Full Disclosure mailing list archives

Re: Is Your Online Bank Vulnerable To Currency Rounding Attacks?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 10 Jan 2012 10:43:24 +1300

adam to Jeffrey Walton to Memory Vandal to Jeffrey Walton:

I believe the term is "arbitrage" (not rounding attacks).

Nope: https://en.wikipedia.org/wiki/Arbitrage
http://www.google.com/?q=currency+arbitrage. *sigh*.



Now, it may be fashionable to bag ACROS here due to their initially 
over-zealous description of the likely magnitude of the "binary 
planting" "vulnerability", BUT did any of you _other than Memory 
Vandal_ actually read the ACROS blog _at all carefully_?

If so _and_ you really understand what arbitrage is, you would 
recognize that Memory Vandal is right -- this ain't arbitrage, at least 
not as classically understood.

Let's look at your own justifications of your incorrect positions...

To quote the first result in adam's search:

   The simultaneous buying and selling of securities, currency, or
   commodities in different markets or in derivative forms in order to
   take advantage of differing prices for the same asset

To quote the first result from Jeffrey's search:

   A forex strategy in which a currency trader takes advantage of
   different spreads offered by brokers for a particular currency pair
   by making trades. Different spreads for a currency pair imply
   disparities between the bid and ask prices. Currency arbitrage
   involves buying and selling currency pairs from different brokers to
   take advantage of this disparity. 

   For example, two different banks (Bank A and Bank B) offer quotes
   for the US/EUR currency pair. Bank A sets the rate at 3/2 dollars
   per euro, and Bank B sets its rate at 4/3 dollars per euro. In
   currency arbitrage, the trader would take one euro, convert that
   into dollars with Bank A and then back into euros with Bank B. The
   end result is that the trader who started with one euro now has 9/8
   euro. The trader has made a 1/8 euro profit if trading fees are not
   taken into account.

So, we see that arbitrage involves playing a difference in cross-rates 
_between two [or more] markets_.

As the ACROS folk carefully and clearly point out, _if_ you actually 
bothered to read the whole article at all closely, the issue they are 
describing is purely possible due to _the customer_ executing trades at 
one level of mathematical precision (as provided by the bank) and _the 
bank_ rounding the payout to the customer to a lesser degree of 
precision.  _If_ the customer is able to take advantage of this 
situation _at a small enough unit of currency_ the rounding "error" 
(it's not really an error, but it contributes to what the bank may 
consider an erroneous or undesirable outcome) will swamp the _loss_ 
that should be expected in the actual trade (ACROS went to some length 
to explain that the trade should actually make a loss -- that is, after 
all, how banks make a profit on currency trades -- _and_ explained the 
magnitude of this loss -- if you missed that, go read it again).

Also, notice that _if you already have USD_ (an entirely likely, even 
probable situation here) there is only one direction of trading 
necessary here, so clearly not arbitrage at all.

So, adam and Jeffrey, much as you may not be pre-disposed to accept 
what ACROS might say, you are wrong about this being simple arbitrage 
and ACROS is correct that it is all about rounding practices and banks 
trading currencies at different levels of precision from that at which 
they payout transactions (the latter is typically due to the fact that 
historically currency is always tracked in whole units of the smallest 
denomination, or perhaps more accurately, in whole single units of the 
smallest denominational breakdown -- in NZ, my bank tracks my accounts 
to the cent, but as NZ's smallest legal tender coin is now 10c, if I 
cash out an account, they will round the payout to a 10c boundary).


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
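The mechanism Nick describes (the trade computed at the bank's full precision, the payout credited at a coarser one, and at a small enough unit the rounding gain outweighing the spread loss) can be modelled directly. The following is an added example, not code from the post, from ACROS or from any bank: the EUR/USD rates, the cent granularity and the function names are constructed assumptions. It compares three payout rounding policies and includes the audit a defender would want, namely checking that no single round trip of any size up to a given number of cents can come out positive for the customer.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_HALF_EVEN, ROUND_DOWN

# Constructed example rates (an assumption, not figures from the post or from ACROS):
# the bank quotes EUR against USD with a spread, so an honestly rounded round trip
# USD -> EUR -> USD must lose money for the customer.
BANK_SELLS_EUR_AT = Decimal("1.32")   # USD the customer pays per EUR bought
BANK_BUYS_EUR_AT = Decimal("1.30")    # USD the customer receives per EUR sold
CENT = Decimal("0.01")                # payouts are credited in whole cents


def round_trip(usd_in, rounding):
    """Simulate USD -> EUR -> USD, rounding each credited amount to the cent
    under the given decimal rounding mode (e.g. ROUND_HALF_UP).
    Returns (eur_credited, usd_credited) as strings."""
    usd_in = Decimal(str(usd_in))
    # The trade itself is computed at full precision; only the amount
    # credited to the customer's account is rounded.
    eur = (usd_in / BANK_SELLS_EUR_AT).quantize(CENT, rounding=rounding)
    usd_out = (eur * BANK_BUYS_EUR_AT).quantize(CENT, rounding=rounding)
    return str(eur), str(usd_out)


def max_customer_gain(rounding, max_cents=100):
    """Audit a rounding policy: the largest net USD gain a customer can get
    from a single round trip of any size from 1 to max_cents cents.
    A sound policy returns a negative value (every trade loses the spread)."""
    best = None
    for cents in range(1, max_cents + 1):
        usd_in = cents * CENT
        _, usd_out = round_trip(usd_in, rounding)
        gain = Decimal(usd_out) - usd_in
        if best is None or gain > best:
            best = gain
    return best


if __name__ == "__main__":
    policies = (
        ("half-up", ROUND_HALF_UP),
        ("half-even", ROUND_HALF_EVEN),
        ("down (bank's favour)", ROUND_DOWN),
    )
    for name, mode in policies:
        print(
            f"{name:22s} 0.02 USD -> {round_trip('0.02', mode)}   "
            f"1000 USD -> {round_trip('1000', mode)}   "
            f"worst single-trade leak: {max_customer_gain(mode)}"
        )
```

With these constructed rates a 1000 USD round trip loses about 15 USD under every policy, which is the spread loss ACROS describe. At 0.02 USD, however, both half-up and half-even rounding credit one cent more than was paid in, so the audit reports a positive worst case for them: "fair" rounding does not close the gap. Only rounding payouts down, in the bank's favour, keeps every trade at a loss for the customer; a minimum trade size is the usual complementary control.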
