QuadrigaCX Revealed Giant Hole in Crypto Industry Storage Practices

Wednesday, 13/02/2019 | 11:57 GMT by Rachel McIntosh
  • Events in the recent past have served as a harsh reminder that crypto storage practices need improvement.
QuadrigaCX Revealed Giant Hole in Crypto Industry Storage Practices
FM

The cryptocurrency industry is growing a bit like a Great Dane puppy. One day, all of the parts will have proper proportions. For now, however - the industry is awkwardly clomping around on oversized paws; certain parts of the industry are growing quickly, while other pieces are taking longer to develop.

This was most recently demonstrated when the CEO of Canadian cryptocurrency exchange QuadrigaCX passed away, taking the keys to the exchange’s offline storage wallets with him to the grave. 115,000 people have been left without access to their funds, including one man whose life savings of over CAD$400,000 were locked into the exchange.

The scandal shone an uncomfortable spotlight on the fact that the technological and regulatory sides of cryptocurrency storage are vastly underdeveloped.

At the same time, on a more micro-level, hackers have continued to find new ways to pry their fingers into unsuspecting crypto hodlers’ wallets. In addition to the crypto jacking malware, clipboard lurkers, and phishing sites that have plagued cryptocurrency users since the beginning, hackers are beginning to use more sophisticated methods of theft, including SIM swapping.

The bottom line is that as the cryptocurrency industry continues to develop, threats to cryptocurrency storage continue to evolve.

Are storage security devices, services, and software evolving along with them?

A Quick Lesson in Crypto-Jargon

Before we dive into the deep end here, a quick TL;DR about cryptocurrency storage. Cryptocurrency storage methods are basically divided into two categories: “hot” wallets, which are pieces of software that are connected to the internet, and “cold” wallets, which keep cryptocurrency stored offline (in hardware or on paper.)

Both kinds of wallets protect “private keys,” which are long strings of characters that can be used to send cryptocurrency. He who controls the keys controls the coins--therefore, keeping the private keys guarded is extremely important.

Crypto Storage Has Seen Improvement in Ease-of-Use, But Baseline Security Threats Still Exist

Vamshi Vangapally, a co-founder of BearTax, sees forward motion in the evolution of cryptocurrency storage in the longer-term sense.

“The world has come a long way in just 10 years,” he said, adding that the options for cryptocurrency storage have vastly expanded. “In terms of cryptocurrency custody for retail investors, people store their assets on exchanges, desktop wallets, phone wallets, cold wallets like Ledger Nano devices, Trezor and some people might even tinker with their devices and make them air-gapped (the computer that cannot connect to any outside network),” he said in an email to Finance Magnates.

Portrait of Vamshi Vagapally, co-founder of BearTax.

Vamshi Vagapally, co-founder of BearTax.

However, Vagapally has noticed a slowing in development trends in the shorter-term past. The variety of the kinds of storage options available to retail investors “hasn't much changed in recent years,” he said, although he added that the quality of many existing and new products has vastly improved: “the ease of use on desktop wallets has been improving a lot in terms of number of assets that are supported, navigation, et cetera.”

Desktop wallets are just what they sound like--pieces of software that live on your desktop and store cryptocurrency. Some desktop wallets keep users’ keys on the computer (i.e., Exodus); others act as gateways to third-party services that store users’ keys for them (i.e. Coinbase).

Despite general trends of improved user-friendliness in these kinds of wallets, a bottom-line threat to safety exists for two simple reasons: first, human error, and second, most cryptocurrency holders’ computers are connected to the internet at least some of the time. “These wallets reside in your computer and prone to hacks if you lose the keys or the computer gets hacked,” Vagapally said.

2-Factor Authentication Isn't Enough

Additionally, common methods of preventing lost keys and hacks from causing coin losses are sometimes ineffective. “People use 2 factor authentication for safeguarding or having a 2 level security with google authenticators but again - this is not fail-proof as ‘losing a device’ and ‘not backing up your seed’ might cut off your own access to the assets,” Vagapally explained.

What’s troubling about this is the simple fact that most people who are new to cryptocurrency (that is to say, most people) tend to store their cryptocurrency in the easiest way possible.

Usually, this means that users store their crypto where they got it--on an exchange. For example, a person who buys a Bitcoin from Coinbase is extremely likely to store it in their Coinbase wallet, at least initially. And of course, Coinbase is FDIC insured--users of the service are entitled to up to $250,000 repayment of lost funds. But many similar services are not (ahem, QuadrigaCX.)

While some of these users may eventually go through the trouble of learning how to make a paper wallet or purchase a hardware wallet, there’s usually a window of opportunity for a hacker to slip in.

