
BitGrail got hacked and is insolvent - chris_overseas
https://www.reddit.com/r/CryptoCurrency/comments/7wh2a1/bitgrail_got_hacked_and_is_insolvent/
======
Al-Khwarizmi
I had been following Nano (previously Raiblocks) since it was at around $0.5
(now $10). I was convinced it was going to go up due to the promising tech
compared to other cryptocurrencies. But I didn't buy due to exchange risk, as
the only exchanges carrying it were Bitgrail and Mercatox, both small
exchanges that didn't give me much trust.

I was a bit regretful when I saw how it skyrocketed in price, but now I know I
made a reasonable choice... of course, perhaps I would have sold some time ago
already and my money would be out of Bitgrail by now, multiplied by 10 or so.
Or maybe not. But the risk was very real all along.

To me, exchange hacks and exchange risks are the biggest problem for crypto to
be accessible to the mainstream. While we can't buy and store coins in a safe
and trusted way, it won't be ready for the average (even reasonably tech-
savvy) user.

~~~
adamnemecek
You can store them in a safe.

~~~
Al-Khwarizmi
Yes, if I had bought, I would probably have stored them in a local wallet. But
anyway, they must be on the exchange at least for the necessary time to make
trades, which is often more than one thinks as withdrawals tend to take time,
etc. And if the hack/scam/etc. hits precisely on the day that you're trading
or pending a withdrawal, you're out of luck.

Probably some Bitgrail users were minimizing the time their money was on the
exchange, but they were unlucky enough to have it there at the wrong moment.

And anyway, this is not the kind of thing people should need to think about if
we want crypto to become mainstream. If I place an order on my bank to buy
some shares, I don't need to be thinking that I should go to the bank as soon
as possible and request the original paper version of my shares (does that
exist anymore?) to store in my safe because it could get stolen from the bank
any day. The risk of that is so minimal no one but the most paranoid would
worry about it. Having significant risks of that kind totally kills crypto (or
at least all but the largest coins) as a mainstream option.

------
whyoh
BitGrail had bugs in their exchange code, which have been known for a while.
Many people reported that they deposited, say, 1 ETH and it showed as 3 ETH on
the BitGrail account. Or they withdrew some XRB, but then the same amount was
still on BitGrail so they could withdraw it again.

Perhaps some hackers knew how to reproduce this bug and were able to exploit
it, but there were obviously errors from BitGrail and they should take
responsibility.

~~~
tluyben2
Not sure about this one, but it seems many of these exchanges (and blockchain
solutions in general) were built by people with very little experience in
building financial transaction systems. Almost like they jumped on the
bandwagon although having little more experience than being a frontend dev. If
you worked with traditional financial transaction systems, HSMs, regulatory
bodies and their over-the-top audits, you will have more of a sense how to
design solutions like this. Might not apply here but from what you say it
seems likely.

~~~
tlrobinson
I’m kind of surprised there’s no open source exchange with much traction yet.

I think Buttercoin was the first attempt but they pivoted then failed. It
looks like there’s a few others but only a few small exchanges use them:
[https://www.reddit.com/r/Bitcoin/comments/37ku14/open_source...](https://www.reddit.com/r/Bitcoin/comments/37ku14/open_source_exchanges_blinktrade_vs_wlox_vs/)

Something that provides the core features of an exchange with focus on
excellent security and proof-of-solvency built-in would give small exchanges
(like BitGrail) a competitive advantage.

Additional benefits would include having a standard API others could more
easily write tools for, and opportunity to experiment with things like instant
cross-exchange transfers using payment channel / Lightning Network.

That said, it’s a pretty big undertaking. To do it well it would probably take
a funded (or already successful) exchange or other company with related
business model willing to do it.

------
ksutariya
Right now all the signs are pointing to the exchange owner as the culprit.

Multiple suspicious things occurred prior to this announcement. For example,
withdrawals were disabled for all unverified users and those who tried to
verify saw that the verification queue was severely backlogged. You could
terminate your account but only receive BTC regardless of what other
currency(s) you had stored (many users are reporting their accounts were
terminated but did not receive any BTC).

Some users reported that there was a bug that caused deposits to be
duplicated. Ex: Deposit 1 ETH and the transaction would show up twice in your
account therefore making your balance 2 ETH which then you could withdraw
successfully.

Disclosure: I had XRB at BitGrail
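
[Added example, not part of the original comments and not BitGrail's code.] The two symptoms reported in this thread, a deposit credited more than once and a withdrawal that leaves the balance in place, can arise when credits are not keyed to the on-chain transaction id and the debit is not atomic with queuing the payout. The thread does not say what BitGrail's code actually did; the sketch below shows a ledger that rules out both, and its table names, function names and sample values are assumptions.

```python
import sqlite3

def open_ledger():
    # Amounts are integers in the asset's smallest unit, so there is no float rounding.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE balances (account TEXT, asset TEXT,
            amount INTEGER NOT NULL CHECK (amount >= 0),
            PRIMARY KEY (account, asset));
        CREATE TABLE deposits (txid TEXT PRIMARY KEY,
            account TEXT, asset TEXT, amount INTEGER);
        CREATE TABLE withdrawals (id INTEGER PRIMARY KEY,
            account TEXT, asset TEXT, amount INTEGER, status TEXT);
    """)
    return db

def credit_deposit(db, txid, account, asset, amount):
    """Credit a deposit once; a repeated notification for the same txid is ignored."""
    with db:  # one transaction: commit on success, roll back on error
        cur = db.execute("INSERT OR IGNORE INTO deposits VALUES (?, ?, ?, ?)",
                         (txid, account, asset, amount))
        if cur.rowcount != 1:
            return False  # txid already recorded, balance untouched
        db.execute("""INSERT INTO balances VALUES (?, ?, ?)
                      ON CONFLICT(account, asset)
                      DO UPDATE SET amount = amount + excluded.amount""",
                   (account, asset, amount))
        return True

def request_withdrawal(db, account, asset, amount):
    """Debit and queue the payout in one transaction; return None if funds are short."""
    if amount <= 0:
        return None
    with db:
        cur = db.execute("""UPDATE balances SET amount = amount - ?
                            WHERE account = ? AND asset = ? AND amount >= ?""",
                         (amount, account, asset, amount))
        if cur.rowcount != 1:
            return None  # conditional debit matched no row: nothing is queued
        return db.execute("""INSERT INTO withdrawals (account, asset, amount, status)
                             VALUES (?, ?, ?, 'queued')""",
                          (account, asset, amount)).lastrowid

def balance(db, account, asset):
    row = db.execute("SELECT amount FROM balances WHERE account = ? AND asset = ?",
                     (account, asset)).fetchone()
    return row[0] if row else 0
```

The payout worker would send only rows from `withdrawals` marked `queued`, so coins never leave without a matching debit already committed.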

------
troydavis
Bitgrail’s announcement:
[https://bitgrail.com/news](https://bitgrail.com/news)

Scroll down for an English translation.

------
bhouston
Ethereum was really nice to the guys who made the DAO that was hacked? What
determines when a cryptocurrency decides to cooperate to undo a hack? Does it
come down to connections between those affected and the cryptocurrency
management?

~~~
bfuller
Trust that the ledger is actually immutable is what gives these tokens most of
their value. I guess if the devs decide the loss of confidence in their
product hurts less than the loss from the hack then it makes sense to go for
it.

~~~
tlrobinson
This is spot on.

Even Bitcoin has forked to roll back transactions, though not recently, and in
the past only due to protocol vulnerabilities, never 3rd party software like
the DAO or a hacked exchange.

I’d be wary of mature cryptocurrencies where this is feasible, especially if
it’s "fixing" something that doesn’t affect the majority of users.

