Insights

Hiding your digital assets in your digital mattress

19/06/2019

The Binance exchange was hacked in early May with 7000 Bitcoin taken from its hot wallet, which at the time had a value of $42 million. A "hot wallet" is essentially a digital wallet which is connected to the Internet, commonly used for purchasing; conversely a "cold wallet" is a method of storage which is not connected and so is not vulnerable to attacks. The theft was undertaken by hackers who were able to get the cryptocurrency not through cracking the keys used to validate transactions, but in the more mundane way of getting access to information which allowed access to user accounts.

While only the hot wallet was impacted, and the vast majority of the currency kept safe, this incident highlights the importance of security for digital assets. The underlying technology, the blockchain itself, is secure. For example, the technology underpinning Bitcoin has two fundamental components which the MIT Technological Review points to as ensuring each transaction on the chain is valid: a "cryptographic fingerprint" which identifies each block, and a “consensus protocol", in which each other computer in the network verifies that the fingerprint is valid and update their own records to show any new blocks. In short, even if you can generate a false but acceptable fingerprint, there is no guarantee that the other computers will actually accept it and add it to the chain.

Those who invest in cryptocurrencies should be well aware of the potential losses that their investment might face. It's barely been a year since the value of large chunks of the market fell by around 80%, so investors are used to the concept of volatility. However, what is only just getting more media attention is that the storage of cryptocurrencies and other digital assets is a fundamental part of the security question.

The Binance hack mentioned above is only the latest large exchange to have suffered such an attack, and it's not a new phenomenon. Mt Gox in 2014, Poloniex also in 2014, and Bitfinex in 2016 all suffered significant attacks. Some, like Binance, were vulnerable due to the hot wallets' retention of private keys in an easy-to-crack or even unencrypted format; others simply had flaws in their code exploited.

Given the nature of blockchain transactions, once an asset is sent out from an account, it cannot simply be recalled. In many cases, an asset can be traced, but under the protocol described above, it would need to be sent from the account holding back to the breached account. Understandably, those undertaking these attacks would be unlikely to do so. Fortunately for investors, the exchanges affected so far have often covered the losses of the investors, but it's not a vote of confidence in these platforms if they cannot keep assets securely.

We're familiar with the call to keep crypto-keys safe so holders can access the asset, but investors also need to make sure the platforms are secure too. When looking to invest, individuals and their advisors will need to look at more than how safe the investment is; they will need to look at how safe the platform is too. While digital assets cannot just be stuffed under a mattress for protection, investors should at least consider keeping hold of their assets themselves in "cold storage" until needed for a transaction.