And cold wallets aren’t totally fail-safe, either. As the world is seeing now with the QuadrigaCX scandal, private keys stored on even the most encrypted and remote devices can be lost without the proper precautions in place. Once they’re gone, they’re really gone; one can’t simply write a letter to Ethereum creator Vitalik Buterin begging him to restore access to their lost ETH coins. It just isn’t possible.

”Nobody Has Solved [Cryptocurrency Storage]”

What this seems to imply is that while storage practices for retail investors have improved in certain ways, baseline threats to the ways that most people store Cryptocurrencies are still real problems without solid solutions.

Indeed, “Nobody has solved [cryptocurrency storage],” said Kyle Asman, partner at BX3 Capital, in an email to Finance Magnates. “If it’s in a hot wallet, it's vulnerable to being sent away. If it’s in cold storage and the device is lost, it's gone forever. In order to be a mainstream method of investing or transacting, the custody issue needs to be solved."

Kyle Asman, a partner at BX3 Capital.

But how can it be solved? Andy May, director of custody at SALT Lending, says that in the shorter term, “those who oversee wallets must add appropriate layers of governance and security controls.”

“These may come in the form of operational processes, automated, and manual oversight,” he added. This could mean more extensive forms of multi-signature login practices--users could have multiple unique ways to access their wallets, including biometrics or geographical factors.

Some cryptocurrency custody services are also adding inheritance protocols into their products and services--processes for what should happen to a cryptocurrency holder’s funds if they should pass away (like QuadrigaCX’ Gerald Cotten.)

Blockchains With Built-In Recovery Protocols May Need to Become More Common

May added that cryptocurrency developers should consider building recovery and improved anti-hacking protocols into blockchains. “Longer term, we hope to see security features added to the base protocol of the crypto assets themselves,” he said.

“The industry is evolving, and it’s up to all participants to keep current with industry standards, assemble the correct mix of controls, and do appropriate diligence on the solutions we choose.”

However, the attitude toward building recovery protocols into blockchains has been controversial. There have been several major instances in which the creators of hacked coins have in some way modified blockchains or coins themselves in order to recover stolen coins or mark them so that they can’t be used.

The most famous example of this is the hacking of the DAO, in which the creators of Ethereum decided to create a “hard fork,” a kind of software update that became a new Blockchain . The new blockchain allowed for the funds to be restored.

The result was the creation of the Ethereum that we know today. The older version of the blockchain is now known as “Ethereum Classic” (ETC.)

Supporters of Ethereum Classic believe that adding a sort of “kill switch” to stop large-scale hacking attacks--while helpful for hodlers--means that a blockchain is not truly decentralized.

Bancor came under similar criticism when it enacted its own “kill switch” during a security breach in July.

However, Bancor co-founder Eyal Hertzog believes that the concept of decentralization can include protective measures for a cryptocurrency’s users. “If you have the ability to stop thieves when they essentially attack the community, then it doesn’t make sense not to have [the emergency mechanism],” he said in an interview with Finance Magnates last July.

“When they didn’t have it, with the DAO, they actually forked the entire blockchain. If the DAO had this emergency switch, they wouldn’t have forked Ethereum. That was their greatest mistake, and it’s important to learn from those mistakes.”

Regulations on Custody Providers Are Lacking

Indeed, a solution must be found--whether it comes on a micro-level or a more fundamental plane. Until then, cryptocurrency product and service providers must take the initiative to better educate cryptocurrency holders on how to effectively use the tools that are within their grasps.

And indeed, some companies, like Coinbase and eToro, have launched educational platforms and tools for their users. However, there’s a fine line between these companies shilling their own products and actually teaching customers what’s best for themselves as individuals.

Additionally, because the industry is so new, there aren’t really any standardized practices for how cryptocurrency should be stored. “Best practices are not yet solidified or agreed upon, so individuals and businesses store crypto according to their level of risk tolerance and technical aptitude,” May explained.

Therefore, “a reasonable rule of thumb would be to store small amounts of crypto in hot storage and large amounts in cold storage. As value grows larger, owners should become more even more selective.”

And indeed, there are a growing number of insured custody services for large-scale and institutional investors, which is a positive thing for the industry. However, these custody services themselves are not necessarily acting within the jurisdictions of any specific legislation--in other words, there’s no regulator that has declared exactly what kinds of insurance and other provisions these providers must have in order to be operational, although regulated custody options may come soon.

Therefore, as far as the cryptocurrency industry has come over the last ten years, its elements of ‘wild west’ territory are still present of ever. The real trouble is that we don’t know what we don’t know--as easy as it would have been to prevent the QuadrigaCX scandal from happening, nobody saw it coming. As Eyal Hertzog said, we can only hope to learn from past mistakes.

