Coinbase ($COIN) #7 - Crypto Hacks & Security
checking our hypothesis that COIN is the leader in crypto security
Our hypothesis: COIN is the most secure player in Crypto
Inversion: What would COIN need to do to be hacked
We're actively studying the reasons for the recent crypto hacks. The fact that fraud will occur doesn't bother us. We believe that to be a negative side effect of any new and growing technology (banking fraud, credit card fraud, identity theft, robo call scams etc). Fraud is taking place over the phone, a technology that has existed for years and it is working particularly well with senior citizens. The fact that fraud exists does not reflect on the medium used to facilitate the fraud, but on the security measures of the companies.
What we're interested in is figuring out how these hackers were able to exploit security holes to than figure out if COIN's procedures are set up to protect them from it.
https://www.bbc.com/news/technology-60933174
Axie Infinity was hacked for ~$600 million in crypto. The huge increase in player influx (increase in demand) was too big for Axie's security protocols. According to the article, they decided to loosen their standards to be able to handle the demand and they forgot to turn the security back on. They forgot? Our initial estimation of the probability that they forgot is low. We think it more likely a result of the culture within the company. Excitement and greed became the driver for decision making instead of discipline and reason. This reflects corporate culture and thereby of the leadership of the company.
https://arstechnica.com/gaming/2022/04/axie-infinity-raises-150m-to-help-reimburse-hacked-user-funds/
Axis responded by raising $150 million in VC money to reimburse users affected by the hack. The financial damage of diluting your company shares plus the reputational damage will remain. Axie confirmed that in their race to mainstream adoption they became too relaxed about security.
https://www.reuters.com/technology/decentralised-finance-latest-front-cryptos-hacking-problem-2021-08-16/
Smaller companies face a chicken and egg problem. Security is of the utmost importance, but it is also costly and difficult to implement. In the race to acquiring users to be able to generate revenue to scale companies are taking short cuts on the security front. As we have seen with Binance changing an ingrained culture once it has taken momentum is difficult. Yet if a new startup focuses on security and sacrifices growth, will that hurt them in the long run? We believe this is where (assumption with probability) COIN has competitive advantages. They started with a security first culture. They have scaled during a time when crypto was not widely known. They have a first mover advantage.
https://www.sec.gov/news/press-release/2021-145
Frauds like this one illustrate a few things. First, people act on their emotion of wanting easy money. They may have heard something from a friend, read something on the news and their emotional brain was triggered to act. Bad actors, or excited startups themselves triggered by a rush of excitement, begin operations with money, which ends up being hacked or stolen.
https://www.forbes.com/sites/emilsayegh/2022/04/11/reflecting-on-the-biggest-crypto-hack-ever/?sh=ee4edd2753c1
Forbes also makes the point that lacks security measures are the result of hacks. Towards the end of the article, they point out that blockchains have a great future if companies ensure security. The security first approach can save companies and customers a lot of trouble in the future. The problem is that events such as this undercut the trust in blockchain technology with the public.
How is COIN different than all these examples?
https://www.coindesk.com/business/2022/02/12/coinbase-trading-vulnerability-exposed-by-repeat-white-hat-hacker/
In February 2022 COIN was lucky to have been hacked by a white hat. This could have been bad.
https://beincrypto.com/white-hat-hacker-saves-coinbase-from-advanced-trading-exploit/
The hack found a vulnerability in the advanced trading app, which is still in testing, but could have sent arbitrary prices through the system which could have caused a lot of harm. The fact that it was in testing is a plus, but this is something potentially dangerous showing that we can never rest easy. Beware of the Black Swan.
What are the internal consequences in response to this hack? We saw the tweets in the immediate aftermath. We know that the platform in question was in Beta testing, which of course may be one purpose of testing in the first place. However, since the platform was connected to real customer accounts, and could have possibly “nuked” the market what are the implications?
