HodlHodl Forced Liquidations Compromised – Bitcoin Magazine

On August 1st, peer-to-peer bitcoin trading and lending platform Hodl Hodl tweeted that the company was upgrading its security measures and contacting users individually by email. A few hours later, the firm said it was force-liquidating some contracts on its lending platform, without further explanation. Today, Hodl Hodl released a PGP-signed statement explaining the events and apologizing for the lack of proper communication.

“[We] have started migration/liquidation of user contracts to prevent the potential loss of funds,” the statement read. “Unfortunately, our recent internal and external audit identified that some user payment passwords might have been compromised. This affected a limited number of contracts, but we are taking proactive measures to ensure that everyone is safe.”

Hodl Hodl’s escrow-based lending system has three keys: the lender’s, the borrower’s, and another held by the company itself. These keys make up the platform’s 2-of-3 multisignature escrow, in which two signatures, and thus two keys, are required to spend funds locked in a lending contract’s multisignature address.

User private keys, for both lender and borrower, @6102bitcoin explained, “are generated using a user-specified ‘payment password’ in combination with a client-side random number generator.” If this password is weak, Hodl Hodl or a man-in-the-middle could recover one or more keys through brute-force attempts and steal the funds.
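The escrow arrangement described above, as an added example that is not Hodl Hodl's code or part of the original article: it builds and parses a standard Bitcoin m-of-n CHECKMULTISIG script for the 2-of-3 case, so a user can confirm the threshold and keys in an escrow script, and lists which key holders together meet that threshold. The placeholder keys, holder labels and function names are constructed for illustration; the article does not state which script type the platform uses.

```python
from itertools import combinations

OP_CHECKMULTISIG = 0xAE  # OP_1..OP_16 are encoded as 0x51..0x60

def build_multisig_script(m, pubkeys):
    """Standard multisig script: OP_m <pk1>..<pkn> OP_n OP_CHECKMULTISIG."""
    if not 1 <= m <= len(pubkeys) <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    body = b"".join(bytes([len(pk)]) + pk for pk in pubkeys)
    return bytes([0x50 + m]) + body + bytes([0x50 + len(pubkeys), OP_CHECKMULTISIG])

def parse_multisig_script(script):
    """Return (m, [pubkeys]); raise ValueError if the script is not well formed."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    m, n = script[0] - 0x50, script[-2] - 0x50
    pubkeys, i = [], 1
    while i < len(script) - 2:
        size = script[i]  # direct push opcode: 33 (compressed) or 65 (uncompressed)
        if size not in (33, 65) or i + 1 + size > len(script) - 2:
            raise ValueError("bad public key push")
        pubkeys.append(script[i + 1:i + 1 + size])
        i += 1 + size
    if not 1 <= m <= n <= 16 or n != len(pubkeys):
        raise ValueError("threshold does not match key count")
    return m, pubkeys

def spending_coalitions(m, holders):
    """Every minimal set of key holders that meets the m-of-n threshold."""
    return [set(c) for c in combinations(holders, m)]

def can_spend(m, exposed_holders):
    """True if the holders whose keys are exposed reach the threshold."""
    return len(set(exposed_holders)) >= m

# Constructed placeholder keys (33 bytes, compressed-key prefix), not real keys.
HOLDERS = ["lender", "borrower", "platform"]
KEYS = [bytes([0x02]) + bytes([i]) * 32 for i in (1, 2, 3)]
ESCROW_SCRIPT = build_multisig_script(2, KEYS)

if __name__ == "__main__":
    m, keys = parse_multisig_script(ESCROW_SCRIPT)
    print(f"{m}-of-{len(keys)} escrow")
    for coalition in spending_coalitions(m, HOLDERS):
        print("meets threshold:", sorted(coalition))
    print("one user key exposed:", can_spend(m, {"borrower"}))
    print("platform key plus one user key:", can_spend(m, {"platform", "borrower"}))
```

A single exposed user key does not meet the threshold on its own, which is why the article names the platform, which already holds one key, alongside a man-in-the-middle.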
