Bitcoin holders were stunned Tuesday when Bitfinex, the highest-volume non-Chinese bitcoin exchange, abruptly halted trading and explained it had fallen victim to a hack in which user funds were stolen. This theft, amounting to nearly 120,000 bitcoin (approximately $70 million), is one of the largest heists in the currency’s short history and the largest since the notorious implosion of Mt. Gox over two years ago. It is an utter failure of custodial protection and a violation of consumer trust. It is also a watershed moment for all leading exchanges and wallets in the digital currency space that had over the past two years managed to gain the trust of a steadily increasing number of consumers while avoiding, for the most part, highly restrictive regulatory action.
While it remains unclear precisely how this hack was executed, its success seems to contradict what we’ve been told and taught about the security virtues of multi-signature transactions. This is a much more concerning development than simply discovering that Bitfinex had implemented bad security protocols, as was the case with Mt. Gox. We expect and hope that the investigation will reveal that this is not a vulnerability that affects all accounts secured by multiple signatures, but it is too early to tell at this point.
There is also evidence that Bitfinex changed its protocols for securing consumer funds as an indirect result of a settlement with the Commodity Futures Trading Commission (CFTC). The $75,000 judgment from the CFTC presented Bitfinex with the choice of migrating from a hot/cold wallet setup (in which a portion of bitcoins are kept in inaccessible wallets) to unique accounts for each customer, or go through the arduous process of registering as a Swap Execution Facility (SEF). Bitfinex chose not to pursue obtaining SEF status, which potentially opened the exchange up to the potential of this attack. If this is the case, it may be the first example of an analog regulation being applied to a digital currency company that had the net effect of making that company’s digital assets more vulnerable.
Less than one month ago, Consumers’ Research convened a group of experts with backgrounds in consumer protection policy, regulation and technology systems for a three-day workshop to begin the process of establishing bitcoin industry principles and standards for how to best serve and protect consumers. Some members of the community with whom we engaged prior to the event, believing that significant consumer protection problems were a thing of bitcoin’s past, questioned whether digital currencies even needed more consumer protection.
In the wake of this latest heist, protecting consumers must again be at the forefront of the digital currency community. Everything from first principles to specific implementation methods needs to be on the table.
A vocal section of the bitcoin community is arguing that the only model for consumer protection in a digital currency ecosystem is “caveat emptor,” or “buyer beware.” Their argument follows from the belief that, since bitcoin is secured with theoretically un-crackable cryptography, consumers can protect their digital assets by memorizing or securing their private keys without depending on third parties.
Both consumer expectations and government regulations exist as impediments to this model. Consumers in developed nations are accustomed, thankfully, to high levels of protection in their financial services. For the most part, consumers do not bear the financial losses from corporate security lapses. When a retailer has tens of millions of credit card details stolen, consumers don’t fear that they will bear responsibility for a thief using their credit cards to make purchases.
As much as libertarian purists would like to return to an era of unregulated markets, it is simply unrealistic to ask consumers to begin storing their hashed private keys securely. If that is the consumer protection model the bitcoin community advocates, it will forever be a small community of highly technical users.
The bitcoin and blockchain communities have spent the past few years asking regulators to allow room for these technologies to grow and mature. If we’re making that ask, we need to take consumer protection seriously. A guaranteed method for attracting the attention of legislators and regulators is responding to hacks like these by saying that it’s the fault of consumers for misplacing their trust.
The community needs security standards, set by its leaders, which account for these realities of the regulatory and cultural environment. Once those tough security standards exist, consumers will then have sufficient information to make informed decisions about which entities in which to place their trust. This is the only way to foster growth and fulfill the promise of this technology.
Consumers’ Research will be engaging with the community over the next few months to ensure that the set of guiding principles and best practices we are developing alongside regulators, policymakers, and industry experts meets this challenge.