The Nano-Bitgrail saga is now over, and it’s changed cryptocurrency
What a ride. Let's not do that again.
BitGrail never had an especially good reputation. Even before a massive theft put the exchange under, its operator Francesco "The Bomber" Firano was often accused of lacking both the technical competence and the wisdom to near-single-handedly run a cryptocurrency exchange.
As authorities trawled through a mountain of evidence following the incident, they found ample evidence to support these accusations.
The issue has been settled now, with BitGrail as a business and Firano personally being declared bankrupt and ordered to pay back customers as much as possible.
The resulting saga left an indelible imprint on cryptocurrency in the form of an emerging legal precedent and an absolutely incredible example of what not to do if you're running an exchange.
Bad decisions, decisions
BitGrail had almost accidentally put itself in the position of being one of Italy's only cryptocurrency exchanges, and one of the only places to trade Nano, during 2017 when cryptocurrency in general and Nano in particular were booming in popularity.
So almost by accident, Firano had quickly gone from running a scrappy trading venue for a handful of Italian bitcoin enthusiasts, to running a scrappy trading venue for hundreds of millions of dollars in digital assets from customers around the world. All exchanges at the time had the same experience, but navigated it with widely varying degrees of grace.
With the case now settled and lots of dirty details aired, it's now possible to look back at the entire incident from start to finish, and really marvel at some of the incredibly bad decisions made along the way.
First mistake: Not reading the manual
The thieves took advantage of an oversight on BitGrail which allowed people to withdraw more funds than they should have been able to.
Basically, it was possible to submit the same withdrawal request to BitGrail more than once, and it would honour every copy. The theft was literally just someone making the same withdrawal request multiple times on BitGrail, at which point BitGrail would tell the blockchain to send a separate payout for each copy instead of recognising them as duplicates of one request. BitGrail failed to implement "idempotency", as the lingo goes.
The need to implement idempotent transactions for Nano was known at the time. It wasn't some kind of newly discovered vulnerability. Firano didn't feel the need to thoroughly read the available documentation or engage with developers when adding Nano to BitGrail.
Just slap it in there, it's probably fine. What's the worst that could happen?
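To make the failure concrete, here is a toy model of an exchange withdrawal pipeline written for this article (it is not BitGrail's code, and the request-queue-then-worker flow, the users, balances, addresses and request keys are all constructed assumptions). The "before" version queues every submitted request and checks only the confirmed ledger, so a request replayed three times produces three on-chain sends and a negative balance. The hardened version deduplicates on a client-supplied idempotency key, so replays get the original request id back with no new payout, and it places a hold on the amount at request time so that "available" stays honest while a withdrawal is pending.

```python
"""Toy exchange withdrawal pipeline: NaiveExchange (non-idempotent 'before')
beside IdempotentExchange (dedupe on idempotency key + hold on pending amount).
All users, balances, addresses and keys are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Withdrawal:
    request_id: str
    user: str
    amount: int      # constructed integer units, not a real Nano denomination
    address: str
    sent: bool = False


@dataclass
class Chain:
    """Stand-in for the node RPC: records every send it is asked to make."""
    sends: list = field(default_factory=list)

    def send(self, address, amount):
        self.sends.append((address, amount))
        return f"block-{len(self.sends)}"   # fake block identifier


class NaiveExchange:
    """'Before': no request deduplication, no hold on pending withdrawals."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.queue = []
        self.chain = Chain()

    def request_withdrawal(self, user, amount, address):
        # Checks the confirmed balance only; already-queued requests are ignored.
        if self.balances[user] < amount:
            raise ValueError("insufficient funds")
        w = Withdrawal(f"w{len(self.queue) + 1}", user, amount, address)
        self.queue.append(w)
        return w.request_id

    def process_queue(self):
        """Worker step: pay out everything queued; returns total sent on chain."""
        for w in self.queue:
            if not w.sent:
                self.chain.send(w.address, w.amount)
                w.sent = True
                self.balances[w.user] -= w.amount   # can drive the ledger negative
        return sum(amount for _, amount in self.chain.sends)


class IdempotentExchange:
    """Hardened: replays return the original request; holds reserve funds."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.held = {u: 0 for u in balances}
        self.by_key = {}       # (user, idempotency_key) -> Withdrawal
        self.queue = []
        self.chain = Chain()

    def available(self, user):
        return self.balances[user] - self.held[user]

    def request_withdrawal(self, user, amount, address, idempotency_key):
        key = (user, idempotency_key)
        if key in self.by_key:
            existing = self.by_key[key]
            if (existing.amount, existing.address) != (amount, address):
                raise ValueError("idempotency key reused with different parameters")
            return existing.request_id          # replay: same answer, no new payout
        if self.available(user) < amount:
            raise ValueError("insufficient available funds")
        self.held[user] += amount               # reserve before queueing
        w = Withdrawal(f"w{len(self.queue) + 1}", user, amount, address)
        self.by_key[key] = w
        self.queue.append(w)
        return w.request_id

    def process_queue(self):
        for w in self.queue:
            if not w.sent:
                self.chain.send(w.address, w.amount)
                w.sent = True
                self.balances[w.user] -= w.amount
                self.held[w.user] -= w.amount
        return sum(amount for _, amount in self.chain.sends)


def replay_demo(copies=3):
    """Submit one 100-unit withdrawal `copies` times against each exchange."""
    naive = NaiveExchange({"alice": 100})
    hardened = IdempotentExchange({"alice": 100})
    for _ in range(copies):
        naive.request_withdrawal("alice", 100, "nano_dest")
    ids = {hardened.request_withdrawal("alice", 100, "nano_dest", "req-7f3a")
           for _ in range(copies)}
    return {"naive_sent": naive.process_queue(),
            "naive_balance": naive.balances["alice"],
            "hardened_sent": hardened.process_queue(),
            "hardened_balance": hardened.balances["alice"],
            "hardened_distinct_ids": len(ids)}


def hold_blocks_second_request():
    """A second full-balance request under a new key is refused while the first
    is pending, because the hold has already consumed 'available'."""
    ex = IdempotentExchange({"bob": 50})
    ex.request_withdrawal("bob", 50, "nano_dest", "k1")
    try:
        ex.request_withdrawal("bob", 50, "nano_dest", "k2")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(replay_demo())
    print("hold blocks second request:", hold_blocks_second_request())
```

The two defences are independent and both are needed: the idempotency key alone stops an honest client retry from paying twice, but a client that simply picks a fresh key for each copy would still drain a balance that is only checked against the confirmed ledger; the hold closes that gap. In a real exchange the key-to-request map and the hold must live in the same transactional store as the balance, so that two copies of a request arriving at the same moment cannot both miss the lookup.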
Second mistake: Ignore the problem
The Nano was stolen from BitGrail between July and December 2017. The first batch of Nano went missing in late July 2017, and as the court noted, Firano was aware of the loss almost as soon as it happened.
He made a blasé note of the event on Twitter, saying he closed the perpetrators' accounts.
2.5 million Nano went missing in that first batch, and although prices were much lower then (about US$0.05 each) it was still worth $125,000 at the time, and probably qualifies as a little more than an "attempted" scam.
Third mistake: Keep ignoring the problem
At this point most people would realise that closing people's accounts doesn't do anything to actually fix the vulnerability and would want to do something about that rather than keep leaking money.
Firano is not most people.
The next big loss was 7.5 million Nano that went missing in October 2017, worth somewhere near $1 million at the time.
Despite the worries that must have been starting to niggle at this point, he still took no meaningful action.
Fourth mistake: Wow
Nano prices went nuts shortly after the second loss.
- It topped US$1 each on 10 December – the first two bouts of lost Nano were now worth $10 million, and still no one had any idea that it was missing from the exchange.
- It broke $5 on 21 December. That stolen Nano was now worth $50 million.
- It shot past both $10 and $15 within a 24-hour period on 29 December. That's $150 million lost now. Man, Firano's customers are gonna be pissed.
Nano prices eventually peaked at about $37 before they started declining with the rest of the cryptocurrency markets. The entire time, BitGrail remained one of the only places to trade Nano, and its exorbitant rise was undoubtedly good for business.
Unfortunately the vulnerability was still out there, new people were coming to BitGrail to chase Nano every day, and no one knew that hundreds of millions in cryptocurrency were missing from behind the scenes. The rising prices coupled with the vulnerability saw millions more Nano disappearing during these heady days, and the thefts continued right up until BitGrail stopped deposits entirely.
So, what happens when people try to cash out their winnings?
Something like this: [image from the original post not reproduced]
Fifth mistake: Nothing to see here, move along
So, people are all trying to cash out hundreds of millions of dollars of cryptocurrency that you don't have. You need to stem the outflow, but have to play it cool and make it look like nothing's wrong. Firano did this first by converting the main exchange hot wallet to a cold wallet and switching off withdrawals for large periods of time in the process.
And second, by instituting a sudden bout of apparent AML/KYC measures. Under the sudden changes all Euro-based traders would have to get verified, and all non-Euro traders would have two weeks to get their funds off the exchange, which could only be done by converting to BTC – no Nano withdrawals allowed. The kicker is he also capped daily withdrawal limits, which prevented a lot of people from getting their funds off the exchange within the time limit.
This caused Nano prices to plummet and bitcoin prices to rise sharply on the exchange, which may have bought some more breathing room.
Sixth mistake: Bail and shift the blame
Firano released a public statement on 9 February announcing a "shortfall" of 17 million Nano. But he was quite busy before then.
Nano withdrawals were closed for the last time on 28 January, leaving thousands of people with on-paper money trapped in the exchange. A week later, Firano started cashing out bitcoin, in the form of a 230 BTC deposit at another exchange, which he then moved to convert to cold hard cash through a linked bitcoin ATM.
And the day before the big reveal, he was in talks with the Nano team.
"I need to report this lost to the police ASAP," - Firano, literally 6 months and 16 days after first discovering the loss
The chat log is well worth a read with full knowledge of what happened. Among other statements that have aged poorly, the highlights of Firano's talk with the Nano team show:
- The thefts continued right up until January.
- Firano was fishing for a way to avoid admitting that he knew about the vulnerability for over half a year.
- In the end, Firano owed his users 19 million Nano and had only 4 million left.
- The switch from hot wallet to cold, and disabling of withdrawals seem to have been misguided efforts to prevent the funds from disappearing.
"We can't wait and we need to be 100% transparent on it," - Firano, a guy who's all about timeliness and transparency.
In the end, Firano decided to try to shift the blame onto Nano. He asked for a recovery fork, said that he would be blaming Nano if they didn't agree, and the rest is history.
Firano wasn't done though, and in the following months he would punctuate circumstances with a few more head-scratchers.
- February: Firano polled users to ask whether BitGrail should re-open or declare bankruptcy. About 80% said to declare bankruptcy. Firano said screw it, and made plans to reopen anyway.
- March: He floats an option to affected users where they could get reimbursed 20% of their lost Nano, and get the remainder in "BitGrail shares" which would be bought back over time. In turn, users would have to agree not to sue him. It wasn't popular.
- April: A class action lawsuit against BitGrail gains steam, funded by donations. Nano developers agree to match user donations to take on BitGrail. Firano probably shouldn't have ticked them off.
- May: BitGrail re-opens for literally hours before closing again when a Florence court says something like "seriously? No. Switch that thing off".
- June: Courts take BitGrail funds from Firano's possession, figuring he can't be trusted with them.
The case has concluded, with remaining BitGrail assets being used to compensate affected customers where possible. Beyond that, the courts have found that Firano's conduct throughout the entire ordeal directly contributed to a loss of user funds, and that he is personally responsible for some of the losses.
As such he's also been pushed into bankruptcy and forced into liquidation to compensate users.
One of the more lasting implications of the case, in Italy at least, is the finding that cryptocurrency exchanges do have some kind of obligation to protect customer funds. It sounds obvious, but there are still a lot of dead zones where crypto exchanges can scrub their hands of customer losses where any other financial institution would be liable.
Disclosure: At the time of writing the author holds ETH.