[Note: I neither own nor have any trading position on any cryptocurrency. The views expressed below are solely my own and do not necessarily represent the views of my employer or any organization I advise.]
About two years ago I gave a speech discussing the challenges cryptocurrency-related companies have had in creating reliable internal financial controls. How over the span of a few short years the cryptocurrency startup landscape (un)intentionally reinvented the same type of intermediaries, custodians, and depository-like structures that the original creator(s) of Bitcoin wanted to route around but… setup without the oversight, assurances, and accountability you would find required in the traditional brick-and-mortar world.
The lack of financial controls and subsequent pitfalls is easily identifiable in the irrational exuberance of the get-rich-quick “initial coin offering” (ICO) world. I’ll save my ICO post for later, but there is one story that is a bit more concrete and easier to understand and involves a company called Bitfinex.
Bitfinex, as measured in terms liquidity and volume, is considered the top global cryptocurrency exchange. It is nominally headquartered in Hong Kong, has (had) bank accounts in Taiwan, servers in Europe (Italy?), operations in San Francisco and a staff around 30 altogether.
Above is a speculative corporate structure created back in September 2016 by an internet user by the name of RobotFinance. He created it “based on the last annual return of Renrenbee Limited and statements made in the pitch forum.” Unless you are registered as a user with BnkToTheFuture, you cannot view the pitch deck but an alleged copy of the Bitfinex deck can be found here and a discussion of it here. These leaked allegedly legitimate documents also suggest that Bitfinex did an equity swap at a $200 million valuation which was based on their financial growth and targets before they lost roughly $65 million in customer assets due to a hack that will be described below.
This post is not intended to single out Bitfinex as there are any number of other exchanges and wallet providers that could be looked at as well. Nor is it intended to dive into all of the subsidiaries or even the entire history of the parent company or the cryptocurrency platform. Rather it serves an illustration as to how new technology and financial controls could help increase visibility and transparency for all stakeholders involved thereby reducing the risks for users and retail investors (among others).
Last November I published an internal paper that may be released later this year which explored the proposed Winkleovss COIN ETF. In it, I highlighted a detailed history of various cryptocurrency exchange platforms and their colorful pasts, some more sordid than others.
Rather than rehash all of those stories, below are a few details specifically related to Bitfinex:
- In May 2015 Bitfinex was hacked and lost around 1,400 bitcoins (then worth around $350,000). In August 2016, Bitfinex was hacked again and lost roughly 120,000 bitcoins (at the time worth around $65 million). In the first hack, Bitfinex basically ate the losses themselves.
- Following the second hack, Bitfinex announced a way to compensate its customers. Why did it need to compensate the customers? Because, following the second hack, it socialized the losses, seizing the remaining customer assets and gave nearly all of them a 36% haircut. In exchange for giving everyone a haircut, Bitfinex then self-issued two different “tokens” called BFX and then later RRT. These two tokens (or IOUs) effectively enabled Bitfinex to monetize their debt/losses.
- According to their announcements, over 20 million BFX tokens were issued and exchanged for iFinex shares and then distributed to all affected users. As a result, Bitfinex basically conducted, from the perspective of a user, a non-voluntary ICO where participation was mandatory, as the BFX token was directly linked to equity of the parent company and users/customers could (later) trade BFX on the Bitfinex exchange. In addition, according to a post last summer from their head of communications, “two out of the top ten BFX token-holders are in our management team.” It is never revealed who these parties are or how they were made whole (or not). Furthemore, “certain verified, non-U.S. Bitfinex users to convert tokens to equity through a new BFX Trust.” They set up a dedicated BFX Trust site but did not include the verification requirements for non-accredited BFX holders. Nor is there public information about who all of the Principals are and the holdings they have.
- RRT, the acronym for Recovery Rights Tokens, are opt-in coins issued, “to compensate victims of the security breach and, thereafter, to offer a priority to early BFX token conversions.” It is unclear how many of these coins were issued or how many were redeemed.
