Did you hear about the battle over GameStop between Reddit-based stock traders and big hedge funds during January? You better know how the vulnerabilities in your app can hurt you and cost lives for some.

This is about how the vulnerabilities and limitations of a popular stock trading app, Robinhood, were exploited by a group of stock gamblers on the subreddit r/wallstreetbets to not only gain profits for themselves but hurt Robinhood financially and eventually strike a blow at the heart of Wall Street finance itself. It is a lesson to devs, testers and company owners that in the ages of social media, financial vigilantism and doing things just to troll, the costs of lack of vigilance and underestimating your user base are far more costly than ever before. Robinhood’s experience also shows that the costs associated with bugs and limitations are amplified infinitely when social media and highly visible trolling are taken into account.

The Medium – GameStop

Over January 2021 the 4 million members of the retail stock trading subreddit r/ wallstreetbets did something utterly incredible that caused major ripples throughout the US financial system.

The US bricks and mortar computer games retailer Gamestop had been struggling for several years. The COVID-19 lockdowns then hurt it badly such that it closed 300 stores at a loss of $165 million, its prospects looked bleak and its share price was in the doldrums. 

Some US hedge funds, notably Melvin Capital and Citron Research decided to take advantage of Gamestop’s continuing decline. They did this by short-selling its stock – borrowing stock from other financial services institutions to sell and push down the share price, repurchase later and pocket the difference. The short-selling was enormous, with at one point more than 140% of the total shares issued being shorted.

Instigated by the update posts of a member of r/wallstreetbets, Keith Gill aka Reddit user u/DeepFuckingValue, members of the subreddit and associated Discord decided that this situation could be reversed by buying cheaper Gamestop (known as $GME) shares or put options (options to buy the stock at a specific price at a later date) to force up the price. Since shares borrowed for short selling have to be bought back and returned by a certain date, the buying by r/ wallstreetbets users put pressure on the funds shorting the stock to buy it back (thus forcing up the price further) at a loss. This is a common technique known as a short squeeze. Similar short squeezes were done against the similarly short sold cinema chain AMC and phone companies Nokia and BlackBerry.

WallStreetBets users had various motivations. The subreddit, calling itself “Like 4chan found a Bloomberg terminal.” has a great irreverence of usual risk-based trading and investing approaches favoured by Wall Street and antipathy and meme-based mockery of Wall Street institutions. It also has a culture of heavily leveraged options trading, taking large gambles to make profits (known as “tendies”) quickly (and in this case, there were great profits to be had), with heavy wins and losses frequently shown off in posts. Members often see themselves as the vanguard of the common trader against the powerful elites of Wall Street, a democratizing force in finance. However other commentators like Bloomberg’s Matt Levine put the motivation down to boredom and trolling – just “utter nihilism, a story perhaps best told with rocket emojis”.

The Robinhood Mobile App and Brokerage

To explain how it provides a warning for testers and tech teams it is necessary to provide some history. The most popular brokerage and trading platform for retail and small traders was the mobile app startup Robinhood. Charging no brokerage fees and allowing small purchases of even fractional shares, was an extremely easy way for young people with time on their hands and only small amounts in their pockets to get started in the world of share investment and trading.

For this reason, it was the preferred app for the US-based WallStreetBets crowd and heavily used for the short squeeze.

WallStreetBets uses Robinhood to Attack the Hedge Funds

With the sheer numbers of retail traders piling in (especially after a supportive tweet by Elon Musk) the share price of $GME rocketed from $19.95 per share to $347 per share in just over two weeks. Melvin Capital was forced to close its short position at a 30% loss to its entire portfolio, requiring a $2.7 billion investment by other companies to keep Melvin Capital afloat. Overall an estimated $6 billion was lost by investment firms and hedge funds who were shorting Gamestop and the S&P 500 fell by about 5% over the course of about three days as nerves spread through the market. Meanwhile, Keith Hill’s investment of $52 000 in options was worth $42 million by the share price’s peak.

