The troubled Hong Kong virtual currency exchange, Bitfinex, has re-opened after a hacking incident that resulted in the theft of approximately 119,756 bitcoins, which are currently worth nearly $70 million.
Bitfinex has chosen a “socialized” procedure to remedy this loss:
“Due to the indiscriminate nature of the attack, we have decided to generalize losses across all accounts. Upon logging into the platform, customers will see that they have experienced a generalized loss percentage of 36.067%. In a later announcement we will explain in full detail the methodology used to compute these losses.”
The methodology used to compute this percentage has yet to be released. However, Bitfinex has revealed that it is going to cover this loss adjustment with the issuance of “BFX” tokens priced at $1.00 each that will be distributed to each customer in an amount equal to the customer’s loss. Bitfinex has not committed to redeeming these tokens for cash. Instead, according to Bitfinex, “[t]he BFX tokens will remain outstanding until repaid in full by Bitfinex or exchanged for shares of iFinex Inc.”
Currently, there is not much clarity as to what shares of iFinex, the holding company that operates Bitfinex, could be worth. iFinex Inc. is a private corporation, so its stock is not listed or traded on any exchanges. In addition, private corporations do not have to make public filings, such that there are no publicly available iFinex Inc. financial statements. Thus, to the extent that Bitfinex customers ultimately receive iFinex shares, they will not have easy access to the company’s financial condition or other important information, unless iFinex becomes a public company.
Bitfinex’s solution is admirable, in that it does not overly burden the customers whose actual bitcoins were stolen, by having them bear the entire risk that Bitfinex will be able to fully make good on the loss. However, this solution places substantial risk on all Bitfinex customers. It is similar to the “Cyprus bail-in” of 2013. A bail-in forces a delinquent borrower’s creditors to assume additional risk by having a portion of their debt converted to equity (in the case of Cyprus, the creditors in question were bond holders, and depositors with more than 100,000 Euros in their accounts). The uninsured Cyprus depositors faced a haircut in the 40-50% range and were given equity in exchange, just as the Bitfinex customers were here. The Cyprus bail-in has been somewhat successful, as in 2014, the Bank of Cyprus released approximately 950 million Euros to repay the depositors. As stated above, Bitfinex plans to do the same, but it has not provided any projected timeline for redeeming the BFX tokens.
The solution implemented by Bitfinex appears on its face to benefit Bitfinex’s customers, as it is preferable to a liquidation in bankruptcy that would have likely taken years to complete. But a socialized method for remedying losses, in which a self-interested party that was unable to prevent the losses has total discretion, is troubling. First, Bitfinex insiders, who bear primary responsibility for not preventing the hack, claimed to have committed all company reserves to compensate its customers but failed to provide any evidence of an audit to support this statement. Second, this solution does not require any change in Bitfinex’s management or its procedures, which leaves it exposed to future hacks. There must be some accountability for the hacking incident and assurances that steps are being implemented to prevent hacks in the future. If Bitfinex had filed for bankruptcy, it could have continued operations and the bankruptcy trustee would have had the power to hire qualified personnel to oversee the operations of Bitfinex. While that would have come with a significant cost, it would have paled in comparison to the damage that would be caused by a further hack, as that would likely cause Bitfinex to shut down completely.
The importance of not allowing Bitfinex to stay the course cannot be overstated here because allegations of internal misconduct at Bitfinex are nothing new. Bitfinex has previously been plagued by allegations of insider trading by its management, which has denied the charges. Additionally, the U.S. Commodity Futures Trading Commission (CFTC) previously placed the company under scrutiny and ordered Bitfinex to pay $75,000 for offering illegal off-exchange financed retail commodity transactions and failing to register as a futures commission merchant. Bitfinex paid the fine, but chose not to register with the CFTC. Instead, it discontinued the use of cold storage wallets, such that it was not subject to CFTC registration requirements. Bitfinex recently announced that it has re-implemented cold storage procedures for storing customer bitcoins, such that Bitfinex is now likely required to register with the CFTC.
Recently, Bitfinex issued an interim update stating:
“Management has committed all reserves of the business with a view of making our customers whole. …[A]ny principals and employees of the business with any property on Bitfinex were subject to the loss allocation. In point of fact, two out of the top ten BFX token-holders are in our management team.”
Bitfinex did not provide any evidence to support these statements, but assuming that they are true, they raise additional concerns.
First, as it appears Bitfinex management traded on the Bitfinex platform, there are potential insider trading and conflict-of-interest issues. Unfortunately, Bitfinex’s customers do not get the benefit of the Dodd-Frank Act’s insider trading protections for these prior acts, as the CFTC has authority to enforce them, but Bitfinex appears to have successfully avoided CFTC registration in the past.
Second, Bitfinex principals and employees who traded on the exchange should have taken a greater loss allocation than the non-insider customers. If anything, the principals and employees should have taken a 100% loss allocation on their deposits to show accountability to the non-insider customers and to demonstrate their confidence in Bitfinex’s ability to repay the losses in their entirety. This action would have enhanced the credibility of Bitfinex and, as a result, increased customer confidence in the principals and management of the exchange.
As there are undoubtedly some Bitfinex customers who are unhappy with Bitfinex’s actions, there is a real possibility of litigation here. For example, under California law, because Bitfinex has opted to remedy the hack by taking its customers’ bitcoins without permission and providing them with a token of indeterminate value, it could be liable for conversion if it refuses to return the funds after a customer demands that it do so. See Cerra v. Blackstone, 172 Cal. App. 3d 604, 609 (1985). Additionally, to the extent that Bitfinex has not treated all of its customers equally, or given preferential treatment to its management, it could be liable under state consumer protection statutes or for fraud.
It will likely only be economically viable for a Bitfinex customer to sue the company if it can pursue a class action under U.S. law. To do this, the customer would need to get around Bitfinex’s terms of service, which ban class actions and provide that the law of the British Virgin Islands governs any legal action against the company. While these types of contractual terms are usually enforced by U.S. courts, a provision in Bitfinex’s terms of service could cause a U.S. court to invalidate them. The terms of service provide the company with essentially unfettered discretion to alter the terms:
“These Terms of Service may be amended, changed, or updated by BFXNA or iFinex, as applicable, without prior notice to you. You should check back often to confirm that your copy and understanding of these Terms of Service is current and correct. Your non-termination or continued use of any Services after the effective date of any amendments, changes, or updates constitutes your acceptance of these Terms of Service, as modified by such amendments, changes, or updates.”
In 2012, a federal court in Nevada held that a similar provision in the terms of service for Zappos.com rendered the terms “illusory,” since Zappos, but not the customer, could change the agreement at any time. See In re Zappos.com, Inc. Customer Data Security Breach Litigation, 893 F. Supp. 2d 1058 (D. Nev. 2012). That court then allowed a Zappos customer to avoid a mandatory arbitration clause in the terms of service and pursue his case in federal court. Applying the same logic here could allow a Bitfinex customer to pursue a class action in a U.S. court, instead of in the British Virgin Islands, and seek to have that court apply U.S. law.
Bitfinex’s imposition of a socialized bail-in remedy on its customers in response to a hack that Bitfinex failed to prevent is unfair and one-sided. Its customers should be wary of this solution that provides for no real changes in the way Bitfinex does business and does not create a defined obligation for Bitfinex to repay its customers at any point in time.