Earlier today the Chinese exchange Bter.com had $1.7m worth of NXT stolen (50 million NXT in total) from their account. A forum post on the NXT forums has been tracking developments and various options were being considered as the scene played out.
The first option is a rollback and the NXT developers have released a modified client which repeals the transaction in question.
The next option with essentially the same effect but subtly different is that those forging (equivalent to mining in bitcoin) manually repeal the transaction if they disagree with it.
The last option is that the hacker is paid a ransom in bitcoins, and they return the NXT.
Bter Adds $56,000 Insult to Injury
What has actually played out so far is hard to believe.
However unpalatable, the ransom may have seemed like a simple way for this to be resolved - Bter pay a ransom for their security failure but return funds to their customers - and in fact many agreed on the forum. The hacker now holds notionally $1.7m in NXT but clearly cannot realise that value in the market - NXT is simply not liquid enough to exchange 5% of its base into dollars at the drop of a hat (few assets are). The real value of the NXT, then, particularly to the hacker, is far below $1.7m.
As a result it was proposed that the total payment for the returned NXT would be 100 bitcoin. Bter would send bitcoins to the hacker in increments and they would return NXT in corresponding increments. Bter and the hacker appeared to agree to this situation and initially it appeared to be working; Bter sent the hacker 10 bitcoin and 5 million NXT were returned to an account presumably under the control of Bter. That all this could occur, be arranged and verified publicly is a testament to the power of cryptocurrencies and blockchains, if also a demonstration of how they can be abused.
Unfortunately, the hacker then posted some tried and tested social engineering, claiming they wanted the bitcoins more quickly, putting Bter under pressure to send the remaining amount. Bter fell for it, sending a further 100 bitcoin.
What is incredible about this situation is that an exchange managing far more than $1.7m in assets could fall for such a basic ploy without first considering that if they sent the full ransom, the hacker would no longer have any incentive at all to return the NXT.
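The incremental exchange described above is, in effect, a counterparty-exposure control, and the failure was abandoning it under pressure. As an added example (not from the original post), here is a small Python model of that control using the post's own figures (100 BTC total, 10 BTC steps, 5 million NXT returned per step); the class and function names are my own. A policy that caps unreciprocated BTC at one increment accepts each 10 BTC tranche but refuses the lump-sum request.

```python
# Added example, not from the original post: a bounded-exposure policy for the
# incremental BTC-for-NXT settlement. Figures are the post's (100 BTC, 10 BTC
# steps, 5 million NXT per step); the class and function names are my own.
from dataclasses import dataclass

TOTAL_BTC = 100                      # agreed ransom
TOTAL_NXT = 50_000_000               # stolen NXT to be returned
NXT_PER_BTC = TOTAL_NXT / TOTAL_BTC  # 500,000 NXT per BTC, implied by the agreement


@dataclass
class IncrementalSettlement:
    max_increment_btc: float = 10.0  # the most BTC that may be unreciprocated at once
    btc_sent: float = 0.0
    nxt_received: float = 0.0

    def exposure_btc(self) -> float:
        # BTC paid out for which the matching NXT has not yet come back
        owed_nxt = self.btc_sent * NXT_PER_BTC
        return max(0.0, owed_nxt - self.nxt_received) / NXT_PER_BTC

    def can_send(self, amount_btc: float) -> bool:
        # Refuse a payment that exceeds the agreed total or would leave more than
        # one increment outstanding, so the counterparty keeps a reason to return more
        if amount_btc <= 0 or self.btc_sent + amount_btc > TOTAL_BTC:
            return False
        return self.exposure_btc() + amount_btc <= self.max_increment_btc

    def send(self, amount_btc: float) -> None:
        if not self.can_send(amount_btc):
            raise ValueError(f"refusing {amount_btc} BTC: policy exposure exceeded")
        self.btc_sent += amount_btc

    def receive(self, amount_nxt: float) -> None:
        self.nxt_received += amount_nxt


def replay_reported_sequence() -> list:
    # Replay the steps the post reports and record whether policy allows each send
    s = IncrementalSettlement()
    log = [("send 10 BTC", s.can_send(10))]        # first tranche: allowed
    s.send(10)
    s.receive(5_000_000)                            # 5 million NXT come back
    log.append(("send 100 BTC", s.can_send(100)))  # lump-sum demand: refused
    log.append(("send 10 BTC", s.can_send(10)))    # next tranche: allowed
    return log


if __name__ == "__main__":
    for step, allowed in replay_reported_sequence():
        print(f"{step}: {'allowed' if allowed else 'refused'}")
```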
As we have seen with the demise of Mt Gox, poor actors in the cryptocurrency space will eventually fail, but can also take a lot of unsuspecting end users with them. Whether this is a testament to the strength of the currency (in that it does not allow repudiation) or whether it is damaging to it (allowing end users to be burned by clearly criminal activity when it has the power to prevent it) is debatable.
Clouded Enthusiast Thinking
If any type of rollback were to go ahead, NXT would have repealed a transaction and its claimed feature of non-repudiation would be demonstrably broken.
As a result many are crying out against the rollback in the fear that NXT will be irreparably harmed, but there are a couple of interesting points here:
1) it is clear that NXT could repudiate transactions, it just isn't clear if it will happen this time
2) non-repudiation is held to be such a critical feature of NXT that it would fail should any transaction, even a large scale admittedly criminal one, be repealed
From the point of view of an enthusiast who believes in the values that NXT (and many other cryptocurrencies) espouse, repudiation of any transaction is a failure to adhere to those values and taints the system. If it doesn't adhere to these values it is no better than any other system out there (PayPal for example).
But cryptocurrencies in general are trying hard to reach the mainstream. The real benefits of cryptocurrencies will appear when they are widely used and easily used by people around the world. From a typical user's point of view, there are potentially many benefits to using cryptocurrencies of which non-repudiation may be one, but it likely isn't a deal breaker. If we imagine a future in which many average people around the world hold NXT and 5% of all NXT are stolen, it isn't much of a stretch to see the majority agreeing that the transaction should be repealed. Whether it would be possible would be another matter.
Further evidence of clouded judgement appears with calls for a bounty to catch the hacker. Whether these suggestions are serious or facetious, these vocal members of the NXT community clearly would like to see the NXT (money) returned to their rightful owners, but are publicly supporting an illegal and violent vigilante bounty rather than supporting simple repudiation of the transaction.
Time will tell how this pans out, but which way of thinking prevails may give some insight into the distribution of the currency and its user base, particularly whether the large balances are held by enthusiasts or spread across a wider distribution.
Will NXT Survive?
There are a number of ways this situation could work out in the longer term, but really only one question will determine the viability of NXT - confidence.
If the transaction is not repudiated then possibly a large portion of its user base may become disaffected with NXT and its failure to act (something which bitcoin developers have stated they would do in, for example, the face of a 51% attack). This would also leave 5% of the NXT monetary base in the hands of a known bad actor keen to launder his prize which would undoubtedly have a depressive effect on the NXT price for some time to come.
If the transaction is repudiated then those that consider non-repudiation a critical feature may become disaffected and choose to exit NXT, again damaging confidence and likely the price.
The distribution of the coin may determine both the actions taken and the result. If NXT is widely distributed enough to those outside the cryptocurrency core then it may repudiate the transaction, may lose some enthusiasts on the way but will likely survive.
If the distribution of the coin is largely in the hands of the enthusiasts then the repudiation may not take place. In this case the majority holders in terms of value will likely retain confidence. How it will be viewed by later adopters and the mainstream is less clear and a depressed price could serve as an indication of NXT's decline.