Exchange be Hacked.
The recent hack of Bithumb, the world's sixth-largest cryptocurrency exchange by volume, continues the worrying trend of attackers finding ways around the security of these platforms and siphoning funds held in exchange hot wallets.
Following the attack, a quickly deleted tweet on the official Bithumb Twitter account announced that “cryptocurrencies valued about $30,000,000 was stolen” and that “Those stolen cryptocurrencies will be covered from Bithumb and all of assets are being transferring to cold wallet.” A follow-up tweet detailed a lock-down of deposits and withdrawals, with a ‘we’ll have to get back to you on that’ message as regards a restart date.
Who provides exchange liquidity?
The tweets, on top of the hack itself, raise concerns about the liquidity management practices used by Bithumb and other exchanges. Typically, an exchange takes a percentage of customer funds and places them in an asset pool that is used to settle customer withdrawals and trades. The bricks-and-mortar analogy is the cash ‘float’ placed in a shop’s till at the start of the day to provide change for customer transactions.
With the value of daily crypto trades typically sitting somewhere in the US$6-10 billion range, there will always be significant funds in these floats. The float has to sit in a ‘hot’ wallet, one whose private keys live on internet-connected systems so that withdrawals can be signed automatically. That convenience is exactly the exposure: whoever compromises the exchange’s signing infrastructure can drain the entire hot balance, while funds in a ‘cold’ wallet, whose keys are kept offline, are out of reach of a remote attacker.
The fact that Bithumb’s first tweet about the hack included the statement that “all assets are being transferred to [a] cold wallet” indicates that overexposure of funds in its hot wallet was top-of-mind for the exchange’s management, which wanted to reassure customers that the safe door was at least being locked after the thieves had left.
The extent to which customer funds were being used to provide Bithumb’s float, and how long it will take to refund affected customers, is unknown.
From a customer perspective, the best case is an exchange that provides the float from its own money and keeps the overwhelming majority of customer assets offline. Coinbase, for example, states that 98% of customer funds are always in cold storage. How far Bithumb and other smaller exchanges expose their customers’ funds to this risk remains both unknown and concerning.
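To make the hot/cold trade-off concrete, the following is an added illustration (not Bithumb’s, Coinbase’s or any exchange’s real code) of a simple float policy: deposits land in the hot wallet and are swept down to a ceiling expressed as a fraction of total assets under custody, and the hot wallet is topped up from cold only when it drops below a floor. The 2% ceiling (mirroring the 98%-cold figure quoted above), the 0.5% floor and the event stream are all assumed values constructed for the example. Running the same events with the ceiling set to 100% shows what an attacker holding the hot-wallet key could take from an exchange that keeps everything online.

```python
"""Hot/cold custody float simulation (added illustration, not real exchange code).

Amounts are integers in the smallest unit (satoshi-style) so the arithmetic is exact.
Policy thresholds are in basis points of total assets under custody (assumed values).
"""
from dataclasses import dataclass, field


@dataclass
class Custody:
    hot_ceiling_bps: int = 200     # assumed: at most 2% of custody sits in the hot wallet
    hot_floor_bps: int = 50        # assumed: refill from cold when hot falls below 0.5%
    hot: int = 0
    cold: int = 0
    peak_hot: int = 0              # largest hot balance after rebalancing: worst-case loss
    moves: list = field(default_factory=list)   # sweeps and refills, for audit

    @property
    def total(self) -> int:
        return self.hot + self.cold

    def deposit(self, amount: int) -> None:
        """Customer deposits arrive in the hot wallet and are swept down to the ceiling."""
        self.hot += amount
        self._rebalance()

    def withdraw(self, amount: int) -> bool:
        """Pay a withdrawal from the hot float; pull any shortfall from cold first."""
        if amount > self.total:
            return False           # exchange cannot honour this request at all
        if amount > self.hot:
            shortfall = amount - self.hot
            self.cold -= shortfall
            self.hot += shortfall
            # In practice this is a slow, manual, multi-party signing step, not a line of code.
            self.moves.append(("refill", shortfall))
        self.hot -= amount
        self._rebalance()
        return True

    def _rebalance(self) -> None:
        ceiling = self.total * self.hot_ceiling_bps // 10_000
        floor = self.total * self.hot_floor_bps // 10_000
        if self.hot > ceiling:
            excess = self.hot - ceiling
            self.hot, self.cold = ceiling, self.cold + excess
            self.moves.append(("sweep", excess))
        elif self.hot < floor:
            top_up = min(ceiling - self.hot, self.cold)
            self.hot, self.cold = self.hot + top_up, self.cold - top_up
            self.moves.append(("refill", top_up))
        self.peak_hot = max(self.peak_hot, self.hot)


# Constructed event stream for the example; not real exchange data.
EVENTS = [
    ("deposit", 1_000_000),
    ("deposit", 500_000),
    ("withdraw", 20_000),
    ("deposit", 2_000_000),
    ("withdraw", 60_000),
]


def simulate(events, hot_ceiling_bps: int, hot_floor_bps: int) -> Custody:
    """Replay the events under a given float policy and return the resulting ledger."""
    c = Custody(hot_ceiling_bps=hot_ceiling_bps, hot_floor_bps=hot_floor_bps)
    for kind, amount in events:
        if kind == "deposit":
            c.deposit(amount)
        elif not c.withdraw(amount):
            raise ValueError("withdrawal exceeds assets under custody")
    return c


def hot_key_theft_loss(c: Custody) -> int:
    """Amount an attacker holding only the hot-wallet signing key could drain right now."""
    return c.hot


if __name__ == "__main__":
    swept = simulate(EVENTS, 200, 50)        # 2% ceiling, 0.5% floor
    naive = simulate(EVENTS, 10_000, 0)      # 100% ceiling: everything stays hot
    for name, c in (("2% hot float", swept), ("all hot", naive)):
        print(f"{name}: hot={c.hot} cold={c.cold} peak_hot={c.peak_hot} "
              f"loss_if_hot_key_stolen={hot_key_theft_loss(c)}")
```

The interesting number is `peak_hot`, not the final balance: an exchange is judged by the worst moment, and a large deposit that sits unswept is a large hot balance until the sweep runs. The refill path is also where operational friction lives, since moving funds out of cold storage is deliberately slow, which is why exchanges are tempted to over-size the float in the first place.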
Uninsured exchanges
It is understood that most exchanges cover their exposures with some form of self-insurance. This is generally done by maintaining a fund of safe investments that is drawn on when emergency liquidity is required. Exchanges are somewhat forced into this option by the lack of formal third-party insurance available to them, although that looks to be changing, with insurers such as AIG, Sumitomo and XL Catlin beginning to offer policies covering crypto theft.
The continued ability of attackers to stay ahead of the security controls exchanges put in place is also worrying. Only a week before the attack on Korea-based Bithumb, another Korean exchange, Coinrail, was breached for around $40 million of held assets.
Many in the crypto space have lost faith in the ability of these exchanges to ever protect themselves from attackers, and are hoping that decentralized exchange (DEX) models will be a market saviour. In a DEX there is no exchange-controlled hot wallet to drain: users keep custody of their own assets, and trades settle on-chain through smart contracts rather than through a central clearing house. In that sense a DEX is more shielded against a single large-scale theft than a centralized exchange, though the risk shifts to the correctness of the contract code and to each user’s own key management. Examples of the model include OmiseGO and IDEX.
IDEX is currently the most used Dapp in the world. Even so, it still only has a few thousand users. This may indicate interest in DEXs, but not a wider commitment to, or belief in, their current ability to provide exchange services at scale.
Market Reaction
In the hours following the hack there was an immediate negative reaction from markets, evidenced by a sharp dip in the price of BTC to under $6,600. BTC and the wider market have since recovered, indicating either faith that Bithumb will reimburse customers or a belief that any wider risk created by the hack is not systemic.
Crypto exchanges in Korea, interestingly, operate under a very light regulatory touch: they are categorized as ‘communication vendors’ and do not fall under the supervision of Korea’s Financial Supervisory Service. Although more oversight is now being considered in light of the latest run of hacks, CCN has reported that the Korean government has steered clear of crypto regulation to date, for the curious reason that it thought imposing regulations would be viewed as a government endorsement of the sector and encourage more retail investors.