The cryptocurrency industry is growing a bit like a Great Dane puppy. One day, all of the parts will have proper proportions. For now, however - the industry is awkwardly clomping around on oversized paws; certain parts of the industry are growing quickly, while other pieces are taking longer to develop.

This was most recently demonstrated when the CEO of Canadian cryptocurrency exchange QuadrigaCX passed away, taking the keys to the exchange’s offline storage wallets with him to the grave. 115,000 people have been left without access to their funds, including one man whose life savings of over CAD$400,000 were locked into the exchange.

The scandal shone an uncomfortable spotlight on the fact that the technological and regulatory sides of cryptocurrency storage are vastly underdeveloped.

At the same time, on a more micro-level, hackers have continued to find new ways to pry their fingers into unsuspecting crypto hodlers’ wallets. In addition to the crypto jacking malware, clipboard lurkers, and phishing sites that have plagued cryptocurrency users since the beginning, hackers are beginning to use more sophisticated methods of theft, including SIM swapping.

The bottom line is that as the cryptocurrency industry continues to develop, threats to cryptocurrency storage continue to evolve.

Are storage security devices, services, and software evolving along with them?

A Quick Lesson in Crypto-Jargon

Before we dive into the deep end here, a quick TL;DR about cryptocurrency storage. Cryptocurrency storage methods are basically divided into two categories: “hot” wallets, which are pieces of software that are connected to the internet, and “cold” wallets, which keep cryptocurrency stored offline (in hardware or on paper.)

Both kinds of wallets protect “private keys,” which are long strings of characters that can be used to send cryptocurrency. He who controls the keys controls the coins--therefore, keeping the private keys guarded is extremely important.

Crypto Storage Has Seen Improvement in Ease-of-Use, But Baseline Security Threats Still Exist

Vamshi Vangapally, a co-founder of BearTax, sees forward motion in the evolution of cryptocurrency storage in the longer-term sense.

“The world has come a long way in just 10 years,” he said, adding that the options for cryptocurrency storage have vastly expanded. “In terms of cryptocurrency custody for retail investors, people store their assets on exchanges, desktop wallets, phone wallets, cold wallets like Ledger Nano devices, Trezor and some people might even tinker with their devices and make them air-gapped (the computer that cannot connect to any outside network),” he said in an email to Finance Magnates.

Portrait of Vamshi Vagapally, co-founder of BearTax.

Vamshi Vagapally, co-founder of BearTax.

However, Vagapally has noticed a slowing in development trends in the shorter-term past. The variety of the kinds of storage options available to retail investors “hasn't much changed in recent years,” he said, although he added that the quality of many existing and new products has vastly improved: “the ease of use on desktop wallets has been improving a lot in terms of number of assets that are supported, navigation, et cetera.”

Desktop wallets are just what they sound like--pieces of software that live on your desktop and store cryptocurrency. Some desktop wallets keep users’ keys on the computer (i.e., Exodus); others act as gateways to third-party services that store users’ keys for them (i.e. Coinbase).

Despite general trends of improved user-friendliness in these kinds of wallets, a bottom-line threat to safety exists for two simple reasons: first, human error, and second, most cryptocurrency holders’ computers are connected to the internet at least some of the time. “These wallets reside in your computer and prone to hacks if you lose the keys or the computer gets hacked,” Vagapally said.

2-Factor Authentication Isn't Enough

Additionally, common methods of preventing lost keys and hacks from causing coin losses are sometimes ineffective. “People use 2 factor authentication for safeguarding or having a 2 level security with google authenticators but again - this is not fail-proof as ‘losing a device’ and ‘not backing up your seed’ might cut off your own access to the assets,” Vagapally explained.

What’s troubling about this is the simple fact that most people who are new to cryptocurrency (that is to say, most people) tend to store their cryptocurrency in the easiest way possible.

Usually, this means that users store their crypto where they got it--on an exchange. For example, a person who buys a Bitcoin from Coinbase is extremely likely to store it in their Coinbase wallet, at least initially. And of course, Coinbase is FDIC insured--users of the service are entitled to up to $250,000 repayment of lost funds. But many similar services are not (ahem, QuadrigaCX.)

While some of these users may eventually go through the trouble of learning how to make a paper wallet or purchase a hardware wallet, there’s usually a window of opportunity for a hacker to slip in.

And cold wallets aren’t totally fail-safe, either. As the world is seeing now with the QuadrigaCX scandal, private keys stored on even the most encrypted and remote devices can be lost without the proper precautions in place. Once they’re gone, they’re really gone; one can’t simply write a letter to Ethereum creator Vitalik Buterin begging him to restore access to their lost ETH coins. It just isn’t possible.

”Nobody Has Solved [Cryptocurrency Storage]”

What this seems to imply is that while storage practices for retail investors have improved in certain ways, baseline threats to the ways that most people store Cryptocurrencies are still real problems without solid solutions.

