Coronavirus Financial Crash Is Bitcoin’s Biggest Test, BitMEX Says

BitMEX, the world’s second largest crypto exchange by daily trading volume as of press time, believes that amid the ongoing global coronavirus crash, Bitcoin faces its biggest challenge and the opportunity to prove its potential during the global financial crisis.

The 2020 coronavirus financial crash could be the biggest opportunity Bitcoin has ever seen

On March 17, BitMEX’s research arm, BitMEX Research, published an analysis of the ongoing impact of the COVID-19 pandemic on the financial markets. Titled “Inflation Is Coming,” the blog post by BitMEX Research outlines the coronavirus financial market crash as the biggest economic turmoil since the 2008 financial crisis. In the same analysis, BitMEX also compared the downturn with the 2000 Dotcom bubble and the 1997 Asian crisis.

Pointing out that inflation is likely to reveal “one clear winner” under a new global financial regime, BitMEX Research emphasized that Bitcoin — created in 2009 as the first ever cryptocurrency — now has its biggest chance to purportedly prove its worth.

BitMEX Research wrote:

“In our view, in this changed economic regime, where the economy and financial markets are set loose, with no significant anchor at all, not even inflation targeting, it could be the biggest opportunity Bitcoin has seen, in its short lifetime.”

Stablecoin cryptocurrencies are already gaining notable market share

On the same day as BitMEX’s post, a different blog post tried to explain why Bitcoin experienced a major sell-off last week, plunging to as low as $3,600. As reported by Cointelegraph, BitMEX blamed two DDoS attacks for crashing its platform on March 13.

On March 16, famous billionaire investor and Bitcoin bull, Tim Draper, predicted that “it will be Bitcoin, not banks and governments, that save the day” after the world comes back from the crisis.

Apparently, Bitcoin is not the only cryptocurrency that is expected to prove itself during the global financial market’s ongoing instability. As reported by Cointelegraph, amid the global market turmoil, stablecoin cryptocurrencies have gained significant market share. Compare this to the industry’s altcoins, which experienced a major drop in their market capitalization during the same period. As such, Circle’s USD Coin (USDC) reached a new all-time high of $568 million on March 14 — the day after Bitcoin touched a multi-month low of $3,600.

Bitcoin Hodlers Not to Blame for Record 50% Price Plunge, Data Reveals

Recent volatility in the price of Bitcoin (BTC) “did not come” from those holding coins for several years or longer, research claims.

In findings published on March 17, Unchained Capital revealed that BTC which had been “parked” for an extended period did not begin moving as a result of price changes in 2019 or 2020.

Hodl waves show “hands of steel”

Uploading the latest edition of its “hodl waves” graphic, the company highlighted that the section of the Bitcoin supply in storage for five years or longer had increased over the past year.

“The volatility certainly didn’t come from the >5y HODLers. Are those coins lost or do those bitcoiners have hands of steel?” a tweet presenting the data queried.

“Over the course of the last year the percent of >5y coins has increased from 20.37% > 21.65%, or by ~233,800 BTC.”

Bitcoin hodl waves diagram. Source: Unchained Capital/ Twitter

According to hodl waves, it was those transactions involving coins stored for half a year or less which drove the market during 2019’s bullish phase and the current selloff.

“A majority of the volatility came from UTXOs 6 months old or younger,” Unchained Capital continued.

Big BTC miners aim to double market share

The findings were echoed by fellow monitoring resource Coin Metrics. Going forward, Cointelegraph Markets analyst Keith Wareing says, miners who survived the price crash will look to shield themselves from May’s block reward halving in advance.

They will do so by taking coins each block which smaller miners no longer claim after capitulating — the production cost for Bitcoin mining stood at around $8,000 as of last week.

“Why dump? Half the miners capitulate then only the hardware producing miners remain thus doubling their market share so then remain unaffected by the halving,” he summarized in private comments.

As Cointelegraph reported, sentiment among stalwart Bitcoin proponents has remained steadfast, even as the cryptocurrency trades down almost 50% versus just two weeks ago.

Winklevoss-Owned Nifty Becomes First USD-Based NFT Exchange

Nifty, a USD-based exchange for non-fungible tokens (NFTs), announced the completion of its ‘Nifty Gateway 2.0’ revamp on March 17.

The platform, which was purchased by the Winklevoss twins’ crypto firm Gemini in November 2019, describes itself as the first US dollar-based centralized exchange for NFTs.

The platform allows U.S. users to withdraw fiat currency, and plans to support fiat withdrawal for international users “as soon as possible.” All other services are currently available to international users.

Nifty to take cautious approach to new NFT listings

While users are able to list NFTs on the Nifty marketplace, the platform states that it will be “slow and intentional” about which tokens it supports:

“You may also deposit NFTs from other projects and put them up for sale on the marketplace — however, for the time being, we will be slow and intentional about which NFT projects we support, so that we can handle the volume, and deal with any fraud issues that may arise.”

Users can sign up and begin trading NFTs on Nifty with just an email address.

Nifty partners with celebrities to issue tokenized collectibles

Nifty also revealed it will create and release exclusive tokenized collectibles in partnership with celebrities over the coming months. 

The company will launch a new NFT approximately once every three weeks. The first collectible will be a product of collaboration between female mixed martial arts pioneer Cris Cyborg and photographer Lyle Owerko.

NFT platforms collaborate with sporting industry

A number of sporting companies and athletes seeking to drive new forms of fan engagement have announced partnerships with blockchain firms to release tokenized collectibles in recent months.

Earlier today, Cointelegraph reported that blockchain-based fantasy soccer game Sorare had inked a licensing deal with Italian soccer team S.S. Lazio. The partnership will see Sorare create tokenized player cards of Lazio’s athletes that can be used in weekly fantasy tournaments or traded on secondary markets.

Last month, CryptoKitties creators Dapper Labs announced a partnership with the UFC to create tokenized representations of fighters that can be traded or used within a game.

BitMEX Explains Why Bitcoin Nearly Hit $0 Last Week, Pays Out $200K

The meltdown at derivatives giant BitMEX, during which Bitcoin (BTC) fell to $3,600, has seen the company pay out compensation worth a modest $200,000.

In a blog post about the event, which occurred on March 13, BitMEX blamed “two DDoS attacks” for crashing its platform.

Ethereum traders see 40 BTC refunded

Coming at a time of intense volatility across Bitcoin markets, a botnet managed to consume hardware resources, ultimately causing BitMEX to fail altogether and go offline for around half an hour. 

As a result, many users claimed that they had lost funds via liquidations that should not have occurred. BTC/USD, meanwhile, could have hit $0 if the vicious circle which the attack triggered had continued, one researcher claimed.

“As part of our internal post mortem, the BitMEX team identified 156 accounts for which Last Price stops were clearly erroneously triggered on ETHUSD, caused by the unintended late processing of market orders during the first downtime at 02:16 UTC,” CEO Arthur Hayes confirmed. 

“For each stop that triggered erroneously during this period, BitMEX calculated the delta to the printed Index Price and refunded the user. A total of 40.297 XBT was refunded.”

At current levels, the refunds equate to $217,800.

Community to Hayes: “Nice try”

Hayes added that developers were working to shore up the platform’s operations in an attempt to shield it from further DDoS attacks while acknowledging that “no system is immune” to such a threat.

In reaction, suspicions continued to run high, with Twitter-based analyst Armin van Bitcoin giving Hayes little room for maneuver.

“Ain’t gonna work here. Nice try though,” he responded to the blog post. 

Additional questions center on BitMEX’s giant insurance fund, which only temporarily decreased in size last week before hitting fresh all-time highs of 36,493 BTC ($197.5 million). The fund, critics argue, should have been used to stem user losses. 

Addressing the issue, Hayes also took the opportunity to deny accusations that BitMEX had deliberately crashed its own systems.

“We operate a fair and efficient platform. Trading downtime degrades the experience for all customers and reduces our stature in the market. It would be against our own interests to fabricate downtime,” he concluded. 

“That said, it is clear that the community wants to know more about how liquidations interact with the insurance fund, especially in this very demanding scenario. We will share more details about this very soon.”

Brave Browser Delivers on Promise, Files GDPR Complaint Against Google

Earlier today, March 16, Brave filed a formal complaint against Google with the lead General Data Protection Regulation (GDPR) enforcer in Europe.

In a February Cointelegraph interview, Dr. Johnny Ryan, Brave’s chief policy and industry relations officer, explained that Google is abusing its power by sharing user data collected by dozens of its distinct services, creating a “free for all” data warehouse. According to Ryan, this was a clear violation of the GDPR. 

Aggravated with the situation and the lack of enforcement against the giant, Ryan promised to take Google to court if things don’t change for the better.

Complaint against Google 

Now, the complaint is with the Irish Data Protection Commission. It accuses Google of violating Article 5(1)b of the GDPR. Dublin is Google’s European headquarters and, as Dr. Ryan explained to Cointelegraph, the Commission “is responsible for regulating Google’s data protection across the European Economic Area”.

Article 5(1)b of the GDPR requires that data be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. According to Dr. Ryan:

“Enforcement of Brave’s GDPR ‘purpose limitation’ complaint against Google would be tantamount to a functional separation, giving everyone the power to decide what parts of Google they chose to reward with their data.”

Google is a “black box”

Dr. Ryan has spent six months trying to elicit a response from Google to a basic question: “What do you do with my data?” to no avail. 

Alongside the complaint, Brave released a study called “Inside the Black Box”, that: 

“Examines a diverse set of documents written for Google’s business clients, technology partners, developers, lawmakers, and users. It reveals that Google collects personal data from integrations with websites, apps, and operating systems, for hundreds ill-defined processing purposes.”

Brave does not need regulators to compete with Google

Cointelegraph asked Dr. Ryan how Google’s treatment of user data frustrates Brave as a competitor, to which Dr. Ryan replied:

“The question is not relevant. Brave does not — as far as I am aware — have direct frustrations with Google. Brave is growing nicely by being a particularly fast, excellent, and private browser. (It doesn’t need regulators to help it grow.)”

A recent privacy study indicated that Brave protects user privacy much better than Google Chrome or any other major browser.

In addition to filing a formal complaint with the Irish Data Protection Commission, Brave has reportedly written to the European Commission, German Bundeskartellamt, UK Competition & Markets Authority, and French Autorité de la concurrence.

If none of these regulatory bodies take action against Google, Brave has suggested that it may take the tech giant to court itself.

‘Not a Drill’ — Business as Usual for Bitcoin as Fed Bails out US

Bitcoin (BTC) has failed to hold onto gains once again as commentators warn that the interest rate cuts by the Federal Reserve are “not a drill.”

After the United States’ central bank cut rates to near zero on Sunday, BTC/USD briefly rallied but on Monday was falling in line with another panic trading session on traditional markets.

BTC, stock markets shed 7%

24-hour highs of $5,900 soon gave way to current lows over $1,000 beneath — press time levels center on $4,850.

Stocks broadly sank at the opening bell in Asia, Europe and London, with 7% losses commonplace as coronavirus concerns heightened.

The United Kingdom’s FTSE 100 fell below 5,000 points for the first time since 2011, with companies such as airline EasyJet shedding 30% of their share value.

For Bitcoin analysts, however, it was the lack of reaction to the Fed which was cause for more caution. Despite its “unprecedented” move, markets appeared less than optimistic about either the rate cuts or the injection of vast amounts of cash into the economy. 

“The last time the Fed did an emergency rate cut was during the 2008 financial crisis. Over the last two weeks, they did two separate emergency rate cuts that totaled 1.5% and brought us to 0% interest rates,” Morgan Creek Digital co-founder Anthony Pompliano summarized on Twitter.

“This is not a drill. These are unprecedented actions by the Fed.”

Bitcoin price versus the S&P 500. Source:

“No circuit breakers, no bailouts”

Previously, U.S. Treasury Secretary Steven Mnuchin described the total liquidity available to U.S. banks and businesses as “almost unlimited.”

Money printing on such a scale is music to the ears of those heavily invested in fixed-supply hard money such as Bitcoin. As Cointelegraph often reports, it is Bitcoin’s lack of manipulation by governments and central banks which allows it to “monitor itself” in times of crisis. 

After hitting almost 18-month lows last week, BTC steadied, reining in volatility and avoiding renewed heavier losses without any external intervention.

This, various sources noted on Monday, is in stark contrast even to stock markets, which are shut down automatically if losses occur too quickly.

“…The difference with #btc is that all that leverage/debt is cleared by the drop, all leveraged longs are liquidated, gone,” PlanB, creator of the stock-to-flow Bitcoin price model, explained on Sunday before the latest stocks tumble. 

“No circuit breakers, no bailouts, that is great, the system clears itself. Very different from stocks and bonds markets.”

Cardano to Roll Out Commercial Infrastructure, Denies Coronavirus Delay

Proof-of-stake (PoS) blockchain Cardano (ADA) is working on implementing commercial infrastructure. The coin’s officials have reassured the public that development is on schedule.

During a March 13 YouTube livestream, Charles Hoskinson — the CEO of IOHK, the firm behind Cardano — said that official updates about the coin’s critical commercial infrastructure should be expected in the coming months, but reassured that things are proceeding as expected.

Hoskinson explained that the people involved in the coin’s development are starting to set aside funding for dedicated commercial infrastructure, which he explained as follows:

“Cardano commercially critical infrastructure are things that Cardano needs for it — in our view — to be competitive against other cryptocurrencies.”

Hoskinson said that such infrastructure needs to ensure decentralized applications, such as the DeFi protocols, work properly on the blockchain. He also mentioned the Jormungandr node software is about to see an update that will allow for easier retiring of stake pools.

Hoskinson also claimed that Cardano’s development team is making good progress on the next network update, Shelley. He said that the number of bugs reported in the Shelley testnet has massively decreased over the last three weeks and the stability of the software is increasing.

Coronavirus doesn’t affect Cardano development

Recently, several industry news outlets reported that Cardano’s Shelley update will be postponed due to the coronavirus pandemic. Hoskinson was quick to deny such reports and call them “fake news” on Twitter earlier today.

Hoskinson was quite vocal about his high hopes for blockchain, cryptocurrencies, and decentralized finance largely changing how the world functions. As Cointelegraph recently reported, Hoskinson announced that “the economic order of the 20th century” is dead. He was referring to the centralized hierarchical economy that was built through “a series of treaties” made by a few great powers.

At the start of March, Cardano received praise from a major figure of a big four audit firm, the PwC. Recently the auditor’s legal leader said that the Cardano Foundation and the team surrounding IOHK’s CEO and founder, Charles Hoskinson, are a huge part of the decentralized future.

‘Extreme Fear’ Grips Markets Despite Oversold Bitcoin Price Metrics

Compared to the trading action of earlier this week, Bitcoin’s (BTC) price was relatively muted on Saturday as the digital asset traded between $5,045 and $5,641. Although the digital asset dropped more than 50.8% on March 12, it has since regained 37.5% to trade at $5,200. 

Crypto market daily price chart. Source: Coin360

Many in the crypto space are still attempting to piece together a narrative that explains the carnage of the past week and for the time being, the weekend closure of major equities markets appears to be mitigating some of the Coronavirus fear, which has negatively impacted both markets for weeks. 

Some traders and analysts continue to point accusatory fingers at BitMEX, claiming foul play on their part allowed the situation to escalate to near catastrophic levels. 

BTC USDT daily chart. Source: TradingView

At the time of writing, there is a neutral Doji candlestick on the daily timeframe, showing traders remain uncertain on the direction the price may take, and the candlestick by itself is neither bullish nor bearish.

Referring to other indicators helps provide a better picture of the prevailing trend, and a glance at the relative strength index (RSI) shows the indicator flat in oversold territory.

BTC USDT 4-hour chart. Source: TradingView

On the shorter, 4-hour timeframe, traders will notice that the RSI remains flat as buy and sell volume decrease and Bitcoin trades within a narrowing range between $5,517 and $5,021. 

Some traders would argue that the short-term frame supports a bullish case for Bitcoin as each 4-hour candlestick has formed a lower-high as price descends lower but the moving average convergence divergence, Stochastic RSI and RSI trend upward, and the MACD histogram shows an increase in positive momentum. 

Such bullish divergences have been the signal du jour for crypto traders for some time and the drop in trading volume and tightening Bollinger Bands also signal that an explosive move is bound to occur before the weekly close. 

Currently, the price is pinned beneath $5,500, where there is a high volume node on the volume profile visible range (VPVR), and there is support at $5,200 and $4,850. If Bitcoin price could push above $5,500 there is open air overhead and the price could rise to $7,650, but this is dependent on sustained volume and traders’ confidence that the event which catalyzed the drop to $3,770 has ended.

The current price action suggests that traders are taking profits as the range top is reached instead of opening long positions and buying on breakouts. 

Bullish scenario

BTC USDT 4-hour chart. Source: TradingView

If the price can break above the $5,500 resistance and reclaim the former support at $6,300 to $6,400, this would be an encouraging step. As mentioned earlier, given Bitcoin’s oversold position, the volume gap from $5,500 to $7,650 could easily be exploited by a high volume spike.

Such a move would set the price back in the $7,750 range Bitcoin traded in prior to last week’s meltdown and also set the asset up for a move back to $8,500. 

Bearish scenario

As shown by the daily time frame, losing the $5,200 support would be far less than ideal, even though Bitcoin bounced higher when the price dropped to $3,770 on March 13.

BTC USDT daily chart. Source: TradingView

To date, there is sufficient interest in Bitcoin at $3,769, a zone Bitcoin price nearly pierced during the precipitous drop. Below this level, the price of Bitcoin would look to form a double bottom at $3,384 and $3,177. 

One must remember that while not uncharacteristic of the sector, Bitcoin price is being heavily impacted by the financial crisis created by the COVID-19 pandemic. 

As the situation grows worse, investors expect that the markets will worsen, and so a self-fulfilling cycle driven by fear and the threat of long-term economic slowdown impacts asset prices.

Over the coming weeks, one should expect to see a series of multilateral stimulus packages launched by various governments, thus as equities markets possibly rise from financial bailouts, investor sentiment for risk-on assets, commodities and stocks could improve. 

Until then, it might be wise to either wait along the sidelines until a bottom is found in traditional markets or for those trading, play clearly defined ranges and rest in cash by the closing market bell or bedtime each day. 

Obviously, some Bitcoin investors will advise taking long positions and accumulating as a range develops but with the current global economic uncertainty, perhaps it is better for those with limited capital to rest in cash in order to live to trade another day. 

The views and opinions expressed here are solely those of the author and do not necessarily reflect the views of Cointelegraph. Every investment and trading move involves risk. You should conduct your own research when making a decision.

Bitcoin Price Crashing Due to Coronavirus Fear but Will BTC Hit $2K?

The price of Bitcoin (BTC) has seen a destructive week, as the price crashed 52% on one single day this week, one of the most massive crashes witnessed since Bitcoin came into existence.

Not only has Bitcoin been hit hard during the week, but equity markets have also seen their worst week since 2008, and other safe havens gold & silver have seen a selloff. The idea is that cash is king. However, are dropdowns set to continue, or are we temporarily done?

Crypto market daily performance. Source: Coin360

Bitcoin drops to $3,750 and has bounced by $2,000 since

The volatility of all markets has been skyrocketing during the week, as the VIX (Volatility Index in the USA) is reaching levels not seen since Bitcoin was invented. Similarly, Bitcoin has seen a drop from $7,500 to $3,750, after which the price jumped by $2,000 to $5,750 in the 24 hours after.

BTC USDT 1-day chart. Source: TradingView

The daily time frame is showing the selloff from last week. It’s also showing which levels the market should keep in mind for the coming period. The primary resistances above us are found at $6,400 and $6,800-6,900.

That’s quite far from here. Massive drops usually occur in a short period, through which support levels are found far away from each other. The other way around, during upwards rallies, the same occurs with levels there. An example is a rally from $3,100 to $14,000. This whole rally had movements of $1,000 in one hour, which makes gaps in the chart.

However, the main resistances are $6,400 and $6,800-6,900. Similarly, the support levels to be watched are $4,800 (as the price of Bitcoin has bounced on that weekly level), $4,250, and $3,700 as further support levels.

Currently, the price of Bitcoin tries to flip the $5,250 level as support. Making that level support gives the market space to test levels above us, which are $6,400 for instance.

Crypto fear & greed index hits extreme fear

Crypto fear & greed index. Source:

The crypto fear & greed index gives a proper perspective on the current sentiment of the market. It shows the level of 8 out of 100, which is named extreme fear. The number is significant, as the last time these levels were hit, the price of Bitcoin was $3,100 (November 2018) or $6,000 (February 2018 crash).

Remarkably, the level of fear on the equities fear & greed index is showing the level of 1, which means that there’s no belief anymore. However, the equities markets have seen a selloff of 30% in ten days. Dropdowns not seen before, unlike 2008 and 1929.

Does that mean we’re going to see further dropdowns? Well, it seems natural to expect further dropdowns the moment many countries decide to go in lockdown for the coronavirus.

But institutions and governments are already announcing solution packages for the economy. One of them was President Trump yesterday. This resulted in U.S. equity markets bouncing by 8% in 30 minutes, while Bitcoin jumped from $4,800 to $5,600 in these hours.

Nevertheless, a further dropdown is likely to occur, as the whole global economy is coming to grips with the coronavirus. However, the effects of that will usually come after some time, which will be later this year. In the short term, the fear and panic may hit peak levels as people anticipate more lockdowns.

Where does that leave us in the equity markets? Probably the so-called “bull trap” as shown in the Wall Street Cheat Sheet.

Wall street bubble pattern

The bubble pattern is pretty well-known among crypto investors, as they have experienced one during the past years. After the first massive selloff, there’s a period of calm upwards movements in which people expect things to be healthy and calm down.

Such a period could also occur in the equity markets in the coming months, as Western countries are going to take measures to contain the virus, which may stop the panic. However, the real economic impact will only show up later this year, which then would trigger a further downwards drop as is shown in the chart.

What’s next for Bitcoin?

It’s not unreasonable to expect further downwards momentum for Bitcoin, as BTC is massively seen as a risky asset and the first one to be sold. People need cash on hand rather than a volatile digital token.

However, the majority of the fear and panic could be priced in. The history of Bitcoin shows many 80%+ dropdowns, after which the price stabilized and slowly started to grind upwards. A similar case could occur here. From a technical point of view, it’s important to keep an eye on the 200-Week moving average, as it’s the key indicator for bullish/bearish markets on equity markets and Bitcoin.

BTC USD 1-week chart. Source: TradingView

The 1-week chart is showing the 200-Week MA. During 2015, a giant drop below the 200-week MA occurred as well, after which the price bounced back up and held the level.

It’s essential to keep an eye on this indicator and to see how the price will close during the coming weeks. As long as the 200-Week MA holds, the market could have seen a capitulation bottom.

Short term relief rally to $6,100 possible

BTC USD 30-min chart. Source: TradingView

The short-term view is showing a clear range through which Bitcoin is moving with resistances lying at $5,600-5,750. The support levels are found at $4,900-5,100.

As long as the lower support continues to hold, a continuation upwards and tests there are on the table. Such a push upwards makes levels of $6,100 possible as a relief rally and bearish retest.

However, in conclusion, Bitcoin is not out of the woods. It might have already made a capitulation bottom, but breaking below $4,800 may result in a further dropdown and test of the lows around $3,750.

If you’re trading in these markets, be aware of the high risks involved in these volatile times, and use proper risk management.

Bill Gates Departs Microsoft Board After Pledging $1.4M to African Blockchain

According to a press release, software developer, philanthropist, and Microsoft co-founder Bill Gates will depart the company’s board.

Now 64 years old, the business magnate started Microsoft alongside Paul Allen in 1975. The company is surely most known for its Windows computer operating system, which was first released in 1985 and remains as vital as ever today.

Microsoft announced a blockchain token and data management service at the end of 2019 that would be a new tool for users of its enterprise Azure service. Gates himself has also recently backed a blockchain-enabled security service for fintech companies operating in Africa and Asia called Crest, writing a check for $1.4 million earlier this month to help financial technology companies in these areas bring financial services to unbanked populations.

Microsoft’s release explains that Gates’ departure from the board is about making more time for his philanthropy and effort toward tackling climate change.

Voatz ‘Blockchain’ App Used in US Elections Has Numerous Security Issues, Says Report

Voatz, the Massachusetts-based company touting a blockchain-enabled mobile voting app, has been met with public criticism for a lack of transparency, among other things, particularly when it comes to data security. And with the threat of election tampering, the stakes are as high as ever. 

Voatz has been used in elections in West Virginia; Jackson County, Oregon; Umatilla County, Oregon; municipal elections in Utah County, Utah; as well as in runoff elections and municipal elections in Denver, Colorado. 

The public security audit by a reputable third-party firm that experts have been calling for is here at last. In December 2019, Voatz and Tusk Philanthropies, which funded most of Voatz’s mobile voting pilots, engaged security firm Trail of Bits to conduct a comprehensive white box audit. 

Although Voatz failed to provide a backend to live-test malicious attack vectors, Trail of Bits had access to all of the source code, including the core server, Android client, iOS client and administrator web interface.

The audit report is comprehensive, and includes a 122-page security review and a 78-page document on threat-modeling considerations. Here’s a quick rundown of the main parts.

Voatz doesn’t need blockchain

The appeal of blockchain voting is that it’s a decentralized system that doesn’t require voters to trust anybody. But the blockchain Voatz uses doesn’t actually extend to the mobile client. Instead, Voatz has been applying the votes to a Hyperledger Fabric blockchain, which it uses as an audit log — something just as easily done by using a database with an audit log. The code Trail of Bits looked at did not use custom chaincode or smart contracts. In fact, the report reads: 

“All data validation and business logic are executed off-chain in the Scala codebase of the Voatz Core Server. Several high-risk findings were the result of data validation issues and confused deputies in the core server that could allow one voter to masquerade as another before even touching the blockchain.”

Because voters do not connect directly to the blockchain themselves, they can’t independently verify that the votes reflect their intent. But anyone with administrative access to Voatz’s back-end servers has the ability to “deanonymize votes, deny votes, alter votes, and invalidate audit trails.”

The report found that the Voatz system doesn’t have any mitigation for deanonymizing voters based on the time their ballot was recorded in the blockchain. Although Voatz’s FAQ claims that “once submitted, all information is anonymized, routed via a ‘mixnet’ and posted to the blockchain,” this was called into question in an MIT report — and now again in this audit. 

“There does not appear to be, nor is there mention of, a mixnet in the code provided to Trail of Bits,” the audit reads. “The core server has the capability to deanonymize all traffic, including ballots.”

Trail of Bits confirmed MIT’s findings — Voatz disputed them

On Feb. 13, MIT researchers published the aforementioned report, “The Ballot Is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections,” to which Voatz responded with a blog post the same day to refute what it called a “flawed report,” leading the MIT researchers to post an FAQ with clarifications. 

It turns out that Voatz’s refutation was written three days after Trail of Bits confirmed the presence of the described vulnerabilities to MIT, having received an anonymized summary report of the issues from the United States Department of Homeland Security. This suggests that Voatz was aware that the report was accurate before publicly discounting it.

The audit also disputes some of Voatz’s objections to the MIT researchers’ reports. Voatz stated that the Android app analyzed was 27 versions old, but Trail of Bits wrote that it “did not identify any security relevant changes in the codebase” since the September 2019 version of the app used by the MIT researchers that would substantively affect their claims.

Voatz also took issue with the researchers developing a mock server, calling it a “flawed approach” that “invalidates any claims about their ability to compromise the overall system.” Voatz even wrote that this practice “negates any degree of credibility on behalf of the researchers.” 

But Trail of Bits claims that “developing a mock server in instances where connecting to a production server might result in legal action is a standard practice in vulnerability research. It is also a standard practice in software testing.” Furthermore, the report points out that the findings focused on the Android client, but did not rely on in-depth knowledge of the Voatz servers.

Prior audits were not comprehensive

Despite Voatz touting multiple security audits, this is the first time a white box assessment has been conducted, with the core server and backend having been analyzed. Although not all of the prior audits are public, Trail of Bits summarized all of them.

One prior security review was conducted in August 2019 by NCC, an independent, private nonprofit that doesn’t employ any technical security experts. The audit focused on usability rather than security. In July 2018, an unnamed vendor conducted a black box audit of Voatz’s mobile clients.

In October 2018, TLDR Security, now known as ShiftState, conducted a broad security hygiene review that included system architecture, user and data workflows and threat mitigation planning, but didn’t look for bugs in the system nor in the actual application. ShiftState then conducted another audit in December 2018, looking at whether the system operated as intended and followed best practices. 

Although ShiftState CEO Andre McGregor has previously said that Voatz “did very well,” Trail of Bits’ review of ShiftState’s audit points to issues with limited logging, unmanaged servers and a Zimperium anti-mobile malware solution that wasn’t enabled during the pilot. 

Since all of Voatz’s anti-tamper protections for mobile devices are based on Zimperium, it being inactive means the application could have been trivially tampered with, as Voatz lacks additional protection against malicious applications that could access sensitive information. 

The final audit, conducted by the DHS in October 2019, looked only at cloud resources, not at the application: whether there was evidence of hacking, and whether hacking could be detected if it took place.

Beyond the limitations of prior security assessments that Voatz has touted without making public — such as the fact that none of the audits included server and back-end vulnerabilities — Trail of Bits’ report states that the writeups from the other security assessments conducted were technical documents. This calls into question whether elected officials are making decisions based on documents they’re unqualified to read.

Voatz appears wildly disorganized

Trail of Bits’ assessment lasted an entire week longer than initially scheduled “due to a combination of delays in receiving code and assets, the unexpected complexity and size of the system, and the associated reporting effort.” 

Trail of Bits never received a working copy of the code, which prevented the firm from live-testing and left the researchers almost entirely limited to static testing, which required them to read through a massive amount of code. According to the report, Voatz has so much code that it “required each engineer to analyze, on average, almost 3,000 pure lines of code across 35 files per day of the assessment in order to achieve minimal coverage.”

Although Trail of Bits received access to the backend for live-testing a day before the assessment was scheduled to end, it was asked not to attack or alter the instance in a way that would deny service to concurrent audits.

Voatz made rookie mistakes — and doesn’t seem serious about fixes

Trail of Bits described several bugs that could lead to votes being observed, tampered with or deanonymized, or that could call the integrity of an election into question.

Beyond the fact that voters can’t independently validate that their ballot receipt is valid or that votes were tallied correctly, a Voatz employee could theoretically force a user to vote twice, allow them to vote twice or duplicate their vote without their knowledge on the backend. Also, Voatz uses an eight-digit PIN to encrypt all local data — something that could be cracked within 15 minutes.

Furthermore, the report found that the app doesn’t have security controls to prevent unattended Android devices from being compromised. Sensitive API credentials were stored in git repositories, which means anyone in the company with access to the code — perhaps even subcontractors — could use or abuse secret keys exposed in the repositories.

Voatz employees with admin access can look up specific voters’ ballots. Voatz uses an ad hoc cryptographic handshake protocol, which is generally not recommended — as homemade cryptography is prone to bugs, and it’s best to use encryption schemes that have been studied by researchers and tested out in the real world. The SSL (Secure Sockets Layer) wasn’t configured in an entirely secure way, missing a key feature that helps clients identify when a TLS (Transport Layer Security) certificate is revoked.

In one instance, Voatz even cut and pasted a key and initialization vector from a Stack Overflow answer. Cutting and pasting code is generally discouraged, even in college-level computer security courses, because the quality of information on Stack Overflow varies, and even good code might not work in a specific environment. However, cutting and pasting a key and IV is even worse, as it means that the key and IV used to encrypt the data are identical to something on the internet, even though it is not supposed to be public.
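Hardcoded keys and IVs, like the API credentials committed to git mentioned earlier, can be caught by a check run over source before it is merged. The scanner below is an added example, not the audit's tooling or Voatz's code; the sample lines are constructed, and the list of suspect identifier words is an assumption.

```python
import base64
import re

# Constructed sample (not Voatz code): Java-style lines a reviewer might meet.
SAMPLE = '''\
private static final String AES_KEY = "k3yMaterial-0001";
private static final String IV = "00112233445566778899aabbccddeeff";
String apiToken = System.getenv("API_TOKEN");
String greeting = "hello, voter!";
byte[] sessionKey = new byte[32];
'''

SUSPECT_WORDS = {"key", "iv", "nonce", "secret", "token", "password"}  # assumed list
AES_SIZES = {16, 24, 32}  # AES key sizes in bytes; an AES IV is 16 bytes
# identifier, then = or :, then a quoted literal of at least 8 characters
ASSIGNMENT = re.compile(r"""\b([A-Za-z_]\w*)\s*[:=]\s*["']([^"'\n]{8,})["']""")


def name_words(identifier):
    """Split snake_case and camelCase into lowercase words."""
    spaced = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", identifier)
    return set(spaced.lower().split("_"))


def classify(literal):
    """Say whether the literal has the size of AES key or IV material."""
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", literal) and len(literal) // 2 in AES_SIZES:
        return "hex-%d" % (len(literal) // 2)
    try:
        raw = base64.b64decode(literal, validate=True)
        if len(raw) in AES_SIZES:
            return "base64-%d" % len(raw)
    except ValueError:  # binascii.Error is a subclass of ValueError
        pass
    return "raw-%d" % len(literal) if len(literal) in AES_SIZES else "literal"


def scan(source):
    """Return (line_number, identifier, kind) for each hardcoded secret."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for name, literal in ASSIGNMENT.findall(line):
            if name_words(name) & SUSPECT_WORDS:
                findings.append((number, name, classify(literal)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("line %d: %s holds a hardcoded %s value" % finding)
```

The two flagged lines are the literal key and IV; the token read from the environment and the key buffer allocated at runtime pass, which is the pattern the fix should move toward.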

Even when summarized, Trail of Bits’ recommendations are eight pages long. Voatz appears to have addressed eight security risks, partially addressed another six, and left 34 unfixed. Typically, companies have a comprehensive plan on how to fix high and medium risks. Shockingly, Voatz decided it “accepts the risk” of many of these bugs, essentially accepting risk on behalf of the voters rather than making the fixes suggested by the firm it hired.

Cointelegraph has reached out to Voatz with a list of questions, and the article will be updated once the company responds. Both Tusk Philanthropies and Trail of Bits referred Cointelegraph to their separate blog posts about the audit and to the report itself.

Bitcoin Under $1K is Possible Warns Veteran Trader Peter Brandt

Bitcoin dipped below $4000 today, for the first time since the depths of crypto winter — and one veteran market analyst believes it could have even further to fall.

Crypto markets have been in freefall following the announcement of travel bans yesterday between the U.S. and Europe, and ongoing volatility in all financial markets. 

Veteran trader Peter Brandt — who is famous for correctly predicting the market crash from the all-time high — today tweeted an answer that no one wanted to hear in response to an inquiry about the new ‘bottom’ for Bitcoin due to coronavirus.

Brandt said that if he looks at the Bitcoin chart “without bias” the new bottom is potentially “sub-$1,000”. That’s almost 80% below the current price, which is just under $5000.

Brandt is more bullish than bearish

The one-time commodities analyst is no crypto skeptic — in fact, he’s often more bullish than bearish about Bitcoin, and believes that parabolic increases in the Bitcoin chart could see it hit $140,000.

Brandt also correctly tipped a price spike during the depths of crypto winter shortly before the Bitcoin price doubled in mid-July. 

Effects of coronavirus restrictions on crypto markets

Bitcoin sliced through the $5,500 and $5,200 support and even briefly dropped below $4,000 today — close to retesting 2-year lows — before rebounding by more than $1000 within minutes. 

Altcoin prices also took heavy losses. At the time of writing, notable losers were Ether (ETH), with a 43.06% loss, Bitcoin Cash (BCH), which has dropped 42.85%, and XRP, which now trades at a multi-year low of $0.13.

Blockchain conferences worldwide have also suffered the effects of COVID-19. Italy’s upcoming EDCON has been cancelled, and no new dates have been announced for South Korea’s Nitron Summit 2020. Meanwhile, the second firm to launch Bitcoin Futures in the U.S., CME Group, announced it would close the trading floor today (March 13), although trading will continue online as normal.