Safe and Convenient Crypto Storage: Is It Possible?
Lessons from FTX and a hacked bitcoin developer.
A prominent Bitcoin developer recently had most of his bitcoin stolen, an estimated 217 BTC worth roughly $3.6m at the time.
Luke Dashjr describes himself as the longest contributing bitcoin core developer, having been involved with the project since 2011. Core developers are considered masters in the fields of cryptography and software engineering. Their job is to code and implement the various upgrades that enable bitcoin to maintain its dominance in the space.
So how does such an expert fail to secure their crypto?
Luke was understandably distraught as he took to Twitter to reveal that his data encryption program, Pretty Good Privacy (“PGP”), had been compromised, resulting in the draining of most of his wallets.
‘Not your keys, not your coins.’
If you’re familiar with crypto, chances are you have heard this slogan again and again. It has never been bandied about more than recently, with the ongoing fallout from the implosion of FTX.
If even the most skilled and experienced bitcoin developers can succumb to this rule and suffer losses, what hope do the rest of us mere mortals have?
How can we talk about banking the unbanked if we don’t have a custody solution that’s safe and convenient? From the biggest exchanges to the methods employed by the smartest developers, nowhere seems to be safe at the moment.
This post examines the various storage options available for your crypto, and why, honestly, none of them are particularly secure or convenient.
Centralised Exchanges
Most beginners store their coins on exchanges like Binance or Coinbase. However, when these exchanges are hacked or go bankrupt, it becomes clear that those assets don't truly belong to the users. When storing on an exchange, what you really own is a ‘right’ to the underlying assets, hence the phrase “not your keys, not your coins”.
If an exchange goes bankrupt while holding onto your funds, it's even worse. You'll be treated as an unsecured creditor in the proceedings, meaning you'll be treated the same as any other entity that loaned them money and will likely receive little to no compensation.
In a filing with the SEC, Coinbase said that “in the event of a bankruptcy” the crypto assets that the company holds in custody for its customers “could be subject to bankruptcy proceedings and such customers could be treated as our general unsecured creditors.”
In 2022, FTX collapsed due to fraud and recklessness, leading to the loss of over $1 billion in customer funds. It's unlikely that these customers will ever see their funds again. If they do, it will take years and they will only receive a small percentage of what they are owed.
In addition to the risks of bankruptcy and fraud, there's also the threat of losing assets through hacking. FTX itself was hacked, and back in 2014, Mt. Gox, a Japanese exchange handling over 70% of all bitcoin transactions, announced that a large portion of their coins had been stolen. It's been eight years, and customers are still waiting to be made whole.
Hacks are alarmingly common and not limited to centralised exchanges. Here are some of the most significant to occur on various crypto bridges, protocols and exchanges:
Ronin Network 2022: $625m
Poly Network 2021: $611m
FTX 2022: $600m
Binance 2022: $570m
Coincheck 2018: $534m
Mt. Gox 2011: $473m
Wormhole 2022: $325m
Bitmart 2021: $196m
Nomad Bridge 2022: $190m
Beanstalk 2022: $182m
Wintermute 2022: $162m
Hot Wallets
If exchanges can’t be trusted, you might be forgiven for thinking a desktop or online wallet such as MetaMask would be safer.
Hot wallets benefit from being easy to set up, accessible anywhere, and convenient for making transactions quickly. However, this convenience comes with a price.
What has been the most pressing concern for Elon Musk since his acquisition of Twitter? Bots.
The bot armies are so persistent and advanced that it feels like a game of whack-a-mole; as soon as Twitter closes one security gap, the bots return even stronger within a week or two.
The vast majority of these bots relate to crypto and specifically target tweets that mention hot wallets.
Why? Because hot wallets are much easier targets than exchanges. All a trickster needs to do is convince you to connect your wallet to the wrong website and *poof* - your coins are gone.
Hacks and phishing attacks surged in 2022. There are countless stories about people losing their NFTs after trying to claim a new NFT drop or entering their details into sketchy support websites.
Bored Ape Yacht Club (“BAYC”) NFTs were particularly appealing to bad actors. In August 2022, it was reported that 143 BAYC NFTs had been hijacked since the project began, totalling an estimated value of $13.5m at the time. The majority were stolen from hot wallets.
Cold Wallets
Hardware wallets, also known as cold wallets, try to resolve that issue. These devices, like those sold by Ledger and Trezor, stay offline which makes them more difficult to hack.
The problem with hot and cold wallets is that they require you to hold onto your own recovery seed phrase. A seed phrase is a set of words that can be used to recover the funds if you forget your password or lose access to the device. The phrase can be memorised, written down, or backed up elsewhere.
The problem is, it’s pretty easy to forget your 12 or 24 word seed phrase. Even the most dedicated memory expert could have a stroke one day, causing all recollection of their keys to fade away.
You could jot it down on a scrap of paper, but what if someone finds it? It doesn't matter if you have a hardware wallet, they can now plug your seed phrase in online and drain it in minutes.
What if a fire ravaged your home or storage, reducing the paper to ashes? Your crypto might as well have gone up in smoke with it!
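Why a found phrase is enough to drain a wallet, and a lost one is fatal: the sketch below is an added example, not code from any wallet vendor, and assumes the wallet follows the BIP-39 and BIP-32 standards. The words, plus an optional passphrase that is not written on the paper, are the only inputs to the master key; the device contributes nothing. The function names and the `wallet_id` fingerprint are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test phrase used as sample input (never use it for real funds).
TEST_PHRASE = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(phrase: str, passphrase: str = "") -> bytes:
    """BIP-39: seed = PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048 rounds)."""
    # Collapse stray whitespace so a hand-copied phrase matches the original.
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple:
    """BIP-32: master private key and chain code derived from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_id(phrase: str, passphrase: str = "") -> str:
    """Short fingerprint of the master key, used here only to compare wallets."""
    key, chain = bip32_master(bip39_seed(phrase, passphrase))
    return hashlib.sha256(key + chain).hexdigest()[:16]


if __name__ == "__main__":
    on_device = wallet_id(TEST_PHRASE)
    # Someone typing the words from a scrap of paper gets the same wallet.
    from_paper = wallet_id("abandon " * 11 + "about")
    print("paper copy opens the same wallet:", from_paper == on_device)
    # With a BIP-39 passphrase set, the words alone lead to a different wallet.
    protected = wallet_id(TEST_PHRASE, "constructed example passphrase")
    print("words without the passphrase open it:", protected == on_device)
```

The passphrase only helps if it is stored separately from the written words, and forgetting it loses the funds just as losing the phrase does.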
Lost bitcoin is often celebrated, as this decreases the overall supply and boosts the value of individual holdings. However, the unfortunate reality is that most of those coins belonged to everyday people who invested and believed in the project. They have now lost access to their funds and find themselves penniless.
Stefan Thomas, a programmer in San Francisco, lost the password to a wallet that holds 7,002 bitcoin, which would be worth over $100m at today’s prices. He lost it years ago and has two guesses left on his device.
Finally, imagine that a nefarious individual threatens you, coercing you into handing over your wallet or seed phrase. Whereas a typical mugger might only make off with a watch or wallet, this person could steal your entire net worth with nothing more than a $5 wrench.
Multi-sigs
Multi-signature (multi-sig) wallets require multiple keys to access. More than one person must give their approval before funds can be transferred. They are mostly used by organisations to ensure that funds are not accidentally or maliciously transferred without permission.
While multi-sigs improve security, they are costly and complicated. The fact multiple people are required also makes it slower to make transactions. If you are an individual wanting to regularly trade altcoins or NFTs, this solution just isn’t viable.
Which to choose
While it currently makes sense for institutions and high net-worth individuals to use expensive and complicated solutions to store their crypto, there’s no easy solution for the average Joe.
The main options are exchanges, hot wallets, and cold wallets. Exchanges go bankrupt, hot wallets get hacked, and people lose their keys to their cold wallets.
The biggest risk with self-custody is the seed phrase. Whilst there are companies out there offering alternative solutions, they are in their infancy and their products can be costly and difficult to set up.
Despite this, for the average crypto user, a basic hardware wallet like Ledger or Trezor is the way to go. These devices keep your crypto under your control and offer an extra layer of protection by keeping your wallet offline. Plus, they are the most user-friendly and convenient to use.
You should, however, consider diversifying storage across multiple wallets and exchanges. That way, if one is compromised, only a small portion of your assets can be lost.
Crypto is an amazing technology that can and likely will change the world, but asset custody comes with huge risks and issues preventing the mass adoption required to do so.
The right answer is staying the heck away from cryptocurrency. If my bank is hacked, I won't lose any money.