Finance Law Institute: Derivatives 2019-05-13 - 15 Aug 2016 Bitfinex: could greater...
The LGBT Bar: 2017 Lavender Law Conference
Finance Law Institute: Derivatives Panel
CLE Course Materials Presented by Greg Todd, Peter Malyshev, David Lucking and Darek De Freece
August 4, 2017
“Bitfinex: Could Greater Regulation Have Prevented Its Hack?” David Lucking and Conor O’Hanlon (Aug. 15, 2016)
“CFTC Staff Advisory Clarifying Chief Compliance Officer Reporting Line Requirements,” David Lucking and Deborah North (July 27, 2016)
“Derivatives and Pension Funds: Key Collateralisation Deadline Approaching,” Emma Dwyer, Maria Stimson, Däna Burstow, Neil Bowden, Jane Higgins, Helen Powell and Emma Lancelott (Feb. 15, 2017)
“EMIR Under the Knife: EC Proposal to Amend Key Derivatives Regulation,” Emma Dwyer, Richard Tredgett, Tom Roberts, Franz Ranero, Damian Carolan, Nick Bradbury, Nicole Rhodes and Emma Lancelott (May 9, 2017)
“U.S. CFTC Enforcement: Key Compliance Takeaways from 2016,” Jennifer Achilles, Jill Ottenberg, Peter Malyshev and Michael Selig (January 2017)
“U.S. CFTC Enforcement Considerations for 2017,” Peter Malyshev, Jennifer Achilles, Jill Ottenberg and Michael Selig (February 2017)
“NFA Update for Commodity Pool Operators and Commodity Trading Advisors,” Nicolle Snyder Bagnell and Lucas Liben (February 2017)
“An Overview of the CFTC’s Modernized Recordkeeping Requirements,” Peter Malyshev, Kari Larsen and Michael Selig (June 2017)
Panelist Profiles Page 51
15 Aug 2016
Bitfinex: could greater regulation have prevented its hack?
Introduction
"In response to these constructive discussions with the CFTC’s Division of Enforcement, BFXNA has made significant changes to the way in which U.S. customers engage in financed trading on Bitfinex."
– Bitfinex Announcement, June 2, 2016
In their engagement to date with the emerging cryptocurrency sector, the United States Commodity Futures Trading Commission (the CFTC) and many other regulatory bodies have broadly adopted a "wait and see" approach to adapting their regulatory frameworks, seeking where necessary to apply existing regulations to this nascent space as coherently as possible. This approach has so far been largely successful, with regulators taking enforcement actions against dangerous Ponzi schemes and unlicensed exchanges. However, the approach has come under scrutiny, because just two months prior to the August 2, 2016 hack of Bitfinex the CFTC had issued an order concluding its investigation into the Hong Kong-based cryptocurrency exchange.
Bitfinex is a cryptocurrency trading platform that permits the exchange of cryptocurrencies including bitcoin, litecoin and ether. It also provides a margin trading and lending service for users. Through this service, users are able to lend funds as margin to other traders to enable them to open leveraged positions. Bitfinex permitted a maximum leverage of 3.33 to 1. On August 2, 2016 Bitfinex's security was compromised, leading to a theft of 119,756 bitcoin, worth approximately USD 72 million on August 2. The exact details of how the hacker managed to effect the heist are unclear, although there is speculation that the attack may have been a combination of Bitfinex's private keys being compromised and unauthorized access to the API instructing BitGo to counter-sign the transactions. On August 7, 2016 Bitfinex announced that losses arising from the August 2 hack would be socialized, with users' accounts being haircut by approximately 36%. In return, users have been issued a new 'BFX' token, which represents a debt claim (or potential redemption of iFinex Inc. stock) at some point in the future. This represents the first ever issuance of a digital token in place of a company's debt obligation. How this novel insolvency solution will be received by users, regulators and insolvency officials remains to be seen.
Page 1 of 6 Bitfinex: could greater regulation have prevented its hack? - Allen & Overy aohub
Bitfinex protected its customer funds through a customer segregated wallet system in partnership with BitGo. Prior to August 2015, Bitfinex used an omnibus settlement wallet to store funds, with funds being held in a hot/cold wallet system. A hot/cold wallet system allowed Bitfinex to operate an active online wallet to settle trades (the 'hot' wallet), and separately store a majority of its bitcoins offline (the 'cold' wallet). In August 2015 and January 2016 Bitfinex changed its processes to ensure that each customer's funds were held in their own segregated customer wallet. Bitfinex explained the benefits of this approach in an FAQ following the adoption of the system:
"The use of this model, where each customer has a separate set of keys and wallets, allows for a much greater level of granularity at which multi-institutional security can be provided. Whilst in the past BitGo would have to treat a pooled wallet as a single unit, per-customer policies can now be enforced. Further, since we now enforce multi-institutional second factor authentication (Bitfinex will be the first factor and BitGo the second factor), attackers are required to compromise both institutions before getting funds."
Under this system, BitGo maintained control of one of the private keys, Bitfinex maintained control of another, and the third private key was held by Bitfinex in cold storage "for the off-chance that BitGo was unavailable and BitGo needed to authorize a transaction". Each customer therefore had a BitGo wallet in which their bitcoin was stored, with the keys held by both Bitfinex and BitGo. In the case of U.S. customers subject to a lien (i.e. the lien of a Bitfinex margin financing provider), the third key was held by the customer themselves. Bitfinex did have withdrawal limits in place to protect against attacks draining wallets, but the attacker circumvented these limits.
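The custody arrangement described in the two paragraphs above (a 2-of-3 threshold, with Bitfinex as first factor, BitGo as a policy-enforcing second factor, and a cold key as fallback), modelled as an added example that is not Bitfinex's or BitGo's code. The key names, the HMAC-based signature stand-ins used in place of ECDSA, and the per-customer daily limit are assumptions made for illustration.

```python
"""Model of a 2-of-3 custodial wallet with a policy-enforcing co-signer.

Added illustration only: signatures are HMAC tags over a constructed
transaction encoding, not Bitcoin ECDSA signatures or real BitGo policy.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key material: one independent signing secret per key holder.
KEYS = {"bitfinex": b"hot-key-1", "bitgo": b"cosigner-key-2", "cold": b"cold-key-3"}
THRESHOLD = 2  # any two of the three holders can move funds


def sign(holder: str, tx: bytes) -> str:
    """Stand-in for a signature: HMAC-SHA256 tag produced with the holder's key."""
    return hmac.new(KEYS[holder], tx, hashlib.sha256).hexdigest()


def verify(holder: str, tx: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(holder, tx), sig)


@dataclass
class CustomerWallet:
    """Segregated per-customer wallet; the limit applies to this customer only."""
    customer: str
    daily_limit_btc: float
    spent_today_btc: float = 0.0

    def tx_bytes(self, amount: float, dest: str) -> bytes:
        return f"{self.customer}|{amount}|{dest}".encode()


def bitgo_cosign(wallet: CustomerWallet, amount: float, dest: str):
    """Second factor: the co-signer checks per-customer policy before signing."""
    if wallet.spent_today_btc + amount > wallet.daily_limit_btc:
        return None  # policy violated: no second signature is produced
    return sign("bitgo", wallet.tx_bytes(amount, dest))


def authorize(wallet: CustomerWallet, amount: float, dest: str, sigs: dict) -> bool:
    """Threshold check: THRESHOLD valid signatures from distinct holders are required."""
    tx = wallet.tx_bytes(amount, dest)
    valid = {h for h, s in sigs.items() if s is not None and verify(h, tx, s)}
    if len(valid) < THRESHOLD:
        return False
    wallet.spent_today_btc += amount
    return True


def withdraw(wallet: CustomerWallet, amount: float, dest: str) -> bool:
    """Normal path: Bitfinex signs first, BitGo co-signs only if policy allows."""
    tx = wallet.tx_bytes(amount, dest)
    sigs = {"bitfinex": sign("bitfinex", tx), "bitgo": bitgo_cosign(wallet, amount, dest)}
    return authorize(wallet, amount, dest, sigs)
```

A holder that controls only the Bitfinex key cannot move funds on its own, and a second customer's wallet is unaffected by the first customer's spending, which is the per-customer granularity the FAQ quote refers to.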
The CFTC's Bitfinex Order
The CFTC is the regulatory body with the power to regulate commodities in the United States. Following the passage of the Dodd-Frank Act, it is tasked with oversight of leveraged, margined or financed retail commodity transactions. The CFTC has previously asserted its jurisdiction over bitcoin by determining that it is a commodity. Pursuant to this power, the CFTC began investigating Bitfinex in 2015, and ultimately issued an order on June 2, 2016.
The United States Commodity Exchange Act (CEA) provides that any agreement, contract or transaction in any commodity entered into with or offered to a retail customer on a leveraged or margined basis, or financed by an offeror, the counterparty, or a person acting in concert with an offeror or counterparty on a similar basis is to be regulated by the CFTC and subject to the CEA
as if it were a contract of sale of a commodity for future delivery. There is however an exception to this, which provides that if the agreement, contract or transaction results in actual delivery within 28 days, it will not be regulated as if it were a transaction in a commodity for future delivery. Transactions regulated as futures are ordinarily subject to numerous requirements, including that they be traded on a recognized board of trade subject to the CFTC's jurisdiction. It is therefore of immense importance to cryptocurrency platforms that traded bitcoins are considered to be effectively delivered.
As a result, the CFTC's question became what constituted 'delivery' of a bitcoin. Did Bitfinex 'deliver' bitcoins to its users effectively within the period in question? Ultimately, the CFTC decided that Bitfinex had not done so because Bitfinex retained the private keys to customers' wallets. This distinction has been the subject of much debate, and a recent submission has been made to the CFTC seeking clarification and guidance. In particular, concern has been expressed at the equation of possession of a private key with delivery/control of a wallet's contents, and also at how such private key analysis should be applied to multi-signature wallets.
Although the CFTC's Bitfinex Order did not affirmatively compel Bitfinex to alter its custodial structure to the current one, it is clear that Bitfinex cooperated and constructively engaged with the CFTC from September 2015 onwards, and made "significant changes to the way in which U.S. customers engage[d]" with the Bitfinex platform. This change involved moving from a hot/cold proprietary wallet system to the current BitGo multi-signature system.
Although the exact vulnerability of the August 2 hack is currently unclear, reports from Bitfinex indicate that it was a sophisticated and technical exploitation. Given the lack of current information, it is therefore difficult to state with certainty whether the changes Bitfinex made following the CFTC's investigation played a role in this hack. Some have speculated that the hosting of a greater number of segregated, but online, customer funds in wallets may have facilitated the hacker's ability to steal