Bitfinex claiming the compromise was entirely on their end

in #security, 8 years ago (edited)

Two crappy locks

We've heard from both Bitfinex and Bitgo that the compromise was entirely on Bitfinex's end and that no Bitgo systems were compromised.

We all love to speculate from incomplete information. It's lots of fun. But, of course, we always have to add the caveat that our reasoning could be perfectly correct and our conclusions entirely wrong because the facts are not as we think they are. So, I'm going to do that.

It seems that Bitfinex's partnership with Bitgo and the design of their multisig setup was primarily to allow Bitfinex to use segregated wallets for each of their customers. Their primary intent was, it seems, to provide continuous proof that they had the funds they claimed to have. They also used this scheme to meet regulatory requirements to legally deliver Bitcoins to their customers.

  • The scheme used was 2 of 3, with Bitfinex holding two keys and Bitgo holding one.
  • Bitfinex would use one key as a hot key to sign transactions which Bitgo would then sign.
  • Bitfinex would store the second key securely for emergency recovery.
  • Bitgo, holding one key, could not provide access to the funds in the event of a catastrophic collapse of Bitfinex.
  • Bitfinex, holding two keys, could transfer the funds without Bitgo's assistance. (So this scheme didn't, in any way, tie Bitfinex's hands.)

So what did Bitgo add over Bitfinex just using a backed-up hot key? I can only think of two things:

  • Use of Bitgo's name would create the perception of security whether or not there was any.
  • The requirement that Bitgo sign transactions only signed by Bitfinex's hot key would provide additional security that Bitfinex knew they absolutely had to have.

If Bitgo agreed to a scheme that allowed another company to use their name to create the perception of security while not providing any actual additional security, that would be incredibly reckless. They would know that since there was no actual security, the risk of a theft would not be mitigated. They would risk getting dragged through the mud if there was a theft. I'm willing to rule this possibility out.

That leaves Bitgo as providing additional security by ensuring that even a compromise of Bitfinex's hot key could not result in a bulk compromise of customers' funds.

Yet this is exactly what happened.

If it wasn't Bitgo's responsibility to avoid signing obvious theft transactions, in what way did either Bitgo or this scheme provide any security at all above just storing tens of millions of dollars in a hot wallet?
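The following is an added illustration, not code from the post, from Bitfinex or from BitGo. It models the 2-of-3 arrangement the bullets above describe (Bitfinex hot key, Bitfinex cold backup, BitGo co-signing key) and contrasts a co-signer that rubber-stamps every hot-key-signed transaction with one that enforces a spending policy before signing. Keys are HMAC secrets rather than real Bitcoin keys, and every wallet name, address, secret and limit is constructed for the example; nothing here claims to describe the policy features either company actually ran.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Toy model of the 2-of-3 arrangement described in the post: Bitfinex holds a
# hot key and a cold backup key, BitGo holds the third key. Keys are modelled
# as HMAC secrets rather than real Bitcoin keys so the example runs offline.
# Every name, secret, address and limit below is constructed for illustration.
KEYS = {
    "bitfinex_hot": b"constructed-hot-key-secret",
    "bitfinex_cold": b"constructed-cold-backup-secret",
    "bitgo": b"constructed-cosigner-secret",
}
THRESHOLD = 2
DAY = 86400


@dataclass(frozen=True)
class Tx:
    wallet: str          # segregated per-customer wallet being spent from
    destination: str
    amount_btc: float
    timestamp: int

    def digest(self) -> bytes:
        msg = f"{self.wallet}|{self.destination}|{self.amount_btc}|{self.timestamp}"
        return hashlib.sha256(msg.encode()).digest()


def sign(key_name: str, tx: Tx) -> tuple:
    return key_name, hmac.new(KEYS[key_name], tx.digest(), hashlib.sha256).digest()


def verify_single(key_name: str, tx: Tx, signature: tuple) -> bool:
    name, sig = signature
    expected = hmac.new(KEYS[key_name], tx.digest(), hashlib.sha256).digest()
    return name == key_name and hmac.compare_digest(sig, expected)


def verify_threshold(tx: Tx, signatures) -> bool:
    """Network-side rule: the spend is valid once two distinct keys have signed."""
    signers = {s[0] for s in signatures if verify_single(s[0], tx, s)}
    return len(signers) >= THRESHOLD


class RubberStampCosigner:
    """Co-signer that signs anything already carrying a valid hot-key signature.
    This adds nothing over a plain hot wallet: whoever holds the hot key spends."""

    def cosign(self, tx: Tx, hot_sig: tuple):
        if not verify_single("bitfinex_hot", tx, hot_sig):
            return None, "bad hot-key signature"
        return sign("bitgo", tx), "ok"


@dataclass
class PolicyCosigner:
    """Co-signer that enforces a spending policy before adding its signature."""
    per_tx_limit: float        # max BTC per transaction to an unknown destination
    daily_limit: float         # max BTC across all wallets per rolling 24h window
    allowlist: set             # destinations exempt from the per-transaction limit
    outflow: list = field(default_factory=list)   # (timestamp, amount) it signed

    def cosign(self, tx: Tx, hot_sig: tuple):
        if not verify_single("bitfinex_hot", tx, hot_sig):
            return None, "bad hot-key signature"
        if tx.destination not in self.allowlist and tx.amount_btc > self.per_tx_limit:
            return None, "exceeds per-transaction limit to unknown destination"
        recent = sum(a for ts, a in self.outflow if tx.timestamp - ts < DAY)
        if recent + tx.amount_btc > self.daily_limit:
            return None, "exceeds 24h velocity limit"
        self.outflow.append((tx.timestamp, tx.amount_btc))
        return sign("bitgo", tx), "ok"


def simulate_hot_key_theft(cosigner, wallets, amount_each: float, start_ts: int) -> float:
    """Someone holding only the hot key submits a withdrawal from every wallet in turn.
    Returns the total BTC whose transactions reached the 2-of-3 threshold."""
    stolen = 0.0
    for i, wallet in enumerate(wallets):
        tx = Tx(wallet, "constructed-unknown-address", amount_each, start_ts + i)
        hot_sig = sign("bitfinex_hot", tx)
        cosig, _reason = cosigner.cosign(tx, hot_sig)
        sigs = [hot_sig] + ([cosig] if cosig else [])
        if verify_threshold(tx, sigs):
            stolen += tx.amount_btc
    return stolen


def emergency_recovery(tx: Tx) -> bool:
    """Bitfinex's two keys alone reach the threshold: the scheme never tied its hands."""
    return verify_threshold(tx, [sign("bitfinex_hot", tx), sign("bitfinex_cold", tx)])


if __name__ == "__main__":
    wallets = [f"customer-{i:03d}" for i in range(100)]
    print("rubber stamp:", simulate_hot_key_theft(RubberStampCosigner(), wallets, 2.0, 0))
    policy = PolicyCosigner(5.0, 50.0, {"constructed-cold-storage-address"})
    print("policy:      ", simulate_hot_key_theft(policy, wallets, 2.0, 0))
```

With 100 segregated wallets of 2 BTC each, the rubber-stamp co-signer lets the full 200 BTC leave, exactly the "hot wallet with extra steps" outcome the question above describes, while the policy co-signer stops signing once its 24-hour outflow window fills and only 50 BTC move. The per-transaction limit is keyed to an allowlist so routine sweeps to a known cold-storage address are not blocked, and `emergency_recovery` shows that the two Bitfinex keys spend without BitGo at all, which is the last bullet of the scheme.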

Now, these are Bitfinex's wallets. They contracted with Bitgo to provide additional security against precisely the attack that occurred. Bitgo failed to provide any additional security.

That is, all the evidence currently available to me suggests that this failure was Bitgo's.

If Bitgo had insurance that covers its relationship with Bitfinex, it should cover this to the extent of the policy. Unless Bitgo bought worthless insurance just to be able to say they were insured, this would be precisely the type of scenario that they would have wanted insurance against. They are signers. They are supposed to only sign things when it is not obviously wrong to sign them. It was obviously wrong to sign these transactions. They signed them. If their insurance doesn't cover that, what does it cover?

I am a huge fan of Bitgo. I do not mean to imply in any way that Bitgo was incompetent or that they are selling snake oil, or anything like that. I know for a fact that they are technically competent people who work tirelessly to provide genuine security in innovative ways. These kinds of things happen even to the best people, even when you try your hardest to do everything right. Innovation is always risky. I am not looking for who to blame but to figure out what went wrong.

I recognize that I am speculating based on incomplete information. But I believe the reasoning is sound. If I am incorrect in any way, please correct me.


Update:

I've been told by a credible source that there are facts that would change my opinion if I were aware of them that cannot be disclosed at this time. I'm certainly willing to withhold judgment until more facts are known. As I said, the reasoning above is based only on the known facts which are, of course, limited.

I have recommended BitGo in the past and continue to recommend them. I have complete confidence in their team and their technology.

And, again, I have no interest whatsoever in placing blame. We are all human. We all make mistakes.

Also, the insurance issue is academic. BitGo stopped offering insurance in January of 2016.


"I've been told by a credible source that there are facts that would change my opinion if I were aware of them that cannot be disclosed at this time. I'm certainly willing to withhold judgment until more facts are known."

Well done @joelkatz ! If your source is not able (or doesn't want to) disclose the information then you have no reason to change your judgement.

Exactly. My judgment stays the same, my confidence in it is just less. We can revisit this when we have more facts. I still have complete confidence in BitGo and continue to recommend them. This kind of thing can happen to anyone.

good job with your post!

Nice @joelkatz
Shot you an Upvote :)

Reading the full story, I am afraid the insurance won't cover it.
Thanks for the post!

If it doesn't cover Bitgo signing a transaction they obviously shouldn't have signed that results in a loss of funds, what does it cover? (That's a serious question. Give me an example of something it would cover.)

I don't understand the whole picture, but as I see it, BitGo hasn't provided any extra security. They automatically signed every transaction that Bitfinex signed.
But it is just my first impression.

If it wasn't Bitgo's responsibility to avoid signing obvious theft transactions, in what way did either Bitgo or this scheme provide any security at all above just storing tens of millions of dollars in a hot wallet? (Which I hope neither Bitgo nor Bitfinex would have agreed to.)

And, again, if their insurance didn't cover them signing a transaction they shouldn't have signed that caused a loss, what would it cover? Since it was a 2-of-3 scheme, them signing a transaction could not possibly cause a loss unless Bitfinex also signed it.

Are you arguing the insurance covered no losses? If not, give a scenario where there is a loss the insurance would cover.

I am really not sure what to think about the whole thing.
I don't know details about the hack or the services Bitgo provided to Bitfinex. Also I am not a security expert.
I just found it really strange that it could happen without compromising Bitgo's system. Let's wait for all of the info and we will see what happened.

I just reread all the facts; yes, it was Bitgo's responsibility to avoid signing such transactions. First I thought they used the backup keys to sign the transactions. So the insurance should cover it. After that I just didn't understand how Bitgo could allow those transactions.
I really want to know more about the whole story, because there are a lot of open questions.

Hi! This post has a Flesch-Kincaid grade level of 7.8 and reading ease of 65%. This puts the writing level on par with Tom Clancy and F. Scott Fitzgerald.