- To this day, the Bitfinex still has not disclosed exactly how they got hacked and last year even published an open letter to try and negotiate with the hacker; asking to return the funds as part of an ex post facto “bug bounty.” It is believed that the hacker bypassed the transaction limits set in place by the BitGo multi-sig wallet but that is a story for another post.
- Prior to this hack, on June 2, 2016, the Commodity Futures Trading Commission announced that it had fined and settled with Bitfinex for offering regulated products without having properly registered to do so. This is important because several vocal Bitcoin proponents have distorted the actual historical events. According to the communications director of Bitfinex last year, “Bitfinex migrated to the BitGo setup before any discussion or anything with the CFTC happened.” In other words, this hack was not caused by the CFTC.
- On April 3, 2017 Bitfinex announced that it was completing the redemption of all BFX tokens and they would all be subsequently destroyed.
How did Bitfinex manage to pay off tens of millions of dollars of self-issued debt in a span of less than 8 months?
Three explanations given by Bitfinex include:
- Because Bitfinex is a popular trading venue and lists a number of other cryptocurrencies including Ether (both ETH and ETC), it generated enough cash-flow in the form of transaction fees to carve off some of the losses.
- Outside investors, through BnkToTheFuture, exchanged fresh capital in exchange for BFX tokens and equity.
- Bitfinex had a reduction in their contingent liability reserves.
Another more recent speculative theory explores the connection between BFX redemptions and a cryptocurrency called “Tether.”
What is Tether?
Its exact relationship status is complicated. Depending on who you talk to that is affiliated or was affiliated with Bitfinex, Tether Limited is a partially, or fully, or not-at-all owned subsidiary of Bitfinex. Tether was announced in July 2014 and was originally called “Realcoin.”
And one of the continual challenges in trying to follow this saga is that Bitfinex representatives, co-founders, and investors often post key comments in disparate social media channels across reddit, Twitter, Youtube, WeChat, TeamSpeak, Telegram, and others. For instance, there are several different reddit threads discussing the Tether terms of service involving a co-founder and another one with the general counsel, but this material is not centralized in a way for users to easily follow it all.
Tether Limited is also a regulated money service business and has applied to operate in nearly every US state and territory (see above).
What are tethers?
According to the official terms of service:
Based on the information above, tethers are not money or currency and may not necessarily be redeemable for money.
In practice a “tether” is intended to be a type of “stablecoin.”
What is a stablecoin you ask?
Because cryptocurrencies lack any native ability to rebalance or readjust themselves relative to a pricing index, their continual volatility (as measured by purchasing power) causes headaches and risks to users, including those moving money across borders. That is to say, in the time span it may take to satisfactorily confirm 1 bitcoin being transferred from your wallet to a merchant overseas, the market price may have moved a percent or two or three.
What if there was some way to lock-in a set price and not be exposed to these constant swings in price? Some merchant processors like BitPay and cryptocurrency OTC trading desks do quote and lock-in prices over a period of minutes, but these are not usually targeting the cross-border payment and remittance market.
Another proposed solution, albeit one that involves similar counterparty risk, is a stablecoin which is a pegged value guaranteed or at least marketed as being pegged on par to a specific exchange rate. The risk in this case is that the exchange operator might not fulfill his or her end of the deal (e.g., abscond with the funds).
There have been several theoretical approaches to creating a native stablecoin and a few efforts to actually implement them in the wild. Last year JP Koning chronicled the fate of one of them called NuBits. On reflection: at some point they all fail, their peg ends up failing for one reason or another.
And tether is no exception.
Tether is not so tethered
Originally 1 unit of tether was supposed to be equivalent to $1 USD. At the time of this writing it has fallen to $0.93.
While Bitfinex has made a few public statements about “pausing” wire transfers, there has been no major public statement explaining the precise nature of the drop in tether price. So a small army of internet users have pieced together a probable theory and it comes back to how Bitfinex operates.
