As the infrastructure surrounding crypto trading has evolved, questions of Bitcoin security have become more complex. Once, the question of Bitcoin security was just a matter of understanding what public/private keys were and safely storing one’s private keys; today, sophisticated, multimillion-dollar crypto funds expect to be able to trade and store Bitcoin as efficiently and securely as they would any other asset.
With the crypto sector rapidly evolving, however, it’s not always clear what a given trading venue’s security services actually protect a trader against. To help funds and sophisticated traders understand and navigate their options, we’ve put together this list of security considerations that should be top-of-mind when selecting a trading venue—and we’ve broken down how SFOX has developed the best-in-class trading suite for serious institutions to address Bitcoin security at scale.
The Problem: “Bitcoin Security” Measures Can Be Vague or Misleading
The history of Bitcoin is riddled with stories that underscore the need for clear, auditable Bitcoin security. One of the first Bitcoin exchanges famously lost $480 million worth of BTC in 2014 (worth almost $9.5 billion by today’s prices); the CEO of the ultimately fraudulent Quadriga exchange allegedly died without sharing access to the exchange’s wallets, consigning customer funds to oblivion.
Perhaps the most challenging aspect of Bitcoin security, especially on the level of institutional trading, is that it combines the traditional concerns of fund security with technological concerns particular to the cryptographic infrastructure of Bitcoin and other cryptocurrencies.
Thus far, crypto trading venues have attempted to maintain Bitcoin security on two discrete levels: insurance and crypto infrastructure. We’ll consider the current challenges on both of these levels and note the questions serious traders may wish to ask about how their trading venue of choice handles Bitcoin security.
Bitcoin Exchange Insurance: A Matter of Fine Print
Especially in the last couple of years, there’s been avid, well-intentioned interest in bringing insurance to the world of Bitcoin security and crypto trading. The basic principle behind this is sound: especially when trading with an asset that’s historically experienced a number of different modes of theft, it may be worth considering measures to mitigate the risk of merely holding a significant amount of value in that asset.
However, crypto traders should be aware that it’s one thing to be able to say that a crypto exchange has millions of dollars in insurance, and another thing entirely to be able to spell out precisely how that insurance relates to customer funds. In some instances, the details of insurance policies furnished by trading venues are either buried or inaccessible, running the risk of traders misinterpreting the impact that the policy really has on them.
Here are some common questions to consider when a venue mentions “Bitcoin insurance”:
- Does the insurance apply to my funds or to the funds of the trading venue as a whole? Traders—especially those with large holdings who may expect sizable insurance—may assume that the multi-million dollar policies they see referenced apply to their specific funds on a trading venue. In some cases, however, these numbers refer to the total amount of assets for which the trading venue is insured, irrespective of any particular customer they may have.
- What kind of wallets does the insurance cover? There’s a difference in the crypto world between Bitcoin and other cryptocurrencies stored in “cold wallets,” which are not connected to the internet and therefore slower to transact with but less prone to attacks, and “hot wallets,” which are connected to the internet and faster to transact with but more prone to attacks. Trading venue insurance policies may only cover cold wallets, which essentially provides another layer of protection to a storage solution that’s relatively secure, while potentially leaving the more at-risk hot wallet coins uninsured.
- Who is underwriting or funding the insurance policy? Because cryptocurrencies are still an emerging asset class, there isn’t yet any kind of cost-effective industry standard for the insurance of coins. The result is that some of the insurance policies broadcast by trading venues are either self-insurance or captive insurance: in the first case, venues essentially just designate part of their balance sheet as an insurance fund; in the second case, insurance is provided by a wholly-owned subsidiary of the venue in question. Insurance policies of this kind inherently risk socialized losses in the event that the venue in question suffers a significant loss, meaning that insurance policies of this structure may not have the potential to entirely cover trader losses in the event of a venue-wide loss of the kind Mt. Gox and Quadriga experienced.
While some insurance policies in the crypto world may have some utility or at least be aspirational, those that can’t offer good answers to the above questions may potentially function more like marketing than the kind of robust risk-management tool traders expect when they talk about insurance in the financial services sector. With that in mind, while it’s less immediately intuitive than the concept of “insurance,” it may be useful to turn to the more foundational question of how crypto trading venues actually store BTC as a measure of Bitcoin security.
