CoinSpice Research: Bitcoin Cash Upgrade Attack and the 110K BCH Bitfinex Position

CoinSpice Research: Bitcoin Cash Upgrade Attack and a 110K BCH Bitfinex Position

TL;DR: Ahead of the Bitcoin Cash (BCH) protocol upgrade and corresponding attack on the network, both of which took place 15 May 2019, traders on cryptocurrency exchange Bitfinex borrowed more than 110,000 BCH. If the price of that BCH position fell, traders potentially could have profited handsomely. Although unusually timed, it is impossible to say whether this borrowing activity was linked to the attack. And, while it looks unlikely the money was ever used to short sell BCH, the traders would have been left with a hefty bill all the same.

Earlier this week, we saw a malicious actor carry out an attack on the Bitcoin Cash network, coinciding with a previously planned network upgrade. The attack, lasting just a few hours, resulted in transactions not confirming and the network producing 10 consecutive empty blocks before a patch was released to resolve the bug. During the attack, a few clever developers managed to steal 1.2 BCH from the attacker, however rumours of possibly larger financial stakes came on the back of higher-than-usual BCH lending activity on Bitfinex.

Following the attack, eagle-eyed Redditors spotted that the amount of BCH lent out on Bitfinex increased to roughly 180K BCH (~$66m at the time). This led to speculation someone borrowed BCH to take out a large short position on the price of Bitcoin Cash, earning them a profit should the price of BCH decrease. It was furthermore suggested the attacker and this large borrowing activity might have been related, potentially the same person or entity.

Let’s look at a timeline of events on 15 May 2019 (all times UTC).

With the attacker exploiting the bug from approximately 12:20 until 16:05, we can see an increase in the number of unconfirmed transactions in the Bitcoin Cash mempool, waiting to be confirmed by miners. Additionally, due to the nature of the attack, the number of above-average transaction-fee transactions (those denoted in colours other than dark blue) had also substantially increased during that period.

The BCH Mempool during the May 15th netowork upgrade.
Source: https://jochen-hoenicke.de/queue/#2,4d

Turning to the price of BCH versus USD (denoted BABUSD on Bitfinex), we can observe price activity during 15 May 2019, which started that day at approximately $390, finishing up roughly 3% higher to about $402.

Focusing on the period in question, we can see the orange box showed some volatility and a drop to roughly $370 during the attack, which then rebounded as the patch was rolled-out across the Bitcoin Cash network.

Trading activity during the May 15 BCH network upgrade
Source: Tradingview, Bitfinex

Looking at short activity on BCH versus both BTC (yellow) and USD (purple), we can see a slight increase in the amount of shorts against BCH to USD during the hours preceding the attack, however this was significantly lower than the 180K BCH picked up by Reddit.

BCH margin trading activity during and around the time of the May 15th network upgrade
Source: Tradingview, Bitfinex

So what could have happened?

We should explain how shorting works on Bitfinex. A short sale effectively allows a trader to borrow some amount of a cryptocurrency from other traders (lenders) on Bitfinex, selling that cryptocurrency on Bitfinex, then rebuying that same amount of cryptocurrency (plus a little bit more) to return to the original lender (plus interest) at some point in the future.

In the early hours of 15 May 2019 (just after midnight UTC), approximately 12 hours before the attack began, traders borrowed a significant amount of BCH on Bitfinex, bringing the total amount lent out to nearly 177K BCH. The day before, there had been approximately 65K BCH borrowed, total, on Bitfinex by traders. This 112K BCH borrowing drove the interest rate from approximately 5% annually (amount paid by borrowers to lenders) to approximately 30% by the time the attack started.

BCH borrowed, used, and lending rates from Bitfinex during the May 15 network upgrade
Source: Bitfinex

While one could definitely interpret the timing of increased borrowing activity over the morning of the 15th and the attack in the early afternoon as likely more than a coincidence, looking closer we notice something interesting. While approximately 112K BCH had been borrowed (orange line) during the 15th, this money had not been deployed in a margin position (grey line), meaning that someone borrowed BCH but did not substantially enact new short positions. During the evening hours, we can see the funds borrowed, but unused funds had all been returned to lenders at approximately the same time.

There are several potential explanations for this. One possible reason could be that the traders borrowed BCH with the intention of shorting but then decided against it, closing approximately 110K BCH in borrowing positions around 23:00 on 15 May 2019. Whether they were connected to the attack, or at least had knowledge of it beforehand, is impossible to say.

Given the average rates reported by Bitfinex over this period, the interest paid for these unused positions likely cost somewhere in the range of 79 BCH (~$31,500 at the time) — quite a lot of money for sitting on the sidelines, though less than had they shorted into a rising market over the same period. 🌶