We have formally signed a letter of intent with BnkToTheFuture, the online investment platform for financial innovation and technology investment opportunities, to provide solutions towards compensating customers with equity in Bitfinex.
BnkToTheFuture will be providing a Special Purpose Vehicle (SPV) through which qualifying BFX token holders can contribute their tokens in exchange for an equity interest in compliance with their individual jurisdictions. Further details will be released in future announcements.
BnkToTheFuture has hosted funding rounds resulting in over $70m worth of investments from qualified investors over the past year including investments in BitPesa, Uphold, ShapeShift and many others. They now host the largest global community of qualified investors investing online in FinTech, Bitcoin, Blockchain and Technology companies.
You can read more about BnkToTheFuture and how we’ll be cooperating on their blog.
We are now in a position to offer our customers and the public updates on a few key areas associated with the security breach that occurred on August 2nd. Specifically, we want to provide you with preliminary information about the breach itself and about security enhancements that have been made to prevent its recurrence. We also need to give you some further background on the commitment of resources to the effort to satisfy outstanding customer losses through the tokens.
Ledger Labs Inc., a top blockchain forensics and technology firm, is undertaking an analysis of our systems to determine exactly how the security breach occurred and to make our system’s design better going forward. We engaged Ledger Labs in the hours immediately after the attack happened. The investigation is ongoing. We are also in the process of engaging Ledger Labs to perform an audit of our complete balance sheet for both cryptocurrency and fiat assets and liabilities [See footnote for update]*.
The exact attack vector is as yet unknown, but Ledger Labs has already identified certain areas in our architecture that can be improved. Ledger Labs is working closely with our development and operations personnel to ensure that all of their recommendations are understood and fully implemented. The key security breach, which allowed the amount of bitcoins released by BitGo to be increased without BitGo realizing it or alerting us, has been squarely addressed. We have currently suspended use of the BitGo segregated multi-signature wallet solution and have re-implemented robust and safe multi-signature cold storage procedures, with minimal coins exposed on our hot wallet. We are reassessing our storage options, both internally and with potential third party multi-sig vendors.
We would like to address some stories that have circulated online stating that management has contributed no property to compensating our customers. This is false. Management has committed all reserves of the business with a view to making our customers whole. Moreover, any principals and employees of the business with any property on Bitfinex were subject to the loss allocation. In point of fact, two out of the top ten BFX token-holders are in our management team. We assure everyone that we feel the loss acutely, both as a company and as individual customers.
However, we need to be clear that we have also, after committing those resources, held back certain amounts to pay our forensic investigators, to hire auditors and other advisors to work through these issues, to build our systems so that this security breach does not happen again, and for other contingent liabilities—all of which takes time and money. Our best efforts to repay customers can only bear fruit with the determination and resources to make it happen. We are committed to deploying all of our resources to getting this done. To the extent that reserves are not needed for these purposes, they will be used to redeem token-holders as quickly as possible.
We are actively engaged with efforts to convert certain qualifying token-holders to shareholders of Bitfinex and to redeeming the remaining BFX tokens through a combination of new capital and earnings. We have re-enabled most of the features on the platform and are deeply grateful to our customers, who continue to trade with and help us rebuild our brand. As always, we continue to listen to our customers and welcome their feedback, questions, and concerns.
We will continue to provide further updates as and when we are able.
The Bitfinex Team
* Update (4-5-17): Ledger Labs has not been engaged to perform a financial audit of Bitfinex. When in initial discussions with Ledger Labs in August 2016, we had initially understood that they could offer this service to us. Our discussions with Ledger Labs were continuing at the time of publication of this blog post. However, we should clarify that Ledger Labs’s role was limited to security and investigative services related to the security breach. We understand that they do not offer auditing services to clients. We are in the process of engaging a reputable, third party accounting firm to audit our balance sheet, but this continues to take longer than anticipated and than we would want. We apologize for any confusion in this matter.
