Re: Is Your Online Bank Vulnerable To Currency Rounding Attacks?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 10 Jan 2012 10:43:24 +1300
adam to Jeffrey Walton to Memory Vandal to Jeffrey Walton:

> I believe the term is "arbitrage" (not rounding attacks).

Now, it may be fashionable to bag ACROS here due to their initially
over-zealous description of the likely magnitude of the "binary
planting" "vulnerability", BUT did any of you _other than Memory
Vandal_ actually read the ACROS blog _at all carefully_?
If so _and_ you really understand what arbitrage is, you would
recognize that Memory Vandal is right -- this ain't arbitrage, at least
not as classically understood.
Let's look at your own justifications of your incorrect positions...
To quote the first result in adam's search:

   The simultaneous buying and selling of securities, currency, or
   commodities in different markets or in derivative forms in order to
   take advantage of differing prices for the same asset

To quote the first result from Jeffrey's search:

   A forex strategy in which a currency trader takes advantage of
   different spreads offered by brokers for a particular currency pair
   by making trades. Different spreads for a currency pair imply
   disparities between the bid and ask prices. Currency arbitrage
   involves buying and selling currency pairs from different brokers to
   take advantage of this disparity.

   For example, two different banks (Bank A and Bank B) offer quotes
   for the US/EUR currency pair. Bank A sets the rate at 3/2 dollars
   per euro, and Bank B sets its rate at 4/3 dollars per euro. In
   currency arbitrage, the trader would take one euro, convert that
   into dollars with Bank A and then back into euros with Bank B. The
   end result is that the trader who started with one euro now has 9/8
   euro. The trader has made a 1/8 euro profit if trading fees are not
   taken into account.

So, we see that arbitrage involves playing a difference in cross-rates
_between two [or more] markets_.
As the ACROS folk carefully and clearly point out, _if_ you actually
bothered to read the whole article at all closely, the issue they are
describing is purely possible due to _the customer_ executing trades at
one level of mathematical precision (as provided by the bank) and _the
bank_ rounding the payout to the customer to a lesser degree of
precision. _If_ the customer is able to take advantage of this
situation _at a small enough unit of currency_ the rounding "error"
(it's not really an error, but it contributes to what the bank may
consider an erroneous or undesirable outcome) will swamp the _loss_
that should be expected in the actual trade (ACROS went to some length
to explain that the trade should actually make a loss -- that is, after
all, how banks make a profit on currency trades -- _and_ explained the
magnitude of this loss -- if you missed that, go read it again).
Also, notice that _if you already have USD_ (an entirely likely, even
probable situation here) there is only one direction of trading
necessary here, so clearly not arbitrage at all.
So, adam and Jeffrey, much as you may not be pre-disposed to accept
what ACROS might say, you are wrong about this being simple arbitrage
and ACROS is correct that it is all about rounding practices and banks
trading currencies at different levels of precision from that at which
they pay out transactions (the latter is typically due to the fact that
historically currency is always tracked in whole units of the smallest
denomination, or perhaps more accurately, in whole single units of the
smallest denominational breakdown -- in NZ, my bank tracks my accounts
to the cent, but as NZ's smallest legal tender coin is now 10c, if I
cash out an account, they will round the payout to a 10c boundary).
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
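
The rounding effect described in the message above, worked through as an added example that is not part of the original post or of the ACROS article. The rates, the mid-market valuation of the payout and the function names are assumptions constructed for illustration; the example also compares rounding to the nearest cent with rounding in the bank's favour, a control the post itself does not discuss.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")

# Constructed rates (assumptions, not from the post). The bank sells EUR above
# the mid-market price, so at exact precision every conversion loses money.
MID_USD_PER_EUR = Decimal("1.2800")
BANK_USD_PER_EUR = Decimal("1.3000")


def payout_eur(usd, rounding):
    """EUR credited for `usd`: computed at full precision, paid in whole cents."""
    return (usd / BANK_USD_PER_EUR).quantize(CENT, rounding=rounding)


def customer_edge_usd(usd, rounding):
    """Mid-market value of the payout minus the USD paid.

    Negative is the expected case (the bank keeps its spread); positive means
    the rounding step gave away more than the spread earned.
    """
    return payout_eur(usd, rounding) * MID_USD_PER_EUR - usd


def exposed_amounts(rounding, max_cents=200):
    """Order sizes from 0.01 to max_cents/100 USD where rounding beats the spread."""
    amounts = (Decimal(c) * CENT for c in range(1, max_cents + 1))
    return [a for a in amounts if customer_edge_usd(a, rounding) > 0]


if __name__ == "__main__":
    for usd in (Decimal("0.01"), Decimal("0.05"), Decimal("1.00"), Decimal("100")):
        print(usd, payout_eur(usd, ROUND_HALF_UP),
              customer_edge_usd(usd, ROUND_HALF_UP))
    # Round-to-nearest is exposed only at very small order sizes; rounding
    # toward the bank (ROUND_DOWN) leaves no exposed size at all.
    print("nearest:", exposed_amounts(ROUND_HALF_UP))
    print("down:   ", exposed_amounts(ROUND_DOWN))
```

With these rates the most that rounding to the nearest cent can add is half a euro cent, so the exposed order sizes all sit below about 0.42 USD, which matches the post's point that the effect only matters at a small enough unit of currency.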