Rethinking trust in digital currency exchanges

Don’t be a fearless warrior if you ever need to trust them with your money.

Photo by rawpixel.com on Unsplash

Digital currency exchanges and the question of trust

Over the last 4 years, the digital currencies worth more than $1 billion have been disappeared in major thefts, all of which are accused of deliberate hacking attempt consequence.

Many crypto enthusiasts will never forget the day exchanges like Mt. Gox or Coincheck halted their business. It’s when you woke up in the morning not seeing your familiar arbitrary chart but a plain “404 Not Found” section, a public apology, and sometimes a vague explanation for the so-called “theft”.

Deterring asset theft scenarios as above from happening again is something we cannot achieve since the entire cryptocurrency market has been trapped in an infinite loop of securing a platform and hacking into it. Hackers are not going to stop, they have seen exchanges nothing but the holy grail of their life — whoever seize an exchange secures a millionaire retirement.

The vast majority of exchanges wield ultimate control over our account, they know us, but we barely know them. We are in the market for money, so are they. We entrust our asset to them, on the other hand, they are not. Simultaneously, centralized exchange platforms especially unregulated ones are fragile. Firstly, it’s the limitation in design that makes them a Single Point of Failure: when hackers seize an exchange, they not only seize the asset but also information of thousands, even millions of people. Secondly, being unregulated means exchanges are not obligated to adhere to security best practices i.e. they don’t need to hold clients’ asset and their asset in separate accounts.

Try to remember the last time your exchange asked you to fill out that Know Your Customer form, and you uploaded an image of your passport/ID. What if the exchange was hacked and not only your Bitcoin but also your identity fell into the wrong hands? You probably cannot imagine a stolen identity is selling for a mere $21.35 on the black market.

Finally, have you ever wondered why you trust the exchange service you are using even if they are not willing to disclose their office address?

What make us trust in them?

Ten years ago, cryptocurrencies like Bitcoin disrupted the way we sent money and became a better version of bank wire. Bitcoin introduced blockchain distributed trust concept to replace centralized (instituions-based) trust so we no longer need any trustworthy middle parties like banks to facilitate a transfer from A to B.

Centralized model and Distributed model. Image courtesy of regisburin

People were so excited to adopt the new technology. Then the demand to exchange between fiat money and cryptocurrency surfaced, so did the wild speculation trend. Almost everyone wanted to own Bitcoin but not everyone know how to maintain their own wallet address and private key, furthermore, trading between parties was too risky and inefficient because it happened outside the scope (off-chain) of any particular blockchains.

On-chain transaction: a Bitcoin transaction was signed using the private key & broadcasted online, irreversible in the blockchain.

To resolve the issue, society have to utilize the centralized trust model one more time by sending our trade intentions to an exchange service who then aggregate the prices and match them among counterparts. An essential part in such process is we have to deposit our asset under their umbrella for them to facilitate the transaction. Therefore, willing or not, we put our trust in them from there, assuming they will fulfill their obligation as the middleman.

Will our trust ever be exploited?

Since “trust” is purely about belief, I would argue that anything involve trust could be exploited in many ways whether it is a computer system or a relationship. There is a reason that any formal deal need a contract, isn’t it?

We fill our mind with cautions as we experience the dark side of life, most of us do not get to adulthood without having been burned by people who we regarded trustworthy, at the same time, we are weak at defending ourselves against similar risk in the new contexts. For instance, given no difference between anonymous and unknown identity, a person who got phished by an anonymous online investment scheme in the past is still likely to trust an anonymous exchange who does not even reveal their leadership identity. Theorists have been investigating such phenomenon for years and here is what they found in layman’s terms: we fail at the same trap all over again because we feel guilty if we don’t trust people.

In regard to our the relationship with an exchange as client, let’s take a deeper look.

In hacking accidents

Aside from hacking accidents are unfortunate and often come with a catastrophic loss, you should have noticed the following “format” appears in almost news reports: exchange platforms being portrayed as victims.

Hacked exchanges are the first ones to announce on What, When, Where, and How the thefts happened, but most of us will never figure out the real Why. They make all sort of claims like hacker identity is anonymous, traces are limited, stolen funds are transferred to an wallet whose owner is unknown..etc. which mean we may interpret as they have de facto immunity in the accident. Check out the BTC-e case to gain an extra example on how they blame in such turbulent times.

However, if you have ever been in the same case, try to recognize this truth: clients often have no solid evidence to validate all information the hacked exchange is giving out. Make no mistake, I am not implying that hacked exchanges are lying, but the right to give a doubt on something is an essential step to keep your asset safe in foreseeable cases.

Volume manipulation

Irrational is embedded in human gene and it influences our preference regarding anything. Just like we often believe that brand-name aspirin is more effective at treating headaches than generic aspirin (disclosure: It isn’t so), when it comes to commit ourselves in new services we tend to trust our instinct by going with the bigger names.

It turns out many exchanges also share the same view with us. To address the massive new comers — who often have no prior investment experience but willing to invest their entire saving into the crypto market, exchanges try positioning themselves as established names. But instead of pursuing organic growth, unethical exchanges aggressively inflate themselves with non-existent volume using the tactic known as wash trading.

