[Bitcoin Now] How To Prevent a 'Second Bithumb Incident'

The fallout from the mistaken 60 trillion won-scale Bitcoin payout incident at Bithumb, the second-largest virtual asset exchange in Korea, is rapidly expanding. As the financial authorities have announced an intensive investigation, Bithumb is expected to be unable to avoid future sanctions. It is also expected to affect the Basic Act on Digital Assets (the second-stage legislation on virtual assets) currently under discussion in the National Assembly. Experts stressed that, to prevent a recurrence of such incidents, it is most important to further sophisticate systems and establish a legal and regulatory framework.

In connection with Bithumb's erroneous payout incident, the Financial Supervisory Service has already signaled a high-intensity investigation. According to the financial authorities and the financial sector on the 10th, the Financial Supervisory Service gave Bithumb prior notice of the commencement of an inspection the previous day and launched a full-scale inspection starting today. This means the on-site check that began on February 7, the day after the incident occurred, was upgraded to a formal inspection just three days later.

Financial Supervisory Service Governor Lee Chan-jin said earlier, "In relation to the Bithumb incident, we are examining the adequacy of how internal controls are operated, and if we discover any violations, we plan to switch to an on-site inspection," adding, "To prevent similar incidents from recurring, we will also review other exchanges' status of holding and managing customer assets and their internal control systems."

Given the seriousness of the matter, the Financial Supervisory Service plans to deploy additional inspection personnel and focus on investigating how payouts came to be made in an amount that far exceeded Bithumb's actual Bitcoin holdings.

The possibility of stronger regulation is also being raised. Governor Lee said, "I wonder whether it will be possible for virtual assets to become part of the legacy system (be incorporated into the institutional framework) if we do not resolve, in some form, the problems with virtual asset information systems," and added, "If this issue is not resolved, we need a regulatory and supervisory framework that can even give rise to licensing risks." He also remarked, "The inspection results have brought to light tasks that must be strongly reinforced in the second-stage legislation on virtual assets," suggesting that regulation could be tightened under the Basic Act on Digital Assets now under discussion.

As this incident has sparked controversy over so-called "book-entry transactions" at virtual asset exchanges, Upbit, the largest virtual asset exchange in Korea, has moved to prevent unnecessary misunderstandings. According to Upbit, book-entry transactions refer to a method of managing assets through an electronic ledger (database). This is a system commonly used not only by all digital asset exchanges worldwide but also by traditional financial institutions such as banks and securities firms. Under this method, in order to process large volumes of transactions quickly, changes in account balances are reflected electronically before the actual movement of the underlying assets, or simultaneously with such movement.

An Upbit representative explained, "However, for the book-entry method to be trustworthy, procedures to verify 'accuracy' and 'consistency' are essential," adding, "For this reason, financial institutions such as banks and securities firms typically go through a separate settlement process after market close to check whether the figures on their systems match the actual assets they hold." The representative continued, "Because, by nature of blockchain technology, the balance of a wallet (on-chain) for digital assets can be confirmed publicly, Upbit uses this to continuously compare and manage consistency between (i) the quantity of digital assets actually stored in blockchain wallets (actual holdings) and (ii) the total quantity of digital assets recorded in Upbit's internal account ledger (ledger total)."

Upbit also disclosed a three-layer safety mechanism designed to fundamentally block incidents in which digital assets that are not actually held are paid out, thereby countering concerns that digital asset exchanges are structurally vulnerable. First, it periodically compares on-chain wallet holdings with the internal ledger total through continuous numerical reconciliation (Diff Monitoring). In addition, by operating accounts dedicated to events, adhering to a principle of securing payout quantities in advance, and establishing a multi-step internal approval and cross-checking system, it prevents system errors and discrepancies in event payout amounts. An Upbit representative said, "If, due to a system error or other reason, any attempt is made to record or pay out an amount exceeding the actual holdings in an event account, the continuous numerical reconciliation function immediately detects it and triggers an alarm, making it possible to implement control measures such as reporting to the responsible department and, if necessary, suspending the system," and explained, "In other words, it is a structure in which both people (internal controls) and systems (continuous monitoring) operate simultaneously."

Experts agree that, to prevent a recurrence of this kind of incident, it is necessary to advance systems and strengthen internal controls. Hwang Seokjin, a professor at the Graduate School of Information Security at Dongguk University, said, "When company assets go out, they must be verified in two or three layers, but that did not happen. It is a serious problem that, even though a large volume of coins was paid out within a specific time frame, it was not filtered out through monitoring," adding, "To prevent a recurrence, the most important thing in book-entry transactions is to match coins on-chain with coins on the ledger and ensure consistency." Moon Chulwoo, a professor at the School of Business at Sungkyunkwan University, said, "There is a need to inspect the kinds of system errors exposed by this incident that could be repeated," and added, "In the case of Bithumb, it needs to demonstrate efforts in terms of reinvesting in its systems and protecting customers."

There is also the view that legal regulations must be strengthened. Professor Hwang said, "There is not only a problem with the systems but also a regulatory vacuum at the institutional level," adding, "The ripple effects of the wrongful conduct were quite large, and someone has to be held responsible. But to hold someone responsible, there must be a legal basis, which has not yet been established, and that is a limitation. When enacting the basic law, the regulations should directly incorporate these issues so that compliance can be mandated."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.