A Top African Crypto Startup Lost Over USD 27 K To Rogue Users After A Glitch
The BuyCoins crypto heist
On the evening of Monday, June 8, BuyCoins Africa — one of the fastest-growing cryptocurrency exchanges in Africa — suffered a glitch that cost it no less than USD 27 K (NGN 10.4 Mn).
Apparently, a number of users had taken advantage of a loophole in the system to withdraw more Ethereum (ETH) and Litecoin (LTC) than they owned to their Binance accounts.
By the time Buycoins Africa flagged and fixed the vulnerability to stop the heist, the rogue users had moved more funds than the amount Binance recently impounded from hackers tied to a similar heist on a South Korean exchange.
On May 13, Binance; the world’s biggest crypto exchange, froze ETH stolen from Upbit in 2019 immediately after a suspicious transaction was reported. An address associated with the USD 50 Mn hack of the South Korean crypto exchange, had moved some of the stolen Ethereum (ETH) to Binance. And it took only a few minutes for Binance to step in.
However, Nigeria’s BuyCoins Africa, a YC-backed startup, didn’t quite enjoy such a swift response. The company’s CEO, Timi Ajiboye, who revealed that this case even involves more money than that of the Upbit heist, had decried the sluggishness of Binance in responding to their case.
According to Ajiboye, 24 hours after the glitch saw rogue users illegally move out more than USD 27 K from BuyCoins Africa to their Binance accounts, Binance was yet to act.
“Their response (and lack of support) has been surprisingly disappointing, especially considering that Binance is no stranger to such issues (even on their own platform),” Ajiboye had lamented in a series of tweets.
“Very shocking considering how passionate about Africa/Nigeria they (Binance) present to be (they initiated many convos with BuyCoins about collab and the market, prior to launching here),” he had added.
The CEO, however, assures BuyCoins users of the safety of their funds, stating that all user funds have been replaced and that the vulnerability has since been fixed while also declaring that a lot of internal re-architecture is being undertaken to make sure the glitch doesn’t reoccur.
WeeTracker reached out to BuyCoins Africa for specific information on the extent of the damage done and exactly how much had been carted away. The company said it “did not have further comments to make about this outside of Timi’s Twitter Thread.”
On their part, Binance told us that they are “already in touch with BuyCoins and both companies are working together to resolve this issue.”
The company also commented on why it appears to have taken much more time to act on the BuyCoins issue than it did with Upbit, hinting that both cases aren’t exactly the same. A Binance representative told WeeTracker that its CEO, Changpeng Zhao (CZ), has “already responded to Timi on Twitter and addressed the misconceptions around the Upbit issue.”
Indeed, CZ has since responded to Ajiboye, stating that the Binance team is up to speed with the matter but the expected swift action was not feasible in this case.
“Our team is looking into it. Please understand we can’t freeze accounts just because someone asked us to. We have to go through proper verification procedures. The Upbit case was public and fairly conclusive from blockchain analysis,” CZ tweeted at Ajiboye.
However, BuyCoins Africa has opted to not sit on its backside and wait. The fast-rising Nigerian crypto exchange has taken some stiff action targeted at virtually all of its users since the heist. And many users — some of whom were already outraged because of the abrupt stoppage of the startup’s referral programme — are now incensed.
Between BuyCoins and its “angry” users
African countries have the highest cryptocurrency adoption rates in the world. South Africa ranks 3rd globally in terms of crypto adoption with 13 percent of its internet users owning or using cryptocurrencies. Nigeria occupies 5th spot with 11 percent of internet users owning digital assets. The worldwide average for the same stands at 7 percent.
These are some of the findings from a recent report titled: The State of Crypto: Africa, put together by Arcane Research. The report also suggests that the unique combination of Africa’s economic and demographic trends makes the continent a potentially enormous crypto industry. And true to that, crypto has been on a roll in these parts in recent years.
BuyCoins Africa is one of the startups fuelling the continent’s new-found fondness for crypto. The company kicked off operations as BitKoin Africa in 2017 and after a rather slow start, it has recently morphed into one of the fastest-growing crypto exchanges on the continent.
BuyCoins Africa takes a hybrid approach to the buying and selling of cryptocurrencies, allowing users to buy from the regular exchange interface or the peer-to-peer platform. In May 2020, over USD 17 Mn was traded on the platform — by far surpassing its monthly all-time-high of USD 7.6 Mn.
For context, the entire volume traded on BuyCoins in 2018 was less than USD 4 Mn. Throughout 2019, the total volume traded was approximately USD 28 Mn. But in 2020 so far, the startup claims over USD 35 Mn has already been traded. This implies that the first 5 months of 2020 has already outdone the two previous years combined.
In fact, BuyCoins’ CEO did recently say he found it “weird (in a good way) that the volume the first version of BuyCoins (Bitkoin) did in a whole year is less than what we do every day.”
The growth, which is in spite of the devaluation of the local currency and zero ad spends on the part of the startup, is indicative of a crypto boom in Nigeria and beyond.
However, BuyCoins Africa seems to be having a sour moment. A few months ago, the startup created a referral program for its peer-to-peer service. It was a way for BuyCoins to reward its users for inviting people to use the BuyCoins app.
That referral programme was cut short just days before the system breach happened because it was discovered that a number of users were trying to game the referral system by creating multiple accounts with multiple identities in order to earn referral rewards.
“There were over a thousand user accounts involved in this and we had to restrict all the accounts involved while we conducted further investigation,” the company stated in a post. “Because of this, we decided to end the referral program on Saturday, 6th of June 2020, and suspend the payment of referral bonuses.”
This declaration didn’t go down well with many users who were convinced that they had been two-timed.
Then, two days later, the heist happened and BuyCoins had to restrict many more user accounts, suspending all trading activity even though some users were still allowed to fund their wallets and only learned of the restriction after.
At the moment, it is understood that many accounts (both innocents and culprits potentially) are still restricted on BuyCoins as the company carries out a compulsory ID sweep in an attempt to nab the perpetrators of the Monday night heist. And many users are fuming.
Featured Image Courtesy: TheEconomicTimes