Today, August 10th, 2016, at 16:00:00 UTC we will be enabling additional platform features as we continue to restore service after the incident on August 2nd. Exchange trading will be enabled for all currencies and pairs, while deposits and withdrawals will be enabled for BTC, ETC, ETH, and USD - with LTC and Tether to follow shortly thereafter. Exchange trading will also be enabled for the BFX token on pairs BFXUSD and BFXBTC. We are working on tokenizing BFX via the Omni Layer to allow withdrawals for the BFX token, but we are still working out some protocol level details. Please note that U.S. residents will only be able to sell—not buy—BFX tokens at this time. Terms for the BFX token are available here. Requirements for token transfers are here. Margin Trading will be re-enabled for non-U.S. residents later this week.
In the past week, we have taken significant steps to ensure that we can restore service in a secure environment. We have added additional platform and infrastructure security checks; regenerated all encrypted services, including wallets, security tokens, and passwords; moved funds to multisig cold storage; re-evaluated all third-party integrations; performed a comprehensive system audit in order to identify vulnerabilities; and, rebuilt our entire platform on new infrastructure.
Please note that we have invalidated all deposit addresses that were generated before August 9 19:00:00 UTC for all cryptocurrencies except Tether USDT. Please do not deposit to these older addresses as this will cause substantial delay in deposit processing. All deposit addresses now shown on the site or generated by the API are the new addresses. Please be sure to use these new deposit addresses when depositing cryptocurrencies.
We are aware that many questions remain and we intend to discuss the theft, the distribution of losses, and our recovery plan in follow-up announcements. We are trying to be as transparent as we can be while we continue to try to make the best of a terrible situation. We regret the loss that took place, but we continue to remain confident in Bitcoin, the trading community, and our plan to compensate our customers. As always, we remain open to constructive commentary and suggestions from all sides.
We are beginning the process of bringing the platform online in a controlled and secure way. Currently the site is available on a read-only basis as we continue to work towards enabling full functionality. This means that users will be able to log into their accounts but trading, depositing, and withdrawing will remain disabled at this time.
Please be aware of the following changes required by the ongoing platform recovery:
Please take this time to log in and review your account and balances, taking note of the adjustments caused by the closing of open margin positions and the application of the Extraordinary Loss Adjustment. The loss adjustment is represented by your balance in “BFX” tokens which are priced at 1.00 USD until we are able to allow trading of that token, likely within the next week. The trading of BFX tokens may be restricted for US customers.
Full platform functionality will come online in progressive steps in the coming days. Withdrawing, depositing and exchange trading will come online first, with margin trading (for non-US customers) to resume sometime after that. Further announcements will be made when the schedule for turning on those features is finalized. Once again, we thank you for your patience.
The Bitfinex Team
Following the theft on August 2nd, the Bitfinex team has been working tirelessly towards bringing the platform back online in a secure and controlled manner. We have finalized the accounting of losses incurred and are currently coordinating strategic plans for compensating customers.
We intend to come online within 24-48 hours with limited platform functionality. Additional announcements will be made as we progressively enable more platform features and return to full operations. We appreciate that our customers and the public want this handled quickly, but it needs to be done a way in which all assets are secure and immune from vulnerabilities. Every resource is being leveraged to make that happen in a safe and optimal way.
As disclosed in earlier announcements, all withdrawals, open orders, and open funding offers have been canceled and all financed positions have been settled. Exact settlement prices were published on August 3rd.
After much thought, analysis, and consultation, we have arrived at the conclusion that losses must be generalized across all accounts and assets. This is the closest approximation to what would happen in a liquidation context. Upon logging into the platform, customers will see that they have experienced a generalized loss percentage of 36.067%. In a later announcement we will explain in full detail the methodology used to compute these losses.
We are actively discussing various strategic options with numerous potential investors as part of our strategy to fully compensate our customers. Such discussions, however, are in early stages and will likely take time to play out. In the meantime, In place of the loss in each wallet, we are crediting a token labeled BFX to record each customer’s discrete losses. Tokens will be distributed without release or waiver. The BFX tokens will remain outstanding until redeemed in full by Bitfinex or possibly exchanged—upon the creditor’s request and Bitfinex’s acceptance—for shares of iFinex Inc. We are still sorting out many details on this; we will post further updates in the coming days.
