It goes without saying that exchanges command significant influence over the cryptocurrency market, being the primary portals for fiat into the world of blockchain. Exchanges are also the most significant winners of the cryptocurrency craze, banking billions by raking in fees and maintaining custody over sizeable crypto wallets made up of their own funds as well as those of their customers. In a largely unregulated environment, the latter comes with its own set of implications and risks.
Not every exchange uses its capital to reduce these risks adequately. Instead of reinvesting in a more secure custody service or establishing carefully administered audits, some exchanges may begin to act in their own financial interests. Traders keeping their coins in exchange wallets understand that the direct connection to the market and ability to trade into and out of fiat demands a steep price — and familiarity with this compromise is universal.
For a sector that is moving gradually toward improved compliance, customer safety and access to the crypto market shouldn’t be mutually exclusive. This is why breaches like that of Cryptopia are vital to pay attention to, as they also highlight the often-adversarial role that exchanges play with their customers.
With the news that Cryptopia is now being liquidated, several months after two major hacks, the reality may be setting in for optimistic crypto traders. Despite their best intentions and ambitious statements, exchanges are not always friendly places to customers, for more than one reason. For early investors, this scary reality tempers investment enthusiasm and represents an anchor on the market that, in 2019, is past due to be cut loose. But is the future really that bleak?
Thanks to the transparency of the ledger, websites like Etherscan and watchdog social accounts such as Whale Alert have already tracked the stolen Cryptopia funds to a handful of wallet addresses that moved the funds on to an exchange. However, this is far from identifying the perpetrators of the hack or even preventing them from using the crypto they stole.
Exchange hacks are an unfortunate yet predictable occurrence in cryptocurrency and add to its notoriety as a “Wild West” marketplace. Cryptopia is just one instance in a long history of hacks, which, as of April 2019, totaled over $1.3 billion lost or stolen in crypto since the creation of Bitcoin in 2009. Of that $1.3 billion, 61% was lost in 2018 alone, and 2019 seems to have the ambition to surpass that figure.
The hack of New Zealand exchange platform Cryptopia was reported in January after several days of on-and-off maintenance, when the exchange finally announced on Jan. 15 that, at the time, around $16 million had been stolen from over 76,000 different wallet addresses. On Jan. 29 the hacker struck again, siphoning a further 1,675 ether (ETH) from some 17,000 Cryptopia wallets.
“What surprises me the most is the negligence in relation to security of the entire chain of work with wallets,” Codex Exchange CEO Serge Vasylchuk told Cointelegraph. “Maximum isolation is necessary both from external influences and from accidental internal interference — on the developer’s part or anyone else’s, because each change in the system may entail a security breach. That’s why backups should be done regularly. Private key backups must be on a well-protected physical copy with no questions. This hack would have been prevented if they had taken these must-have measures seriously.”
Also, the founder of Cryptopia, Adam Clark, has seemingly moved on from the failed project and is now working on a new cryptocurrency exchange. It claims to be “New Zealand’s most advanced crypto trading platform,” offering fast and secure service. It is unclear whether the exchange is fully operational at this point in time: several pages, such as “About Us,” are blank, and “Market Summary” displays zero activity.
Badly run exchanges demonstrate the need for decentralization
So, why did it take so long for Cryptopia to acknowledge the threat and then to deal with it appropriately? How could it have let its customers’ private keys become exposed?
Answers are still inconclusive, but some are of the opinion that the hack was an inside job, meant to drain the exchange of its funds before a scheduled audit. Though this would be incomprehensibly malevolent, it’s already bad enough that a platform with over 1 million customers would expose their private keys to intruders.
According to Hacken’s blockchain security team, “The Cryptopia hack is quite different from other exchange and wallet hacks. First of all, the funds were transferred from Ethereum accounts. Hackers need to sign the transaction with an account’s private key to be able to transfer ether or tokens to their personal account. It could have happened that the hacker somehow gained access to Cryptopia’s private key storage. The fact that a hacker gained access to private keys is confirmed by the fact that transfers continued several days after the breach was discovered.”
The lack of transparency on the part of Cryptopia, which remains tight-lipped about the ordeal and willing to let customers flail, also seems questionable. Centralized exchanges are able to rely on the legal system to some extent when it comes to repaying stakeholders, but it isn’t always the most elegant or satisfying solution, given that they still exist on the fringes of traditional finance. The embrace of decentralized exchanges is partly due to the idea that traders own their own private keys and therefore exercise true ownership of their cryptocurrency.
This is clearly demonstrable in other exchange hacks, all of which occurred on centralized exchanges. The largest hack of all time, in January 2018, saw Japanese exchange Coincheck hacked for over $500 million in crypto at the time, which appeared to have resulted from a lazily managed custody model. Not only was Coincheck not registered with Japan’s Financial Services Agency (FSA), it was also revealed that it had kept the entirety of its NEM in a single hot wallet, as opposed to the hybrid hot-and-cold solution deployed by most modern exchanges.
It also seems that the New Zealand exchange took no action for several days while it was being drained. Blockchain forensics firm Elementus said at the time, “Despite the hack, many Cryptopia users continue depositing funds into their ethereum wallets. In just the two hours since these breaches took place, many of the very same ethereum wallets that were just drained have already been topped with more ether.” The lack of transparency meant users lost much more than they would have, had Cryptopia been forthcoming.
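The two observations above, Hacken’s point that outflows continuing after the breach was discovered prove the signing keys were in the attacker’s hands, and Elementus’s point that users kept depositing into wallets that had just been drained, are both things an exchange can detect from its own ledger. The following is an added example, not code from Cryptopia, Hacken or Elementus: a small monitor that walks a time-ordered list of transfers and flags (a) any outflow from an exchange-controlled deposit address to a destination outside the sweep allow-list, (b) such outflows that occur after the platform was frozen for maintenance, and (c) fresh deposits into an address that has already been drained. The addresses, the freeze timestamp and the transfer list are constructed sample data, and the allow-list concept is an assumption about how an exchange’s sweep process is configured.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ETH = 10**18  # wei per ether


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    wei: int


@dataclass
class Findings:
    unauthorized_outflow: list = field(default_factory=list)  # indices of flagged transfers
    post_freeze_outflow: list = field(default_factory=list)   # subset that happened after the freeze
    deposit_to_drained: list = field(default_factory=list)    # deposits into already-drained addresses
    drained: set = field(default_factory=set)                 # custodial addresses emptied by an attacker
    attacker_addrs: set = field(default_factory=set)          # destinations of unauthorized outflows
    stolen_wei: int = 0


def scan(transfers, custodial, sweep_allowlist, freeze_at):
    """Replay transfers in time order and flag custody-compromise indicators.

    Indices in the returned lists refer to the transfers sorted by timestamp.
    """
    f = Findings()
    balance = {a: 0 for a in custodial}
    for i, t in enumerate(sorted(transfers, key=lambda x: x.ts)):
        if t.src in custodial:
            balance[t.src] -= t.wei
            # Only the exchange holds the keys for custodial addresses, so any
            # outflow not going to an approved sweep destination implies those
            # keys are being used by someone else.
            if t.dst not in sweep_allowlist:
                f.unauthorized_outflow.append(i)
                f.attacker_addrs.add(t.dst)
                f.stolen_wei += t.wei
                if balance[t.src] <= 0:
                    f.drained.add(t.src)
                if t.ts >= freeze_at:
                    # Outflows after the freeze show the keys are still compromised.
                    f.post_freeze_outflow.append(i)
        if t.dst in custodial:
            if t.dst in f.drained:
                # A user is topping up an address the attacker already emptied.
                f.deposit_to_drained.append(i)
            balance[t.dst] += t.wei
    return f


# --- Constructed sample data (hypothetical addresses and times) ---
CUSTODIAL = {"0xa1", "0xa2", "0xa3"}          # exchange deposit wallets
SWEEP_ALLOWLIST = {"0xhot1", "0xcold1"}       # approved sweep destinations
FREEZE_AT = datetime(2019, 1, 14, 0, 0)       # moment the platform went into maintenance
T0 = FREEZE_AT - timedelta(days=2)
H = timedelta(hours=1)

SAMPLE = [
    Transfer(T0, "0xuser1", "0xa1", 10 * ETH),                    # 0: normal deposit
    Transfer(T0 + H, "0xa1", "0xhot1", 10 * ETH),                 # 1: legitimate sweep
    Transfer(T0 + 2 * H, "0xuser2", "0xa2", 5 * ETH),             # 2: normal deposit
    Transfer(FREEZE_AT - H, "0xa2", "0xattacker", 5 * ETH),       # 3: attacker drains 0xa2
    Transfer(FREEZE_AT + 2 * H, "0xuser2", "0xa2", 1 * ETH),      # 4: user tops up drained wallet
    Transfer(FREEZE_AT + 3 * H, "0xa2", "0xattacker", 1 * ETH),   # 5: drained again, post-freeze
    Transfer(FREEZE_AT + 5 * H, "0xuser3", "0xa3", 2 * ETH),      # 6: deposit to an untouched wallet
]


def report(findings):
    """Render findings as a short human-readable summary."""
    lines = [
        f"unauthorized outflows: {findings.unauthorized_outflow}",
        f"post-freeze outflows:  {findings.post_freeze_outflow}",
        f"deposits to drained:   {findings.deposit_to_drained}",
        f"drained addresses:     {sorted(findings.drained)}",
        f"attacker addresses:    {sorted(findings.attacker_addrs)}",
        f"stolen: {findings.stolen_wei / ETH:.2f} ETH",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(scan(SAMPLE, CUSTODIAL, SWEEP_ALLOWLIST, FREEZE_AT)))
```

The legitimate sweep at index 1 also empties a custodial address but is not treated as a drain, because the destination is on the allow-list; the distinction between an allow-listed sweep and an outflow to an unknown address is what separates normal operations from a key compromise. A single post-freeze hit is enough to justify pausing deposits and rotating keys.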
After the liquidation announcement, however, the company did take to Twitter, asking users to stop depositing crypto onto the soon-to-be-defunct platform.
Do exchanges remain vulnerable despite efforts?
The recent Binance hack to the tune of $40 million was also catalyzed by error, but these instances could also be preventable if exchanges didn’t insist on being responsible for keeping customer funds safe. In its purest form, blockchain removes this necessity anyway. However, in the interest of profit, exchanges have decided to become “funds” rather than just service providers, despite not being technologically or legally capable of doing so in some cases.
Moreover, regulation remains fuzzy, even though there is a growing consensus that it is necessary to increase security and safety of traders and their funds. Even the likes of Mike Novogratz have advocated for greater external and self-regulation. According to him, the industry is leaning that way regardless, noting that “we think all the exchanges should go to a process where they can almost self-regulate, right? They do what the regulators want beforehand,” as a way of creating more transparency and improving the overall ecosystem.
Regardless, there are simply too many attack vectors for hackers to explore when it comes to cryptocurrency exchanges. From weak smart contracts to phishing and insecure storage methods, it’s clear that centralized exchanges need to adjust their approach and, at the very least, pour their profits into a security apparatus that will hopefully keep the platform safe.
Some exchanges, like Binance, even set aside 10% of trading fees in a dedicated fund for the express purpose of reimbursing hacked customers. Initiatives like these, although very welcome, should not be the safety net for billions of dollars stored in crypto, and by themselves indicate that the expectation of a hack is always present.
The Cryptopia hack and subsequent liquidation have reawakened the conversation about how safe crypto really is. The hack itself resulted in millions being lost, and the company proved unable to manage the aftermath and to respond to its users’ very valid concerns.
However, the increasing emphasis on regulation and a stronger focus on security means that, at the very least, the problem is likely to be mitigated soon. As exchanges learn from their rivals’ lessons and the market matures, it will likely weed out those exchanges that refuse to improve and leave only those that prioritize transparency and user safety.