In fact, digital assets are a major security risk. The three biggest cybersecurity risks are currently cryptocurrency miners, but beyond that, the business of keeping extant digital currencies secure isn’t simple or trivial.
The risks to digital assets
Are digital assets at risk? Unequivocally, yes. Alongside warnings over market volatility, there are plenty of cautionary tales. The Consumer Financial Protection Bureau and the Securities and Exchange Commission have warned that some exchanges are outright fakes; investors submit money to these exchanges and are simply robbed. Then there’s the QuadrigaCX effect, where the exchange’s owner apparently died suddenly in sole possession of the cryptographic keys to $190m of the exchange’s customers’ digital assets.
The threat profile across the whole space is well summed up in this graphic:
By far the leading causes are ‘application vulnerability,’ ‘server hot wallet breach,’ and ‘unknown,’ with ‘hot wallet breach’ leading by some way.
Hot wallets are virtual wallets that contain digital assets, and are connected to the internet. They make up one side of the current best-practice method of keeping digital assets safe across the space. Cold wallets, on the other hand, are used to store funds long term, disconnected from the internet.
When the two tools are used together, they create a system where some digital assets are available but vulnerable, while another body of assets is secure, but unavailable. Some exchanges find they need several days to move assets between hot and cold wallets.
What does a hot wallet breach look like?
Zaif, the Japanese digital asset exchange, suffered a loss of $59m in BTC, ETH, MONA and BCH due to a hot wallet breach “from the outside,” suggesting a possible infrastructure breach. A criminal case is under way, and the exchange has asked for any information that might help the police.
Application errors occur when the web applications used to manage digital assets fail or are attacked or exploited. While the blockchain might be virtually unhackable, web app APIs are not.
An attack along these lines was carried out against the Bitfinex exchange; it seems likely that this incident was able to happen because Bitfinex had used a third-party security tool, BitGo, incorrectly. Rather than using cold and warm wallets together, Bitfinex used the Bitfinex API as its main security tool, leaving crypto keys behind just a single layer of protection. That explains why their users’ BTC was so catastrophically vulnerable, and showcases the inadequacy of the current security model.
The solution: Technology, structure, expertise
The biggest threat to digital assets is the reliance on cryptography to solve essentially human problems. We can’t comment on the ‘unknown’ threats in the graphic above, but social engineering, hot wallet breaches, application failures and insider attacks, which taken together account for the overwhelming majority of failures, are to some extent all human problems.
Instead, we recommend combining the safeguarding structure of a trust with a technological solution to storage.
Trusts divide ownership between the legal owner, which is the trustee, and the beneficial owner, the person whose assets are placed in trust. A trustee who also handles custody, the physical possession of an asset, is said to “self-custody.”
Legacy Trust Company has over 25 years’ experience in managing trust arrangements for all kinds of assets, and is now working in partnership with Ledger Vault to provide a full-stack digital asset security solution.
To learn how Legacy Trust Company can help you keep your digital assets secure, while still being able to trade them, get in touch with us!