How serious was this really? Did COIN make changes, internally, to preempt a hack in the future? What about the reactions and the seriousness is knowable and how should this new information affect our investment decision? COIN is down, this would be a great time to deploy more capital. But has the thesis built around security changed?
https://innovationatwork.ieee.org/10-largest-corporate-hacks-recent-history/
https://fortune.com/2017/06/22/cybersecurity-hacks-history/
How have google, amazon or Microsoft dealt with hacks in the past? Many of the organizations listed above have been the victims of hacks. We can say with confidence that the consequences, in the mind of the consumer, were of a more temporary nature. It raised awareness of the need for data security, but it didn’t cause the company’s significant long-term damage. A hack may well help us get an even better price for our investment.
However, we are prone to believe that recent history is a guide for future outcomes. This type of thinking is dangerous. The black swan could come, hack COIN in such a way that billions of assets are compromised. The likelihood of this event may be low, but it must be considered. What if COIN is subjected to a hack that destroys its ability to operate as a company?
COIN my go bankrupt.
COIN may need to take on considerable leverage to pay claims.
How well is COIN insured against such an event?
https://www.coinbase.com/legal/insurance
In their user agreement under the insurance section COIN states that all cash is insured under the FDIC. They also carry insurance for Crypto assets, but the amount is not disclosed.
COIN refers us to another page for more detailed information on what is insured. COIN also states that their policy called Account Protection is not the same as insurance.
https://help.coinbase.com/en/coinbase/other-topics/legal-policies/how-is-coinbase-insured
There is no additional information presented here. The best chance a customer has is the Account Protection Section 3.
https://www.coinbase.com/legal/user_agreement/united_states
Account Protection (Section 3): COIN will reimburse up to $1 million in crypto assets stolen due to a fault of their security. 2FA via text message is not sufficient to qualify for the reimbursements. That seems like something that should be made clear in the onboarding / identity verification, because 2FA via text is used all the time. When we did the identity verification it was not mentioned or stated. And let’s be honest, who reads the agreement except us?
Another one that’s not nice is that you must not have received a previous reimbursement. Well, if you guys get hacked twice, that’s certainly not my problem, is it?
Everything else is reasonable.
We did not find anything detailed about the insurance COIN has for themselves however. We still need to do that.
https://www.businessinsider.com/personal-finance/is-coinbase-safe
https://markets.businessinsider.com/news/currencies/coinbase-data-breach-crypto-customers-funds-stolen-accounts-phishing-attack-2021-10
The “hack” of 6,000 users’ money was a phishing scam. That was not a hack in the sense that we’re investigating. Phishing is terrible, but there isn’t that much the platform can do about it.
https://www.coindesk.com/markets/2019/08/09/coinbase-sets-out-how-it-foiled-a-sophisticated-hacking-attack/
In this case COIN was able to detect and stop a hack attempt which was quite sophisticated.
https://blog.coinbase.com/responding-to-firefox-0-days-in-the-wild-d9c85a57f15b
COIN openly responded to this attack. The detailed explanation is a positive. Yet, the attack was identified and blocked, which is of course positive in nature and therefore worth advertising publicly. Was there a blog post that discussed the white hacker attack as openly?
https://blog.coinbase.com/bitcoin-for-hacking-36145745d723
COIN has a white hacker program since 2014. That is something.
Other than that, we could not find a direct response except those listed and quoted in the news through google searches.
https://www.cnbc.com/2021/08/24/coinbase-slammed-for-terrible-customer-service-after-hackers-drain-user-accounts.html
In this case the article finally explains that the users were hacked and not COIN. However, the customer service response was not a great one. We did encounter this already in our initial research when comparing competitors.
https://blog.coinbase.com/committing-to-better-customer-service-during-this-time-of-heightened-interest-in-the-cryptoeconomy-5dc2637c4fa7
COIN did respond to the customer service situation and has taken steps to improve it.
SUMMARY
How does this new information and scuttlebutt change our probability assignments? The white hat hack has potential big implications for us. It shows that COIN is not immune to hacks and security threats. However, the platform was in testing, which means something as well. While the news made all other “hacks” sound like a COIN related problem, due to their bad customer service, it was the users who were hacked. This may result in bad press and short-term price drops (I smell opportunity), but it doesn’t reflect on the company’s competitive position.
We need to be aware of the black swan event. The probability that COINs security can be attacked has increased in our thinking. We do believe that the security first culture has a lot to do with how COIN responded to the white hack attempt as well as identifying a phishing scam directed at their employees.
Beware of the black swan