After the shocking findings that north of $1.7bn worth of cryptocurrency was stolen in 2018, crypto security keeps getting worse.
The answer most experts give to prevent hacks is to use cold storage. But what happens if that cold storage gets lost or damaged? Losing your personal hardware wallet can be devastating, but what about losing $190mn in users’ funds like QuadrigaCX, Canada’s largest crypto exchange?
Sorry, sir, I’ve lost my cold storage wallets
QuadrigaCX shocked the crypto world last month by announcing that it had lost more than $190mn in cryptocurrency funds held in cold storage wallets. These wallets were under the sole control of CEO Gerald Cotten.
So what did he have to say on the subject? Well, not a lot actually. Unfortunately, he passed away suddenly in India, as announced on the QuadrigaCX Twitter page on January 14th:
Please see our statement regarding the sudden passing of our @QuadrigaCoinEx founder and CEO, Gerry Cotten. A visionary leader who transformed the lives of those around him, he will be greatly
— QuadrigaCX (@QuadrigaCoinEx) January 14, 2019
Certainly, his contribution to Bitcoin in Canada will be sorely missed. But sadly, what will be missed even more is the 116,000 users’ funds, the location of which he’s supposedly taken to his grave.
The tweet from QuadrigaCX about the death of their CEO provoked a flurry of condolences along with a barrage of anger and abuse, with some conspiracy theorists even suggesting that he may have faked his own death:
How much does it cost to acquire an "authentic" death certificate in India? How much is a plastic surgery to get a new face? Are you able to show the grave of Gerry, so that an independent DNA test can prove that its his body? The whole thing stinks of a major cover up and fraud
— Wlodek Laskowski (@wlodekl) February 5, 2019
That one person should have sole access to the cold storage wallets for an entire exchange does seem somewhat improbable – irresponsible at best. And if the company is to be believed, it leaves the crypto industry looking rather ridiculous.
QuadrigaCX said in a statement:
“For the past weeks, we have worked extensively to address our liquidity issues, which include locating our very significant cryptocurrency reserves held in cold wallets required to satisfy customer cryptocurrency balances on deposit and sourcing a financial institution to accept the bank drafts being transferred to us. Unfortunately, these efforts have not been successful.”
Did QuadrigaCX actually have cold storage in the first place?
Rumours began to start about whether the exchange even had cold storage in the first place. According to the Wall Street Journal, security analysts were not so sure.
Last Thursday, they reported on the astounding possibility that the missing cryptocurrencies from QuadrigaCX may not be locked in cold wallets after all. They may simply be missing… which leads to a whole range of possibilities.
According to a report by Chain Analysis published by Zerononcense:
“It appears that there are no identifiable cold wallet reserves for QuadrigaCX.”
The findings were based on several factors, but this theory is mainly due to the fact that the main wallets identified thus far recorded transactions not usually settled through cold wallets.
Cold wallets are typically for large transactions
For an exchange to use cold wallets, they must go to extraordinary lengths to ensure the safety of their customers’ funds. And that means that transaction sizes are usually very large. When a cold wallet transaction is initiated, it typically involves millions of dollars, worthy of the need for additional protection.
Yet the types of transactions on QuadrigaCX wallets were small, making it hard to justify that they were held in cold wallets in the first place.
WSJ analysed 50 accounts of QuadrigaCX clients and could not find any link to the cold storage that the company is referring to.
Talk began to abound over whether the exchange was pulling off a huge exit scam. And more movers and shakers joined in on the conversation, with MyCrypto’s CEO Taylor Monahan suggesting that there were also no cold wallets for their Ethereum transactions.
“I’m seeing NO indication of Quadriga ever having cold/reserve wallets for ETH,” she said.
Looked into 0xb6aac3b56ff818496b747ea57fcbe42a9aae6218 more. Not much new information. Same addresses keep appearing. No sign of cold storage.
One new thing: 0x6aac sent 59k ETH to 0x0b9defea64d1808bcdec76d532984dd24fb8bcff, which sends heaps of TXs to ShapeShift, like 0x7ea5. pic.twitter.com/hjeGyVG1bi
— Taylor Monahan (@tayvano_) February 5, 2019
She even went further to point out that the owners of QuadrigaCX had all the necessary KYC data on their customers to move the money and open an exchange account.
Oh, and just in case you weren't shaking your head enough,
don't forget that Quadriga ran an exchange with KYC. They have a piles of user's KYC data. They could turn around and open an exchange account with any of that KYC data to move money. Having fun yet?
— Taylor Monahan (@tayvano_) February 4, 2019
What does this mean for crypto security?
Clearly, the QuadrigaCX exchange debacle has many takeaways for the crypto industry. The first (which applies to any security incident) is not to keep your funds on an exchange. Users should always be in charge of their own funds.
But exchanges can also learn from QuadrigaCX by practising good governance and ensuring a multi-signature process to protect funds.
Ledger is the most secure hardware wallet provider in the world. Yet CEO Eric Larchevêque understands that hardware wallets are not a practical solution for enterprises. After all, who do you give the wallet to? It’s like handing over the keys of the safe to just one person. He said:
“A set of rules must be enforced by certified secure hardware. For instance, payment requests should be subject to multi authorisations of approved officers. It is critical to build governance in a way that ensures funds won’t be put at risk if an officer is compromised.”
To that end, the company has a solution for enterprises dealing with large amounts of cryptocurrency called the Ledger Vault. It is a multi-authorisation cryptocurrency self-custody management solution that requires multiple individuals to confirm a transaction.
Crypto can learn from the banks
Panxora is another firm responsible for holding its clients’ funds in cold wallets. CEO Gavin Smith believes that crypto exchanges are naive, and he also echoes Larchevêque’s sentiments:
“Events like these show that many in the crypto industry are still naive when it comes to setting up their security systems. It all comes down to common sense. While cold wallets are certainly the best option for protecting customer assets, the fund withdrawal process also needs to be taken into account.
“There is a lot to learn from traditional banking here. Crypto exchanges are just as capable of setting up a process where withdrawing funds requires multiple parties to sign a transaction, and passwords are stored in secure offline locations.”
And as for QuadrigaCX and their story?
It seems that there is one way the QuadrigaCX team could prove their story and clear their names over time. As pointed out by Deadal Nix on Twitter, if what they say is true, they should publish the addresses to prove that the funds in the alleged cold wallets stay there.
If @QuadrigaCoinEx 's story is correct, they should publish the adresses of their cold storage. Over time trust will build as the coins remains untouched.
If they cannot do this, their story is not credible, and it is an exit scam.
— Deadal Nix (@deadalnix) February 2, 2019
If they can’t do this, then it is likely one of the most elaborate exits scams that crypto has seen so far.