
Bitfinex never ‘repaid’ their tokens, they started a ponzi scheme - mbgaxyz
https://medium.com/@bitfinexed/bitfinex-never-repaid-their-tokens-bitfinex-started-a-ponzi-scheme-86a9291add29
======
thisisit
Reading this article made me wonder - how much of the bitcoin rally is due to
counterparty risks?

If I remember correctly the last ramp up happened during Mt. Gox era. They
were having USD withdrawal issues which resulted in BTC prices being very high
on the exchange. But it didn't deter them from publishing prices and making
markets.

Now there is the case of Bitfinex, which suffered from a hack like Mt. Gox and is trying
to stay afloat. As per coinmarketcap, it has nearly 15% of bitcoin volume, which
is pretty high to ensure market follows in-step to their market making. A
quick search on Google turns up pages of people asking about Bitfinex
withdrawals.

For people who are curious about this, there was an article yesterday about
Zimbabwean Bitcoin soaring to 12k USD, which obviously hinges a lot on
counterparty risks and resulting low liquidity:
[https://news.ycombinator.com/item?id=15627608](https://news.ycombinator.com/item?id=15627608)

~~~
cm2187
I am not sure I follow. Counterparty risk should push the price down, not up.
This thing is not worth as much because there is a significant risk your
investment may go away because of a bug or a mistake.

~~~
runeks
> Counterparty risk should push the price down, not up.

Not if the counterparty risk causes you to be unable to withdraw national
currency, thus forcing you to buy bitcoins for national currency and then
withdraw the bitcoins.

The only way for the price to go down, in a scenario like this, is if it's
possible to sell bitcoins on the exchange (thus pushing down the price) and
withdraw the proceeds.

In a BTCUSD market, if you are unable to withdraw BTC you will sell BTC for
USD and withdraw USD, thus pushing down the price. And if you're unable to
withdraw USD you will buy BTC for USD and withdraw BTC, thus pushing up the
price.

~~~
gwern
It would only push the price up on the untrustworthy exchanges, and it would
lower the price everywhere else because it indicates the asset is not useful,
it could be stolen & dumped on the market, it discourages anyone from getting
in, it forces them to use alternative usually less convenient exchanges, etc.
And even the counterparty risk doesn't produce that much increase: right up to
the end when it was too late, the Mtgox premium was only like 10%. Such a
mechanism can't possibly explain all or even a little bit of a runup from $2k
to $7k (not to mention, the market cap being an order of magnitude or two
higher).

~~~
thisisit
That is assuming bitcoin and other cryptocurrency markets are mature and
perfect. They are not.

~~~
gwern
Well then, why do you think they're mature and perfect enough to worry about
counterparty risk? What's sauce for the goose is sauce for the gander.

~~~
thisisit
Um? Let me use an example to explain what is happening here:

Me - Cryptocurrency markets are not mature, that is why we have a lot of
arbitrage opportunity between exchanges.

You - Why do you think they're mature and perfect enough to worry about
_arbitrage opportunities_?

So, let me repeat again - It is exactly because they are not mature there are
issues. If they are mature, there is nothing to worry about. And that is the _sauce_
you are looking for.

~~~
gwern
You're claiming they are efficiently pricing in a particular risk, pushing up
prices to reflect the counterparty risk, but then denying they are efficient
enough to price in the other consequences they should be. This is not
consistent or at least is very stretched.

------
csomar
While I'd enjoy good detective journalism, this article is just making
claims out of thin air. And here is one:

> However, this doesn’t stop Bitfinex from tripping over their shoelaces to
> immediately list a fork which doesn’t exist, in order to make money off of
> suckers.

That is not correct. Bitfinex didn't list Bitcoin Gold. They listed a future
contract of Bitcoin Gold (though the naming "token" is a bit confusing). You
can create a future contract about anything, like the weather or soccer.

> Prior to publishing this post I was informed that Tethers are on the rise.
> Today, at the time of this post there has been another 25,000,000 USDT
> printed.

First, a new creation of Tether doesn't result in a pump. That would be too
obvious for traders to arb the effect.

Second, Tether is not used by Bitfinex heavily. Tether's biggest clients are
Poloniex and Bittrex. And there is _blockchain_ proof for that:
[https://wallet.tether.to/richlist](https://wallet.tether.to/richlist)

~~~
einarvollset
> First, a new creation of Tether doesn't result in a pump. That would be too
> obvious for traders to arb the effect.

Orly? ->
[https://www.dropbox.com/sh/lylx2da2vobps8h/AAAN0q62s1X_Wl0H-...](https://www.dropbox.com/sh/lylx2da2vobps8h/AAAN0q62s1X_Wl0H-j3W7KGDa?dl=0)

~~~
mbgaxyz
There is interesting linear regression analysis in the folder above, between
issuance of Tethers and the price of Bitcoin.

------
keypusher
This guy has been trying to spread doubt about bitfinex for a long time, but
never has much to back it up. A few months ago he went on a big campaign
against Tether (tokens associated with Bitfinex), claiming they were created
out of thin air. Tether then completed and released an audit by a
professional, accredited team of their bank balances (1). I don't personally
use Bitfinex, and it's possible some of these accusations are at least
partially true, but there's really no evidence to confirm that. Don't buy into
this type of FUD without doing your own research.

Some of the claims he makes are disingenuous. Bitcoin Gold has nothing to do
with Bitfinex, and is listed on a number of exchanges. It's definitely a
pretty sketchy project, but it was a BTC fork and users tend to dislike when
their exchange keeps forked tokens to themselves. EOS/IOTA are big projects
with large market caps and real teams. Did some weird accounting happen after
the Bitfinex hack? Maybe. Did most of the people end up getting their money
back? Yes. Does it matter now? Not really. This is the largest BTC exchange
(by volume) in the world. They generate tens of millions of revenue from
exchange fees every month. There's no clear reason for them to engage in any
weird, illegal money schemes at this point, they already have a money printing
factory.

[https://tether.to/wp-content/uploads/2017/09/Final-Tether-Co...](https://tether.to/wp-content/uploads/2017/09/Final-Tether-Consulting-Report-9-15-17_Redacted.pdf)

~~~
pja
There are two key quotes that you need to pay attention to in that document:

 _This engagement does not contemplate tests of accounting records or the
performance of other procedures performed in an audit or attest engagement._

 _In addition, our services do not include a determination of compliance with
laws and regulations in any jurisdiction. All inquiries made throughout the
consulting process have been directed toward, and the data obtained from, the
Client and personnel responsible for maintaining such information._

In other words, that document is not an audit. Just like previous "audits"
published by Bitfinex connected companies, it’s an internal management report
created for the management by an accounting firm. Such reports assume that
everything they’re told by management is true: why would management lie to
themselves? What would be the point?

If you’re an external entity on the other hand, eg a shareholder in the
company say who wants an external third party to validate claims made by
management, then you will only rely on a real audit made by a company that
sends staff to check on those claims personally. This document is not such an
audit & its authors are at pains to point that out.

Edit: The auditors did confirm bank balances with the holding banks, but did
not perform an audit that would find any corresponding liabilities, nor that
the claimed Trustee relationship between the company and the individual named
on the account had any legal force. What this document shows is that people
connected with the company had accounts with the claimed $Xmillion in them in
total on the day in question & this was confirmed by the accountants. That’s
it - it’s still not an audit.

~~~
keypusher
> Such reports assume that everything they’re told by management is true

No, they checked the balances with the banks. They verified the amount as
stated was held by the bank at the time. You can see that in the section that
begins "FLLP confirmed each bank account directly with the respective bank"

~~~
pja
Apologies: I had missed that line. Edited appropriately.

------
dnautics
Maybe I misunderstood this, but basically you got 1 bfx token for each dollar
that was stolen due to the hack. As people sold bfx tokens at lower prices
than $1 (in part because the US announced this was not ok, in part due to
varying confidence in bfx ability to repay), bitfinex could rebuy some of
those tokens at a discount, and clear them to itself at a fraction of the cost.

There were also occasionally rolling rebuys of bfx tokens at the face value of
$1.

------
thisisit
> As Bitfinex has become more and more desperate, they have listed more and
> more crypto-currencies of questionable value, such as EOS/IOTA/ETP and so
> on.

As per coinmarketcap.com:

EOS is ranked 19, 442 million in marketcap

IOTA is ranked 11, 950 million in marketcap

ETP is ranked 70, 73 million in marketcap

Anyone can throw some light on what these coins really are?

Additionally, BTC markets:

[https://coinmarketcap.com/currencies/bitcoin/#markets](https://coinmarketcap.com/currencies/bitcoin/#markets)

shows Bitfinex raking in over 15% of the current market volume. I wonder what
will happen to the price if they go under.

While I agree with most of the article, especially the Tethers part, Debt to
Equity swap is a real thing and not a Ponzi scheme:

[http://www.investopedia.com/terms/d/debtequityswap.asp](http://www.investopedia.com/terms/d/debtequityswap.asp)

Though whether the equity shares are worth as much as Bitfinex is claiming
them to be is another question.

~~~
redka
IOTA actually seems pretty revolutionary. I don't think it's a finished
product yet but if you want some info then it's a DAG ("tangle")[1] instead of
a blockchain and offers 0 fees and possibly huge scalability. There are some
products already using it: RuuviTag[2], Bosch XDK IoT[3], PoC ElaadNL charging
station[4], Modum[5]. Once they prove they can go without the "Coordinator"[6]
I'm going to be completely sold on the project.

[1] [https://iota.org/IOTA_Whitepaper.pdf](https://iota.org/IOTA_Whitepaper.pdf)

[2] [https://lab.ruuvi.com/iota/](https://lab.ruuvi.com/iota/)

[3] [https://xdk.bosch-connectivity.com/](https://xdk.bosch-connectivity.com/)

[4] [https://medium.com/@harmvandenbrink/how-elaadnl-built-a-poc-...](https://medium.com/@harmvandenbrink/how-elaadnl-built-a-poc-charge-station-running-fully-on-iota-and-iota-only-e16ed4c4d4d5)

[5] [https://www.reddit.com/r/Iota/comments/6vl57m/iota_modum_ask...](https://www.reddit.com/r/Iota/comments/6vl57m/iota_modum_ask_us_anything/dm14etf/)

[6] [https://domschiener.gitbooks.io/iota-guide/content/chapter1/...](https://domschiener.gitbooks.io/iota-guide/content/chapter1/current-role-of-the-coordinator.html)

~~~
espadrine
The principles could be relevant (although I haven't verified (or read an
independent review of) the proofs).

However, at least the execution is dubious: not only was a major cryptographic
vulnerability found a few months ago[0], it highlighted that

1. they made their own unproven crypto hash, which is a red flag, (in
production, you should always prefer crypto that has survived many years of
cryptanalysis) and

2. they were really not up-to-date on cryptanalysis techniques, as being
vulnerable to differential cryptanalysis is, as Bruce Schneier puts it, "a
rookie mistake".

Worse than that, they seem to rely on security through obscurity, purposefully
making it hard to analyse their systems by making it base 3 (instead of the
obvious base 2 that all of practical computer science relies on).

Finally, their justification for the coordinator is also a red flag[1].

[0] [https://medium.com/@neha/cryptographic-vulnerabilities-in-io...](https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367)

[1] [https://medium.com/@ercwl/iota-is-centralized-6289246e7b4d](https://medium.com/@ercwl/iota-is-centralized-6289246e7b4d)

~~~
dutchbrit
The coordinator will be open-sourced and in all seriousness, even bitcoin had
a sort of coordinator in the beginning, people aren't even forced to use
it/can bypass it, but it's recommended to use it for now. So your statement
isn't 100% valid.

Regarding crypto, you can read their response & reasoning here:
[https://blog.iota.org/curl-disclosure-beyond-the-headline-18...](https://blog.iota.org/curl-disclosure-beyond-the-headline-1814048d08ef)

"The replacement Kerl hash function is unmodified KECCAK-384 that only
converts its input and output from/to 243 trits to 48 bytes using basic two’s
complement. KECCAK-384 is well vetted and researched."
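
An added illustration of the trit/byte conversion in the quoted description of Kerl (not part of any comment in this thread and not IOTA's code): 243 balanced trits span slightly more than the signed 384-bit range, so a 48-byte two's-complement encoding cannot hold every input. The sketch assumes least-significant-first trits, big-endian bytes, and that the last trit is forced to zero to make the value fit; the Keccak-384 step itself is left out.

```python
TRITS, BYTES = 243, 48                   # sizes from the quoted statement
MAX_243 = (3**TRITS - 1) // 2            # largest value of 243 balanced trits
MAX_242 = (3**(TRITS - 1) - 1) // 2      # largest value once the last trit is 0
INT384_MAX = 2**(8 * BYTES - 1) - 1      # largest signed 384-bit integer


def trits_to_int(trits):
    """Balanced ternary digits (-1, 0, 1), least significant first (assumed)."""
    value = 0
    for t in reversed(trits):
        if t not in (-1, 0, 1):
            raise ValueError(f"not a balanced trit: {t!r}")
        value = value * 3 + t
    return value


def int_to_trits(value, count):
    """Inverse of trits_to_int; raises if `count` trits are not enough."""
    trits = []
    for _ in range(count):
        r = value % 3                    # 0, 1 or 2, also for negative values
        if r == 2:
            r = -1                       # digit 2 becomes -1 with a carry
        trits.append(r)
        value = (value - r) // 3
    if value:
        raise OverflowError("value needs more trits")
    return trits


def trits_to_bytes(trits):
    """243 trits -> 48 bytes, big-endian two's complement."""
    if len(trits) != TRITS:
        raise ValueError("expected 243 trits")
    clipped = list(trits[:-1]) + [0]     # assumption: last trit is dropped
    return trits_to_int(clipped).to_bytes(BYTES, "big", signed=True)


def bytes_to_trits(data):
    """48 bytes -> 243 trits, with the last trit cleared (same assumption)."""
    if len(data) != BYTES:
        raise ValueError("expected 48 bytes")
    trits = int_to_trits(int.from_bytes(data, "big", signed=True), TRITS)
    trits[-1] = 0
    return trits


def sample_trits():
    """Constructed test vector, not taken from any real transaction."""
    trits = [(i * 7) % 3 - 1 for i in range(TRITS)]
    trits[-1] = 0
    return trits


if __name__ == "__main__":
    print("243 trits exceed int384:", MAX_243 > INT384_MAX)
    print("242 trits fit in int384:", MAX_242 <= INT384_MAX)
    encoded = trits_to_bytes(sample_trits())
    print("round trip ok:", bytes_to_trits(encoded) == sample_trits())
```

Under that assumption, two inputs that differ only in the 243rd trit encode to the same 48 bytes, so the conversion is not injective over all 243-trit inputs.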

~~~
comex
Just to clarify, since I misread your quote and think others might as well:

> "The replacement Kerl hash function is unmodified KECCAK-384 that only
> converts its input and output from/to 243 trits to 48 bytes using basic
> two’s complement. KECCAK-384 is well vetted and researched."

"Replacement" really does mean replacement, i.e. what they substituted in
after the researchers successfully attacked their original hash function. (The
new one is called "Kerl" and the old one is called "Curl", which seems
confusing.)

I'm not sure how asserting that the _replacement_ is well-researched addresses
the OP's point that their history of (a) rolling their own hash function, and
(b) not adequately considering differential cryptanalysis, is a red flag.
True, that specific vulnerability can now be considered fixed, which might not
be clear from the OP's post - but it's still evidence of incompetence, which
doesn't bode well for the quality of the rest of their design.

~~~
Aledgerly
This is a common misunderstanding. IOTA never deployed a vulnerable
hash function. They had precautionary measures in place and thus had Curl there
to test it out, which worked out brilliantly. Keep in mind that IOTA asked the
team to attack Curl, not the other way around. This was planned.

Curl is meant to be a lightweight crypto for IOT, a field of very active
research. None of this is controversial to anyone that isn't looking for
things to latch negativity onto.

~~~
AlexandrB
> Keep in mind that IOTA asked the team to attack Curl, not the other way
> around. This was planned.

This seems to contradict the researcher's own post [1]:

> We discovered a vulnerability in IOTA after reviewing their code on GitHub
> in July. We disclosed what we found to the IOTA team on July 14th, and have
> been in contact with them since then as we discovered new issues and
> exploits.

Finally, even if Curl is meant as a new, lightweight hash function, it was
broken by _differential cryptanalysis_ , not some novel, exotic attack vector.
Sounds like it needs a lot of work before it's fit for purpose.

[1] [https://medium.com/@neha/cryptographic-vulnerabilities-in-io...](https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367)

~~~
Aledgerly
Yes, Ethan was then forced to admit that the IOTA team actually approached him
in May.

~~~
AlexandrB
Can you provide a link please? All I see in the comments to the researcher's
piece is an IOTA advisor threatening a libel suit - a really good sign that
they "really care" about their technical issues.

~~~
Aledgerly
I highly suggest you read

[https://blog.iota.org/curl-disclosure-beyond-the-headline-18...](https://blog.iota.org/curl-disclosure-beyond-the-headline-1814048d08ef)

~~~
AlexandrB
Ok. I've read it. Nowhere does it mention IOTA contacting the researchers in
question in May.

This article also answers the wrong question. If the cryptocurrency is not
cryptographically secure, all that stands between an attacker and a victim is a
piece of malware or social engineering. The fact that the researchers didn't
go all the way and document a specific attack that could be performed tomorrow
does not mean that Curl was secure in practice.

Finally, this continues to fail to address many salient points. Like why use
trits? Why wasn't Keccak used from day one?

------
darawk
Bitfinex didn't force anyone to convert to equity. I was a bitfinex customer.
I lost money in the hack. They certainly paid me back. These silly criticisms
of them need to stop. They did the best they could with a bad situation. I
wouldn't have wanted them to do anything differently than exactly what they
did.

They allowed people to convert to equity as an _option_. A _choice_. They paid
back everyone who didn't _choose_ to do that, in full, and quite quickly.
Bitfinex's response to that hack should be considered a model for any future
company in that situation. Hopefully such a thing won't happen, but if it
does, there's no better way to respond than _exactly_ how Bitfinex did.

~~~
lawnchair_larry
All scams start with a "choice". That is not relevant, and the author is right
to educate "choosers" by demonstrating the information asymmetry that leads to
them going broke by choosing incorrectly.

It's great for you that you were able to be repaid at the cost of other
victims who were robbed and swindled, but that isn't a responsible way to
handle these things, and is most definitely not a model for handling losses.
It's illegal for a reason.

~~~
darawk
What information asymmetry? They didn't lie about anything. They offered
people a choice between repayment and equity. Some people chose equity, and to
be quite honest, I wish I had too. It seems like they're doing very well.

------
dmix
The 112k bitcoins stolen were worth $72 million at the time, they are now
worth $856 million (!). The loss they caused their customers is only getting
worse and worse.

------
salemoz
Bitfinex has a big pie chunk of bitcoin trading volume
[https://www.coingecko.com/en/coins/bitcoin/trading_exchanges](https://www.coingecko.com/en/coins/bitcoin/trading_exchanges)

Not going to afford another mtgox are we?

------
Geee
Every exchange has their own "virtual dollars", i.e. the user deposits. How do
you know they are real? Tether is just a way to securely transfer user
deposits between exchanges, and it's not more or less trustworthy.

~~~
nosuchthing
If the allegation is true that the supply of Tethers is created from nothing,
they would have the ability to trade their millions of "dollars" for other
cryptocurrencies, taking control of the supply of other blockchains.

~~~
Geee
Every exchange can fake their user deposits in the same way. Tether doesn't
change that. We have to trust their audits.

------
ISL
Cache:
[https://webcache.googleusercontent.com/search?q=cache:Hpndb2...](https://webcache.googleusercontent.com/search?q=cache:Hpndb2l0FX8J:https://medium.com/%40bitfinexed/bitfinex-never-repaid-their-tokens-bitfinex-started-a-ponzi-scheme-86a9291add29+&cd=1&hl=en&ct=clnk&gl=us)

------
raverbashing
LOL

Even better than a Ponzi Scheme, let's just sell "shares" of this "company"
(which by the way has a paper value of a very round and big ZERO) for cash

Toilet paper provides better value

Oh wait, he "buys low and sells high", that explains it.

~~~
keypusher
Bitfinex is the largest BTC exchange in the world, over $500 million per day
in volume today. Big days are multi-billion dollar volume. Like most
exchanges, they take a percentage cut of every transaction. This is not a
company with zero value. The "buy low sell high" arbitrage thing is from a
previous, unrelated business idea posted 5 years ago to a btc forum by the
founder of bitfinex. As far as I know, it never went anywhere.

------
themanual
> As Bitfinex has become more and more desperate, they have listed more and
> more crypto-currencies of questionable value, such as EOS/IOTA/ETP and so
> on.

EOS and IOTA are legit!

------
ionwake
my mtgox-spidey sense is a tinglin

------
pavlov
I really wish that HN had a rule where it would be mandatory for commenters to
disclose their holdings in any cryptocurrency threads. This would make it
easier to flag comments that look like they're just pumping a coin to improve
its search engine status.

If you're praising Bitcoin, EOS, IOTA or whatever FooBarToken, please add a
short note at the end to explain what you stand to gain. Either: "I'm long
IOTA", or "I don't own IOTA and have no plans to initiate a position on the
short term".

Similar rules apply at forums where penny stocks and other volatile
traditional securities are discussed, so it's absolutely not an unreasonable
thing to ask.

~~~
pc86
It's not unreasonable to ask but it's completely unreasonable to expect that
anyone pumping a coin on HN would have even the slightest inclination to be
truthful about their position.

~~~
pavlov
The disclaimer (truthful or not) serves two purposes:

1) For the pumper poster, it makes them more conscious of the lie. Promoting a
coin and forgetting to mention your holdings feels like a little white lie of
omission. Actively lying about your holdings feels like deceit.

2) For the reader, it’s an important reminder that a seemingly objective
technical-looking comment can be motivated by greed.

------
martinko
Lots of bullshit.

Just a few points:

A) Iota is a legit currency trying to do something new in the crypto space.

B) The listing of Bitcoin Gold did not 'create' 2 bn usd - if you tried to
liquidate even a fraction of that, you would drive the price to 0. There was
significant demand from traders and speculators for its listing (not that I
agree with it, but anyway).

C) Saying that a company that generates 30 mil. usd in revenues each month is
worthless is really laughable.

D) This author has had a bone to pick with bitfinex for a long time. I
consider him a shill with an agenda, and it is surprising that he is given so
much space (even on HN) to spew his BS.

edit: formatting

~~~
the_stc
IOTA made their own crypto, then when they got called on it they denied it mattered
at first. Then they backed down and said it was intentional! So that they
could destroy anyone else using their open source code. When pressed to
promise that they had not left more backdoors in, they refused. Of course they
had to refuse, these were accidental bugs rolling their own stuff.

That looks totally incompetent to me. Then mention centralized coordinator and
they throw fits. Refuse to discuss it because it is only temporary.

But judge for yourselves. Look at this nice comment by Vitalik Buterin
(Ethereum) and the childish retorts from the IOTA people:
[https://www.reddit.com/r/CryptoCurrency/comments/72l7kp/why_...](https://www.reddit.com/r/CryptoCurrency/comments/72l7kp/why_i_find_iota_deeply_alarming_eth_core_dev/dnk2zdy/)

~~~
martinko
Fair enough, the currency has questionable potential. However, the article
seems to imply that bfx lists some questionable currencies, and I feel that
that characterization is misleading.

