A Massive Theft

Just within the last week, a theft of ~$195 million USD was revealed. The funds were stolen from the BitGrail exchange, apparently from their Nano wallet. This places BitGrail alongside notorious cryptocoin exchange thefts like the ones at Bitfinex, Cryptsy, Coincheck, and Mt. Gox. Just like the Cryptsy and Mt. Gox thefts, the time leading up to the disclosure of the theft was filled with suspicious behavior on the part of the exchange — limiting withdrawals, delayed response to support requests. There are also many reports describing other (likely independent) security issues on BitGrail which would have caused additional losses. But the majority of the funds taken were due to what the site operator describes as “unauthorized transactions” from their Nano wallet.

The theft itself may have occurred as far back as October through December 2017. Bitcoin went through some explosive growth during this period and altcoins like Nano saw some corresponding changes. Many coins use mining under a “proof-of-work” algorithm as a way to secure transactions and provide an equitable distribution or minting of the coin. Nano instead uses something called “delegated proof-of-stake” for securing transactions. Nano’s distribution was via a CAPTCHA-limited faucet, and the distribution period had completed in October. Folks who wanted to invest in Nano had to purchase coins from an exchange, and BitGrail was one of very few exchanges carrying Nano at that time (it was then called “RaiBlocks”).

Some exchanges have operated for years without encountering thefts like this. What’s the difference between the successful ones and the failures? I believe that the successful ones have a very different security posture from the failed ones. They take security more seriously and as a result, attacks against their systems fail.

If reports are to be believed, BitGrail used exclusively client-side constraints for controlling some critical user operations on the exchange. This is an astonishing security failure, though perhaps not the one that led to the major losses. Would anyone have put a deposit in the exchange if they had known about this issue? I like to think that they wouldn’t.
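
To make the failure concrete, here is an added example (not BitGrail's code, and not from the original post) contrasting a withdrawal handler that trusts constraint fields submitted by the browser with one that derives every constraint from server-side state. The `Account` record, its limits and the 2FA flag are constructed for illustration.

```python
# Added example: withdrawal rules must be enforced on the server, never
# taken from fields the client sends. Account data here is constructed.
from dataclasses import dataclass


@dataclass
class Account:
    balance: int             # in the coin's smallest unit
    daily_limit: int         # server-side policy, not user-editable
    withdrawn_today: int
    two_factor_passed: bool  # set only by the server's own 2FA step


def fresh_account() -> Account:
    """Constructed sample account; a real exchange reads this from its ledger."""
    return Account(balance=1000, daily_limit=500, withdrawn_today=400,
                   two_factor_passed=False)


def withdraw_client_trusted(acct: Account, request: dict) -> bool:
    """Weak pattern: the server believes the 2FA status and remaining limit
    that the browser filled in, so any edited request bypasses both."""
    amount = request.get("amount", 0)
    if request.get("two_factor_verified") and amount <= request.get("remaining_limit", 0):
        acct.balance -= amount
        return True
    return False


def withdraw_server_enforced(acct: Account, request: dict) -> bool:
    """Hardened pattern: only `amount` is read from the request, it is type-
    and range-checked, and every constraint comes from server-side state."""
    amount = request.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        return False
    if not acct.two_factor_passed:              # server-recorded 2FA result
        return False
    if acct.withdrawn_today + amount > acct.daily_limit:  # server-side limit
        return False
    if amount > acct.balance:                   # server-side balance
        return False
    acct.balance -= amount
    acct.withdrawn_today += amount
    return True
```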

Creating a new exchange is “easy” in the sense that the skills required to create a website and an order engine are not rare. There are certain security shibboleths like “two-factor authentication” which anyone who’s used an exchange would know to include. But unfortunately merely including these features does not make the exchange “secure.” Creating a secure exchange is not easy. Securing an exchange requires special attention to both the exchange’s design and its operations.

Let’s make it better

Many people lost a great deal of money with this theft. Amazingly, BitGrail’s management claims to have a plan that involves re-opening the exchange!

How can we make it more obvious to users and exchange operators how big the gap is between the worst and the best exchanges?

If we could rate the exchanges according to some simple security criteria, it could help everyone understand the landscape better. I’ve created a Gitlab repo to author just such a rating system. I invite security professionals to collaborate on the rating system and help improve the situation for us all!