In a recent story published on Medium, Sylvain Ribes goes in depth to reveal how exchanges fabricated their volume using a mathematical model. He called the phenomenon “a crypto-plague” and just as much as I do, a predictor of future unsavory behavior. OKex — an exchange platform which is the no.1 ranked by volume of several trading pairs is the main offender in the story. The following exchanges are also listed for possibly provided untruthful numbers: Huobi, Lbank, Exx, RightBTC, CoinEgg, Zb, BitZ, Bibox, CoinEx, BTC-Alpha, HitBTC, and Binance.

You may not like doing math but the below table is an obvious evidence that you should take good care of narrative based on publicly unaudited data.

OKex data, and estimated % fake volume.

Flawed policy

Since data under single entity control is vulnerable if the custodian has poor internal policy, no custodian is perfectly safe to entrust our digital asset. One example is the recent Facebook scandal case (Cambridge Analytica) in which 50 million profile data was breached.

How Aleksandr Kogan leveraged Facebook to gather over 50 million profiles.

Obtaining data of Facebook users without their consent from the outside is an arduous task given the advanced security systems are in place and talented personnel Facebook hired to safeguard their database; but from the inside, Aleksandr Kogan had leveraged his position as the application developer to gather unauthorized data with ease.

Using the social network’s Requesting Permission function, Aleksandr Kogan requested his fellow users (who gave him permission to access their profile for a harmless quiz app) to allow him to know about the profile of their Facebook friends. The naive 270,000 people clicked on the Allow button, and Facebook believed it was alright when someone was willing to share their friends profile to the third party so they lifted off the data restriction. As a result, Facebook handed over 49,730,000 profiles of people in its database to Aleksandr Kogan regardless they did not give permission to him.

The horrifying detail is Facebook knew about the loophole in many years but they did nothing about it. This is how trusting someone or some system in which you are not fully aware of how the system operate in detail could backfire on you — an eye-opening analogy for us to reflect on because digital currency and Facebook profile are equivalent in a common sense (digital data) so digital currency could be stolen in somewhat identical scenario.

Strengthen our trust

The confidence in most exchanges are at all time low. Selecting an exchange we can trust wholeheartedly is a tough job, and personally I have dropped that idea long time ago given many have been shown to be unethical. It also explain why there is a trend which people seek to trade while still maintain asset under control, but moving towards the decentralized exchanges (DEX) might not an answer yet.

For now, DEX is not the feasible option for mass adoption because most DEX suffer severe constraints like lack of fiat support and poor liquidity. They are far less attractive compared to centralized exchanges. Even modest ones like CEX.io or Qryptos.com could outperform any popular DEX in terms of volume.

24h volume between some decentralized exchanges and smaller centralized exchanges — Qryptos.com & CEX.io. Data source: Coinmarketcap (4.4.2018)

Since fiat and liquidity issues are multifaceted problems, achieving high liquidity & fiat support while forking from centralization is almost impossible, especially during the time no bank want to deal with anonymous brands. I believe for DEX to progress further, it needs another 1–2 years for new stakeholders to appear and help them unleash their potential, until then we could witness a robust DEX taking the main stage.

After all, crypto enthusiasts like us cannot escape the reality that centralized exchanges are a clear dominance in our available options. It’s hard to imagine how the market will workout when people are obsessed with uncertainties once fund had left their wallet, and they realize most exchanges are dodgy; but I can definitively tell you that as time goes by, we will witness following problems of centralized exchanges continue to unfold:

• Questionable security system
• Fraudulent manipulation
• Flawed client protection policy

Therefore, for an informed investor to trust, any trustworthy exchange should at least satisfy the following three criteria:

• Prudent security practices
• Reasonable intervention
• Audit-able policy

The trickiest part of all, however, is how to objectively evaluate an exchange when we don’t have an insightful, insider view about their operation. In a broader sense, the criteria are only useful once it is enforceable on the exchanges. Perhaps the missing piece to resolve the issue is to check whether the particular exchange is regulated — only then we could safely assume an exchange is operating in our best interest.

“When you have an unregulated exchange, the ability to manipulate prices goes up significantly,” said SEC Chairman Jay Clayton.

Risk

When making an assumption, how much risk we should embrace depend on the jurisdiction of an exchange. We need to consider the risk since regulatory agencies, despite having recognized their shortcoming in protecting the public against crimes make use of blockchain, were not able to carry out law in the same fashion. Thus, jurisdictions where regulation is not fully implemented mean that confidence in “regulated” status should be weighted accordingly.

More specifically, among the G7 countries, only Japan has the comprehensive framework to regulate both cryptocurrency and cryptocurrency exchanges on a national scale; even big guys like Uncle Sam is stepping in with his hands tied as he lacks coherence between SEC, FinCEN and CFTC to oversee from federal level but still has state-specific law for businesses, or the E.U will not execute a full-fledged regulation program unless the threat is big enough, but they do grant exchanges like Coinbase an electronic money institution license.

Final words on attitude

Last year, I were blown away when Japan reveal world’s first in-depth regulation scheme, and I’m in the same feeling again after FSA proves they are watching exchanges very carefully. According to most public report, Japan want to take a proactive stance to protect the consumer, above anything else.

I have no concise explanation why they possess such attitude, may be after influential exchange hacks they are forced to calm the chaos, or may be it relates to the unique culture where they generally seek for sense of control before trusting a stranger; but I believe having such attitude in the crypto world seems to work out in the long run when people shall invest more as they feel protected.

Finally, even you don’t need a regulated exchange, always doubt the exchange you are using because if they have proofs for whatever they claim to be, it’s the sign they are in the game for the long run. Don’t be a fearless warrior. Don’t keep all of your digital asset on a single exchange.