On May 7th, the crypto community was shook as one of the largest exchanges of the cryptoverse became the unfortunate target of a serious security breach. Binance, one of the largest cryptocurrency exchanges by daily trade volume, lost an estimated $41.5 million worth of bitcoins (BTC) to malicious hackers, sending both the exchange and the crypto community into frenzy.
Binance’s CEO Changpeng Zhao, however, was quick in taking to Twitter to assure the community members that their bitcoin holdings were in fact safe. He revealed that there was only one affected transaction wherein the hackers managed to get away with 7,000 bitcoins and that they were only withdrawn from the exchange’s hot wallets, which only contain about 2% of Binance’s total bitcoin holdings.
He further assured the community members that the platform will be compensating for the lost Bitcoins through their very own Secure Asset Fund for Users (SAFU). Earlier today, Zhao shared some more security updates on the “security incident”, in light of maintaining transparency between Binance and its community.
According to the official post, the team is ardently working on revamping some of their security measures, procedures and practices. They include significant changes to the API, 2FA and withdrawal validation areas, areas specifically exploited by hackers in the security breach. The post further reassured the community that they are also working on improving their risk management in addition to user behavior analysis and Know-Your-Customer (KYC) procedures.
As the hackers employed a number of tactics, including phishing, Binance is also working on developing more innovative ways in order to fight phishing. Other than that, the team will also be adding soon hardware device support, such as YubiKey and other devices. Zhao simultaneously announced that they would run a give-away event where 1,000 YubiKeys will be distributed as soon as this feature is implemented.
Addressing specifically the single BTC transaction that cost the exchange about 7,000 BTC, Zhao said that many community experts are keeping a keen eye on every Binance wallet.
We are still investigating all other areas of the system to ensure no stone is left unturned. Furthermore, we are working with a dozen or so industry-leading security expert teams to help improve our security as well as track down the hackers.
Additionally, while not naming any of the platforms specifically, Zhao revealed that they are working closely with many exchanges and various other service providers in order to freeze the funds that were stolen.
The post held back on sharing too much information on Binance’s ‘post hack’ strategy because what they share with their community is ultimately being shared with their perpetrators. Zhao said in the post:
Please also understand hackers are reading every word we post and watching every AMA we host. Sharing too many security details actually weakens our security response strategy.
While tweeting the security measures being taken by the exchange, the term “Bitcoin-Reorg” popped up which kickstarted an escalating debate among the crypto community on Twitter. The idea was suggested a few hours after the hack when Jeremy Rubin, the developer behind Bitcoin’s and Stellar’s core code, tweeted to Zhao:
@cz_binance if you reveal your private keys for the hacked coins (or a subset of them) you can decentralized-ly at zero cost to you, coordinate a reorg to undo the theft.
— Jeremy Rubin (@JeremyRubin) May 8, 2019
How Would the ‘Bitcoin-Reorg’ Work for Binance?
Soon a thread was started on Twitter explaining how bitcoin reorganization would actually work for Binance.
The exchange would sign a bitcoin transaction which conflicts with the transaction that stole the $40M BTC, and instead gives some of this BTC directly to mining pools.
This transaction would obviously be invalid on the current Bitcoin blockchain (a double spend). However the Bitcoin blockchain (and any POW chain) is not immutable – the longest chain is always the real Bitcoin.
The thread further continued to explain the theory: if the value given to miners in the double spend transaction is high enough, it could make sense for them to reach back in time, mine that transaction instead of the original theft transaction, and then re-mine all of the Bitcoin blocks since then. This would also be profitable for the miners to do.
So it’s reasonable to assume that economically Binance could do this and pay say $15M out of the $40M stolen to miners. It seems like a win-win situation for both Binance and the miners. But what would it cost?
This move has the potential to hurt the confidence placed in bitcoin’s immutability and would crash the price of BTC to the point that it would no longer be profitable for anyone, including Binance.
Ever since Bitcoin’s inception, there have been very few changes to the blockchain’s transaction history in its 10 years of operation and those too were in cases of absolute dire emergencies.
Even the exchange’s CEO went on to dismiss the whole idea, listing out four reasons behind the platform not opting for reorganization. None of the reasons had anything to do with monetary cost, implying that bitcoin’s immutability and credibility is far important to Binance than their losses.
cons: 1 we may damage credibility of BTC, 2 we may cause a split in both the bitcoin network and community. Both of these damages seems to out-weight $40m revenge. 3 the hackers did demonstrate certain weak points in our design and user confusion, that was not obvious before.
— CZ Binance (@cz_binance) May 8, 2019
Zhao went as far as apologizing for even thinking of the term ‘Reorg’ in the official statement. It appears Bitcoin reorganization is a resounding no for Binance.
The exchange is looking to resume withdrawals and deposits sometime early next week. As per the statement, there are plenty of changes that need to be implemented, some of them will be done within a week’s window while others will be be added to the platform later on.