Computer scientists Tyler Moore (from the Southern Methodist University, Dallas) and Nicolas Christin (of Carnegie Mellon University) found 40 exchanges on the Web that offered a service changing bitcoins into other fiat currencies or back again. Of those 40, 18 have gone out of business—13 closing without warning, and five closing after suffering security breaches that forced them to close. Four other exchanges have suffered serious attacks but remain open.
One of those is Mt Gox, the largest Bitcoin exchange, with Moore and Christin stating that at its peak it handles more than 40,000 Bitcoin transactions a day, compared to a mean average of 1,716. It has been the victim of a huge number of distributed denial-of-service (DDoS) attacks over the past month during the peak of the Bitcoin bubble (and its subsequent bursting—though the price now appears to be rising again). Its latest statement, dealing with the attack it suffered on April 21, is long and comprehensive, seeking to assuage the fears of Bitcoin users who feel that Mt. Gox is becoming a weak chain in Bitcoin's infrastructure.
The sheer quantity of trade done on Mt. Gox has made it an extremely attractive target for hackers wishing to manipulate the wider Bitcoin price. That is the paradox that Moore and Christin discovered in their analysis—that an exchange needs to maintain a transaction volume above a certain level to survive, but becoming large enough to survive also makes a hack of that exchange worthwhile for cyber attackers.
The study said: "Exchanges handling 275 Bitcoins' worth of transactions each day have a 20 percent chance of being breached, compared to a 70 percent chance for exchanges processing daily transactions worth 5570 Bitcoins." Moore and Christin estimate that the median lifespan of any Bitcoin exchange is 381 days, with a 29.9 percent chance that a new exchange will close within a year of opening.
An extra risk for customers is losing their money from exchanges closing. Of the 18 closed exchanges, there was evidence that only six reimbursed their customers. Five did not, while there was not evidence enough to make a judgement regarding the remaining seven.
However, they found that there was still a significant degree of randomness behind the success or failures of many exchanges, which could be down to whether an exchange has a good or bad reputation (something they didn't control for). For instance, they point to Vircurex as an exchange that has had low transaction volumes since opening in 2011, and which suffered a large attack in 2013, but which has remained open regardless. Bitfloor, which lost money in one of the first high-profile Bitcoin break-ins, was not so lucky.
Also, a sample size of only 40 exchanges does means that some of their other results didn't reach statistical significance—it's going to take more time, as Bitcoin matures as a currency, for exchanges to appear and be eligible as samples for a more thorough analysis.
The paper, "Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk," has been published online and was presented at the 17th International Financial Cryptography and Data Security Conference.
This story originally appeared on Wired UK.