Conversation

The bitfinex hack in 2016 was a special beast: They were not using the typical hot/cold storage setup most exchanges use but rather had a novel wallet setup where each user had their own separate multisig wallet, both bitfinex and bitgo held keys and in some cases so did users.

331

ODELL

@ODELL

Feb 9

The setup was not designed with security in mind, but rather with regulatory arbitrage in mind: at the time bitfinex was fighting with the US Gov about their lack of financial compliance and this was an attempt to say "we do not hold customer funds so we do not have to comply."

143

ODELL

@ODELL

Feb 9

The result was an insecure setup where bitgo blindly signed any bitfinex customer withdrawal request without additional authorization, by design. An extremely insecure setup that could have been easily compromised through effective social engineering.

215

Jesse Powell

@jespow

Replying to

@ODELL

Definitely one of the worst, most directly attributable cases ever of a greedy regulator’s blind exertion of authority causing massive consumer harm, by forcing a service to downgrade security in order to achieve compliance with a self-serving interpretation of an outdated rule.

1:56 AM · Feb 10, 2022Twitter for iPhone

Retweets

Quote Tweets

Likes