Robinhood, Brought to its Knees, stops all trading in GameStop

The sheer numbers of Reddit traders taking part in the short squeeze also brought Robinhood to its knees. Clearing houses used by the trading platforms started asking for higher amounts of collateral for the trades than the platform could afford. This is important as trades are not instantaneous (usually taking a few days) and are usually backed by collateral. Robinhood had to raise $1 billion from its backers and debt facilities to maintain collateral for its trades. Also, Robinhood makes 40% of its revenue from a data selling arrangement with the hedge fund Citadel LLC, which part-owns the attacked hedge fund Melvin Capital, and the short squeeze was a conflict of interest that was starting to unravel that agreement.

On January 29th the Robinhood app along with other online trading platforms such as WeBull and IMC Markets took the unprecedented decision to ban or limit trading of $GME and other heavily shorted stocks. Retail investors subsequently turned viciously on Robinhood. Over a hundred thousand poor reviews were given against the Robinhood app on Google Play Store lowering its overall star rating to 1 star, requiring Google to remove them.

Criticism of the attacks on r/WallStreetBets and Robinhood’s decision came from politicians, media and entrepreneurs across the political divide – Alexandria Ocasio-Cortez tweeting –

“Gotta admit it’s really something to see Wall Streeters with a long history of treating our economy as a casino complain about a message board of posters also treating the market as a casino.”

along with Donald Trump Jr. tweeting

“It took less than a day for big tech, big government and the corporate media to spring into action and begin colluding to protect their hedge fund buddies on Wall Street. This is what a rigged system looks like, folks! “

What does this have to do with software and quality?

The answer is a great deal. This is far from the first time that Robinhood and its app have been put to the test and found wanting by members of WallStreetBets and other new retail traders. The risk of large scale attacks and exploitation via social media opens up a new frontier in what business experts and testers have to watch out for.

 

Check this post by u/Moonyachs showing a $1 million equity position leveraged from just $4000 deposit.

A much worse problem with the Premium Gold service of the Robinhood app was exploited later by around twenty r/WallStreetBets members in November 2019. As described by Business Insider it involved the following exploit –

  • “Users who pay a premium for Robinhood Gold sell call options with money borrowed in the app (a loan know as a margin or leverage).
  •  Robinhood incorrectly adds the value of the options sold to the user’s cash pile.
  • This gives the user more capital to trade with, and the more a user borrows, the more the app adds to their buying power.
  • There seems to be no limit to how much a user can exploit the trick.

Call options (in the above case “covered” call options) are contracts that allow the buyer to purchase a stock at a set price at future expiry date. A seller (or “writer”) sells for a fee the right to buy the stock (which they must sell if the buyer asks for it), the hope being that the underlying stock will always remain below the agreed purchase price (known as the exercise price) and thus the option will expire unused – the seller pocketing the cash made from selling the option and retaining the stock.

The bug in this case was that the more the user borrowed to sell call options, the more the app added this to their balance and thus the more the app allowed them to borrow. The original discoverer of the bug, u/ControlTheNarrative, used the flaw to write $50000 worth of Apple put options from a $2000 deposit. One user, u/MoonYachts, was able to borrow a margin of at least $1 million for an original sum of $4000! The user u/Cal_Warrior went even further, turning a $3000 deposit into a position of $1.7 million! They wrote, “After seeing people on the almighty wallstreetbets wager a timid 50k or so on average with this new feature available, I thought it was only a clear choice to raise the average for the good of all.”

Overall about twenty members used the bug to borrow larger sums than were allowed, getting the cue from posts in the subforum. A user u/SocioButt even posted a “Hall of Fame” of users exploiting the bug. It took days for Robinhood to find out and release a patch to fix the bug and communicate with customers and there was no guarantee that it could claim losses from people who used the exploit and lost money. Robinhood also ran the risk of falling foul of regulators such as the SEC and FINRA along with the costs required to take legal action to claim back the funds.

Badly Displayed Losses Resulting in the Suicide of Alex Kearns

In June 2020 the student and budding retail trader Alex Kearns tragically committed suicide after seeing a negative cash balance of $730 000 in his Robinhood Margin (i.e. loan) account. According to his family, later that night the company sent an automated email demanding Alex take “immediate action,” requesting payment of more than $170,000 in just a few days.

