On the Cryptopia hack - re. CRYPTO 101
Postponing my planned story for something a little unexpected...
"Dear Average Consumer
Yes an exchange might have exited and stole money
But does that mean we quit? It’s over? It all was a scam?
We get stronger, smarter, and hold these exchanges and people who operate them responsible
Sincere apologies to anyone w/ $$ on @Cryptopia_NZ"
Hi, I'm James Scaur. I worked at Cryptopia from 2017 through 2018.
I wanted to write this to show the average consumer what it's like on the inside of an exchange and why you shouldn't give up on getting your coins back from Cryptopia.
For those out of the loop:
Yesterday Cryptopia were hacked for somewhere between $4-11 million worth of various cryptocurrencies. You can read more via Stuff.co.nz or Cryptopia's official statement.
The history of Cryptopia as I knew it
Cryptopia was a cryptocurrency exchange originally founded in 2014 by Adam Clarke and Rob Dawson. If I recall correctly, they started it after the July 2014 hack of cryptocurrency exchange Cryptsy - to make sure no one got screwed like they did.
Over time the service turned from hobbyist project into fully-fledged business, with a large uptick in trading volume in mid 2017. I noticed a distinct change of priorities through 2018 from being a "one stop crypto shop" (i.e. former mining pool, crypto marketplace, forums, etc) to specialising in cryptocurrency trading.
Cryptopia quickly gained a reputation for it's large amount of coin listings, many considered 'shitcoins' by the crypto community. I think that's a fair critique, there were 550+ coins/tokens listed in late 2018 and we were struggling to support them.
During early 2018, they had many issues getting on top of our customer support. Cryptopia grew from 10000 users to over 2 million in under a year and there were nowhere near enough workers to help them. It's from this time that you'll see most of the accusations of Cryptopia being a scam coming on via Twitter/Reddit/etc (I'll explain these below).
You can read a founder statement by Rob and Adam from around this time that I think illustrates the spirit of the founders. From my perspective they were two of the most hardworking people I've ever met, and genuinely cared about making an kickass cryptocurrency exchange.
Recently Cryptopia were rated #24th cryptocurrency exchange in the world by the Blockchain Transparency Institute, who noted that Cryptopia were one of the "the biggest movers up the charts" indicating a lack of wash trading - unusual for an exchange listing so many low-market cap coins.
Since it's foundation until yesterday, Cryptopia hadn't had a single hack.
Common user complaints & suspicious behaviour - explained
It became a bit of an internal meme that Cryptopia was "Scamtopia" as commonly called in support tickets. We had many disgruntled customers well within their right to suspect us as a scam. I can assure you there was nothing shady going on, we just had no systems or automations. Hanlon's Razor is relevant.
We didn't send users their coins (example)
This was always caused by a miscommunication between our proxy server and wallets. Withdrawals were sent via a process like
- User issues withdrawal
- Withdrawal is set to "Pending"
- Withdrawal is taken up by proxy, changed to "Processing", command sent to wallet
- (Hopefully) transaction ID is returned with success/failure message. If not, withdrawal would remain stuck in processing.
What did this mean? Our database wouldn't have a clue whether the withdrawal went out or not. A support worker like myself had to go in and manually check the withdrawal transaction ID on a 3rd party block explorer, and see if there were matching transactions.
For a long time, we had no process in place to check if our withdrawals went out. We relied on customers raising support tickets to fix their withdrawals.
So yes - valid problem, withdrawals got stuck. But they were never stuck on purpose so we could make profit etc.
We removed coins without warning (example)
Unfortunately yep, back in the early days we would only announce delistings via our News page, no email notification, and you'd go back to your account with coins removed.
We didn't credit deposits, or we credited them inaccurately (example)
This was a similar issue - miscommunication between our proxy and wallets.
Sometimes a deposit would appear but it would never be 'Confirmed'. This could be down to a few reasons -
- We had no way of automatically detecting orphaned deposits and invalidating them - leading to confusion
- We couldn't detect Ethereum 'Smart Contract' deposits (example) - which means we'd need to manually credit them
- We used a lot of wallets that were never designed or tested with millions of transactions (for example ETN). They'd sometimes fail to load, and neither deposits would be recognized nor withdrawals sent out.
In other cases, we'd have to manually insert deposits - problems could happen here too. Multi-output transactions e.g. BTC would only credit the first amount, with the rest ignored - until it was manually fixed. And sometimes we would incorrectly insert the amount deposited.
One memorable mistake I made was accidentally copying only "20051" on a "15.20051" LUX transaction - the user almost got 200051 LUX instead of 15. (Yep, there was a very high degree of trust between exchange employees. I'm amazed we never had any bad actors.
For any average consumer's reading this, follow the rule of thumb that "if you have more than a week's paycheck in crypto, buy a Ledger/Trezor wallet")Of course there were many ways a customer could also mess up a deposit, but in the cases it was on our end, we were never manipulating the amounts or invalidating deposits for profit.
We didn't answer support tickets (example)
Another valid issue - in early 2018 we took months to respond to tickets.
But - unlike a scam - we eventually resolved them.
For the previous example, of crediting user withdrawals, this could often take more than 5 minutes per ticket, and often we'd have more than 200 of these tickets coming in per day. If you were unlucky enough to have a stuck withdrawal during the Janurary period, you may have waited more than 60 days for a response.
It's actually for these reasons I quit my job. I got sick of doing manual searches all day and knew the crypto ecosystem needed a bulk search block explorer, so I started txBatch.
We closed support tickets with incorrect answers (example)
There's no excuse for this, but there is a reason - we were overwhelmed and misdiagnosed issues.
The big question: are you getting your coins back?
I can't promise anything, and I don't represent the company. But taking the risk to my public identity, I would predict yes you will, or at least a percentage of them proportional to reserves minus hacked funds.
The founders of Cryptopia are two of the most legit and humble people I've ever met. You can critique Cryptopia on a lot, it definitely was a Wild West kind of startup - but Adam and Rob aren't the types to pull an exit scam.
I think there will be layoffs, and even the company may close - but I'm confident they'll both do their utmost to get you your coins back.
How to keep your crypto safe
Another exchange hack is a great time to brush up on cryptocurrency security. I actually agree with the sentiment of Crypto 101's original Tweet.
Do we quit? Is crypto a scam? No! We take this as a lesson and get smarter and stronger.
Here are some security guides that I recommend:
- MyCrypto’s Security Guide For Dummies And Smart People Too - by Taylor Monahan / MyCrypto.com
- How to keep your cryptocurrencies safe - by Alan Grainger / EasyCrypto.nz
- Wallets - Offline and Offline / Binance Academy
A request for help
I wrote this article to shine some light on the situation and resolve some worries. If you found it useful, can you consider helping me out with the following items?
- A lot of my old coworkers are likely getting laid off. If you work in the crypto industry and are looking to get some kickass backend devs/support agents/managers on board, I can forward you the best ones. My contact details: Keybase.io/JamesScaur, james at txbatch dot com, @JamesScaur on Twitter, and LinkedIn.
- My friend Bevan Barton has launched a killer dApp called Peepeth - it's like Twitter but you own your data. He's hosting a blockchain developers retreat in Bali - and you can get a ticket until 11:59pm PST tonight...
- I'm building txBatch.com - a bulk search block explorer, designed for cryptocurrency customer support. You can see our 5 minute demo here. If you'd like to try out our beta, email me via james at txbatch dot com.