Neither the CFTC nor multi-sig are to blame for the Bitfinex hack
There are several complex issues, both in regulation and the technology, at play.
A hacker made off with $70 Million worth of Bitcoin held by Bitfinex. Some have observed that this hack came right on the heels of a CFTC-Bitfinex settlement that may have triggered a reworking of how Bitfinex stores its customers’ Bitcoins.
Before we talk about this it's important to get some things straight.
The CFTC is not a prudential regulator.* Their mandate is to prevent fraudulent conduct in the trading of futures contracts. Their mandate is not to guarantee the solvency of bitcoin custodians or to bolster the security of their platforms.
The rules in question in the Bitfinex settlement only apply to exchanges that offer leveraged or margin trading (i.e. borrowing extra bitcoin in order to make bigger trades). None of this is relevant to common exchanges where users can only trade what they have.
Under the Commodities Exchange Act (CEA), exchanges offering margin trading must register as a contract market or derivatives transaction execution facility,** and are subject to a whole host of CFTC regulations.
The CEA provides an exemption -- a way to avoid being subject to the statute and the requirement to register and be subject to CFTC regulation. That exemption applies if the margin trades on an exchange result in “actual delivery” of the underlying commodity. If so, the exchange does not need to register and comply with regulations.
"Actual delivery" is pretty easy to think about in the area of traditional commodities: a truck load of pork bellies ended up in my warehouse. Actual delivery in the Bitcoin context is less determined, and regulators together with technologists are still working out that interpretation.
So, in its settlement, Bitfinex paid a fine for failing to register as a contract market while doing trades that did not result in actual delivery. After the settlement, Bitfinex continued to do margin trading but did not register. We can, therefore, assume they changed their technical set up and the CFTC interpreted the new arrangement as actual delivery of bitcoins in leveraged trades (thereby exempting Bitfinex from the CEA).
By reading the Settlement and Order and Bitfinex’s Terms of Service, one can deduce that one of the things they did in order to achieve actual delivery was to move customer funds from a single, pooled wallet (presumably with the keys for that wallet in cold storage, i.e. offline), to multiple multisig customer wallets, where keys were controlled by various parties including the customer.
Now there are two wrong conclusions one might reach given this background:
WRONG CONCLUSION: the CFTC settlement forced Bitfinex to weaken their security.
WRONG CONCLUSION: cold storage is safer than multi-sig.
That first conclusion is wrong for many reasons:
Bitfinex could have continued to use their existing technical architecture and chosen to register as a contract market or derivatives transaction execution facility. This is another way to comply with the CFTC rules, although it is unclear if the CFTC is open to such registrations from Bitcoin exchanges.
Bitfinex could have used multi-sig in a way that did not result in the vulnerability exploited by this hacker.
The second conclusion is also very wrong:
Cold storage and multi-sig are just different security models. The relative security of one or the other is entirely dependent on how they are implemented. For example, I could put keys to a pooled wallet on a USB drive and hide it in my five-year-old niece’s dollhouse. That storage is cold (the dollhouse doesn't have Wi-Fi) but it's also a terrible idea. Also, I could create a multi-sig wallet and hand all of the multi-sig keys to my niece. This is also a really lousy plan, but neither scenario tells us about the relative safety of one security technology vs the other—only the implementation.
There is a fundamental difference in some multi-sig implementations that is relevant to the security question: if every customer has been given the unilateral ability to transact with their funds (because they retain sufficient keys to sign transactions and the service-provider only keeps a recovery key in the event the customer loses one of theirs) then there is no single point of failure. If the service provider is hacked, the only keys compromised are the single backup keys. To actually steal the bitcoins the hacker needs to also target and compromise every individual customer—a substantially harder task than compromising one server.
Every hack is a step back for our community and a revelation of the continued vulnerabilities in these technologies. But every hack is also an opportunity to learn and grow resilient: let’s make sure we don’t learn the wrong lessons this time around by drawing hasty conclusions about regulation or multi-sig.
Jerry Brito expanded on this post: What does the CFTC have to do with the Bitfinex hack?
*In an earlier version of this post we wrote "the CFTC is not a consumer protection agency." This is not accurate; the CFTC does do investor protection. Our point is that they are not a prudential regulator; i.e. a regulator who guarantees the safety and soundness of a custodian (e.g. a bank or a money transmitter).
**In an earlier version of this post we wrote "must register as a SEF." SEF may not be the most appropriate regulated form for a firm like Bitfinex, a contract market or derivatives transaction execution facility may be the appropriate registration.