$170 Million Mistake: BitGrail May Have Been Aware of Bug that Led to Hack

by Rachel McIntosh
  • Some evidence suggests that BitGrail may have tried to solve the bug on its own as early as December.

Some users of the BitGrail exchange are still reeling from the loss of millions of dollars' worth of Nano tokens (XRB). Details of the hack remain unclear, and the lack of clarity has resulted in independent investigations and the formation of theories as to what caused the hack by various voices in the crypto sphere.

Some crypto users have happened upon evidence that would suggest that BitGrail may have known about the hack for at least several weeks. However, there are many pieces to this puzzle--in order to understand what happened, we have to take a look at the complete picture.

The Hack

On Friday, February 16, the Italian crypto exchange known as ‘BitGrail’ posted a notice addressed to all users informing them that hackers had infiltrated the exchange and walked away with 17 million Nano tokens (XRB) in hand.

Since late November, the price of XRB has soared from around $0.20 to its valuation of nearly $10 last week (down from its height of over $30 in early January), making the stolen tokens worth approximately $170 million at the time of the hack.

In Friday’s notice, BitGrail stated that “a charge about those fraudulent activities has been submitted to the competent authorities and now is under police investigation” (translated quote). The exchange also declared that all transactions would be halted while the incident is being investigated.

Even before the hack, users had reported trouble withdrawing their funds from BitGrail for several months. TechCrunch reported that a user who lost $1.4 million in XRB during the attack had been trying to withdraw their Nano tokens for a month, but was restricted by a withdrawal limit that started at 10 BTC per day and was eventually lowered to just 1 BTC per day.

Francesco Firano, the founder of BitGrail, has posted on Twitter that BitGrail currently has no way to pay back affected users at 100 percent of their losses.

Firano’s claim that the devs “don’t want to collaborate” is a reference to his controversial request to the Nano development team that they modify the XRB ledger in order to render the stolen tokens useless and restore the balance to refill BitGrail’s emptied wallet.

Crypto enthusiast Shay Priel believes that it’s unlikely that users who lost their funds in the hack will receive any restoration anytime soon: “First of all, in such cases as seen with other hacked exchanges (like Mt Gox), the investigation could take a lot of time to finish… Even if users eventually see some money back, it will take a lot of time, and the amount they will receive is unknown.”

Priel explained that some confusing messages on the part of the exchange are leaving users in the dark as to what took place and what is to come: “The exact amount of missing Nano has not been given. The first time Bitgrail reported this issue, they claimed 15 million [XRB are] missing; the next day 17 million. Now they claim that 20% is remaining, which would be 16 million [XRB] lost. They did announce that there was a recovery plan, and the 20% of Nano remains that does not belong to them.”

Hackers May Have Exploited Vulnerabilities in BitGrail’s Code

While the details of what allowed the hack to happen on a technical level are still unknown, Shay Priel believes that a couple of major flaws in BitGrail’s code led to the breach:

“As far as I understand, Bitgrail had issues with validating users’ balances and allowing insufficient withdrawals [from] the system. Some users in the community and security researchers claim that Bitgrail had two main vulnerabilities.

The first one was a client-side bad practice and vulnerability which allowed the hacker to bypass the JavaScript validation code locally, and trick the exchange to let the client withdraw more funds than the hacker owns. The second one reported was a permission bug where one user can request a withdrawal to his wallet address but use another account balance which ended in a Negative Balance on the victim account.”

Essentially, it seems that at least one user who was using BitGrail for arbitrage trading discovered at some point that it was possible to run BitGrail’s JavaScript manually to withdraw a greater amount of XRB than what was in any given user's balance.

Priel added that BitGrail could have discovered problems within its security system if it had been more proactive about testing its systems for flaws: “From my point of view, it doesn't look like BitGrail implemented sufficient security layers. And if they were they could stop such vulnerabilities by initiating penetration tests and code reviews, monitoring of abnormal activity in the system, rate limiting on large withdraw requests and much more.”
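
The two reported flaws and the controls Priel lists, reduced to a server-side withdrawal handler. This is an added example, not BitGrail's code (the details of the real bug were unconfirmed at the time of writing). The function names, the in-memory ledger and the per-request limit are assumptions made for illustration.

```javascript
// Hypothetical in-memory ledger with constructed sample data.
// Balances are BigInt in the smallest unit to avoid floating-point drift.
function makeLedger() {
  return new Map([
    ["alice", { balance: 500n }],
    ["bob", { balance: 20n }],
  ]);
}

// Weak pattern: the server trusts fields sent by the browser. Both the
// "already validated" flag and the account to debit come from the request
// body, and the session is ignored, so the debit can exceed the balance
// and can land on an account the caller does not own.
function withdrawTrustingClient(ledger, session, body) {
  if (!body.clientValidated) return { ok: false, reason: "client check failed" };
  const acct = ledger.get(body.account);
  acct.balance -= BigInt(body.amount);
  return { ok: true, balance: acct.balance };
}

// Hardened pattern: the account comes from the authenticated session, the
// amount is re-validated on the server, large requests are capped, and a
// debit that would overdraw the account is refused.
function withdrawServerChecked(ledger, session, body, perRequestLimit = 100n) {
  const acct = ledger.get(session.user); // never body.account
  if (!acct) return { ok: false, reason: "unknown account" };
  if (!/^[1-9][0-9]*$/.test(String(body.amount))) {
    return { ok: false, reason: "invalid amount" };
  }
  const amount = BigInt(body.amount);
  if (amount > perRequestLimit) return { ok: false, reason: "over limit" };
  if (amount > acct.balance) return { ok: false, reason: "insufficient funds" };
  acct.balance -= amount;
  return { ok: true, balance: acct.balance };
}

// Monitoring: a negative balance can only appear if some debit path skipped
// its checks, so it is a cheap invariant to alert on.
function negativeBalances(ledger) {
  return [...ledger].filter(([, a]) => a.balance < 0n).map(([user]) => user);
}
```

In a real service the balance check and the debit would run inside one database transaction so that concurrent requests cannot both pass the check.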

Priel also said that “it is important to note that nothing is approved yet and there is still an ongoing investigation that should reveal what precisely happened in this incident.”

Accusations and Conspiracy Theories

In the wake of the BitGrail hack, angry users who are seeking answers as to what caused the hack and if (and how) their stolen funds will be returned to them have taken to Twitter, making scathing statements about BitGrail.

Some users have even gone so far as to send death threats to the unlucky Firano, whom some have accused of masterminding the hack for his own benefit.

While there’s certainly not enough evidence to support such a hypothesis, there is some evidence that Firano may have known that someone was exploiting the BitGrail code before it was reported to the public on Friday. Shay Priel said:

“Bitgrail shared with the nano core team an example of an unauthorized transaction. The Nano team found that this transaction took place in October. Bitgrail only reported it to the nano team on February 8 which raises many question marks. Did they know about it back in October? What took them so much time to report this incident? Maybe it explains their behavior of stopping withdrawals and making it hard for users to take funds out of the system.”

However, as Reddit user @ohlookaballoon noted, Hanlon’s razor states that one should “never attribute to malice that which is adequately explained by stupidity.” In other words, Firano may have discovered the problem as early as December and tried to solve it on his own.

Shay Priel seems to think that in this case, the razor may be true: “Perhaps they tried to save some time to understand what happened and tried to fix these issues by themselves?”

In any case, ignorance is no excuse for the failure to protect users’ funds. Said Priel, “For me, it looks like bad practice by them. They should have immediately reported it to law enforcement.”

A Troubling Trend

The BitGrail hack is the latest of several high-profile hacks that have plagued the cryptosphere in recent months. It seems that as more money flows into the crypto markets, more hackers seek to find vulnerabilities in exchanges and other crypto entities.

In November and December (respectively), $30 million in USDT were stolen from Bitfinex; $60 million in BTC was stolen from mining marketplace NiceHash. South Korean exchange Youbit also filed for bankruptcy in the month of December following the theft of 17 percent of its assets. In January, a whopping $534 million in NEM tokens were taken from the Japan-based Coincheck exchange.

The rash of large-scale hacks has caused many inside and outside the cryptosphere to lose faith in the entities that are supposed to be good stewards of users’ funds, and in the cryptocurrency movement as a whole.

It’s becoming clearer and clearer that the crypto exchange industry as a whole needs a major change in attitude when it comes to cybersecurity. While there is a movement among some exchanges to make their users’ funds as safe as possible (i.e., Coinbase getting FDIC insurance and Bittrex’s continued efforts to improve security), smaller exchanges may not have the resources to keep on the cutting edge of cybersecurity.

Additionally, smaller exchanges are generally at a greater risk for insolvency. “Most of the time these small exchanges can not cover their losses, and they go bankrupt (like in the Youbit case),” says Priel.

In the worst cases, it’s still possible for small, insolvent exchanges to vanish completely.

The fact that the vast majority of cybercrimes related to the theft of cryptocurrency remain unsolved (and the individuals responsible for the hacks unpunished) certainly doesn’t encourage a change in cybersecurity culture--for example, virtually no one has faced any real consequences for the infamous Mt Gox hack that took place in 2014.

Shay Priel stated that “as an exchange, you should take users' funds very seriously, and if you don't know how to secure those funds, you should hire someone who knows or don't even take the risk of running one. We are talking about people’s money here, and exchanges should think like a bank regarding funds’ security and Risk Management. Security is built with layers and focus on three pillars: people, processes, and technology.”

About the Author: Rachel McIntosh
Rachel is a self-taught crypto geek and a passionate writer. She believes in the power that the written word has to educate, connect and empower individuals to make positive and powerful financial choices. She is the Podcast Host and a Cryptocurrency Editor at Finance Magnates.