Thank you for your continued patience and for the many generous offers of support that we have received over the last several days. Notwithstanding this attack, we continue to believe in the possibilities associated with bitcoin. We will continue to update our customers and the public as and when we can.
We have received reports that phishing emails are being circulated from an address made to appear to be from Bitfinex. The email is in fact sent from @ibitfinex.com (notice the additional "i" in the domain name).
This is not a message sent out by Bitfinex and we advise anyone that has received this email or any similar email to delete it immediately. It appears the attachment on this email contains a virus. If you have opened this email's attachment, please do a system virus scan and take other necessary precautions to preserve your security and privacy.
If there is ever a doubt about the validity of a Bitfinex email or communication please send an email to [email protected] to inquire and we will be happy to confirm or deny the validity of the communication.
The malicious email begins like this:
We apologize to you for our inconveniences appeared in result of security incident. We intensively work with the law enforcement agencies to find out guilty people to make answer.
Again, this email is not from Bitfinex. It is an impostor sending phishing emails with an attachment containing a virus.
We are currently in an ongoing process of restoring limited functionality in a secure environment, with full functionality coming afterwards in progressive stages. The first step is bringing the site online and allowing users to login and view the state of their accounts. Note that initially trading, deposits, withdrawals, and other core site functionality will be disabled.
To accommodate the relaunch, all withdrawals, open orders, and open funding offers will be canceled. Furthermore, in order to compute losses for relevant parties, settlement of all financed positions will occur in all accounts. Margin positions for all pairs will be settled and closed using the following prices, representing the midpoint of the bid and ask on August 2, 2016 at 18:00:00 UTC:
Further announcements about the next steps of the relaunch will be posted as progress is made. All significant changes to feature availability will be announced in advance. We will strive to keep you as informed as we can.
Today we discovered a security breach that requires us to halt all trading on Bitfinex, as well as halt all digital token deposits to and withdrawals from Bitfinex.
We are investigating the breach to determine what happened, but we know that some of our users have had their bitcoins stolen. We are undertaking a review to determine which users have been affected by the breach. While we conduct this initial investigation and secure our environment, bitfinex.com will be taken down and the maintenance page will be left up.
The theft is being reported to — and we are co-operating with — law enforcement.
As we account for individualized customer losses, we may need to settle open margin positions, associated financing, and/or collateral affected by the breach. Any settlements will be at the current market prices as of 18:00 UTC. We are taking this necessary accounting step to normalize account balances with the objective of resuming operations. We will look at various options to address customer losses later in the investigation. While we are halting all operations at this time, we can confirm that the breach was limited to bitcoin wallets; the other digital tokens traded on Bitfinex are unaffected.
We will post updates as and when appropriate on our status page, bitfinex.statuspage.io. We are deeply concerned about this issue and we are committing every resource to try to resolve it. We ask for the community’s patience as we unravel the causes and consequences of this breach.
Starting at 12:30 UTC we will enable margin trading for the the ETC pairs ETCBTC and ETCUSD. Margin funding will also be enabled at this time, allowing users to place ETC margin funding offers and bids.
Margin requirements for ETC trading will be identical to those of BTC, LTC, and ETH: 30% initial margin (3.3x leverage) and a 15% maintenance margin requirement. Positions on ETC pairs can be backed with BTC, USD, ETH and/or ETC.
Please note that we cannot extend ETC margin trading privileges to our US-based customers at this time - we apologize for the inconvenience.
Today the Ethereum foundation announced plans for an Ethereum hard fork to recover the funds from the DAO exploit.
This hard fork is planned to occur at block 1,920,000, which should be on July 20th or 21st depending on your time zone.
In anticipation of this hard fork we will suspend all deposits and withdrawals starting at block 1,919,744 (approximately one hour before).
We will reenable deposits and withdrawals when we are confident that the longest valid chain has been clearly decided.
During this time exchange trading, margin trading, and margin funding will all continue to operate as usual.
Upon re-enabling deposits and withdrawals we will put up a notice on the website as well as bitfinex.statuspage.io, and Twitter (@bitfinex), so please monitor any one of these mediums to stay up to date.
If you have any questions don’t hesitate to let us know, you can email us at [email protected]