A note left by Kearns to his family stated the following – “How was a 20-year-old with no income able to get assigned almost a million dollars worth of leverage? There was no intention to be assigned this much and take this much risk, and I only thought that I was risking the money that I actually owned. If you check the app, the margin investing option isn’t even ‘turned on’ for me. A painful lesson.”

Bill Brewster, a relative and analyst at Sullimar Capital, publicly criticised how the app displayed temporary debt exposure, stating “I’d like them to fix the way that they’re showing exposure — I want them to act as a financial platform should act. When you’re dealing with retail money and actively soliciting traders under 30 years old to have errors like this is inexcusable and at the minimum negligence.” Robinhood responded by offering to make changes to their in-app messages and history page to make the mechanics of trading options clearer, along with providing more stringent eligibility requirements and better educational resources for new investors. However, William Galvin, the chief financial regulator in the state of Massachusetts, found over 600 instances of people in the state who should never have been approved for options trading by Robinhood’s own standards but were. CBS News confirmed how easy it was to get around Robinhood’s eligibility checks by simply “upgrading your experience”.

Alex Kearn’s family have since filed a lawsuit for wrongful death against Robinhood.

Implications for Testers, Quality and Risk Management

The badly displayed temporary debt in the UI and poorly written automated messaging created a tragedy for a brand new trader like Alex Kearns. Robinhood app created the situation where easy access to risky options trading resulted in tragic consequences as well as permanently damaging the company’s reputation. That such a thing was allowed to happen and not flagged up by Robinhood’s internal processes is nothing short of disgraceful and a moral failure.

One way that could have improved the interface such as to prevent the above would have been to apply persona-based tests – testers creating personas to study the app interface, emails and warning messages from the perspective of new retail traders lacking experience and financial expertise.

The “Infinite Leverage” flaw, in particular, highlighted the speed at which bugs are made public and exploited in online forums along with the motivations in which anonymous exploiters use the bug to one-up each other online. Suddenly issues that may carry one risk if an individual does it are much graver when social media is taken into account and lots jump on the bandwagon. They also carry new reputational and regulatory risks when forum posts go viral and are reported in the press.

In effect, brokerages and companies reliant on traders in groups like r/wallstreetbets need to be aware that the spotlight is always on them and mistakes and errors will be found out and the word spread quickly. The costs of failure are thus potentially enormous and testers and developers working on these apps have to always be “on the ball”. They also need a real understanding of the users coming to their apps, along with their levels of experience, and the social media worlds they inhabit and are influenced by.

The lesson gained from r/wallstreetbets and other groups of small retail traders in their Gamestop short squeeze is that they are realising their immense latent power and acting in ways that institutions on Wall Street would never have predicted. This includes using apps and brokerage tools to make incredible purchases together which makes collusion difficult to prove and police. This does not just affect shorting hedge funds but the tools they use – online brokerage apps now need to allow groups of small retail traders to make large moves en masse at individual stocks and always have the collateral to manage it, otherwise be punished by these same users.

For the rest of us, this is a parable about the power of social media to allow groups of ordinary individuals to troll and exploit – whether it be as anger against the elites, for financial gain or simply because they were bored and it is a funny thing to do. It is a lesson in that just because ordinary people take part in an activity or use your service doesn’t mean you control them, predict what they will do or think they will act (in your definition of) rationally. We have to think again about what we expect of users and the online communities they dwell in. For those of us making and testing products to be used by the masses, this is a wake-up call to all.

*Thanks to the great editing work and support of JeanAnn Harrison, without whom this article would have been a poor shadow of itself.

Paul Maxwell-Walters

A British software tester based in Sydney, Australia with about 10 years of experience testing in agriculture, financial services, digital media and energy consultancy. Paul is a co-chair and social media officer at the Sydney Testers Meetup Group, along with having spoken at several conferences in Australia. Paul blogs on issues in IT and testing at http:// testingrants.blogspot.com.au and tweets on testing and IT matters at @TestingRants