Crypto fans remain bewildered as to why cryptocurrency exchanges continue to get hacked. Just recently, the Italian exchange Bitgrail lost $195 million in cryptocurrency to hackers. And last month, hackers targeted Japan-based crypto exchange Coincheck and made away with $532 million in the altcoin NEM. As NEM Foundation president Lon Won remarked, it was “the biggest theft in the history of the world.” Unfortunately, such large thefts are not isolated incidents. Moreover, they’re unlikely to stop until cryptocurrency exchanges begin implementing better security measures.
Why Are Exchanges Vulnerable?
Cryptocurrency exchanges are designed to offer investors a safe, encrypted, and anonymous way to retain deposits and conduct transactions. As such, they’re designed to hold currencies long enough for an online transaction to occur and even longer for traders who value convenient access to their funds at all times.
Consequently, the accounts that exchanges offer their users are hot wallets. This is in contrast to the cold wallets investors use to secure their own currency (a cold wallet is any wallet offline or disconnected from the internet. As such, hackers cannot access them). Since exchanges must hold adequate funds to enable trading, they store these funds in hot wallets located on servers. By being continuously connected to the the internet, hot wallets allow traders to quickly and easily access their funds. Unfortunately, skilled hackers can sometimes access them this way as well. The technology protecting these hot wallets is hardly robust enough to offer adequate protection. Many traders place undue trust in an exchange and fail to recognize this risk.
We are not, after all, talking about chump change here. Investors are trading billions of dollars worth of Bitcoin and altcoin on these exchanges daily. None of these exchanges are backed by governments or central banks, and the individual exchanges are not fully liable for these losses. Whatever hackers can steal is therefore theirs to keep. The cryptocurrency market has yet to come up with uniform solutions for tracing/recovering stolen crypto (tagging crypto reinstates the notion of a centralizing authority, what crypto has materially sought to avoid). And thus, for better or worse, crypto remains the Wild, Wild West of financial markets.
Problems & Solutions
Governments have proposed more oversight, including inspections of unregistered exchanges and more stringent regulations for those that are already registered within their countries. As losses mount, governments may consider holding exchanges liable for stolen funds. Unlike banks, cryptocurrency exchanges do not have the luxury of relying on the FDIC. That is, they do not insure against loss (or make promises about restitution). And given blockchain technology, even determining which entity is responsible for loss can be highly complicated (as illustrated by a recent spat between BitGrail and Nano)
Moreover, any desire to insure crypto is complicated by its highly volatile nature. The present infrastructure for regulating financial markets is ill-equipped to deal with cryptocurrency trading. And not incidentally, cryptocurrency markets are designed to work around – rather than with – government regulatory bodies.
How might exchanges promote greater security? One idea is an industry-wide movement to make multi-signature wallets a commonly-accepted security measure. For those not yet familiar with this technology, multi-sig wallets employ two-factor authentication (2FA) for a user to access wallet funds. That is, they require a user to verify wallet ownership via email verification and a text message. Multi-signature wallet security would have prevented hackers from raiding Coincheck. Unfortunately, only about 10% of Bitcoin funds, or approximately 1.5 million Bitcoins, are held in multi-sig wallets. This means 90% of Bitcoin is much more vulnerable to hacking and theft. While multi-signature wallets are not a panacea (they cannot prevent embezzlement), they’re very effective at preventing theft from outside hackers.
Perhaps a better security system for cryptocurrency exchanges would combine multi-signature wallets with cold storage procedures. This would ensure that funds remain inaccessible to hackers, as funds not in immediate use must be taken offline. For all other funds (such as those required by investors for trading), multi-signature wallets offer investors an effective layer of security. Until cryptocurrency exchanges implement more stringent security protocols, more losses – and more user frustration – will likely follow.
Failure to take security concerns seriously will ultimately leave cryptocurrency exchanges out in the cold. Public perceptions about their security continues to harden with every new hacking episode. Meanwhile, decentralized exchanges that are infinitely more secure are right around the corner. It may be that developers can create a hack-proof protocol in the near future (as XTRABYTES is in the process of doing with their Proof-of-Signature consensus method). Otherwise, their best bet is to try to save themselves by adopting stringent industry-wide security standards. Crypto investors will not simply accept assurances about adequate security at face-value when viable options become available.