After the shocking findings that north of $1.7bn worth of cryptocurrency was stolen in 2018, crypto security keeps getting worse.
The answer most experts give to prevent hacks is to use cold storage. But what happens if that cold storage gets lost or damaged? Losing your personal hardware wallet can be devastating, but what about losing $190mn in users’ funds like QuadrigaCX, Canada’s largest crypto exchange?
QuadrigaCX shocked the crypto world last month by announcing that it had lost more than $190mn in cryptocurrency funds held in cold storage wallets. These wallets were under the sole control of CEO Gerald Cotten.
So what did he have to say on the subject? Well, not a lot actually. Unfortunately, he passed away suddenly in India, as announced on the QuadrigaCX Twitter page on January 14th:
Certainly, his contribution to Bitcoin in Canada will be sorely missed. But sadly, what will be missed even more is the 116,000 users’ funds, the location of which he’s supposedly taken to his grave.
The tweet from QuadrigaCX about the death of their CEO provoked a flurry of condolences along with a barrage of anger and abuse, with some conspiracy theorists even suggesting that he may have faked his own death:
That one person should have sole access to the cold storage wallets for an entire exchange does seem somewhat improbable – irresponsible at best. And if the company is to be believed, it leaves the crypto industry looking rather ridiculous.
QuadrigaCX said in a statement:
“For the past weeks, we have worked extensively to address our liquidity issues, which include locating our very significant cryptocurrency reserves held in cold wallets required to satisfy customer cryptocurrency balances on deposit and sourcing a financial institution to accept the bank drafts being transferred to us. Unfortunately, these efforts have not been successful.”
Rumours began to start about whether the exchange even had cold storage in the first place. According to the Wall Street Journal, security analysts were not so sure.
Last Thursday, they reported on the astounding possibility that the missing cryptocurrencies from QuadrigaCX may not be locked in cold wallets after all. They may simply be missing… which leads to a whole range of possibilities.
According to a report by Chain Analysis published by Zerononcense:
“It appears that there are no identifiable cold wallet reserves for QuadrigaCX.”
The findings were based on several factors, but this theory is mainly due to the fact that the main wallets identified thus far recorded transactions not usually settled through cold wallets.
For an exchange to use cold wallets, they must go to extraordinary lengths to ensure the safety of their customers’ funds. And that means that transaction sizes are usually very large. When a cold wallet transaction is initiated, it typically involves millions of dollars, worthy of the need for additional protection.
Yet the types of transactions on QuadrigaCX wallets were small, making it hard to justify that they were held in cold wallets in the first place.
WSJ analysed 50 accounts of QuadrigaCX clients and could not find any link to the cold storage that the company is referring to.
Talk began to abound over whether the exchange was pulling off a huge exit scam. And more movers and shakers joined in on the conversation, with MyCrypto’s CEO Taylor Monahan suggesting that there were also no cold wallets for their Ethereum transactions.
“I’m seeing NO indication of Quadriga ever having cold/reserve wallets for ETH,” she said.
She even went further to point out that the owners of QuadrigaCX had all the necessary KYC data on their customers to move the money and open an exchange account.
Clearly, the QuadrigaCX exchange debacle has many takeaways for the crypto industry. The first (which applies to any security incident) is not to keep your funds on an exchange. Users should always be in charge of their own funds.
But exchanges can also learn from QuadrigaCX by practising good governance and ensuring a multi-signature process to protect funds.
Ledger is the most secure hardware wallet provider in the world. Yet CEO Eric Larchevêque understands that hardware wallets are not a practical solution for enterprises. After all, who do you give the wallet to? It’s like handing over the keys of the safe to just one person. He said:
“A set of rules must be enforced by certified secure hardware. For instance, payment requests should be subject to multi authorisations of approved officers. It is critical to build governance in a way that ensures funds won’t be put at risk if an officer is compromised.”
To that end, the company has a solution for enterprises dealing with large amounts of cryptocurrency called the Ledger Vault. It is a multi-authorisation cryptocurrency self-custody management solution that requires multiple individuals to confirm a transaction.
Panxora is another firm responsible for holding its clients’ funds in cold wallets. CEO Gavin Smith believes that crypto exchanges are naive, and he also echoes Larchevêque’s sentiments:
“Events like these show that many in the crypto industry are still naive when it comes to setting up their security systems. It all comes down to common sense. While cold wallets are certainly the best option for protecting customer assets, the fund withdrawal process also needs to be taken into account.
“There is a lot to learn from traditional banking here. Crypto exchanges are just as capable of setting up a process where withdrawing funds requires multiple parties to sign a transaction, and passwords are stored in secure offline locations.”
It seems that there is one way the QuadrigaCX team could prove their story and clear their names over time. As pointed out by Deadal Nix on Twitter, if what they say is true, they should publish the addresses to prove that the funds in the alleged cold wallets stay there.
If they can’t do this, then it is likely one of the most elaborate exits scams that crypto has seen so far.
Singapore, Singapore, 19th September 2024, Chainwire
Grand Cayman, Cayman Islands, 12th September 2024, Chainwire
Warsaw, Poland, 20th August 2024, Chainwire
Singapore, Singapore, 20th August 2024, Chainwire
Grand Cayman, Cayman Islands, 26th July 2024, Chainwire
As usual, the crypto market is keeping everyone guessing what could happen next. After an…