What caused the $170 million BitGrail Nano incident?

Andrew Munro 12 February 2018 NEWS

shutterstock computer fire tech 738x410

The most likely explanation seems to be carelessness on BitGrail's end, rather than theft or flaws in Nano.

BitGrail was one of the most widely used Nano XRB (formerly known as RaiBlocks) exchanges, responsible for much of the coin's global volume. But news abruptly broke on 10 February that 17 million XRB, 10% of the total supply worth about US$170 million at the time, had gone missing.

A few hours later it emerged that the loss had actually happened in November and December but had been covered up, or possibly gone entirely unnoticed, until now.

Users started speculating that the recent and equally sudden BitGrail freeze may have been related. The reasoning is that BitGrail management may have known it didn't have enough XRB for everyone to withdraw, and imposed restrictions to buy some time. The nature of the restrictions – a sharply restricted withdrawal limit and an unusual requirement that some customers withdraw BTC only instead of XRB – suggest that this might be the case.

Nano prices quickly plummeted after news of the theft and are still down around 30% at the time of writing, largely due to an initial fear that millions of stolen XRB would soon be flooding the market at discount prices. But a few hours later it became apparent that the missing coins had probably been sold off and recirculated weeks ago.

BitGrail has since announced its insolvency.

More significantly, it was speculated that an inherent vulnerability in Nano had resulted in the theft, or otherwise resulted in the loss of the coins. This theory was supported by:

  • BitGrail management pointing the finger at Nano, and saying it was a double spend problem with the software. The Kucoin exchange also said that it had experienced similar problems with Nano.
  • The loss seeming to only affect XRB. If it was a hacking theft rather than a technical problem one would expect coins other than XRB to have been stolen as well.

But further information suggests that neither of these is correct.

Firstly, released chat logs suggest that BitGrail management had known about the incident for a while, and promised to blame Nano for the problem if the Nano developers didn't modify the coin's ledger to cover BitGrail's losses.

"We have no reason to believe the loss was due to an issue in the Nano protocol. The problems appear to be related to BitGrail’s software," wrote Nano developers in their official statement on the incident. "[BitGrail owner] Firano informed us of missing funds from BitGrail’s wallet. An option suggested by Firano was to modify the ledger in order to cover his losses — which is not possible, nor is it a direction we would ever pursue... We now have sufficient reason to believe that Firano has been misleading the Nano Core Team and the community regarding the solvency of the BitGrail exchange for a significant period of time."

And more recently, the creator of Nanex has weighed in with a theory about exactly what happened.



What (probably) happened?

According to a post by the Nanex creator, it was basically a $170 million failure to read the user manual. Kucoin had the same problem because it made the same mistake, but it also caught it quickly and reimbursed affected users. But BitGrail may have let it get out of hand.

The issue relates to Nano's unconventional architecture. It essentially offers a separate blockchain for each account, leading to fast and free transactions and almost infinite network scaling, but at the cost of unusual complexities and trickier integrating into other systems.

One of the most difficult factors is that each individual Nano wallet can only run about 6 transactions per second at most on its own blockchain. This is way more than enough for any individual, but not for an exchange.

To solve this, an exchange needs to run multiple Nano accounts on multiple nodes (blockchain connections). This introduces a new problem; making sure all the data is sychronised. It doesn't matter so much with a personal account where you're only sending and receiving your own funds from your own address, but it's a critical issue for automated exchanges. If a transaction gets out of synch and isn't fixed, the problem can snowball.

"With coins like Bitcoin everyone's data is updated at the same time in 'blocks', whereas on XRB every account has its own chain that can update independently from everyone else. For something like an exchange, having data that isn't strongly consistent is a big no no," writes the Nanex creator.

"As such, you have to have a consensus model. You need to wait until all of your nodes have the exact same set of data on an account before you can reliably transmit further data out. You could just firehose it and hope for the best, but that's shown to be a bad idea. This is not BitGrail's fault, but that's what they were running into at one point - a node would think it broadcasted a block but the broadcast failed. As such, every block after that was invalid and their entire withdrawal system would fail until they fixed it manually. You would see 'invalid block' in the explorer. This bug has since been fixed... All in all, it requires a lot more work on the software side to ensure scalability but also data integrity."

BitGrail basically just tossed it onto the exchange like a more generic crypotcurrency and experienced expensive technical problems as a result. This complexity is one of Nano's main downsides, but it's a solvable issue. But only when it's actually solved.

Unfortunately the forensics don't do much to help the now-defunct BitGrail or the users whose funds were lost. Other popular Nano exchanges, including Binance and Kucoin, have announced their intention to help recover the XRB where possible, but the vast majority of the erroneously transmitted money has now probably been lost in circulation.

Depending on how you see the coin, this situation is either evidence of Nano's untenable complexity, or might be a good time to buy at discounted prices.

How to buy Nano. And not at BitGrail.


Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Latest cryptocurrency news

Picture: Shutterstock

Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VEN, XLM, XRB, SALT

Latest crypto guides

Ask an Expert

You are about to post a question on finder.com.au:

  • Do not enter personal information (eg. surname, phone number, bank details) as your question will be made public
  • finder.com.au is a financial comparison and information service, not a bank or product provider
  • We cannot provide you with personal advice or recommendations
  • Your answer might already be waiting – check previous questions below to see if yours has already been asked

Finder only provides general advice and factual information, so consider your own circumstances, or seek advice before you decide to act on our content. By submitting a question, you're accepting our Privacy & Cookies Policy and Terms of Use, Disclaimer & Privacy Policy.
Ask a question
Go to site