Five questions surrounding the BitGrail ‘hack’
The Italian exchange BitGrail collapsed on Friday, citing the loss of 15m Nano (aka XRB and formerly known as RaiBlocks). That the exchange has failed is sadly less of a surprise than an inevitability. It had been mired in issues and complaints over the past months but saw rapidly increasing volumes as a result of being one of just two exchanges to support Nano.
Nano had a meteoric rise in the same time frame, but the loss of 15m Nano, worth c. $170m as of Friday, makes this one of the larger exchange hacks relative to a cryptoasset's circulating supply. Roughly 12% of the supply is now missing and the details remain murky.
Negligent or nefarious?
Francesco Firano, the proprietor of BitGrail, claims that the site was hacked and that Nano were stolen from the BitGrail ‘cold’ wallet and withdrawn without authorisation, unnoticed, as far back as the 19th of October (when the price of XRB was just $0.1, a far cry from the c. $35 it would top out at shortly thereafter).
However, a number of users had posted about a bug on BitGrail that allowed deposits to be exploited. Through this, users were able to double or triple their deposited funds. This was not specific to XRB but affected all cryptoassets on the site, such as ETH and BTC. Some users therefore had balances well in excess of what they had actually deposited, and nothing backed those balances. What is unknown, however, is how many people exploited this, how much they were able to take out and how long it was going on for.
This also doesn’t explain how millions of XRB were able to be transferred between BitGrail and a second exchange, Mercatox, when BitGrail had suspended XRB withdrawals in January. This is perhaps the most telling piece of evidence that someone either had high-level access to the BitGrail system through working there or was otherwise able to obtain it.
At present there is no way to know what exactly happened. Firano is co-operating with Italian police and it will likely be years before the truth is uncovered. If I were to guess, it would be that BitGrail held fewer assets than users had deposited on the site thanks to the deposit exploit. In this position, it would be reasonable to assume that it was tempting to try and recoup losses in a bid to stay solvent (as at this stage the amount lost was still quite low, even if we assume 15m XRB was missing then).
Given XRB was one of the few cryptoassets on the platform that was barely traded elsewhere and starting to rise in price, it would have theoretically given BitGrail management greater control to manipulate the price and trade it themselves to restore user balances. However, the price moved against them, widening the losses day by day to such an extent that BitGrail were forced to close withdrawals as they would not have been able to redeem them. This bought them additional weeks, but in the end it would have become clear that there was no way to recover their losses – especially once KuCoin and then Binance opened up XRB trading and therefore removed their greatest cash cow.
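The two failures described above (deposits credited more than once, and an exchange owing users more than it holds) are what an exchange's own ledger checks are meant to catch. The following is an added example, not BitGrail's code and not based on any knowledge of its internals: it assumes the double-credit came from the same on-chain deposit being credited on every notification, contrasts that with crediting keyed on the transaction hash, and reconciles user liabilities against constructed sample reserves.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Deposit:
    tx_hash: str      # on-chain transaction id; the values below are constructed samples
    account: str
    asset: str
    amount: Decimal


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)  # (account, asset) -> credited balance
    seen: set = field(default_factory=set)        # (asset, tx_hash) already credited

    def credit_naive(self, d: Deposit) -> None:
        """Credits on every notification: a replayed or re-scanned deposit inflates the balance."""
        key = (d.account, d.asset)
        self.balances[key] = self.balances.get(key, Decimal(0)) + d.amount

    def credit_idempotent(self, d: Deposit) -> bool:
        """Credits each on-chain transaction at most once; returns False on a repeat."""
        if (d.asset, d.tx_hash) in self.seen:
            return False
        self.seen.add((d.asset, d.tx_hash))
        key = (d.account, d.asset)
        self.balances[key] = self.balances.get(key, Decimal(0)) + d.amount
        return True

    def liabilities(self, asset: str) -> Decimal:
        """Total of what users are owed in this asset."""
        return sum((v for (_, s), v in self.balances.items() if s == asset), Decimal(0))


def shortfall(ledger: Ledger, asset: str, reserves: Decimal) -> Decimal:
    """Liabilities minus what the exchange actually holds on-chain; > 0 means insolvent in that asset."""
    return ledger.liabilities(asset) - reserves


def demo() -> tuple:
    """Same deposit notification delivered three times, backed by a single real on-chain deposit."""
    dep = Deposit("tx-sample-0001", "alice", "XRB", Decimal("1000"))  # constructed sample
    naive, safe = Ledger(), Ledger()
    for _ in range(3):
        naive.credit_naive(dep)
        safe.credit_idempotent(dep)
    reserves = Decimal("1000")  # constructed: only one deposit ever arrived on-chain
    return shortfall(naive, "XRB", reserves), shortfall(safe, "XRB", reserves)
```

The naive ledger ends up owing 2000 XRB more than the exchange holds, while the idempotent one reconciles to zero; a daily run of shortfall() against real reserves is the check that would have surfaced the gap long before withdrawals had to be halted.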
Why do people have such a low bar?
The warning signs had been there about BitGrail for a long time. The customer service was awful, even by crypto standards, there were numerous site issues and Firano had the following as his Twitter bio in what now appears an ominously foreshadowing message:
You either die a developer, or live long enough to see yourself become the scammer
They also acted in an unprofessional manner, having numerous Twitter spats with users and the Nano team alike, notably in a row over performance in which Firano threatened to delist XRB.
Even by crypto standards, BitGrail was a poorly run exchange. However, it highlights an issue, which is that people don’t care. If a particular cryptoasset is only available on that exchange, then that exchange is where they will go. Potential profit trumps the risk of being scammed, which works well until it doesn’t.
Why did the Nano team vouch for Firano?
I am not for one second suggesting that the Nano team had anything to do with creating this situation. But they made a misstep in publicly attesting to his character and to the safety of BitGrail. There is no reason why they should have allied themselves with a third party business, particularly one of the nature of BitGrail, when they could not have had a good enough sight of the business to do so.
These reflect errors of judgement. At best it is naïve; at worst it is an attempt to bolster confidence in an untrustworthy exchange to prop up the price of an asset of which the team holds a considerable amount. Neither is a good look.
What impact has it had on Nano prices to date?
Some have suggested that the Nano price has been suppressed to date, given that a large amount of Nano has been stolen and sold. It may also have been a driver of the large gains it saw, owing to large initial buy pressure that gave it momentum; there has rarely been a cryptoasset that has moved so quickly, going 100x in a matter of weeks. If it was an inside job and the funds were taken from artificial balances, giving a cost basis of 0, then it becomes more believable that someone would simply buy up XRB regardless of price. This theory only works if, for some reason, it was only XRB being bought, which, again, only seems likely if it was an inside job.
Users have argued the suppression started in January, but to date it seems like a substantial amount of the stolen tokens have not been sold, thus removing a significant proportion of the supply from active circulation.
As with the whole situation, it is hard to know what impact this has had.
What will happen to Nano?
The cryptoasset community is sadly used to exchange hacks now and as such the temptation is to write this off as just another Mt. Gox/DAO hack. But there are two important differences from those. Firstly, the amount stolen as a proportion of total supply is actually higher than the amount stolen in the Mt. Gox collapse. Mt. Gox lost 650,000 BTC, equal to c. 4% of the supply. Nano now sees nearly 3x that proportion (if this is indeed the true figure; it is only BitGrail’s word that we have on this to date) potentially in the hands of a hacker or scammer.
The DAO hack was resolved through a hard fork. Whilst contentious, this allowed Ethereum to move on from the matter swiftly. Nano has no such recourse owing to the design of its block lattice. It is a troubling position for the cryptoasset to be in.