event where the value of a coin or token suddenly evaporates. A hack is an event where coins or tokens disappear. Undoubtedly, more than three have occurred (this Guardian article from 2014 lists quite a few more, for starters – https://www.theguardian.com/technology/2014/mar/18/history-of-bitcoin-hacks-alternative-currency) and it is quite safe to assume that more will follow. For Bitcoin alone, an estimated 980.000 BTC was allegedly stolen from exchanges around the globe.

In this first part, I will focus on Mt. Gox, Ethereum (the DAO) and Tether.

1 Mt. Gox

Mt. Gox was at one time the largest Bitcoin exchange in the world, handling over 75% of all Bitcoin traffic shortly before its demise. The website, originally created by entrepreneur Jed McCaleb as a trading place for Magic: The Gathering cards (hence its name: Magic the Gathering Online Exchange), was converted to a Bitcoin exchange shortly after the cryptocurrency took off and then sold to current CEO Mark Karpelès in 2011. On February the 28th 2014, the Japan-based Bitcoin exchange Mt. Gox shut down trading and filed for bankruptcy.

What went wrong

Even though Mt. Gox was instrumental in the rise of Bitcoin, it was not without problems. When Karpelès took over, the solvency of the exchange was uncertain and it had already endured a number of hacks, in the largest of which 80.000 Bitcoins disappeared. In June 2011, 2.000 Bitcoins were stolen by abusing a ‘Bitcoin bug’ called transaction malleability, where the identifier of a transaction is changed before it is confirmed on the blockchain, so that a sender tracking the transaction only by its identifier believes it failed and may pay out a second time. As a response to this, Mt. Gox moved a large portion of its Bitcoin balance offline. But in September 2011, another large hack occurred. Over a period of several years, more than 850.000 Bitcoins were stolen in total. The theft, however, was not discovered until 2014 and, ironically, most of the Bitcoins in the exchange were already gone long before it went bankrupt. Also, it is not entirely clear how the hacker(s) got access to the offline Bitcoins. In 2013, United States federal agents seized nearly 5 Million US Dollars from an American bank account that was used to trade with American citizens without being licensed to do so. This, combined with the heightened scrutiny of Mt. Gox’s operations (former employees publicly stated that it was chaotic and uncontrolled), ultimately led to its demise.

How much was lost

At the time of the bankruptcy, Mt. Gox held only 20.000 Bitcoins. About 850.000 Bitcoins were lost (744.408 belonging to customers and 100.000 to the exchange itself, combined about 7% of the entire Bitcoin supply), of which approximately 200.000 have since been recovered. The value back then was $470 Million. Also, $27 Million in cash disappeared from the Mt. Gox bank account.

Lesson learned

First of all, the hacker(s) were unable to exchange the Bitcoins swiftly because of a $1.000 per day withdrawal limit, which leads to the conclusion that such a limit has its merits. Then, transaction malleability – which was abused in one of the first hacks – should not really be an issue if unconfirmed transactions are not treated as final, something which Mt. Gox did not enforce. Manual verification on the blockchain could have played a role in preventing hacks like this – even though such checks become cumbersome to implement as Bitcoin continues to grow. Finally, a proposed extension of the Bitcoin standard (called SegWit) could have fixed (transaction) malleability, but this extension was not implemented. However, most of the malleability hacks are already fixed (https://eklitzke.org/bitcoin-transaction-malleability).
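The malleability problem described in the two Mt. Gox sections above comes down to a bookkeeping choice: an exchange that records a pending withdrawal only by its transaction id will not recognise the same payment when it confirms under a different id, and a careless back office then pays the customer again. The following Python model, added here as an illustration and not code from Mt. Gox or Bitcoin Core, contrasts that fragile reconciliation with one keyed on what the transaction actually spends and pays. The transaction layout, the hashing and the "re-encoded signature" in relayed_copy() are simplified, constructed stand-ins for the real Bitcoin formats; the spend_key() idea (an id that excludes signatures) is the same one SegWit introduced.

```python
"""
Toy model of why a withdrawal must not be tracked by its transaction id alone
while it is unconfirmed. Added example, not Mt. Gox's or Bitcoin Core's code:
the transaction layout, the hashing and the "re-encoded signature" are
simplified, constructed stand-ins for the real Bitcoin formats.
"""
import hashlib
from dataclasses import dataclass


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, as Bitcoin uses for transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass(frozen=True)
class TxIn:
    prev_txid: str   # id of the output being spent (constructed value)
    index: int
    sig: bytes       # signature encoding: the part a relaying party can alter


@dataclass(frozen=True)
class TxOut:
    value_sat: int
    address: str


@dataclass(frozen=True)
class Tx:
    inputs: tuple
    outputs: tuple

    def txid(self) -> str:
        """Legacy-style id over the whole transaction, signatures included,
        so a different but equally valid signature encoding gives a new id."""
        parts = [f"{i.prev_txid}:{i.index}:".encode() + i.sig for i in self.inputs]
        parts += [f"{o.value_sat}:{o.address}".encode() for o in self.outputs]
        return sha256d(b"|".join(parts)).hex()

    def spend_key(self):
        """Malleability-proof identity: which outpoints are spent and what is
        paid out. Signatures are deliberately left out (the SegWit idea)."""
        outpoints = frozenset((i.prev_txid, i.index) for i in self.inputs)
        return (outpoints, self.outputs)


class WithdrawalLedger:
    """Pending withdrawals of an exchange, keyed either by txid (fragile)
    or by spend_key (robust)."""

    def __init__(self, match_by_txid: bool):
        self.match_by_txid = match_by_txid
        self.pending = {}

    def _key(self, tx: Tx):
        return tx.txid() if self.match_by_txid else tx.spend_key()

    def submit(self, tx: Tx) -> None:
        self.pending[self._key(tx)] = tx

    def on_confirmed(self, tx: Tx) -> str:
        """Reconcile a transaction seen on chain against pending withdrawals.
        'unknown' is the dangerous outcome: a naive back office would then
        mark the original withdrawal as failed and pay the customer again."""
        key = self._key(tx)
        if key in self.pending:
            del self.pending[key]
            return "settled"
        return "unknown"


def relayed_copy(tx: Tx) -> Tx:
    """Stand-in for the same transaction arriving with its signatures in a
    different encoding (constructed: a padding byte is appended). The spend
    itself is unchanged; only the bytes the legacy txid covers differ."""
    inputs = tuple(TxIn(i.prev_txid, i.index, i.sig + b"\x00") for i in tx.inputs)
    return Tx(inputs, tx.outputs)


def simulate(match_by_txid: bool) -> str:
    """Submit one withdrawal, then see a re-encoded copy of it confirm."""
    withdrawal = Tx(
        inputs=(TxIn("ab" * 32, 0, b"\x30\x44\x02\x20sig-bytes"),),  # constructed
        outputs=(TxOut(50_000_000, "customer-address"),),
    )
    ledger = WithdrawalLedger(match_by_txid)
    ledger.submit(withdrawal)
    return ledger.on_confirmed(relayed_copy(withdrawal))


if __name__ == "__main__":
    print("tracked by txid:      ", simulate(match_by_txid=True))   # unknown
    print("tracked by outpoints: ", simulate(match_by_txid=False))  # settled
```

The point of the model is the "unknown" result: with txid-keyed bookkeeping the exchange loses track of its own payment, and any automatic "resend on failure" logic turns that into a second payout. Keying on the spent outpoints also makes the retry itself safe, since a resend would try to spend outpoints that are already pending.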

2 DAO disaster

The Decentralized Autonomous Organization (DAO) was a leaderless organization consisting of a series of smart contracts (machine-readable contracts which describe and automatically enforce the rules of engagement between contracting parties), created to support the development of applications on top of the Ethereum blockchain. DAO tokens could be bought with Ethereum, and with them the buyer received voting rights, to be used to decide upon the progress of specific projects or applications on the blockchain. The DAO resembles a venture capital firm, with the people buying the tokens resembling investors, but a token does not necessarily equal a monetary share: a token could also be the right to use an application. In other words: a token yields a return, just not necessarily a monetary one. The Initial Coin Offering (the blockchain counterpart of an initial public offering) raised $150 Million in Ethereum, with over 11.000 people participating.

What went wrong

On the 7th of June 2016, a hacker used the so-called “recursive Ethereum send exploit” to withdraw 3.6 Million ETH, or $60 Million worth of Ethereum, from the DAO. With this exploit, the hacker proposed a DAO split (usually done to withdraw funds) and found a loophole to call the split function over and over again before the first call had finished, effectively transferring a lot of Ethereum to a child DAO. There, it was stuck – as a security measure, transferred funds could not be withdrawn within a 27-day time frame. Three possible responses to the exploit existed: a soft fork (freeze the funds of the attacker), a hard fork (go back to a point in time where the exploit had not occurred) and the option to do nothing. The Ethereum community chose the soft fork, which was found to contain bugs at the last minute. This meant the hard fork was the only option left. Over 98% of the community voted for the hard fork in the end, but the remaining 2% did not agree and split into a new currency: Ethereum Classic (ETC). The actual hack is described in a lot of detail here: http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/
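The "recursive send" pattern above is a call-ordering bug: the contract pays out before it records that the balance has been paid, so a recipient contract that calls back in during the payout still sees its old balance. The Python model below, added here as an illustration and not the DAO's Solidity code, simulates that ordering next to the standard fix (checks, then effects, then interactions). VulnerableVault, SafeVault, the split() method and the deposit amounts are invented names and constructed values; max_depth stands in for the gas limit that eventually ends the recursion.

```python
"""
Python model of the re-entrancy ordering behind the "recursive send" exploit,
shown next to the checks-effects-interactions fix. Added example: this is not
the DAO's Solidity, only a simulation of the call order. Names are invented.
"""


class VulnerableVault:
    """Pays out first and only afterwards zeroes the caller's balance."""

    def __init__(self):
        self.balances = {}
        self.pool = 0  # ether actually held by the contract

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def split(self, who: str, receive) -> None:
        amount = self.balances.get(who, 0)          # check
        if amount == 0 or self.pool < amount:
            return                                   # nothing to pay, or send fails
        self.pool -= amount
        receive(amount)                              # interaction: callee may re-enter
        self.balances[who] = 0                       # effect, applied too late


class SafeVault(VulnerableVault):
    """Same contract with the effect moved before the external call."""

    def split(self, who: str, receive) -> None:
        amount = self.balances.get(who, 0)          # check
        if amount == 0 or self.pool < amount:
            return
        self.balances[who] = 0                       # effect first
        self.pool -= amount
        receive(amount)                              # interaction last


def reentrant_receiver(vault, who: str, max_depth: int):
    """Callee that, on every payout, calls split() again before returning.
    max_depth stands in for the gas limit that ends the recursion."""
    received = []

    def receive(amount: int) -> None:
        received.append(amount)
        if len(received) < max_depth:
            vault.split(who, receive)

    return receive, received


def run_scenario(vault_cls, depth: int):
    """Returns (total paid to the re-entering caller, ether left in the pool)."""
    vault = vault_cls()
    vault.deposit("others", 90)   # constructed: honest participants' funds
    vault.deposit("reenter", 10)  # constructed: the caller's own stake
    receive, received = reentrant_receiver(vault, "reenter", depth)
    vault.split("reenter", receive)
    return sum(received), vault.pool


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableVault, 5))  # (50, 50)
    print("safe:      ", run_scenario(SafeVault, 5))        # (10, 90)
```

With the vulnerable ordering the caller's 10 is paid out once per nesting level until either the recursion stops or the pool can no longer cover a payout; with the safe ordering the nested call sees a zero balance and returns immediately, so exactly the caller's own stake leaves the pool. A mutex-style guard that rejects nested calls into the same function is the other common mitigation and is independent of statement order.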

How much was lost

Even though nearly half of all DAO-based Ethereum was transferred to the child DAO (in total about $78 Million) and a note supposedly written by the hacker(s) (https://pastebin.com/CcGUBgDG) claimed the 3.641.694 ETH were legally theirs, the hard fork effectively isolated the Ethereum. For a short while, the cryptocurrency markets were in a state of panic and the Ethereum value dropped from $21,50 to $15 (at the time of writing it is at $445). The split in Ethereum, however, meant that the stolen Ethereum remained active on Ethereum Classic (at the time of writing trading at $28). According to Gastracker (https://gastracker.io/addr/0x5e8f0e63e7614c47079a41ad4c37be7def06df5a), an Ethereum block explorer, about 3.4 Million ETC remain in the hacker’s address.

Lesson learned

A lot was learned from the DAO attack. First of all, several ideological clashes between Ethereum (ETH) and Ethereum Classic (ETC) occurred. For example, ETC is convinced that code is law and that the blockchain is immutable and should not be tampered with. ETH believes, however, that no hacker should be allowed to profit. In the latter view, complete automation (of smart contracts) is potentially dangerous and filled with uncertainty when it can be abused by hackers. The attack showed that security is paramount.

The DAO code was audited. On the GitHub page (https://github.com/slockit/DAO), it says: “This code been reviewed by hundreds of pairs of eyes from our community and by one of the most respected auditing companies in the world, Deja Vu.” Or, as the website of Slock.it (https://blog.slock.it/deja-vu-dao-smart-contracts-audit-results-d26bc088e32e), creators of the DAO, bragged: “To say the quality of their work is top notch is an understatement”. In hindsight, this possibly was not the wisest of remarks. This raises the question of whether, due to its decentralized nature, all participants in the DAO are to blame, or whether, because only the funding of the DAO was decentralized, its original creators bear the blame.

In the aftermath of the disaster, the American Securities and Exchange Commission (SEC) ruled on July the 25th of 2017 that DAO tokens are securities and that offers and sales of tokens are subject to the federal securities laws (https://www.sec.gov/news/press-release/2017-131). It states: “In light of the facts and circumstances, the agency has decided not to bring charges in this instance, or make findings of violations in the Report, but rather to caution the industry and market participants: the federal securities laws apply to those who offer and sell securities in the United States, regardless whether the issuing entity is a traditional company or a decentralized autonomous organization, regardless whether those securities are purchased using U.S. dollars or virtual currencies, and regardless whether they are distributed in certificated form or through distributed ledger technology”. The effects of the regulation are as yet unknown: on a positive note, the ruling might bring a higher sense of legitimacy to Ethereum initiatives and scare off malicious people. On a negative note, it could stifle innovation, as smaller initiatives will not be able to comply with the SEC rules.

3 Tether hack

Tether (symbol: USDT), currently ranked 21st on Coinmarketcap, is a token that is pegged to the US Dollar (or Euro). According to Tether, there is a one-to-one reserve ratio between a USDT and real-world fiat currency in Tether’s bank account.

In the recently published Paradise Papers, it was revealed that there is a link between Tether and Bitfinex, currently the largest cryptocurrency exchange – one of the Tether directors (Phil Potter) is also chief strategy officer at Bitfinex, while another is responsible for PR for both companies and has a shady reputation. Bitfinex itself is not without problems either – it lost 1.500 Bitcoins in 2015 and another 120.000 in 2016, both to hackers. The New York Times recently ran an in-depth story on this (https://www.nytimes.com/2017/11/21/technology/bitcoin-bitfinex-tether.html).

What went wrong

On November the 19th, 2017, Tether announced (https://tether.to/tether-critical-announcement/) that nearly $31 Million USDT was removed from the Tether Treasury Wallet and sent to an unauthorized bitcoin address. Tether issued a new version of its software which effectively creates a hard fork, undoing the hack – not unlike the Ethereum hard fork.

How the hacker got access to the tokens is still unknown – Tether has not published any information on this yet. This, again, led to a lot of speculation (for example in this Reddit thread: https://www.reddit.com/r/Bitcoin/comments/7ehseb/tether_was_hacked_by_the_same_person_who_hacked/).

How much was lost

According to a consulting report by auditor Friedman LLP (https://tether.to/wp-content/uploads/2017/09/Final-Tether-Consulting-Report-9-15-17_Redacted.pdf), Tether has a balance of roughly $442 Million, whereas the current assets according to Tether’s own transparency page (https://wallet.tether.to/transparency) are $764 Million. This means the hack was able to siphon away somewhere between 3 and 7% of the total Tether value. The hacker stored the funds in a specific address, which was subsequently blocked by Tether by implementing the hard fork – meaning the funds are not redeemable. Bitcoin responded by dropping nearly $500, but recovered within a few hours.

Lesson learned

The Tether hack shows how resilient current cryptocurrency implementations are (even though Tether technically is not a cryptocurrency). A lot of eyebrows were raised and a lot of questions were asked by the community (and not answered by Tether), but there was no major disruption in the value of the currency and trade continues to grow (currently Tether shows a 24h volume of roughly $850 Million).

Then again, this hack and Tether’s response to it also show that even though trust and transparency should go hand in hand, this certainly is not always the case in the world of cryptocurrencies.