Alleged “Hack” Leaves BitGrail Insolvent
On February 9th, the Italian cryptocurrency exchange BitGrail released a public statement that it was rendered insolvent after an alleged hack of 17mln XRB (~$170mln). According to a Medium post by the Nano team, Francesco Firano (aka the Bomber) alerted the team of the losses the day prior in a Telegram chat. BitGrail suspended trading for XRB on the same day, as well.
XRB Markets currently unavailable.
— BitGrail Exchange (@BitGrail) February 8, 2018
In both the private chat and public statement, Firano/Bitgrail claims that the funds were stolen in a hack. At press time, this has not been confirmed, and what’s more, the community is not convinced. Reddit has taken up the investigative mantle in the matter, and a handful of theories have surfaced explaining the situation and making sense of the inconsistencies in Firano’s account of the events. But before we dig into theories, let’s look at what we know for sure and how we got here.
At 8:09am MT on February 8th, Firano contacted Colin LaMahieu and Zack Shapiro of the Nano team about a timestamp issue with Nano’s block explorer, a tool that allows users to inspect transactions on the blockchain. After exchanging words with Shapiro, Firano asked if he could get LaMahieu on that chat to hash out the issue, claiming “it’s urgent.”
Firano goes on to say that millions of XRB have been stolen from Bitgrail’s Representative 1 cold wallet reserve. These withdrawals were not approved by the exchange and, thus, are not on its database, Firano claims. Yet, the block explorer has them listed as occurring on January 19th, so Firano asked the team if the timestamps on the block explorer are accurate.
LeMahieu responds by saying that, since the timestamp is “just a local date to the explorer machine” and not the blockchain’s official public ledger, “it’s not a guarantee.” In a Medium post update published on the 11th of February, the Nano team explains that each transaction has a January 19th timestamp because “any transaction that was missing a date was updated with the date and time of [a server] migration” that occurred on the 19th.
According to the chat, Firano claims that 15mln XRB was stolen from the exchange’s cold wallet, while BitGrail’s official statement puts the figure at 17mln. The difference between these two amounts aside, either would leave the exchange insolvent, as Firano reveals that it only has 4mln XRB in reserve to cover losses.
At this point in the conversation, Shapiro presses Firano as to when he discovered the funds were missing. Firano claims that he became aware of the losses on the morning of February 8th, while Zack points out that the shady business had been “going on for months” according to the blockchain’s ledger.
Firano petitions for the Nano team to cooperate with him on fixing the situation, asking if they would consider forking Nano to restore the lost funds. They tell him no, and after debating the situation with each other for a day, they inform Firano that they don’t want to release a public statement with him. Firano responds by stating he’ll release the following version of events:
“Due to an xrb bug that caused the node to crash, the attackers forced the system to get double payments for which we have no trace of time due to another bug in xrb official explorer.”
The following problems, however, were not discussed in the Telegram conversation and the Nano team debunks them in their February 9th Medium post. Additionally, BitGrail does not stick to the story in its official announcement, instead attributing its insolvency to the alleged hack.
Further, in their Feburary 11th BitGrail Insolvency Update, the Nano team confirms that ~9mln XRB were withdrawn from BitGrail from October 19-23. One of these transactions was for a whopping 1mln XRB. The wallet that received these funds is the same that Firano originally cites in the Telegram chat, and what’s worse, the Nano team provides evidence proving that BitGrail had a timestamp of this transaction, something that Firano denies in the text conversation.
These revelations seem to lend credence to the Nano team’s statement in their prior Medium post:
“We now have sufficient reason to believe that Firano has been misleading the Nano Core Team and the community regarding the solvency of the BitGrail exchange for a significant period of time.”
Over the weekend, r/Cryptocurrency was abuzz with potential explanations and theories, as users posted tirelessly about how this could have happened under the noses of investors and developers alike. Most (if not all) the posts on Reddit deny that the insolvency is the result of a hack.
Currently, the most prevailing theory is that a few accounts took advantage of a bug in BitGrail’s design that doubled the account balance of deposited funds (i.e., if you deposited 2 ETH, the bug displayed an account balance on your exchange wallet of 4 ETH). This resulted in artificial account balances that, essentially, minted currencies on the exchange with nothing to back them. Thus, the malicious actor(s) took advantage of this glitch to withdraw the excess amounts, proceeded to arbitrage the amounts on other exchanges (in a few examples, Mercatox), and repeated the processed by re-depositing on BitGrail.
Ethereum is used in the above example because this glitch affected more than just XRB. According to one Reddit post, BitGrail users indicated as far back as three months ago that their accounts contained excess balances. If users have been exploiting this bug for as long as these posts suggest, this likely means the BitGrail’s funds have been hemorrhaging for quite some time. It could also mean that the exchange is insolvent in more than just XRB.
Testimonies of negative account balances that surfaced in January attest to these possibilities. In a January 4th chat in BitGrail’s Telegram, users were complaining about negative account balances in Ethereum and Nano, only to have the Telegram closed to the public the next day. Firano later acknowledged the negative balance in a January 18th post to the BitGrail subreddit, assuring users that this “bug” had been fixed.
So the TLDR of this theory: Opportunists exploited a flaw in BitGrail’s system to withdraw more funds than they had deposited and this lead to negative account balances for other users and the eventual insolvency of the exchange’s XRB funds.
Takeaways and Moving Forward
While most Reddit posts on the situation postulate that BitGrail is insolvent in more than just XRB, this has not yet been confirmed by any source or Nano’s ongoing investigation.
There are also theories/accusations that suggest that BitGrail/Firano moved funds between exchanges from January 17-19 in an attempt to recoup the exchange’s losses from the doubled account balances. Basically, these theories claim that BitGrail used Mercatox and KuCoin to arbitrage XRB in an attempt to become solvent after losing so many funds. Millions of XRB were moved between Bitgrail and Mercatox at a time when withdrawals for Nano were suspended on both exchanges. At this time, BitGrail had just mandated a KYC policy for verification. According to the theories, this and the withdrawal suspensions gave BitGrail the opportunity to lower the price of XRB on their own exchange, buy from their customers while cheap, and exchange it on KuCoin and Mercatox for a higher price.
A disclaimer about the above supposition: this is a theory of the community at large, not a proven fact, and Coin Central by no means endorses it as truth. The same can be said for any unconfirmed information in “The Theories” section of this article. Anything outside of what is document on BitGrail’s telegram, the chat between Farino and the Nano team, and what the Nano team has confirmed on their Medium posts is, at this point, unproven. That said, we feel as though it’s important to include the views of the community, as this is a community issue that has affected many of its members.
Further, the Nano team revealed on their Discord chat that the Mercatox team has agreed to comply with them in their investigation. As such, there’s no sufficient evidence to suggest that Mercatox is complicit in the heist. KuCoin and Binance have also pledged their support to aid the Nano team and to freeze any wallets that have interacted with the stolen funds.
We are in contact with Nano team (re: Bitgrail) and will freeze deposits from identified addresses as we receive them. This is one reason we require coin CEO/founder to submit listing requests. Binance will assist where we can. We need to work together to protect users.
— CZ (@cz_binance) February 10, 2018
When Coin Central reached out to the Nano team for comment, they assured us that “everything [they] know is public” and that they are “trying to be fully transparent” with the verifiable information at hand. As this story progresses, they’ll continue to update their Medium with developments, and we’ll also be tracking the story to post any worthwhile updates regarding the situation.
CoinCentral's owners, writers, and/or guest post authors may or may not have a vested interest in any of the above projects and businesses. None of the content on CoinCentral is investment advice nor is it a replacement for advice from a certified financial planner.