Earlier this month, a lawsuit revealed that Bitfinex had sued WellsFargo – who had refused to process their wires and returned the USD-denominated funds – a bank that is integral to its correspondent banking relationships. About a week later Bitfinex withdrew its lawsuit but not before people poured through the documents.
In summary we learned that Tether (which is named in the court documents) is a mechanism for enabling cross-border money flows; although we cannot say what the exact purpose was for these money flows is (e.g., pay for college tuition? buying a home? paying for a large order of buttery popcorn?).
Over a span of a few months, tens of millions of USD had been wired through WellsFargo into and out of four different banks in Taiwan which Bitfinex, Tether Limited, and other affiliated subsidiaries had commercial bank accounts with. At some point this past March or perhaps earlier, someone on the compliance side of WellsFargo noticed this large flow of USD and for one reason or other (e.g., fell within the guidelines of a “suspicious activity report“?), placed a hold on the funds.
In early April Bitfinex’s parent company, as noted above, filed a lawsuit for WellsFargo to release these funds. But about a week later retracted its suit.
According to a recent post from Mark Karpeles, the CEO who helmed Mt. Gox prior to its infamous bankruptcy, these actions set in motion a type of Streisand Effect: the lawsuit became newsworthy on mainstream media sites and consequently other banks — and compliance personnel at other banks — learned about the cryptocurrency exchange called Bitfinex and might (have) become wary of doing business with them.
We can only speculate as to all of what happened next, but we do know for certain that the bank accounts Bitfinex and Tether used in Taiwan were either fully terminated and/or unable to withdraw USD from late March until at least the time of this writing.
This is not the first time Bitfinex has been “debanked” before. Phil Potter, the CFO of Bitfinex, recently gave an interview and explained that whenever they have lost accounts in the past, they would do a number of things to get re-banked.
In his words: “We’ve had banking hiccups in the past, we’ve just always been able to route around it or deal with it, open up new accounts, or what have you… shift to a new corporate entity, lots of cat and mouse tricks that everyone in Bitcoin industry has to avail themselves of.”
But this story isn’t about debanking cryptocurrency companies, a topic which could include the likes of Coinbase (which has been debanked multiple times as well).
Because there is currently no USD exit for Bitfinex users, a price discrepancy has noticeably grown between it and its peers. The spread between exchanges is typically a good indication of how difficult it is to move into and out of fiat in a country as there are boutique firms that spend all day and night trying to arbitrage that difference.
In the case of Bitfinex, the BTC/USD pair now trades at about $50 to $75 higher than other exchanges such as Bitstamp. This ties back into the challenges Mt. Gox users had in early 2014, as the ability to withdraw into fiat disappeared, the market price of bitcoins on Mt. Gox traded at a dramatically different level than other cryptocurrency exchanges.
That is not to say that what is happening at Bitfinex is the same thing that happened at Mt. Gox. However, there have not been many publicly released audits of most major exchanges in the wake of Mt. Gox’s bankruptcy three years ago. Noteably, BTC-e publicly stated it would begin publicly publishing accounting statements certified by external auditors. It and its peers have not.
More questions than answers
About nine months has passed since the largest (as measured by USD) single successful attack took place on a cryptocurrency platform. Yet there are still many lingering questions.
For instance, on August 17, 2016, Bitfinex announced that they had hired Ledger Labs who, “is undertaking an analysis of our systems to determine exactly how the security breach occurred and to make our system’s design better going forward.”
According to one post, Michael Perklin was the Head of Security and Investigative Services at Ledger Labs and part of the team leading this investigation. However in January 2017 a press release announced that Perklin was joining ShapeShift as the Chief Information Security Officer; his profile no longer exists at Ledger Labs.
Thus the question, what happened to the promise of a public audit?
Nearly two months ago, the SEC rejected a rule change for the COIN ETF to be listed on the BATS exchange. Last week, the SEC said it would review that ruling.
Among other comments, the original 38 page ruling (pdf) gave a number of reasons why the Gemini-listed Winklevoss COIN ETF was being rejected. In the Commission’s words:
First, the exchange must have surveillance-sharing agreements with significant markets for trading the underlying commodity or derivatives on that commodity. And second, those markets must be regulated.
