As the infrastructure surrounding crypto trading has evolved, questions of Bitcoin security have become more complex. Once, the question of Bitcoin security was just a matter of understanding what public/private keys were and safely storing one’s private keys; today, sophisticated, multimillion-dollar crypto funds expect to be able to trade and store Bitcoin as efficiently and securely as they would any other asset.
With the crypto sector rapidly evolving, however, it’s not always clear what a given trading venue’s security services actually protect a trader against. To help funds and sophisticated traders understand and navigate their options, we’ve put together this list of security considerations that should be top-of-mind when selecting a trading venue—and stay tuned for next time, when we’ll take you under the hood of SFOX’s best-in-class solutions to these issues.
The Problem: “Bitcoin Security” Measures Can Be Vague or Misleading
The history of Bitcoin is riddled with stories that underscore the need for clear, auditable Bitcoin security. One of the first Bitcoin exchanges famously lost $480 million worth of BTC in 2014 (worth almost $9.5 billion by today’s prices); the CEO of the ultimately fraudulent Quadriga exchange allegedly died without sharing access to the exchange’s wallets, consigning customer funds to oblivion.
Perhaps the most challenging aspect of Bitcoin security, especially on the level of institutional trading, is that it combines the traditional concerns of fund security with technological concerns particular to the cryptographic infrastructure of Bitcoin and other cryptocurrencies.
Thus far, crypto trading venues have attempted to maintain Bitcoin security on two discrete levels: insurance and crypto infrastructure. We’ll consider the current challenges on both of these levels and note the questions serious traders may wish to ask about how their trading venue of choice handles Bitcoin security.
Bitcoin Exchange Insurance: A Matter of Fine Print
Especially in the last couple of years, there’s been avid, well-intentioned interest in bringing insurance to the world of Bitcoin security and crypto trading. The basic principle behind this is sound: especially when trading with an asset that’s historically experienced a number of different modes of theft, it may be worth considering measures to mitigate the risk of merely holding a significant amount of value in that asset.
However, crypto traders should be aware that it’s one thing to be able to say that a crypto exchange has millions of dollars in insurance, and another thing entirely to be able to spell out precisely how that insurance relates to customer funds. In some instances, the details of insurance policies furnished by trading venues are either buried or inaccessible, running the risk of traders misinterpreting the impact that the policy really has on them.
Here are some common questions to consider when a venue mentions “Bitcoin insurance”:
- Does the insurance apply to my funds or to the funds of the trading venue as a whole? Traders—especially those with large holdings who may expect sizable insurance—may assume that the multi-million dollar policies they see referenced apply to their specific funds on a trading venue. In some cases, however, these numbers refer to the total amount of assets for which the trading venue is insured, irrespective of any particular customer they may have.
- What kind of wallets does the insurance cover? There’s a difference in the crypto world between Bitcoin and other cryptocurrencies stored in “cold wallets,” which are not connected to the internet and therefore slower to transact with but less prone to attacks, and “hot wallets,” which are connected to the internet and faster to transact with but more prone to attacks. Trading venue insurance policies may only cover cold wallets, which essentially provides another layer of protection to a storage solution that’s relatively secure, while potentially leaving the more at-risk hot wallet coins uninsured.
- Who is underwriting or funding the insurance policy? Because cryptocurrencies are still an emerging asset class, there isn’t yet any kind of cost-effective industry standard for the insurance of coins. The result is that some of the insurance policies broadcast by trading venues are either self-insurance or captive insurance: in the first case, venues essentially just designate part of their balance sheet as an insurance fund; in the second case, insurance is provided by a wholly-owned subsidiary of the venue in question. Because the "insurer" in both structures is the venue itself, its ability to pay is tied to the venue's own solvency. Such policies therefore risk socialized losses in the event that the venue suffers a significant loss, and may be unable to cover trader losses in full in the event of a venue-wide loss of the kind Mt. Gox and Quadriga experienced.
While some insurance policies in the crypto world may have some utility or at least be aspirational, those that can’t offer good answers to the above questions may potentially function more like marketing than the kind of robust risk-management tool traders expect when they talk about insurance in the financial services sector. With that in mind, while it’s less immediately intuitive than the concept of “insurance,” it may be useful to turn to the more foundational question of how crypto trading venues actually store BTC as a measure of Bitcoin security.
Bitcoin Storage: Hot Wallets, Cold Wallets, and Key Accessibility
When it comes to the matter of coin storage, the buzzwords in Bitcoin security are “hot wallet” and “cold wallet.” As we mentioned above, these terms distinguish whether a wallet storing BTC or other cryptocurrencies is connected to the internet or not; hot wallets connect to the internet to allow faster transactions at the cost of a heightened risk of hacking and other attacks, while the reverse is true of offline cold wallets.
In practice, many crypto trading venues use a combination of hot and cold wallets in an attempt to balance same-day deposits/withdrawals (the hot-wallet part of the equation) and fund security (the cold-wallet part of the equation). The balancing of these systems, however, may be relatively opaque: the venue rarely publishes what fraction of customer coins sits in the hot wallet at a given moment, so it can be a challenge to determine how safe one’s funds are at any given time. This is part of why it’s become a common refrain in the crypto sector that one ought not to keep significant crypto holdings on crypto exchanges; of course, that ethos is completely counterproductive if one is trying to efficiently deploy capital and scale one’s trading strategy as much as possible.
A less common yet arguably more pressing issue in the world of crypto trading is the question of how wallet information is stored. In recent years, watchdogs have called companies out in disbelief for storing sensitive user data in plaintext within their databases rather than encrypting that data. The result of this is that a hacker who gains access to those databases could theoretically have a broad swath of user data at their fingertips; in contrast, encrypted user data makes it much harder for hackers to abuse a user’s sensitive information even if they gain access to a company’s databases.
This issue is all the more critical in the realm of financial information: if wallet private keys are ever exposed in a trading venue’s database, even briefly (e.g., written to the database in plaintext and only encrypted afterward), then an attacker who gets into that database during the window, or who obtains a backup or replica taken during it, can spend the funds in those wallets directly, with no need to break any encryption. The relevant questions are therefore whether keys are generated and wrapped before they are ever persisted, and where the key that encrypts them is held (a key stored in the same database as the ciphertext protects nothing). If a venue doesn’t provide a clear, third-party-audited account of how wallet keys are encrypted at rest, traders might do well to ask themselves what the risk of fund theft is in the event of a successful hack.
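To make the distinction concrete, here is an added example (written for this article, not SFOX’s or any venue’s production code) of the pattern the previous paragraph calls for: a wallet private key is generated and immediately wrapped with AES-GCM under a key-encryption key (KEK), so that only ciphertext ever reaches the database row, and a tampered row, a row copied to a different wallet ID, or the wrong KEK all fail to unwrap. The `Vault` and `WalletRow` names, the in-memory KEK (which in a real deployment would live in an HSM or KMS, never on the database host), and the sample wallet ID are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// WalletRow is the shape of the persisted database record. Note what is
// absent: the private key itself. Only the AES-GCM nonce and ciphertext are
// stored, so a dump of this table yields nothing spendable on its own.
type WalletRow struct {
	WalletID   string
	Nonce      []byte
	WrappedKey []byte
}

// Vault holds the key-encryption key (KEK). In production it sits in an HSM
// or KMS, separate from the database; it is in memory here (an assumption of
// this example) so the code runs stand-alone.
type Vault struct {
	aead cipher.AEAD
}

// NewVault generates a random 256-bit KEK and returns a vault around it.
func NewVault() (*Vault, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return NewVaultFromKEK(kek)
}

// NewVaultFromKEK builds an AES-256-GCM AEAD from an existing KEK.
func NewVaultFromKEK(kek []byte) (*Vault, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// CreateWallet generates a 32-byte private key and wraps it before anything
// is returned. The plaintext exists only inside this call; there is no
// "stored in plaintext, encrypted later" window for a database read to catch.
func (v *Vault) CreateWallet(id string) (WalletRow, error) {
	priv := make([]byte, 32)
	if _, err := rand.Read(priv); err != nil {
		return WalletRow{}, err
	}
	defer zero(priv) // best-effort scrub of the plaintext buffer
	return v.wrap(id, priv)
}

func (v *Vault) wrap(id string, priv []byte) (WalletRow, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return WalletRow{}, err
	}
	// The wallet ID is bound as associated data, so a ciphertext copied from
	// one row into another row's ID fails authentication.
	ct := v.aead.Seal(nil, nonce, priv, []byte(id))
	return WalletRow{WalletID: id, Nonce: nonce, WrappedKey: ct}, nil
}

// UnwrapKey recovers the private key for signing. Any change to the
// ciphertext, nonce or wallet ID, or use of the wrong KEK, returns an error.
func (v *Vault) UnwrapKey(row WalletRow) ([]byte, error) {
	if len(row.Nonce) != v.aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	priv, err := v.aead.Open(nil, row.Nonce, row.WrappedKey, []byte(row.WalletID))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK or tampered record")
	}
	return priv, nil
}

// RowLeaksKey is the audit check an examiner would run over a row dump:
// does the persisted record contain the raw key, or its hex encoding,
// anywhere? For a correctly wrapped row the answer must be false.
func RowLeaksKey(row WalletRow, priv []byte) bool {
	dump := bytes.Join([][]byte{[]byte(row.WalletID), row.Nonce, row.WrappedKey}, nil)
	return bytes.Contains(dump, priv) ||
		bytes.Contains(dump, []byte(hex.EncodeToString(priv)))
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	v, err := NewVault()
	if err != nil {
		panic(err)
	}
	row, err := v.CreateWallet("wallet-0001") // constructed sample wallet ID
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: id=%s nonce=%x wrapped=%x\n", row.WalletID, row.Nonce, row.WrappedKey)
	priv, err := v.UnwrapKey(row)
	if err != nil {
		panic(err)
	}
	fmt.Println("row leaks plaintext key:", RowLeaksKey(row, priv))
}
```

The property worth auditing is the one `RowLeaksKey` checks: at no point is a row written that contains the key in the clear, and the KEK that would turn the ciphertext back into a spendable key is not in the database at all. Zeroing the buffer in `CreateWallet` is best-effort only (Go's runtime may have copied it), which is one more reason to keep the plaintext's lifetime to a single function call.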
The Solution: Stay Tuned
Trying to bridge the gap between traditional trading-venue security and Bitcoin security through offerings like nominal insurance and vague hot- / cold-wallet balancing runs the risk of earning a trader’s peace of mind while running roughshod over the fine details that actually impact fund security. But this isn’t the only way to approach crypto fund security: at SFOX, we’ve been protecting the funds of some of the largest crypto hedge funds since 2014 with a fundamentally different security approach—which is what we’ll be digging into in our next article of this series.
If you’re looking to better understand and benefit from the SFOX edge in the meantime, open your account and discover the full suite of tools you’ve been missing in your crypto trading playbook.