On February 8, 2018, 15 million RaiBlocks, the former native currency of the Nano network, were stolen from Italian cryptocurrency exchange BitGrail. In order to provide insights into the alleged security breach and the theft of more than $150 million USD worth of XRB, Cointelegraph conducted an exclusive interview with Francesco Firano, the founder and operator of BitGrail.
This time, Cointelegraph reached out to the Nano team and conducted an interview with the Nano core team’s Troy Retzer, who oversees community & public relations at the organization, to better understand the large-scale theft.
Conflict with Nano, timestamps
During the interview with Cointelegraph, Firano claimed that the Nano core development team accused BitGrail of being insolvent and negligent in managing hundreds of millions of dollars worth of funds. Firano added that the issue originated from the timestamp technology of Nano and that the block explorer of the cryptocurrency is not reliable. Firano said:
“Baseless and malicious accusations are done by the Nano development team. The truth is their block explorer is dated January 19, the date of the theft. Since RaiBlocks have no timestamps on the chain, we cannot really find out when it actually happened other than rely on the block explorer, which, as already shown by the private conversation they disclosed, is totally unreliable.”
However, Troy Retzer explained that on January 19, the date noted by Firano, the Nano blockchain network conducted a re-synchronization of its nodes, providing every block or transaction missing before January 19 with a timestamp recorded at the time. This meant that all transactions or blocks were recorded accurately, with a timestamp on that date. Retzer told Cointelegraph:
“On January 19, a node resync was conducted and in this process, it picked up on blocks not already having a timestamp record and recorded them at that time, with that timestamp. And to the reason why there were gaps, during the transition of the website there were lapses in the script running, while we handled the transition of the site from the previous admin to our current admin. We received a copy of the old database and worked for some time to get it running correctly on the new server, thus many blocks never had a timestamp recorded until the full sync on January 19.”
With regard to Firano’s comment that the Nano team has released malicious accusations against him and the BitGrail trading platform, Retzer commented that the core team had not received any information from BitGrail or from Firano apart from the data he had released publicly.
“It is difficult for us to help solve the situation due to a lack of information on the alleged hack,” said Retzer, stating that BitGrail had failed to clarify basic details, such as how many XRB tokens were actually stolen from the exchange. Initial reports from BitGrail suggested it was 17 million, but reports released later this month claimed 15 million XRB tokens were stolen.
The Nano team also emphasized that it has reached out to the Italian police in order to cooperate in the investigation of the theft and provide any assistance it may need in analyzing the BitGrail breach.
On February 15, Firano released a Telegram conversation on his Twitter account, in which he claimed that transactions before January 19 are missing on the block explorer of the Nano network. Firano also asserted that transactions were somehow removed and reinserted at a later date. But, in any public Blockchain, it is not possible to remove data stored in past blocks unless the entire Blockchain is compromised and attacked.
Even through public attacks such as a 51% attack (in which a group gains control over half of the Blockchain’s hash power), it is not realistically possible to modify data stored in historical blocks. In response to such claims, Nano developer Mica Busch wrote:
“A Blockchain, and the accounts within a block lattice, are one-way structures. Each references the cryptographic signature of its preceding block. It is impossible for new blocks to be inserted before a newer block. Continuing this logic, our block explorer stores timestamps on a best effort basis. Therefore if a transaction shows a date later than another transaction that follows, we can prove that this transaction occurred before the later date, and regard the timestamp as erroneous.”
Given that Nano is a public Blockchain network and blocks within a Blockchain cannot be modified, a claim that transactions are missing from the Blockchain is likely not valid.
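Busch's ordering argument, as an added example that is not part of the original article or Nano's own code: a simplified model of one account chain in which each block commits to the hash of its predecessor while explorer timestamps are kept off-chain. The block format, field names and sample data are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

GENESIS = "0" * 64

@dataclass
class Block:
    payload: str                     # constructed transaction description
    previous: str                    # hash of the preceding block in the account chain
    explorer_ts: Optional[datetime]  # off-chain explorer record, not covered by the hash

    def digest(self) -> str:
        data = (self.previous + "|" + self.payload).encode()
        return hashlib.blake2b(data, digest_size=32).hexdigest()

def build_chain(entries) -> List[Block]:
    chain, prev = [], GENESIS
    for payload, ts in entries:
        chain.append(Block(payload, prev, ts))
        prev = chain[-1].digest()
    return chain

def links_intact(chain: List[Block]) -> bool:
    """True when every block points at the hash of the block before it."""
    prev = GENESIS
    for block in chain:
        if block.previous != prev:
            return False
        prev = block.digest()
    return True

def latest_possible(chain: List[Block]) -> List[Optional[datetime]]:
    """Upper bound per block: the earliest timestamp seen on it or any successor."""
    bounds, bound = [], None
    for block in reversed(chain):
        if block.explorer_ts and (bound is None or block.explorer_ts < bound):
            bound = block.explorer_ts
        bounds.append(bound)
    return bounds[::-1]

def erroneous(chain: List[Block]) -> List[int]:
    """Indexes whose recorded timestamp is later than that of a following block."""
    return [i for i, (b, ub) in enumerate(zip(chain, latest_possible(chain)))
            if b.explorer_ts and ub and b.explorer_ts > ub]

RESYNC = datetime(2018, 1, 19)
SAMPLE = build_chain([               # constructed data, not real Nano blocks
    ("receive 500", datetime(2017, 10, 20)),
    ("send 100", RESYNC),            # timestamp first recorded at the resync
    ("send 250", datetime(2017, 10, 23)),
    ("send 75", None),               # explorer never recorded a time
])
```

In the sample, the second block carries the resync date but must predate October 23, 2017, because the block that follows it was recorded then; splicing a block into the middle makes `links_intact` return `False`.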
Usage of hot wallet, poor security
On October 23, 2017, as the Nano team disclosed in its official statement, a massive amount of XRB was abruptly withdrawn from the BitGrail cryptocurrency exchange. 1 million XRB was withdrawn, which is worth nearly $10 million based on the current price of XRB at $9.82.
While the nature of this transaction is yet to be confirmed, it could also be possible that the theft of 15 million XRB tokens was initiated on October 23, starting with the withdrawal of 1 million XRB.
“Specifically, this transaction for a withdrawal of 1 million XRB occurred on October 23 2017, at 1:22 AM (GMT) according to BitGrail’s database timestamp data. You can see from the Explorer data that there were significant funds withdrawn before and after this transaction to account ‘bbjn’. Firano categorized this transaction on Twitter and in our Telegram conversation as ‘unauthorized,’” states Nano’s report on the matter.
According to the public Blockchain explorer of Nano, Nanode, BitGrail continued to use a hot wallet to store all of its funds in XRB, which is insecure. Hot wallets are managed online, and can be vulnerable to attacks and security breaches as a consequence. For example, Japan’s Coincheck, one of the largest cryptocurrency exchanges in the country, suffered a $530 million hacking attack due to the exchange storing funds in hot wallets.
Until December 16 2017, the BitGrail Rep 1 wallet was used as the only hot wallet of the BitGrail exchange to store user funds, which is extremely insecure and dangerous. Once a hot wallet is compromised, all of the funds within it can be lost, especially if there are no multi-signature technology-based security systems in place.
On December 16, the BitGrail Rep 1 wallet was changed to a cold wallet, and BitGrail Rep 2 was changed to a hot wallet, as seen on Nanode.
It is not possible to definitively state that the BitGrail trading platform was breached due to poor security measures, unless and until all of the information regarding the theft is transparently shared with the community. But, unlike Coincheck and other large-scale cryptocurrency exchanges like South Korea’s Bithumb, BitGrail has not been able to refund its investors and, as Firano explained in his interview with Cointelegraph, the business believes it is “impossible” to refund all of its Nano investors.
Ultimately, as an independent company, BitGrail might be held responsible for the theft of its customers’ funds if it is found that the theft of the 15 million XRB on the platform was not caused by an issue with the Nano Blockchain protocol.