CoinBerry ETransfer Glitch Fraud
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
In April 2020, CoinBerry reportedly made an update to their service which allowed customers to purchase bitcoin by starting an eTransfer process. It appears completing the eTransfer (i.e. making an actual payment) was not required, and this opportunity remained available until August 24th, 2020, when withdrawals were shut off for a period of 17 hours. According to a lawsuit later filed by CoinBerry, 120 bitcoins were ultimately withdrawn without payment during this time. CoinBerry requested the return of the funds, and 37 bitcoins were returned by customers.
As no announcements were made to explain the situation, there was speculation on what happened in this case for roughly 2 years until June 2022 when CoinBerry finally published a lawsuit in Brampton, Ontario. This was reported in the media in September 2022. It is unclear if CoinBerry has been able to recover any funds in this case.
This exchange or platform is based in Canada, or the incident targeted people primarily in Canada.[1][2][3][4][5][6]
About CoinBerry
Coinberry was founded in 2017[7] and is Canada's first regulated crypto-only trading platform[8]; it called itself "the safest and most secure digital currency trading platform in Canada"[7]. In 2021, the platform supported Bitcoin, Ethereum, XRP, Litecoin, Bitcoin Cash, and Stellar[7].
"Based in Toronto, Coinberry is Canada's first federally registered commission-free crypto trading platform, which secures the best cryptocurrency prices from trusted exchanges using proprietary algorithms."
In 2021, the platform offered zero funding or withdrawal fees, was registered with FINTRAC, and had low trading fees of 0.5%[7]. The CEO Andrei Poliakov describes the vision for the company[7].
At Coinberry we believe in an inclusive blockchain-based economy. So we set out to build a global digital financial institution of the future. And we started with the most important step: building a trusted digital asset trading platform.
Partnership With BRD
In August 2018, CoinBerry announced a partnership with BRD at a Blockchain Futurist Conference, which introduced their platform to 1.2 million users of the Bread Wallet application[9]. This partnership allows Coinberry users to maintain control of their cryptocurrency keys securely, addressing concerns about exchanges' vulnerability to hacks[10]. BRD's non-custodial wallet technology ensures users can buy, deposit, and withdraw bitcoin seamlessly on Coinberry while retaining control of their keys[10]. Both companies aim to empower users by providing secure and convenient solutions for managing their crypto assets[10]. This integration enhances the Canadian crypto industry by enabling faster payments and remittances into fiat currency[10]. With BRD's decentralized framework, users can safeguard their assets against centralized risks, further emphasizing the importance of maintaining control over cryptocurrency keys amidst ongoing security threats in the exchange ecosystem[10].
Partnerships With Municipalities
One of the strategies which CoinBerry used to gain early trust with Canadians was their ongoing partnership with municipalities including the Town of Innisfil and the City of Richmond Hill which were established in 2019[7].
"In 2019, the Town of Innisfil officially partnered with the exchange. This was the first Canadian property tax payment paid in Bitcoin. Today, Coinberry also has a partnership with the City of Richmond Hill."
Under this strategy, CoinBerry offered the towns the ability to accept tax payments in bitcoin via web or mobile devices[7]. As there was no cost to participate, the municipalities stood only to gain from the partnership, in the form of potential extra revenue.
Audit By MNP LLP
CoinBerry completed an audit by Canadian public accounting firm MNP LLP[11]. They were one of the first Canadian platforms to do so[12].
"Coinberry is one of the first Canadian cryptocurrency trading platforms to audit its first year financial statements." "The audit was conducted by MNP LLP, one of the preeminent Canadian public accounting firms active in the blockchain and cryptocurrency space."
The platform reportedly undergoes third party financial statement audits annually[7].
Wallet Storage Policies
CoinBerry placed a strong public emphasis on diligence[13][14].
"Practicing due diligence is paramount. Research and continuous education of cryptocurrencies and the markets will arm you with the highest protection level possible." "Thieves and scammers in the crypto ecosystem write malware to attack your digital wallet, empty your accounts, spy on your clipboards to steal your cryptocurrency addresses, and swap out your exact addresses for those belonging to a scammer."
Storage wallets have been described as "industry-standard cold-storage"[7]. The service reportedly implemented a multi-signature protection scheme on client funds, though this only required 2 members of the team to sign off on transactions[12].
"We only use multisig cold storage wallets [m]eaning that any 2 members of the executive team are able to access the funds. What does this mean for you? If the CEO goes missing during a trip to open an orphanage in India, your Bitcoin, Ethereum and Litecoin will still be accessible by the Coinberry executive team."
Guide Pages on Digital Security
CoinBerry also publishes educational material. The CoinBerry platform includes an entire page about "The Latest Crypto Scams & Fraud" and "how to protect yourself"[13][14] and a page on "Digital Security for Cryptocurrency Investors"[15][16].
Crypto is the currency of the future. As it grows in popularity, cyber attackers and criminals find it an attractive target for digital theft and financial fraud. Investors, exchange organizations, and all stakeholders must adopt security practices to reduce the risks and protect their financial accounts and digital assets.
The Reality
“On April 13, 2020, Coinberry implemented a software update to the Coinberry Platform. Unfortunately, the said update contained a vulnerability whereby Coinberry’s system was notified of e-transfers of CAD despite the fact that the moneys had not actually been received by Coinberry,” the lawsuit read.
CoinBerry underwent a platform upgrade, whereby customers could initiate an Interac eTransfer, get the amount credited to their CoinBerry accounts, and then cancel the original eTransfer, which enabled them to get bitcoins without paying for them[8].
"Customers could initiate an Interac e-transfer, get the amount credited to their Coinberry accounts, buy bitcoin and transfer the coins out, and then cancel the original e-transfer, retaining their own funds and getting free bitcoin." "In the end, users would then cancel the original e-transfer, thereby retaining their own funds and getting free bitcoin, [a later] lawsuit said."
What Happened
Evidence suggests that CoinBerry operated in a glitched state where customers could obtain free bitcoin by initiating and not completing eTransfers for a period of over 4 months. By the time that CoinBerry fixed the issue, 546 of their customers had already taken advantage of it[8]. Data suggests more than 80% of customers had done so in small amounts below $5,000[8], and there is some speculation that many customers did so unintentionally.
"Due to a software glitch, the platform accidentally tricked people into buying bitcoin using Canadian dollars, which had not yet been properly transferred to their accounts."
Date | Event | Description |
---|---|---|
August 16th, 2018 7:00:00 AM MDT | CoinBerry and BRD Partnership | CoinBerry announces a partnership with BRD at the Blockchain Futurist Conference. BRD is a Swiss-headquartered company offering one of the first iOS cryptocurrency non-custodial wallet applications with 1.2 million users[9][10]. This partnership, announced at the Blockchain Futurist Conference, aims to empower users by allowing them to maintain control of their cryptocurrency keys in a secure wallet, a critical feature amidst ongoing vulnerabilities in some exchanges to hacks[10]. BRD's non-custodial wallet technology ensures decentralized control, reducing centralized risks associated with hacking[10]. The integration enables users to seamlessly buy, deposit, and withdraw bitcoin on Coinberry while retaining control of their keys[10]. Both companies emphasize the importance of user empowerment and security in the cryptocurrency landscape, with BRD highlighting the simplicity and security benefits of the integration[10]. |
January 17th, 2019 8:10:00 AM MST | Financial Statement Audits Completed | CoinBerry announces completion of their first year financial statement audits. The audits were carried out by accounting firm MNP. The audit was successful, meaning that Coinberry's financial statements were "free from material misstatement". The platform was also one of the first Canadian cryptocurrency trading platforms to audit its financial statements, and is notable for being registered with the Financial Transactions and Reports Analysis Centre of Canada[17][11]. |
February 6th, 2019 4:58:10 PM MST | Aftermath of QuadrigaCX Article | In the initial uncertainty of the QuadrigaCX platform going offline, CoinBerry publishes a Medium article highlighting how their services are "leading the pack not only in terms of ease of use, customer service, and pricing but also from the perspective of trust, security, and accountability". They assure customers that their data, Bitcoin, Ethereum, Litecoin, and CAD deposits are safe and secure through various measures. Coinberry has fully supportive, transparent, and CDIC insured segregated banking in Canada, hierarchical wallets for crypto deposits, multisig cold storage wallets, a Business Continuity Plan, and strict Internal Controls and Storage Processes. Additionally, Coinberry is one of only two cryptocurrency trading platforms in Canada to successfully complete an independent Financial Statements audit, registered with the Financial Transactions and Reports Analysis Centre of Canada as a Money Service Business (MSB), and has its platform penetration tested by the top cybersecurity firm in the country. Personal information submitted on the platform is also OpenPGP protocol encrypted at rest on servers in Canada[12]. TBD review for any further links to follow. |
April 13th, 2020 | CoinBerry Platform Upgrade | CoinBerry upgrades their Interac ETransfer payment system. This new system reportedly credits customers with the amount of their transfer before customers have actually completed the payment[8]. |
August 24th, 2020 12:00:00 AM MDT | Withdrawal System Shut Off | CoinBerry shuts off their withdrawal system for 17 hours after a withdrawal of 8.33 BTC. |
September 2nd, 2020 9:05:00 AM MDT | Lloyd's Coverage CoinDesk Announcement | CoinDesk publishes an article on CoinBerry announcing CoinBerry has secured a financial institution bond, becoming the first crypto firm in the country to obtain such coverage, according to CEO Andrei Poliakov. The surety bond is required for registration with the Ontario Securities Commission and provides insurance in case of dishonest or fraudulent acts by employees. The move comes after the collapse of rival exchange QuadrigaCX, which led to a loss of client funds and has resulted in a tightening of regulation in the country. The coverage limit is CAD1m ($764,000) per claim/incident and is underwritten by Lloyd's of London[18]. “I cannot speak to whether the others in Canada are in the process of getting this,” Poliakov said in a follow-up email. “I do know some platforms are not applying at all, while others (like BitMEX) have already received instructions from the OSC to cease operation in Ontario because they are not going the registration route.”[19]. The article is also shared on Yahoo Finance[20]. |
October 29th, 2020 11:12:00 AM MDT | CipherBlade Twitter Report | Blockchain investigation firm CipherBlade reports that CoinBerry "appears to have been hacked a couple months ago". They note a transfer of "8.33 BTC stolen from Coinberry's hot wallet [and] sent to 1KcTk7kJMjYaCV3FXo5bzpjaZs2aK18ntz"[21]. (TBD explore wallet.) |
October 29th, 2020 12:36:00 PM MDT | Amy Castor Follow Up | Journalist Amy Castor shares the tweet with the CoinBerry Twitter account for comment[22]. No response is received from CoinBerry. |
October 30th, 2020 7:09:00 AM MDT | News Discussed On Reddit | The Cipherblade investigation tweet was shared to Reddit[23]. According to a discussion on Twitter by CipherBlade, a blockchain forensics firm, Coinberry, a Canadian cryptocurrency exchange, was hacked earlier this year. The hack involved 8.33 BTC stolen from Coinberry's hot wallet and sent to a specific address. The breach lasted for about 17 hours, during which no withdrawals were processed from the hot wallet. However, after the breach, Coinberry continued using the same wallet for withdrawals, suggesting that the compromise was not related to the seed phrase or private key. The exact cause of the breach is unclear, but possibilities mentioned include social engineering, impersonation scams, bugs, or internal breaches. It is speculated that Coinberry absorbed the loss and tried to move on without attracting attention. The discussion also raises concerns about Coinberry's security practices, the potential impact on customer accounts, and the reliability of the exchange's alleged third-party insurance[23]. |
October 31st, 2020 12:02:14 PM MDT | Bitcoin Network Fee Controversy | A Reddit thread notes that CoinBerry has increased their bitcoin withdrawal "network fee" to 0.003 BTC ($55 CAD)[24]. At the time, users noted that the "average transaction right now is estimated to be around $11-12 USD"[25]. BitInfoCharts estimated the transaction fees for October 27th as $10.19, October 28th as $11.68, October 29th as $12.51, October 30th as $13.14, October 31st as $13.16, and November 1st as $8.69[26]. The thread included multiple references to the hacking incident within minutes of posting[27][28][29]. |
October 31st, 2020 3:38:46 PM MDT | Fee Adjustment Reported | Reddit user W944 reports that the fees are back to 0.001 BTC[30]. |
November 11th, 2020 7:12:16 PM MST | Fee Page Adjustments | CoinBerry network withdrawal fees appear to be 0.001 for BTC and have been moved to the top of the fees page. CoinBerry changed the text "0% Withdrawal Fees" to "0% CAD Withdrawal Fees"[31][32][33]. |
June 2022 | CoinBerry Files Lawsuit | CoinBerry entered a lawsuit in Brampton, Ontario against 50 customers and Binance[8]. |
September 8th, 2022 4:54:00 AM MDT | CoinDesk Article | CoinDesk reported that Coinberry, a Canadian cryptocurrency exchange, has filed a lawsuit against 50 users who exploited a software bug to withdraw 120 bitcoins in 2020[1]. The bug in Coinberry's Interac e-transfer software update allowed users to siphon off the bitcoin with Canadian dollars that were en route but not yet received by Coinberry[1]. While over 500 customers initially exploited the vulnerability, some funds were returned following Coinberry's request[1]. The incident underscores the risks associated with handling irreversible assets like cryptocurrencies[1]. It brings attention to the recent loss of $660,000 in crypto due to a programming error in the Solana-based OptiFi protocol as an example[1]. |
September 8th, 2022 9:34:04 AM MDT | Financial Post Article | A Financial Post article finally reveals the full extent of the losses[8], which was nearly immediately shared on Reddit[34]. The extent of losses was not previously disclosed[8]. CoinBerry had no comment on the matter at the time[8]. |
September 8th, 2022 9:00:00 PM MDT | Crypto.news Article | Crypto.news reports that Coinberry, a Canadian crypto exchange, has filed a lawsuit to recover lost bitcoins totaling $3 million due to a software glitch. The glitch occurred in 2020 and allowed customers to siphon off 120 bitcoins without making payments. Coinberry claims that it has been unable to retrieve two-thirds of the lost bitcoins from its customers. The exchange blames Binance, the largest crypto exchange, for the mishap as some of the bitcoins were transferred to its platform. While Coinberry was able to fix the situation, over 500 users had already taken advantage of the vulnerability. The lawsuit seeks to recover 63 of the missing bitcoins, including 9.48 units transferred to Binance, while 20 bitcoins and more than 200 users remain unaccounted for. Binance has not provided a response regarding the situation[35]. |
Technical Analysis
According to a lawsuit filed against 50 users who exploited the software bug in 2020, customers were able to withdraw 120 bitcoins (BTC) using Canadian dollars that were en route but not yet received by Coinberry due to a bug in an Interac e-transfer software update[1]. The lawsuit alleges that the update contained a vulnerability that notified Coinberry's system of e-transfers of CAD despite not actually receiving the funds[1].
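The crediting defect the lawsuit describes, modelled as an added illustration (this is not CoinBerry's code; the two ledger classes, the BTC price, the reserve size and the user names are assumed). The vulnerable ledger treats the e-transfer notification as money already received; the settled ledger only makes funds spendable on receipt, so a cancelled transfer leaves nothing to claw back and the buy/withdraw sequence is refused.

```python
from dataclasses import dataclass
from enum import Enum


class Transfer(Enum):
    INITIATED = "initiated"   # sender started an e-transfer; no money has moved yet
    RECEIVED = "received"     # funds settled in the platform's bank account
    CANCELLED = "cancelled"   # sender cancelled before settlement


@dataclass
class Account:
    cad: float = 0.0          # spendable CAD
    btc: float = 0.0          # spendable BTC
    pending_cad: float = 0.0  # initiated but unsettled CAD (settled ledger only)


class VulnerableLedger:
    """Credits CAD as soon as the e-transfer notification arrives (the defect)."""

    def __init__(self, btc_reserve=10.0):
        self.accounts = {}
        self.btc_reserve = btc_reserve  # platform's own BTC available for sale (assumed)
        self.settled_cad = 0.0          # CAD that has actually arrived at the bank

    def _acct(self, user):
        return self.accounts.setdefault(user, Account())

    def on_transfer(self, user, amount, state):
        a = self._acct(user)
        if state is Transfer.INITIATED:
            a.cad += amount             # defect: spendable before settlement
        elif state is Transfer.RECEIVED:
            self.settled_cad += amount  # balance was already credited above
        elif state is Transfer.CANCELLED:
            pass                        # defect: the credit is never reversed

    def buy_btc(self, user, cad_amount, price):
        a = self._acct(user)
        btc = cad_amount / price
        if a.cad < cad_amount or self.btc_reserve < btc:
            return False
        a.cad -= cad_amount
        a.btc += btc
        self.btc_reserve -= btc         # BTC leaves the platform's reserve here
        return True

    def withdraw_btc(self, user, amount):
        a = self._acct(user)
        if a.btc < amount:
            return False
        a.btc -= amount                 # coins sent on-chain; irreversible
        return True


class SettledLedger(VulnerableLedger):
    """Same interface; spendable balance tracks settled funds only."""

    def on_transfer(self, user, amount, state):
        a = self._acct(user)
        if state is Transfer.INITIATED:
            a.pending_cad += amount     # shown to the user, not spendable
        elif state is Transfer.RECEIVED:
            a.pending_cad -= amount
            a.cad += amount             # credit only once the bank has the money
            self.settled_cad += amount
        elif state is Transfer.CANCELLED:
            a.pending_cad -= amount     # nothing was spendable, nothing to claw back


def replay(ledger, price=10_000.0):
    """Replay the sequence the lawsuit describes: initiate, buy, withdraw, cancel."""
    ledger.on_transfer("alice", 5_000.0, Transfer.INITIATED)
    bought = ledger.buy_btc("alice", 5_000.0, price)
    withdrew = ledger.withdraw_btc("alice", 0.5)
    ledger.on_transfer("alice", 5_000.0, Transfer.CANCELLED)
    return {
        "bought": bought,
        "withdrew": withdrew,
        "btc_reserve": ledger.btc_reserve,  # 9.5 on the vulnerable ledger, 10.0 on the fixed one
        "settled_cad": ledger.settled_cad,  # 0.0 on both: no CAD ever arrived
    }


if __name__ == "__main__":
    print("vulnerable:", replay(VulnerableLedger()))
    print("settled:   ", replay(SettledLedger()))
```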
Total Amount Lost
The total amount lost has been estimated at $1,413,000 USD.[36]
CoinBerry reported that the largest loss of $385,722.31 (as valued in April 2022) was from a user named both Jordan Steifuk and Connor Heffernan, who CoinBerry states is actually the same person[8].
Immediate Reactions
CoinBerry Shuts Off Hot Wallets
On August 24th, 2020, according to CipherBlade, "there were no withdrawals processed from Coinberry's hot wallet for about 17 hours." CipherBlade added that it "[h]asn't been publicly reported yet. 8.33 BTC stolen from Coinberry's hot wallet & sent to 1KcTk7kJMjYaCV3FXo5bzpjaZs2aK18ntz. I guess they can't say they've never been hacked anymore."
CoinBerry Attempts at Recovery
CoinBerry reportedly fixed the issue and contacted all 546 customers to demand the bitcoin be returned[8].
“Coinberry contacted all of the said 546 affected registered users by email and demanded return of the misappropriated bitcoins”
CoinBerry also reportedly contacted Binance, who restricted accounts that had received the funds[8].
“Binance acknowledged that it had identified a quantity of the misappropriated BTC and undertook to restrict any access to the accounts,” [a later] lawsuit read.
CoinBerry Public Relations
CoinBerry did not publicly report anything about the incident, so for many users the first clue that anything had gone wrong was CipherBlade's later tweet.
CipherBlade Investigation
"Not sure exactly what the issue was, but possibilities include a social engineering attack, impersonation scam, or a bug that may have been exploited that allowed an attacker [to] withdraw more than what they had (the latter seems by far to be the least likely vector to me)."
"After the [situation was noticed] (on 8/24), there were no withdrawals processed from Coinberry's hot wallet for about 17 hours. Then it started up again, but the address did not change -- this 8.33 BTC breach (not a huge amount of course) appears not to be a compromise of the seed phrase or private key (otherwise they wouldn't continue using that wallet), but presumably another issue."
"[T]here are other solutions apart from multi-sig that are suitable, for example SSSS and MPC so we don't know what type of setup they have on their hot wallet. But their hot wallet address is P2PKH, not P2SH (i.e. starts with a 1, not a 3), and while P2PKH addresses can theoretically be multi-sig, that's almost never the case. Our view is that hot wallets need to be multi-sig/SSSS/MPC but also have preventative measures that would allow any one person (such as a founder) to run off with any funds even in the hot wallet by themselves, and that's easier said than done. A spear-phishing attack is a possibility here."
"After the breach, when the hot wallet was turned off it had a balance of 0.06324605 BTC for a while -- if the seedphrase or private key had been breached, there would obviously be a balance of 0 (or very close to it). After about 17 hours, they (Coinberry) topped the hot wallet up with some funds before turning it on again."
"[T]hey're still using the same wallet for withdrawals they were using before, presumably because they know it wasn't compromised, which is presumably because they know the real reason for the breach. If they knew the compromise occurred due to a social engineering attack for example, the wallet is still perfectly safe to use (or more technically, just as safe as it was before)."
"[I]f an individual account was compromised, there would be no reason for Coinberry to turn off their hot (withdrawal) wallet for 17 hours. Coinberry was compromised, not a Coinberry account."
Community Reactions
Reddit user TI-IC reacted to receiving news of the "hack" for the first time. The extent of the situation was not known[37][38].
"Not a good look Coinberry. Yet another Canadian "exchange" failing to build the cryptoeconomy in Canada. Damn shame man I really though[t] Canada would be a bigger player in that domain."
"Regarding whether or not customers are going to bear the loss, remember that the number in your account is just that, a number and an IOU. It doesn't mean they have the assets to back that IOU even before this breach happened. What do you think happened to Einstein? Coinberry may or may not be insolvent."
Ultimate Outcome
Acquisition by WonderFi
CoinBerry was acquired by WonderFi in July 2022 for $38.5m[8]. WonderFi is a Vancouver-based crypto outlet backed by Shark Tank personality Kevin O'Leary[8]. Coinberry's parent company, WonderFi, has applied to start trading on the Nasdaq, currently trading on the Toronto Stock Exchange[1].
"Coinberry [became] backed by WonderFi Technologies, a Vancouver-based crypto organization backed by Shark Tank personality O’Leary, which bought Coinberry in July in a deal worth $38.5 million." "On Aug. 25, Coinberry's parent company, WonderFi, applied to start trading on the Nasdaq. It currently trades on the Toronto Stock exchange."
Recovery From Customers
Apparently, 37 bitcoin were recovered from 270 of the registered users, leaving 83 bitcoin outstanding from the other 270[8].
“Coinberry was able to secure the return of approximately 37 of the misappropriated bitcoins from 270 of the affected registered users.”
"As Financial Post points out, 83 bitcoin are still floating around in the hands of tricksy customers."
Financial Institution Bond
"Toronto-based Coinberry has acquired a financial institution bond." "Coinberry’s surety bond is underwritten by the Lloyd’s of London insurance market and the coverage limit is CAD$1,000,000 ($764,000) per claim/incident, said Poliakov."[19]
As noted in the timeline above, CoinDesk reported on September 2nd, 2020 that CoinBerry had secured a financial institution bond, becoming the first crypto firm in Canada to obtain such coverage according to CEO Andrei Poliakov. The surety bond is required for registration with the Ontario Securities Commission and covers dishonest or fraudulent acts by employees; the coverage limit is CAD1m ($764,000) per claim/incident, underwritten by Lloyd's of London[18][19]. The move followed the collapse of QuadrigaCX and the resulting tightening of regulation in Canada. The article was also shared on Yahoo Finance[20].
TBD Work on the wording of this section.
Trading Fee Increases
While CoinBerry's original "[t]rading fees [we]re around 0.5 percent", this was later updated to 1%, and fine print at the bottom of the fee pages now states that "Coinberry establishes the rate for cryptocurrency transactions on our platform by adding a margin, or spread, of between 0% and 2.5% to the rate offered by our liquidity sources." It was also noted at the time that "Coinberry claims $0 withdrawal fees but increased their mining/network fee to 0.003 BTC ($55 CAD currently)."
Binance Recovery Effort
The lawsuit was filed against 50 of the remaining users, demanding 63 of the bitcoin, including 9.48 BTC which had been transferred to Binance[8].
“Binance acknowledges that it had identified incorrect BTC amounts and undertook to restrict any access to the accounts,” the lawsuit read. "In reply, Binance worked hard to identify all the inappropriate bitcoin and restricted access to all those accounts asap." "Binance reportedly acknowledged detecting a significant quantity of the misappropriated funds and restricted any access to the accounts." "It is unclear why Coinberry had resorted to suing Binance, given the latter’s apparent cooperation." Binance declined to comment on the lawsuit but said in a statement: “The company is committed to prevent bad actors from using the platform, which includes a world-renowned investigative team.” "Coinberry did not immediately respond to CoinDesk's request for comment."
Lawsuit Against Customers
CoinBerry was unsuccessful in obtaining the return of funds from at least 270 of the customers, and later undertook a lawsuit, which was filed in Brampton, Ontario[8]. The lawsuit also names the Binance crypto exchange[1]. Initially, over 500 customers exploited the vulnerability, with 37 bitcoins being returned following Coinberry's request[1]. CoinBerry reportedly did not include users who had amounts below $5,000, as valued in May 2020, in the lawsuit[8].
"The lawsuit was for 63 of [the defrauded] bitcoins, including 9.48 units that were transferred to Binance. In a list that Coinberry provided to court, all that was attributed to the 50 users named in the lawsuit." "That still leaves out 20 of the 120 bitcoins originally lost — and more than 200 of the 546 users who had allegedly misappropriated from Coinberry." "It is unclear how or if Coinberry is going after those people, given that they are not named in the lawsuit."
Total Amount Recovered
While the matter is still proceeding through the courts, the potential amount recoverable has been estimated at $436,000 USD[8].
Ongoing Developments
CoinBerry's lawsuit has yet to be tested in court[8].
CoinBerry's lawsuit included Binance, despite the apparent cooperation of the platform[8]. Binance has not commented on the lawsuit[8]. They've only issued a general statement[8].
“The company is committed to prevent bad actors from using the platform, which includes a world-renowned investigative team.”
Individual Prevention Policies
This case does not appear to have resulted in a loss to any individual.
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
There are a few strategies which would help in this case.
Published Platform Assessments
This situation could have been prevented by a published assessment of the platform at an interval of 6 months or less, which would have caught the issue sooner due to the lack of backing or the funding holes. Specifically, this problem was likely introduced during a platform upgrade, and a third party review after that upgrade could have caught the issue before any funds were lost. An internal validation that assets are properly backed would also have noticed the anomalies sooner.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
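An added example of the internal backing validation described above (not code from CoinBerry or this wiki; the ledger entries, the bank statement and the 5,000 CAD reporting threshold are constructed sample data). Every CAD credit in the platform's ledger is matched to a settled receipt by its e-transfer reference; customers whose credits exceed what the bank actually received are reported, as are receipts the ledger never credited.

```python
from collections import defaultdict

# Constructed sample data, not from the page: CAD the platform's ledger credited,
# keyed by the e-transfer reference the platform was notified about.
LEDGER_CREDITS = [
    ("u101", "ET-0001", 2_500.00),
    ("u102", "ET-0002", 5_000.00),
    ("u103", "ET-0003", 12_000.00),
    ("u102", "ET-0004", 5_000.00),
    ("u104", "ET-0005", 800.00),
    ("u105", "ET-0006", 1_000.00),
]

# Constructed bank statement: only transfers that actually settled, and for how much.
BANK_SETTLED = {
    "ET-0001": 2_500.00,
    "ET-0004": 5_000.00,
    "ET-0005": 800.00,
    "ET-0006": 600.00,   # partial settlement
    "ET-0009": 300.00,   # received but never credited to anyone
}


def reconcile(credits, settled, tolerance=0.005):
    """Per-user CAD that was credited without a settled receipt behind it."""
    unbacked = defaultdict(float)
    for user, ref, amount in credits:
        gap = amount - settled.get(ref, 0.0)
        if gap > tolerance:                  # ignore cent rounding
            unbacked[user] += gap
    return {u: round(g, 2) for u, g in unbacked.items()}


def unmatched_receipts(credits, settled):
    """Settled money the ledger never credited: a different defect, also worth a ticket."""
    credited_refs = {ref for _, ref, _ in credits}
    return {ref: amt for ref, amt in settled.items() if ref not in credited_refs}


def backing_report(credits, settled, report_threshold=5_000.0):
    """Summarise whether customer CAD liabilities are covered by settled CAD."""
    liabilities = round(sum(a for _, _, a in credits), 2)
    assets = round(sum(settled.values()), 2)
    unbacked = reconcile(credits, settled)
    return {
        "cad_liabilities": liabilities,
        "cad_settled": assets,
        "shortfall": round(liabilities - assets, 2),
        "unbacked_by_user": unbacked,
        "users_at_or_over_threshold": sorted(
            u for u, g in unbacked.items() if g >= report_threshold
        ),
        "unmatched_receipts": unmatched_receipts(credits, settled),
    }


if __name__ == "__main__":
    for key, value in backing_report(LEDGER_CREDITS, BANK_SETTLED).items():
        print(f"{key}: {value}")
```

Run on a daily or hourly schedule against the real bank feed, a non-zero shortfall or any entry in `unbacked_by_user` is the anomaly a post-upgrade review would have surfaced.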
Multi-Signature Visibility
All customer funds should be secured by a multi-signature wallet requiring at least 3 signatures for release. It is possible that having greater visibility on the funds leaving the platform might have resulted in greater oversight, as there was likely an unusual withdrawal pattern associated with the exploit.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
Industry Insurance Fund
The industry insurance fund steps in as a measure of last resort and has the discretion to ensure that the remaining users of the platform would be made whole. Platforms should be held to account with transparent disclosure of breaches. An efficient insurance fund which is overseen by industry operators could be a cheap, flexible, and highly protective option to restore reserves in cases like this. While this loss did not involve cryptocurrency funds, the same multi-signature requirement can be instituted at a policy level on outgoing fiat transfers.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
There are many ways to prevent this type of situation from happening, from reaching the reported level of loss, or from impacting users.
Published Platform Assessments
This situation could have been prevented by a published assessment of the platform at an interval of 6 months or less, which would have caught the issue sooner by exposing the shortfall in backing (the funding holes). Specifically, this problem was likely introduced during a platform upgrade, and a third-party review after that upgrade could have caught the issue before any funds were lost. An internal validation that assets are properly backed would also have noticed the anomalies sooner.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within a 14-month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
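The internal backing validation and the withdrawal-pattern review mentioned above can be expressed as two ledger checks: which customers have withdrawn more than their settled funding covers, and which hours show outflow far above the platform's normal rate. The following is an added example of both checks, not CoinBerry's code; it assumes a minimal ledger in which each credit records whether its funding (for example an eTransfer) actually settled, and all ledger rows are constructed.

```python
"""Backing reconciliation and withdrawal-spike check for a custodial ledger.

Added example, not CoinBerry's code. Assumes a minimal ledger in which each
customer credit records whether its funding (for example an eTransfer)
actually settled, and each withdrawal carries a timestamp. All rows below
are constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Constructed credits: (customer, amount_btc, funding_settled).
CREDITS = [
    ("cust-1", 1.0, True),
    ("cust-2", 2.0, False),   # transfer initiated, payment never completed
    ("cust-2", 0.5, True),
    ("cust-3", 3.0, False),
]

# Constructed withdrawals: (customer, amount_btc, ISO-8601 timestamp).
WITHDRAWALS = [
    ("cust-2", 0.1, "2020-08-22T11:05:00"),
    ("cust-1", 0.1, "2020-08-23T14:40:00"),
    ("cust-1", 0.8, "2020-08-24T09:10:00"),
    ("cust-2", 2.4, "2020-08-24T09:20:00"),
    ("cust-3", 3.0, "2020-08-24T09:30:00"),
]


def unbacked_withdrawals(credits, withdrawals):
    """Per customer, the amount withdrawn beyond what settled funding backs."""
    settled = defaultdict(float)
    for customer, amount, is_settled in credits:
        if is_settled:
            settled[customer] += amount
    withdrawn = defaultdict(float)
    for customer, amount, _ in withdrawals:
        withdrawn[customer] += amount
    exposure = {}
    for customer, total in withdrawn.items():
        gap = total - settled.get(customer, 0.0)
        if gap > 1e-9:
            exposure[customer] = round(gap, 8)
    return exposure


def total_exposure(credits, withdrawals):
    """Platform-wide shortfall: sum of every customer's unbacked withdrawals."""
    return round(sum(unbacked_withdrawals(credits, withdrawals).values()), 8)


def hourly_totals(withdrawals):
    """Sum withdrawals into hour buckets keyed by 'YYYY-MM-DDTHH'."""
    buckets = defaultdict(float)
    for _, amount, ts in withdrawals:
        buckets[ts[:13]] += amount
    return dict(buckets)


def flag_withdrawal_spikes(withdrawals, factor=5.0, floor_btc=0.05):
    """Hours whose outflow exceeds `factor` times the median of the other hours.

    `floor_btc` stops a near-zero median from flagging ordinary activity.
    """
    buckets = hourly_totals(withdrawals)
    flagged = {}
    for hour, total in buckets.items():
        others = [v for h, v in buckets.items() if h != hour]
        if not others:
            continue
        baseline = max(median(others), floor_btc)
        if total > factor * baseline:
            flagged[hour] = round(total, 8)
    return flagged


if __name__ == "__main__":
    print("unbacked by customer:", unbacked_withdrawals(CREDITS, WITHDRAWALS))
    print("total unbacked BTC:", total_exposure(CREDITS, WITHDRAWALS))
    print("suspicious hours:", flag_withdrawal_spikes(WITHDRAWALS))
```

On the constructed data the reconciliation attributes the whole shortfall to credits whose funding never settled, and the spike check singles out the one hour in which those customers withdrew. Run against a real ledger, the first check is the "assets are properly backed" validation and the second is the kind of withdrawal-pattern signal that could pause withdrawals before the loss grows.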
Industry Insurance Fund
The industry insurance fund steps in as a measure of last resort and has the discretion to ensure that the remaining users of the platform would be made whole. Platforms should be held to account with transparent disclosure of breaches. An efficient insurance fund which is overseen by industry operators could be a cheap, flexible, and highly protective option to restore reserves in cases like this. While this loss did not involve cryptocurrency funds, the same multi-signature requirement can be instituted at a policy level on outgoing fiat transfers.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Canadian Crypto Exchange Coinberry Files Lawsuit Against 50 Users After Losing 120 BTC - CoinDesk (Accessed Dec 1, 2022)
2. Coinberry loses $3m due to software glitch - files suit for recovery - Business News (Dec 1, 2022)
3. Canadian Crypto Exchange Sues Users for Return of Bitcoin Misappropriated During Software Glitch - Exchanges Bitcoin News (Dec 2, 2022)
4. Glitch sees users pinch $3M in bitcoin from crypto exchange Coinberry (Dec 2, 2022)
5. Coinberry sued its users for stealing bitcoins - TechStory (Dec 2, 2022)
6. Coinberry's Software Blunder Costs $3M in Bitcoin: Report (Dec 2, 2022)
7. Coinberry Review: 5 Things to Know (2021 Updated) (May 15, 2021)
8. Coinberry says it lost $3 million in bitcoin due to a software glitch - Financial Post (Dec 1, 2022)
9. No Fee Crypto Trading Platform Coinberry Partners with Crypto Giant BRD - Newswire (May 15, 2021)
10. Coinberry Traders Keep Control of Keys With BRD Crypto Wallet Integration - Bitcoin Magazine (May 15, 2021)
11. Coinberry successfully completes first-year financial statement audit - Newswire Archive February 4th, 2019 12:16:52 AM MST (Apr 28, 2023)
12. 9 Reasons CoinBerry is Ahead of Competition When it Comes to Security and Accountability - CoinBerry Medium Post (May 15, 2021)
13. The Latest Crypto Scams: Identify and Avoid Them (May 15, 2021)
14. The Latest Crypto Scams & Fraud - CoinBerry (Mar 31, 2023)
15. The Importance of Digital Security for Cryptocurrency Investors (May 15, 2021)
16. Digital Security for Cryptocurrency Investors - CoinBerry (Mar 31, 2023)
17. Coinberry successfully completes first-year financial statement audit - Newswire (May 15, 2021)
18. Coinberry Crypto Exchange Gets Lloyd's Cover as Canada's Post-Quadriga Rules Tighten - CoinDesk (Apr 28, 2023)
19. Coinberry Crypto Exchange Gets Lloyd's Cover as Canada's Post-Quadriga Rules Tighten - CoinDesk Archive September 21st, 2021 3:27:27 AM MDT (Apr 28, 2023)
20. Coinberry Crypto Exchange Gets Lloyd's Cover as Canada's Post-Quadriga Rules Tighten - Yahoo Finance (May 15, 2021)
21. @cipher_blade - "another Canadian exchange appears to have been hacked a couple months ago" - Twitter (May 15, 2021)
22. Amy Castor - "@CoinberryHQ, care to comment on this?" - Twitter (Mar 28, 2023)
23. Coinberry was hacked earlier this year according to blockchain forensics firm - legit? : BitcoinCA (May 15, 2021)
24. Coinberry claims $0 withdrawal fees but increased their mining/network fee to 0.003 BTC ($55 CAD currently) - Reddit (May 15, 2021)
25. TI-IC - "average transaction right now is estimated to be around $11-12 USD" - Reddit (Mar 29, 2023)
26. Historic Bitcoin Transaction Fees - BitInfoChart (Mar 29, 2023)
27. jordan7104M - "even before they got hacked" - Reddit (Mar 29, 2023)
28. Fiach_Dubh - "care to comment on this, and this" - Reddit (Mar 29, 2023)
29. eastender99 - "They got hacked and didnt admit it yet." - Reddit (Mar 29, 2023)
30. W944 - "Looks like they updated it." - Reddit (Mar 30, 2023)
31. Bitcoin Trading Fees in Canada | Coinberry (May 15, 2021)
32. CoinBerry Fees Page - September 19th, 2020 2:59:49 PM MDT (Mar 29, 2023)
33. CoinBerry Fees Page - November 11th, 2020 7:12:16 PM MST (Mar 29, 2023)
34. Coinberry says it lost $3 million in bitcoin due to a software glitch - Reddit (Sep 8, 2022)
35. Coinberry Crypto Exchange Files Lawsuit After Losing $3 Million in Software Glitch - Crypto.news (Dec 2, 2022)
36. Bitcoin Historic Prices - CoinMarketCap (May 15, 2021)
37. TI-IC - "Not a good look Coinberry." - Reddit (Mar 20, 2023)
38. Cipherblade - "Regarding whether or not customers are going to bear the loss, remember that the number in your account is just that, a number and an IOU. It doesn't mean they have the assets to back that IOU even before this breach happened. What do you think happened to Einstein? Coinberry may or may not be insolvent." - Reddit (Jun 29, 2023)