Cryptocurrency investors still run a high risk of losing their cash to theft or loss, experts warn.
Canadian crypto exchange QuadrigaCX hit the headlines after its founder died, leaving customer cash trapped in the company.
Gerald Cotten, QuadrigaCX’s 30-year-old co-founder, was apparently the only person with the password to the exchange’s digital safe. As a result, the roughly C$190m (£110m, $142m) of customer money is now likely lost forever.
Industry experts agree that QuadrigaCX’s security was particularly bad and not reflective of the wider industry.
“What this exchange has done is an incredible level of poor risk management,” Axel Pierron, managing director of financial services consultancy Opimas, told Yahoo Finance UK. “It’s a nonsense.”
But observers say crypto remains prone to this kind of massive investor wipeout, either through hackings or poor risk management.
‘There are going to be others’
Michael Jackson, a general partner at Mangrove Capital Partners, told Yahoo Finance UK: “I find it hard to believe that one is an outlier within that ecosystem. There are going to be others.
“It’s unusual for the founder to die, but there are certainly going to be instances where the founder loses the key. There’s no reason this should be a one off as long as people are this cavalier with these assets.”
Cryptocurrency is stored in so-called digital wallets, which can only be unlocked by a string of incomprehensible letters and numbers. Many investors find this too troublesome — what if they lose the password? — and so instead leave their crypto in an account on the exchange they buy it from.
It’s a little like leaving your cash in the bank rather than taking it out and storing it in your safe at home. The problem is most exchanges don’t have bank-grade security.
“A lot of these exchanges were basically startups and they had very little understanding of what market participants want,” Pierron said.
The multi-sig approach
There are two main ways exchanges can lose your money: misplacing the keys to the vault or being hacked. Protecting against one can often increase the risk of the other, according to Aron van Ammers, the CTO of crypto-focused investment firm Outlier Ventures.
“If you protect really, really well from theft, it’s easy to lose [the password],” he said. “That would be like having one single key that only I remember. Well if I die or forget it, then I’ve lost [the crypto].
“On the other hand, if I have many back-ups and give them to my friends who store them in many places, then the risk of loss is small but the risk of theft is much larger because there would be much more opportunity for someone to steal one of those keys.”
The majority of exchanges chose some form of the latter approach, known as multi-signature or just “multi-sig” in the industry. Wallets will have to be unlocked with three out of a total of four keys, for example, meaning that the cash can still be accessed in the event of an unexpected death or even just a falling out.
Prioritising this risk has its costs though. An estimated $1bn-worth of cryptocurrency was lost to hacks in 2018 alone, according to Chainalysis.
“The number of hacks we have seen in this industry show that most of the exchanges are not at the level they should be on operational risk management,” Pierron, who has authored reports on cryptocurrency, said.
He said he knows of a company that employs so-called “white hat” hackers to try and find security vulnerabilities in exchanges and storage systems. They regularly find backdoors and loopholes, but Pierron said the findings are not always heeded by the companies.
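The loss-versus-theft trade-off van Ammers describes can be put in numbers for an m-of-n wallet such as the three-of-four example above. This is an added illustration, not part of the original article: the function names are hypothetical, and the per-key probabilities and the assumption that keys fail independently are constructed for the example.

```python
from math import comb


def at_least(k, n, p):
    """P(at least k of n independent events occur), each with probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def wallet_risk(m, n, p_lost, p_stolen):
    """Risk of an m-of-n wallet, where any m of the n keys can move the funds.

    Funds are unrecoverable once fewer than m keys survive,
    i.e. at least n - m + 1 keys have been lost.
    Funds can be stolen once an attacker holds at least m keys.
    """
    return {
        "m": m,
        "n": n,
        "loss": at_least(n - m + 1, n, p_lost),
        "theft": at_least(m, n, p_stolen),
    }


def threshold_sweep(n, p_lost, p_stolen):
    """Risk for every threshold m = 1..n over the same n key holders.

    m = 1 is "many back-ups with friends": any one copy is enough.
    m = n is the strictest setting: every key holder must take part.
    """
    return [wallet_risk(m, n, p_lost, p_stolen) for m in range(1, n + 1)]


if __name__ == "__main__":
    # Constructed inputs (assumptions): each key has a 5% chance of being
    # lost and a 2% chance of being stolen over the period considered.
    P_LOST, P_STOLEN = 0.05, 0.02

    single = wallet_risk(1, 1, P_LOST, P_STOLEN)
    print(f"1-of-1  loss={single['loss']:.6f}  theft={single['theft']:.6f}")
    for row in threshold_sweep(4, P_LOST, P_STOLEN):
        print(f"{row['m']}-of-{row['n']}  "
              f"loss={row['loss']:.6f}  theft={row['theft']:.6f}")
```

Raising the threshold m moves risk from theft to loss and lowering it does the reverse, which is the tension described in the quotes above.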
‘We will keep seeing it’
Both Jackson and Pierron think crypto businesses should look to traditional financial services for inspiration when it comes to safeguarding customer funds.
“The systemic solution is coming from the professional world where you have something called a custodian,” Jackson said. “In private equity, venture capital, we never see the money, it goes to a custodian and we instruct him to do something with the money.”
He highlighted custodian services from crypto companies Coinbase, Blockchain.com, and BitGo. Pierron noted that established financial companies Fidelity and Nomura are also working on their own crypto custody products.
“There’s fairly normal procedure for accessing physical goods — guns, gold, nuclear codes, this sort of thing,” Jackson said. “It’s not new. In fact, it’s as old as anything really.
“We tend to have a way in crypto to imagine we’ve reinvented things. We don’t just think about how things have been done for a million years.”
Van Ammers said most crypto exchanges now use some form of custody solution.
“In 2019, it’s very much an outlier for an exchange of significant size to have a very unprofessional way of storing and accessing their funds,” he said.
For now, though, security and risk management remain a big issue in crypto, and cases of lost or stolen funds remain all too common.
“It’s happened a lot of times and we will keep seeing it,” said van Ammers.
Oscar Williams-Grut covers banking, fintech, and finance for Yahoo Finance UK. Follow him on Twitter at @OscarWGrut.