Later the Commission also writes that:
The Commission, however, does not believe that the record supports a finding that the Gemini Exchange is a “regulated market” comparable to a national securities exchange or to the futures exchanges that are associated with the underlying assets of the commodity – trust ETPs approved to date.
While the Gemini exchange is regulated in New York through a Trust charter, the vast majority of cryptocurrency exchanges and trading venues whose funds flow into and out of Gemini, are not.
It is unclear what will happen to Tether holders, if they will ever be made whole. Or what will happen to Bitfinex and future bank accounts. Or if the COIN ETF and other similar cryptocurrency-denominated ETF’s will be green-lit by securities regulators. Maybe these are all bumps in the road.
What we are a little more certain about:
(1) The Bitfinex hackers are still at large and no public post-mortem has been done to explain how it happened and what will be done to prevent future attacks.
(2) The unilateral self-issuance of the BFX “cryptoequity” was not done in a fully transparent manner as some customers had bigger haircuts than others nor is it clear if the extinguishing of these BFX coins was done through the use of tethers.
(3) That the tether “stablecoin” is not inherently stable and depends on fiat liquidity via the international correspondent banking network which raises the question of how to stabilize tether in the event that Tether Limited loses its bank accounts again.
(4) That marketplaces such as Bitfinex — despite a general lack of transparency (where is the “About” page with executive bios?) — are still used as part of the weighting mechanisms in ETFs, including at one stage the Winkdex (which has since been deprecated) as well as the current Tradeblock XBX index used in a couple other proposed ETFs.
As mentioned at the beginning of the post, the current trend over the past four years is that as Bitcoin intermediaries continue to operate as intermediaries and trusted third parties they increase their chances of regulatory scrutiny and oversight.
This empirical fact versus the original theoretical cypherpunk vision is arguably a type of cognitive dissonance. As Section 1 of the Nakamoto whitepaper explained:
Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services.
The Bitfinex hack that occurred in August 2016 created measurable amounts of new transactions costs that ended up being mediated through a wide array of social media channels; non-reversibility does not appear to have helped reduce these costs. For all of the “backed-by-maths” and “epistemological” talk about routing around trusted third parties, Bitfinex and its peers, still play a key role in providing continuous fiat <–> cryptocurrency liquidity to the marketplace. And as illustrated with the lawsuit above, by in large, these exchange platforms heavily depend on banking access moreso now than at any other time before.
Last summer I proposed a Kimberley Process for Cryptocurrencies: in which market participants met with various regulatory stakeholders to iron out how to stop predators, remove encumbrances, and create best-practices for financial controls in this nascent space.
As more cryptocurrency platforms attempt to comply with a variety of regulations including the surveillance collection and sharing requirements (e.g., KYC and AML), this will likely increase the demand for the tools found in the growing field of “regtech.”
For example, if Alice can cryptographically prove the chain-of-custody from her customer to her customers customer, then she may be able to comply with the banks surveillance requirements and maintain her bank accounts — and international wiring access — as she grows her remittance platform.
There is a set of technology under development and in early pilots that enables authentication, provenance tracking, and document management and much of it involves digital signatures, standardized/mutualized KYC processes, and permissioned distributed ledgers. Documentation management, in this case, goes beyond just hashing and timestamping documents to include automatically updating legal agreements and contracts over their entire lifecycle.
Some of it also involves sophisticated data analytic tools created by startups such as Blockseer and Chainalysis. Universities such as UCL are automating regulatory processes. And on the enterprise side, there are companies that have built a shared KYC registry and other identity-related tools for highly regulated financial institutions to comply with a battery of reporting requirements.
Whether these will be adopted by the cryptocurrency community is another matter, but these tools will soon exist in full production mode and could help provide better visibility, auditability, and transparency for investors, users, entrepreneurs, law enforcement, compliance teams, and regulators around the world.
If you’re interested in learning more about these mechanisms, feel free to reach out or leave a comment below.