Early in February, hackers broke into the money storage of Coincheck, a Tokyo-based cryptocurrency exchange, and stole $530 million. This is the biggest cryptocurrency theft to date. We've previously written about how hackers have penetrated the ICO marketplace; exchanges are no stranger to attacks either. The hackers stole the money from the web-connected storage system generally known as the “hot wallet”. Surprisingly, the hack was not noticed for eight hours.
Coincheck sources, while confirming the theft, also said that they know where the funds went, and they are tracking them. Moreover, they also announced refunding over $423 million of the lost money, in a bid to address the investors’ concerns.
While users may not be worried about the hack after the refund, this incident has strengthened the growing perception that the cryptocurrency market is very vulnerable to hacking. To many analysts, this is a hard reminder that while the industry offers good ROI, many things have yet to mature.
Even mature organizations like Coincheck do not follow best practices or have the best processes in place. Take this hack as an example and you’ll see some of the many creative ways that hackers are able to steal from people, businesses, and exchanges.
First, the hackers have exposed the fact that Coincheck did not have basic security measures in place. Company sources confirmed (to the media) that the stolen coins were stored in a web-connected hot wallet, while the best practice is to store the funds offline, in “cold” storage. While a few exchanges already claim to keep customers’ funds offline, we believe that, learning from the Coincheck episode, crypto-exchanges will make this a standard practice and keep currency/tokens in cold storage instead of hot.
Secondly, every cryptocurrency account/address is associated with a private key, and funds cannot be moved from the account without using that key.
However, if someone gets access to those private keys, he/she can move the funds, and this is exactly what happened in the case of Coincheck. So, how do we secure the private keys and block unauthorized access?
One simple solution is a multi-layer authorization process, like the ‘phone and email verification’ used by various services. In cryptocurrency terms, this is called a “multi-signature address”: one that requires more than one cryptographic key to authorize a transaction. To boost security, investors (read: partners) can create a shared wallet where transactions are processed only when every partner signs them.
This is not a perfect solution, as hackers have breached multi-signature systems as well. In one such case, they stole $65 million from a multi-sig wallet at Bitfinex, though the exact weakness is yet to be known; perhaps there was a flaw in the implementation. Japanese regulators are now studying the effectiveness of multi-signature technology to boost the security of wallets.
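To make the multi-signature idea concrete, here is an added example (not code from the original post, Coincheck, or Bitfinex) of a 2-of-3 withdrawal policy: a transaction is approved only when two distinct, known signers have signed the same transaction digest. The signer names, keys and the transaction fields are constructed for the example, and HMAC keys stand in for the per-signer asymmetric private keys a real multi-sig wallet would use, so the script runs with the standard library only. It also shows the checks an implementation has to get right: the same compromised key signing twice must count once, an unknown signer must count for nothing, and a signature over a different transaction must not carry over to a tampered one.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed example keys for three independent approvers. In a real
# multi-signature wallet each party holds its own asymmetric private key;
# HMAC keys are a stand-in so the example runs offline with the stdlib.
SIGNER_KEYS: dict[str, bytes] = {
    "ops-hot-server": b"constructed-key-ops-0000000000000000",
    "treasury-officer": b"constructed-key-treasury-00000000000",
    "offline-custodian": b"constructed-key-custodian-0000000000",
}
THRESHOLD = 2  # 2-of-3 policy: stealing one key (as at Coincheck) is not enough


def tx_digest(tx: dict) -> bytes:
    """Canonical SHA-256 of the transaction so every signer commits to the same bytes."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def sign(signer_id: str, tx: dict) -> tuple[str, str]:
    """Return (signer_id, signature) over the transaction digest."""
    key = SIGNER_KEYS[signer_id]
    return signer_id, hmac.new(key, tx_digest(tx), hashlib.sha256).hexdigest()


def _signature_valid(signer_id: str, sig: str, tx: dict) -> bool:
    """Verify one signature; unknown signers never verify."""
    key = SIGNER_KEYS.get(signer_id)
    if key is None:
        return False
    expected = hmac.new(key, tx_digest(tx), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def authorize(tx: dict, signatures: list[tuple[str, str]],
              threshold: int = THRESHOLD) -> tuple[bool, str]:
    """Approve only when `threshold` DISTINCT known signers signed this exact tx."""
    approvers: set[str] = set()
    for signer_id, sig in signatures:
        if _signature_valid(signer_id, sig, tx):
            approvers.add(signer_id)  # a set, so one key signing twice counts once
    if len(approvers) >= threshold:
        return True, f"approved by {sorted(approvers)}"
    return False, f"need {threshold} distinct signers, have {len(approvers)}"


if __name__ == "__main__":
    # Constructed withdrawal request; addresses are placeholders.
    tx = {"from": "exchange-hot-wallet", "to": "DEST_ADDRESS_PLACEHOLDER",
          "amount": 500, "nonce": 1}
    print(authorize(tx, [sign("ops-hot-server", tx), sign("treasury-officer", tx)]))
    # A single stolen key, even used twice, does not meet the threshold:
    print(authorize(tx, [sign("ops-hot-server", tx), sign("ops-hot-server", tx)]))
```

The design point is that the hot server's key alone can never move funds: the second signature comes from a key held elsewhere (an officer's device or offline custodian), so an attacker who compromises the web-connected system still lacks a quorum.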
In short, there are a number of areas where the industry is still learning and discussing the prospects. While the major part of the debate revolves around the future of blockchain and how it’ll revolutionize the way we do financial transactions, security and hacking are certainly part of the discussion.
At InWage, we help companies and investors conduct successful and secure token launches. If you’re aiming to launch an ICO, get in touch and we’ll help you from conceptualization through completion. Subscribe below!