FairyEx - a fabulous and frightening tale of an insolvent cryptocurrency exchange
Posted: Fri Nov 13, 2015 11:54 pm
Tonight, I bring you the fabulous tale of an exchange in the wonderful universe of Fairyland. Fairyland is a place of magic, wizardry, honor, and glory. Like all magical universes, Fairyland has cryptocurrency exchanges. One of its most well-known exchanges, FairyEx, has been offering trading for years, and has handled millions of bitcoins throughout its history.
Fairyland is also the home of FairyReddit. Citizens of Fairyland read FairyReddit for the latest news on using and trading cryptocurrency. One day, several users reported that they were having trouble logging into FairyEx, receiving error messages stating that their passwords were invalid. Eventually, these users realized that they could log into FairyEx by resetting their passwords by clicking the "reset password" button, which sends an E-Mail to their registered E-Mail addresses. Most users quickly forgot the incident and resumed trading.
After this trouble had long been forgotten, users of FairyReddit, and another forum, FairyTalk, began to complain that their withdrawals weren't processing. But their complaints were strange and inconsistent: some users had no problems at all, some were able to withdraw some of their money, and some were able to withdraw nothing. Many users of FairyTalk noticed that they had issues withdrawing bitcoin, but other currencies were unaffected. Even with bitcoin, small amounts were withdrawn successfully, with large amounts being withheld.
FairyEx executives used their wizardry and magic powers to make themselves vanish. Citizens of Fairyland had no idea where they had gone. Support tickets were answered with canned replies. FairyEx published no official phone number on their website, and employees who had previously been highly visible were no longer available.
Every tale needs a villain, and this story is no different. Let us introduce our evil hacker, DeathPixie. In early October one year, DeathPixie discovered a vulnerability in FairyEx's systems. Or, perhaps DeathPixie was an insider from within FairyEx. Whoever this mysterious figure is, he waved his magic wand, sending smoke, sparks, and bitcoins out from FairyEx's headquarters and into DeathPixie's hands.
Learning of DeathPixie's exploit, FairyEx executives called an emergency meeting. Fortunately for them, DeathPixie had stolen only bitcoins, leaving the remainder of FairyEx's wallets untouched. Unfortunately for them, they did not have enough bitcoins to pay out customers. There was one ray of light at the end of the rainbow - FairyEx was a highly profitable business, so it probably wouldn't take long before they earned enough fees back to make up for DeathPixie's theft. So the FairyEx executives decided that all they needed to do was to keep quiet and stay alive long enough to regain their full reserve. It would take a while, so subtle measures would be necessary so as not to attract the attention of regulators.
First, FairyEx's managers decided that they would enact a withdrawal limit for all customers. Customers would be granted a limit of several thousand dollars, high enough for most not to notice. Customers that were verified for three months would receive a much higher limit - which would not be a problem because FairyEx's reserve would be expected to have been re-earned by then. Even long-time customers who had traded hundreds of bitcoins through FairyEx, who one would think FairyEx would want to retain, would be refused these increased withdrawal limits for the three months. Unlike in the real world, nobody in Fairyland believed that institutions have no right to simply refuse to provide customers their money after an arbitrary limit.
Second, FairyEx would significantly raise its withdrawal fees, adding a percentage fee in addition to the existing set fee, making withdrawing bitcoins cost several dollars in many cases. The increased withdrawal fees would encourage users to leave money on the exchange instead of transferring it in or out, providing more time for the reserve to catch up.
Next, FairyEx managers decided there was no reason to raise suspicion by limiting withdrawals of any other coins. Since only bitcoins were stolen, only withdrawals of those would be restricted. Full reserve existed for all other coins, so customers could sell their fractional reserve bitcoins and withdraw these other coins. Eventually, this situation would result in a decoupling of the altcoin exchange rates from those at other exchanges - but since many of FairyEx's coins are traded nowhere else, few would notice.
But FairyEx needed time to examine the consequences of DeathPixie's attack and get their withdrawal system in order to deal with their new fractional reserve reality. As all business owners of Fairyland do from time to time, they looked at their crystal ball and noticed that they had a standing policy of requiring customers to wait 24 hours to withdraw after a password reset request. In a stroke of genius, they realized they could solve two issues at once by running a simple database query to change most or everyone's passwords to something unguessable.
First, since they didn't know how DeathPixie had hacked their systems, they could ensure that if any passwords had been compromised in the attack, they would need to be reset by the users. Second, and more importantly, few or none of their customers would be able to make any withdrawals for 24 hours because they had made reset requests. Having no reason for suspicion, many of these customers would continue trading in the interim, earning enough reserve through fees for the company to keep it from going completely bankrupt right away. They could also easily deflect suspicion in forum posts by claiming that the user had forgotten his password; having one single user successfully reset his password and resume withdrawals had little impact on the business anyway once the complaints went away. This allowed FairyEx's situation to fly under the radar, because if FairyEx had limited withdrawals in any other way, such as by notifying users directly, then they could suffer a bank run, which would result in their collapse. In fact, even if long-lost users from years ago were later tipped off that something was amiss, they wouldn't be able to withdraw their money immediately because they needed to reset their passwords before logging in.
FairyEx's executives managed to execute this scheme for 32 days by operating as a fractional reserve. Undoubtedly, they planned to continue such operations indefinitely, in the hopes that they would become full reserve again. In the meantime, most of FairyEx's customers, who never actually created wallets to hold the real coins that FairyEx trades, remain ignorant of its insolvency. And that's a good thing, because while FairyEx is not as large as FairyGox, its failure would be by far the second largest disaster in Fairyland's bitcoin history.
And thus our tale ends, with its conclusion yet to be written. Thankfully, Fairyland, with its wild-west feeling of irresponsible exchanges, is nothing like the bitcoin community we know, where every exchange honors its obligations and sends money to its customers as soon as it can. If there were an exchange like FairyEx in the real world, of course users of the real Reddit would begin an investigation as soon as they heard about the connection between the 24-hour password resets, the withdrawal limits, and the stuck payouts, and force it to provide a proof of solvency of its bitcoin reserves.
It's a good thing we don't live in Fairyland, isn't it?
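The tale ends by asking for a "proof of solvency of its bitcoin reserves". To show concretely what such a proof looks like from the customer's side, here is an added example (not code from the original post, and not any exchange's real implementation) of a Merkle sum tree proof of liabilities: the exchange publishes a root that commits to every customer balance and to their total, each customer checks that their own balance is included, and anyone can compare the root total against the reserve the exchange demonstrates on-chain. The ledger and the two reserve figures are constructed sample values; the leaf and node hash layouts are this example's own choices, not a standard.

```python
import hashlib

# Constructed sample ledger of customer liabilities: (customer id, BTC balance in satoshis).
# Sums to 480_000_000 sat (4.8 BTC). Not taken from the original post.
LEDGER = [
    ("alice", 150_000_000),
    ("bob", 25_000_000),
    ("carol", 300_000_000),
    ("dave", 5_000_000),
]

EMPTY = ("0" * 64, 0)  # padding node for odd-sized levels; carries no balance


def leaf(cust_id, balance):
    """Leaf = (hash, balance). The hash commits to both the id and the balance."""
    h = hashlib.sha256(f"{cust_id}:{balance}".encode()).hexdigest()
    return (h, balance)


def parent(left, right):
    """Internal node commits to both children and carries the sum of their balances."""
    lh, lb = left
    rh, rb = right
    h = hashlib.sha256(f"{lh}:{lb}:{rh}:{rb}".encode()).hexdigest()
    return (h, lb + rb)


def build_tree(ledger):
    """Return the list of levels, leaves first, root last (each level padded to even length)."""
    level = [leaf(c, b) for c, b in ledger]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level = level + [EMPTY]
        levels.append(level)
        if len(level) == 1:
            break
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return levels


def root(levels):
    """The published commitment: (root hash, total liabilities)."""
    return levels[-1][0]


def proof_for(levels, index):
    """Inclusion proof for leaf `index`: the sibling node at each level and whether it sits on the left."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], sib < index))
        index //= 2
    return path


def verify(cust_id, balance, path, expected_root):
    """Customer-side check: my (id, balance) leaf hashes up to the published root.
    Every sibling balance must be non-negative; otherwise an operator could cancel
    real liabilities with a negative node and publish an artificially small total."""
    node = leaf(cust_id, balance)
    for sibling, sibling_is_left in path:
        if sibling[1] < 0:
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == expected_root


def check_solvency(levels, onchain_reserve):
    """Compare the root total (sum of all liabilities) against the reserve the exchange controls."""
    liabilities = root(levels)[1]
    return {"liabilities": liabilities, "reserve": onchain_reserve,
            "solvent": onchain_reserve >= liabilities}


if __name__ == "__main__":
    levels = build_tree(LEDGER)
    r = root(levels)
    print("root hash", r[0][:16], "... total liabilities", r[1])
    for i, (cust, bal) in enumerate(LEDGER):
        print(cust, "included:", verify(cust, bal, proof_for(levels, i), r))
    print(check_solvency(levels, 480_000_000))  # full reserve (constructed figure)
    print(check_solvency(levels, 400_000_000))  # after a 0.8 BTC theft (constructed figure)
```

The inclusion check only proves that a customer's own balance is counted; the solvency check is only as good as the reserve figure, which is why the on-chain side of a real proof has to be a signed demonstration of key control, not a number the exchange types in. The non-negative sibling check matters because the root total is the sum the customers are asked to trust.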