By: Jesse AbramowitzBlockchain Developer
In what seems stranger than fiction, earlier this week, Quadriga, admitted that they are unable to recover access to $145 million of BTC and other digital assets. This was announced after 30 year old founder Gerald Cotten was reported dead following complications arising from Crohn’s Disease.
As it turns out, Cotten was the only one with access to Quadriga’s funds in cold storage and the password was lost along with his life.
It is a a very sad end to the story, both for the friends and family of Cotton, but also users of Quadriga.
In the wake of this story, it seems crazy for anyone to keep a significant amount of funds on exchanges, yet this isn’t the first time and this won’t be the last time. For example, Mount Gox. At the very least hopefully, I can make a strong argument in the meantime and maybe change some minds.
Let’s start at the beginning.
What does owning a Bitcoin mean?
The Bitcoin (I mean most cryptocurrencies for the purposes of this article, we’ll use Bitcoin for default) network acts as one giant distributed ledger. It lives on multiple computers, and you can read or update the blockchain on anyone of them. In this trusted environment, how do we guarantee identity? More specifically, how do you know what belongs to whom?
This is accomplished through cryptography. As a user, you generate a private key, from this number, some mathematical magic occurs and voila! you get a public key. From the public key, you hash it and get an address. On the blockchain your funds belong to this address.
The only way to access them is by telling the blockchain what you want to do and signing that message with your private key. Through mathematics, your private key can stay secret but there is proof that the owner of that key generated the message.
Thus the owner of any bitcoin is the person who holds the private key.
In these situations, let’s take look at where your private key usually lies and analyze the possible vectors of attack.
Centralized Exchanges
This one is the big troublemaker in the industry. The owner of your private keys is not you. It is the exchange. Your ownership extends to a number on a piece of paper.
Think about it like this: when you go to a bank and give them your money, you no longer own that money, you are just a number on a paper. Now, if we completely ignore the argument of runs on a bank, and we look at North America, for the most part your funds will be safe. Also, the Government (of Canada) does insure our funds up to $100 000.
Exchanges do not have those same protections.
Now, for the most part the people running exchanges do not want to take your funds. This is because that would be illegal and altough they do make money off of you, it makes more sense to provide an exemplary service.
However, as we can see negligence and unfortunate events can sink some of the biggest exchanges.
Negligence and human error is but one vector of attack.
What about something more malicious?
There is a quote I like from an unknown source:
“If you have a safe that has $500 in it make sure it costs $501 to break in.”
To understand the relationship let’s explore the following metaphor: Imagine there is a town and everyone has a small amount of gold. Securing that gold isn’t too hard you put it in a safe, as it isn’t very valuable persay. However, pooling resources and sharing the security with everyone in the town can buy an epic vault with armed guards. This is no doubt more secure but now the potential reward for breaking into that vault has increased drastically.
You have just created a honeypot for criminals to try their hand.
Advantages
- Convenient
Disadvantages/Vectors of Attack
- You do not own your coins
- Negligence
- Hacks due to honeypot
Best Practices
- Don’t keep your funds on an exchange unless you are actively trading
Examples
- Quadriga
- Mount Gox
- etc.
Holding your Own Private Keys
This is one hundred percent recommended. There is more to it than increased security. There is the idea of the blockchain that as an individual you are responsible for yourself, do not blindly trust authorities.
There are many ways to store your own keys and I am not here to tell you how or what to use. I will give you some best practices and a framework for how to think about key management.
Hot wallet
This would be something like a phone or desktop wallet. Something that without having to pass through unreasonable steps you can read and write to the blockchains (as in you may have to login but you can still use it).
Advantages
- Convenient , I always have control can check and see it.
- You hold your own private keys (make sure that this is true, you will have to do some research)
Disadvantages /vectors of attack
- Since it is connected to a network it can be insecure
- If it is in your phone if you lose your phone and don’t back up your keys it is gone
Best Practices
- Use a hot wallet like a regular wallet
- Something to cover me for a few days but eventually I am going back to the bank to refill
Examples
- Trust
- Jaxx
- Metamask
Cold Wallet
This is in essence what it sounds like. Pretty much a piece of paper that is not connected to a network. You keys are printed on them. You can receive funds with your address no problem but to move funds you have to connect back to the network.
Advantages
- More secure (to extents)
Disadvantages /vectors of attack
- Your keys are only as secure as the method you store them with. As in if you email them to yourself they are only as secure as your email. If you generate them on a computer, they are only as secure as that computer. If you print them out and hide them in a file cabinet then they are as secure as the cabinet…..and the printer etc.
- When you want to access your account again they are only as secure as the what you use to access them
- Inconvenient
Best Practices
- If you are going to generate keys, do it offline. As in copy the source code remove your computer from the internet then generate the keys, remove them from your computer and sign back on.
- Try not to “heat back up” your wallet until it is necessary then do research on what you are using. In fact you can use the same technique by generating a transaction offline and send the raw transaction
Examples
- MyEthereumWallet
- MyCrypto
Hardware Wallets
A hardware wallet is a tool you can buy for $100–300 ish. In my opinion it would be optimal for storing larger amounts. It holds your private keys on the device then signs your transactions on the device and sends it to the app you are interacting with.
Advantages
- More secure
- You can have an insecure computer or connection and still not lose your funds
Disadvantages/Vectors of attack
- Inconvenience
- Phishing attacks (personal mistakes)
- Recovery phrase and pin digit are still vulnerable
Best Practices
- Store your recovery phrase in a safe place
- Use a hardware wallet when dealing with a lot of funds
- Don’t buy from third parties
Example
- Ledger
- Trezos
- Keep key
Conclusion
Security can be done, have redundancies, if you are storing a lot of funds it is worthwhile to buy a hardware wallet. Do not ever give out your private keys unless you fully trust an individual with your finances.
What best practices do you use to protect your digital assets? Let us know in the comments below!
Jesse Abramowitz is a Blockchain Developer at BlockX Labs. He has worked on multiple DApps, projects, and Blockchain Networks. Currently, he is also a lab assistant at a local college and is always looking to help, teach and build on the blockchain.
You can reach him at: [email protected]