Bitcoin Storage: Hot Wallets, Cold Wallets, and Key Accessibility
When it comes to the matter of coin storage, the buzzwords in Bitcoin security are “hot wallet” and “cold wallet.” As we mentioned above, these terms distinguish whether a wallet storing BTC or other cryptocurrencies is connected to the internet or not; hot wallets connect to the internet to allow faster transactions at the cost of a heightened risk of hacking and other attacks, while the reverse is true of offline cold wallets.
In practice, many crypto trading venues utilize a combination of hot and cold wallets in an attempt to balance same-day deposits/withdrawals (the hot-wallet part of the equation) and fund security (the cold-wallet part of the equation). The balancing of these systems, however, may be relatively opaque, in which case it can be a challenge to determine how safe one’s funds are at any given time. This is part of why it’s become a common refrain in the crypto sector that one ought not to keep significant crypto holdings on crypto exchanges—but of course, that ethos is completely counterproductive if one is trying to efficiently deploy capital and scale one’s trading strategy as much as possible.
A less common yet arguably more pressing issue in the world of crypto trading is the question of how wallet information is stored. In recent years, watchdogs have called companies out in disbelief for storing sensitive user data in plaintext within their databases rather than encrypting that data. The result of this is that a hacker who gains access to those databases could theoretically have a broad swath of user data at their fingertips; in contrast, encrypted user data makes it much harder for hackers to abuse a user’s sensitive information even if they gain access to a company’s databases.
This issue is all the more critical in the realm of financial information: if wallet keys are exposed in a trading venue’s database—even if they are only exposed for a short time (e.g., created in plaintext and subsequently encrypted)—then there is a heightened risk that hackers could access the funds in those wallets if they were to get into the venue’s database. If a venue doesn’t provide a clear and third-party audited accounting of encrypted wallet data, traders might do well to ask themselves what the risk of fund theft is in the event of a successful hack.
The Solution: Rethinking the Hot/Cold Bitcoin Security Paradigm
Trying to bridge the gap between traditional trading-venue security and Bitcoin security through offerings like nominal insurance and vague hot- / cold-wallet balancing runs the risk of earning a trader’s peace of mind while running roughshod over the fine details that actually impact fund security. But this isn’t the only way to approach crypto fund security: at SFOX, we’ve been protecting the funds of some of the largest crypto hedge funds since 2014 with a fundamentally different security approach. The key to this approach is the SFOX warm wallet, a combination of the best aspects of hot and cold wallets, which we layer on top of traditional cold storage solutions.
SFOX warm wallets park traders’ funds within a storage solution that is online—allowing for fast transactions—with geographically distributed keys. The keys to SFOX’s wallets are broken down into components that are encrypted from the time of their creation; they are never represented in plain text, and the totality of a key is never possessed by any single SFOX officer nor present in any single location. This means that there is no single point of failure in SFOX’s storage system—whether we’re imagining a founder “dying” or a hacker gaining access to company accounts—mitigating security risks while simultaneously keeping transaction speeds fast.
It bears repeating that SFOX traders’ funds are parked: once trader crypto and fiat funds enter SFOX’s walled garden, they are stored in warm wallets and uniquely custodied bank accounts—SFOX uses the company’s own funds, not traders’ funds, in order to facilitate SFOX customers’ trades across the 20+ trading venues to which SFOX is connected. In the event that something goes wrong with any particular trading venue to which SFOX is connected, traders’ funds remain safely parked within SFOX’s institution-grade ecosystem.
SFOX’s unique, third-party audited crypto custody and bitcoin security infrastructure constitutes the nuts and bolts that make possible SFOX Atlas, a full-service crypto suite for financial institutions looking to custody and transact crypto on behalf of their clients. The story of crypto, as we see it, is one of innovating fully compliant and ruthlessly reliable, scalable solutions for major institutions and traders to reap the benefit of the future of finance; with 5-millisecond transaction time and 99.99% platform uptime, that’s what we’re making possible every day.
Interrogate the Substance of Bitcoin Security
Especially for seasoned funds and traders who may be newcomers to crypto, it’s easy to get distracted by the new technology and buzzwords and lose the forest for the trees. Security of funds remains fundamental, and knowing the right questions to ask of one’s trading venue—not to mention what basic standards to expect—is table stakes for a scalable crypto strategy.
SFOX’s perspective on Bitcoin security is the foundation for all the trading tools we offer, whether you’re a trader looking for smart-routing-powered order types or a fund looking for separately managed account infrastructure. When you’re ready to understand the SFOX edge for yourself, open your account and discover the full suite of tools you’ve been missing in your crypto trading playbook.