The recently discovered vulnerability of the Bitfinex trading platform has led users to question the security of multi-signature technology and of the companies offering such protection to exchanges.
While BitGo and exchanges including Bitstamp reassured users of their multi-signature protected platforms, bitcoin experts reiterated that, regardless of a platform's add-on security measures, exchanges are exposed to hacking attacks because of their reliance on hot wallets.
Essentially, an exchange is an instantaneous trading platform which is required to send and receive funds immediately upon the settlement of orders. To carry out these orders, an exchange often holds a private key for user wallets, while the other private key is provided to the user and/or to a third-party multi-signature protection platform like BitGo.
Most of the time, this security measure is sufficient to prevent major security breaches and money laundering, as the exchange and the third-party protection platform conduct secondary and tertiary authentication before signing any transfer of funds.
However, sophisticated malware or an attack on even a slightly vulnerable platform such as Bitfinex can allow hackers to gain control of the wallets, leading to the loss of user funds.
Cold Storage Solution
When storing large sums of bitcoin, it is important to understand the vulnerability of certain exchanges and wallet platforms.
Each wallet platform and exchange in the bitcoin market implements its own unique security protocol and infrastructure. Thus, users must evaluate the platform’s security measures before storing any funds on that platform.
For instance, the Bitstamp team clarified to its users that their security protocols and implementation differ from the multi-signature technology behind Bitfinex’s setup. “We would like to reassure all customers that Bitstamp’s implementation of multi-sig is fundamentally different from the one at Bitfinex”, Bitstamp said.
So, if wallet platforms and exchanges each have unique security measures, what is the safest and most ideal method of storing large sums of bitcoin?
Cold storage refers to various methods of storing bitcoin offline. Conceptually, anything that is connected to the internet is vulnerable to cyber attacks and potential hacking attempts. But if funds are locked in an offline wallet that is disconnected from the internet, hackers have no method of gaining control of the funds.
Trezor, a company that is often referred to as the pioneer of the bitcoin cold hardware wallet, recently published a report describing a few simple methods regular bitcoin users can utilize to secure their funds.
The Trezor team identified the three following methods:
- Using a cold hardware wallet like Trezor (there are other hardware wallets such as Ledger and KeepKey) to store large sums of bitcoin.
- Connecting hot wallets to cold storage wallet service providers to secure funds.
- Using passwordless login offered by cold storage wallet service providers.
Taking the Bitfinex security breach as an example, a multi-signature implementation loses its merit when the platform only utilizes two of three keys to secure the funds. Although the Bitfinex exchange was connected to BitGo, the software was designed to automatically sign transfers settled by users, reducing the advantage of using a third-party multi-sig protection service.
“With the recent Bitfinex hack, it came to light that all of the exchange’s bitcoins were stored in a 2-of-3 multi-signature hot wallet. With full automation, though, multi-sig loses its security advantage. It was sufficient to compromise one signature in order to empty the wallets,” the Trezor team explained.
Thus, Trezor suggests relying on cold storage wallet service providers like themselves to secure funds. Trezor also utilizes multi-signature technology to secure user funds. The core difference is that Trezor and most cold storage wallet providers don’t allow automation.
A few wallet platforms and exchanges have already adopted Trezor's security arrangement. Some examples are Slush Pool and the European bitcoin exchange Coinmate.
“A good portfolio analysis would determine an appropriate percentage of the liquidity to be withdrawn to the safety of a TREZOR (also capable of multi-sig). However, for the best security, TREZOR allows no automation. Instead, it requires the responsible fund manager to verify each transfer between cold and hot wallet with their own eyes and a physical button press — something a hacker could never do,” the Trezor team added.
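The automation point in the Trezor statements above can be checked with a small threat-model calculation. The following Python sketch is an added example, not code from Trezor, BitGo or Bitfinex; the signer names and the auto-co-sign mapping are assumptions made for illustration.

```python
from itertools import combinations

# Constructed model of a 2-of-3 wallet; signer names are hypothetical.
SIGNERS = ("exchange_hot_key", "cosigner_service", "offline_backup_key")
THRESHOLD = 2

# auto_cosign maps a signer to the signers whose requests it signs with no
# human review. AUTOMATED models full automation; MANUAL models a setup where
# every signature needs a person to verify and approve the transfer.
AUTOMATED = {"cosigner_service": {"exchange_hot_key"}}
MANUAL = {}


def signatures_obtained(compromised, auto_cosign):
    """Signatures available once `compromised` signers are under attacker control."""
    obtained = set(compromised)
    for signer, trusted_requesters in auto_cosign.items():
        # An automated co-signer adds its signature to any request that
        # comes from a requester it trusts, compromised or not.
        if trusted_requesters & set(compromised):
            obtained.add(signer)
    return obtained


def min_compromises(signers, threshold, auto_cosign):
    """Smallest set of signers whose compromise reaches the signing threshold."""
    for size in range(1, len(signers) + 1):
        for subset in combinations(signers, size):
            if len(signatures_obtained(subset, auto_cosign)) >= threshold:
                return size, set(subset)
    return None, set()


def audit(signers, threshold, auto_cosign):
    """Report the effective threshold and whether automation has weakened it."""
    needed, weakest = min_compromises(signers, threshold, auto_cosign)
    degraded = needed is not None and needed < threshold
    return {"nominal": threshold, "effective": needed,
            "weakest_set": weakest, "degraded": degraded}


if __name__ == "__main__":
    for name, policy in (("automated", AUTOMATED), ("manual", MANUAL)):
        print(name, audit(SIGNERS, THRESHOLD, policy))
```

With the automated mapping the nominal 2-of-3 wallet has an effective threshold of one key; with no automatic co-signing it stays at two.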
Bitcoin, like traditional money, requires the user's attentiveness and a full understanding of its nature to keep it safe. It is important for users to identify the security measures of the platform or exchange being used to avoid losing funds as many users did on the Bitfinex exchange.