Is CeFi any safer than DeFi?
BitMart, the self-proclaimed “Most Trusted Crypto Trading Platform”, has lost ~$196M from two of its hot wallets on Ethereum and BSC.
The stolen assets (mostly memecoins) total ~$100M on Ethereum and ~$96M on BSC.
Eventually, BitMart CEO Sheldon Xia announced that the withdrawals had in fact been down to a “security breach”, going on to inform users that “At this moment we are temporarily suspending withdrawals until further notice.”
CEXs are supposed to provide their users with trust.
With this latest “security breach” sending BitMart straight to number 2 on our leaderboard, one obvious question springs to mind.
If CeFi isn’t any safer, why use it?
On Ethereum, the affected wallet, labelled Bitmart 2, was drained of the majority of its contents. The only substantial remaining asset balance is ~$40M of BitMart’s own token, presumably because of the difficulty unloading it outside of the exchange.
The affected wallet on BSC: 0x8c128dba2cb66399341aa877315be1054be75da8
Breakdown of losses by token on Ethereum (~$100M).
Breakdown of losses by token on BSC (~$96M).
The hacker transferred BitMart user funds from the hot wallets to the following addresses:
Ethereum 1: 0x39fb0dcd13945b835d47410ae0de7181d3edf270
Ethereum 2: 0x4bb7d80282f5e0616705d7f832acfc59f89f7091
From there, the various memecoins were swapped via 1inch to ETH and BNB before being washed via TornadoCash.
BitMart is still investigating what caused the security breach, and has yet to comment on any reimbursement for affected users.
The Security section of their website states that <0.5% of their assets are kept in hot wallets.
This puts BitMart’s total assets at over $39 billion…
If that figure is really true, then a full refund for affected users should be no problem.
Centralised platforms exist as a trusted go-between for those who may have reservations about interacting directly with crypto.
Users give up custody of their assets with the expectation that the people managing them are experts in security and best practise.
It remains to be seen how the attacker managed to gain access to the wallets in question.
Hopefully it wasn’t another basic OPSEC error such as granting unlimited approvals to an EOA, as in Celsius’ case.
These are understandable mistakes when it comes to individuals and smaller balances. But at this level it’s hard to forgive, especially when CeFi represents the corrupt legacy financial system cashing in on the innovation of DeFi.
A Cayman-registered corporation has lost close to $200M. Their communications team first denied and then downplayed the losses. All this while freezing withdrawals until out of the news cycle, when the fear of a “bank run” has subsided.
Do these middlemen deserve to take a profit?
And if they insist on doing so, will BitMart at least commit to refunding their users?
If you enjoy our work, please consider donating to our Gitcoin Grant
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
Nothing to see here… Another CEX rekt, $7.94M stolen. The USP of centralised finance grows smaller by the day.
Another CEX rekt, but they have yet to admit it. ~$33.7M taken, hundreds of users affected, and Crypto.com are still claiming that "funds are safe".
New year, old news. Rug pulls are common on Binance Smart Chain; we’re only mentioning this one because it was larger than most. ~$10 million taken, and Arbix Finance are nowhere to be seen.