Indeed, “Nobody has solved [cryptocurrency storage],” said Kyle Asman, partner at BX3 Capital, in an email to Finance Magnates. “If it’s in a hot wallet, it's vulnerable to being sent away. If it’s in cold storage and the device is lost, it's gone forever. In order to be a mainstream method of investing or transacting, the custody issue needs to be solved."

Kyle Asman, a partner at BX3 Capital.

But how can it be solved? Andy May, director of custody at SALT Lending, says that in the shorter term, “those who oversee wallets must add appropriate layers of governance and security controls.”

“These may come in the form of operational processes, automated, and manual oversight,” he added. This could mean more extensive forms of multi-signature login practices--users could have multiple unique ways to access their wallets, including biometrics or geographical factors.

Some cryptocurrency custody services are also adding inheritance protocols into their products and services--processes for what should happen to a cryptocurrency holder’s funds if they should pass away (like QuadrigaCX’ Gerald Cotten.)

Blockchains With Built-In Recovery Protocols May Need to Become More Common

May added that cryptocurrency developers should consider building recovery and improved anti-hacking protocols into blockchains. “Longer term, we hope to see security features added to the base protocol of the crypto assets themselves,” he said.

“The industry is evolving, and it’s up to all participants to keep current with industry standards, assemble the correct mix of controls, and do appropriate diligence on the solutions we choose.”

However, the attitude toward building recovery protocols into blockchains has been controversial. There have been several major instances in which the creators of hacked coins have in some way modified blockchains or coins themselves in order to recover stolen coins or mark them so that they can’t be used.

The most famous example of this is the hacking of the DAO, in which the creators of Ethereum decided to create a “hard fork,” a kind of software update that became a new Blockchain . The new blockchain allowed for the funds to be restored.

The result was the creation of the Ethereum that we know today. The older version of the blockchain is now known as “Ethereum Classic” (ETC.)

Supporters of Ethereum Classic believe that adding a sort of “kill switch” to stop large-scale hacking attacks--while helpful for hodlers--means that a blockchain is not truly decentralized.

Bancor came under similar criticism when it enacted its own “kill switch” during a security breach in July.

However, Bancor co-founder Eyal Hertzog believes that the concept of decentralization can include protective measures for a cryptocurrency’s users. “If you have the ability to stop thieves when they essentially attack the community, then it doesn’t make sense not to have [the emergency mechanism],” he said in an interview with Finance Magnates last July.

“When they didn’t have it, with the DAO, they actually forked the entire blockchain. If the DAO had this emergency switch, they wouldn’t have forked Ethereum. That was their greatest mistake, and it’s important to learn from those mistakes.”

Regulations on Custody Providers Are Lacking

Indeed, a solution must be found--whether it comes on a micro-level or a more fundamental plane. Until then, cryptocurrency product and service providers must take the initiative to better educate cryptocurrency holders on how to effectively use the tools that are within their grasps.

And indeed, some companies, like Coinbase and eToro, have launched educational platforms and tools for their users. However, there’s a fine line between these companies shilling their own products and actually teaching customers what’s best for themselves as individuals.

Additionally, because the industry is so new, there aren’t really any standardized practices for how cryptocurrency should be stored. “Best practices are not yet solidified or agreed upon, so individuals and businesses store crypto according to their level of risk tolerance and technical aptitude,” May explained.

Therefore, “a reasonable rule of thumb would be to store small amounts of crypto in hot storage and large amounts in cold storage. As value grows larger, owners should become more even more selective.”

And indeed, there are a growing number of insured custody services for large-scale and institutional investors, which is a positive thing for the industry. However, these custody services themselves are not necessarily acting within the jurisdictions of any specific legislation--in other words, there’s no regulator that has declared exactly what kinds of insurance and other provisions these providers must have in order to be operational, although regulated custody options may come soon.

Therefore, as far as the cryptocurrency industry has come over the last ten years, its elements of ‘wild west’ territory are still present of ever. The real trouble is that we don’t know what we don’t know--as easy as it would have been to prevent the QuadrigaCX scandal from happening, nobody saw it coming. As Eyal Hertzog said, we can only hope to learn from past mistakes.

About the Author: Rachel McIntosh
Rachel McIntosh
  • 1509 Articles
  • 58 Followers
About the Author: Rachel McIntosh
Rachel is a self-taught crypto geek and a passionate writer. She believes in the power that the written word has to educate, connect and empower individuals to make positive and powerful financial choices. She is the Podcast Host and a Cryptocurrency Editor at Finance Magnates.
  • 1509 Articles
  • 58 Followers

More from the Author

CryptoCurrency

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}