Avoiding the next Bitfinex

in #security, 8 years ago (edited)

The problem:

Bitcoins are notoriously difficult to store securely. The theft from Bitfinex shows that multisign is not a magic dust you can sprinkle over your wallet to render it immune from theft.

Bitcoins can be transferred around the globe irreversibly in minutes. This makes them very attractive to thieves. This also makes them very difficult to insure.

The requirements of the scheme that Bitfinex developed

Based on the scheme that Bitfinex and Bitgo put together, we can draw reasonable inferences about what their requirements were:

Proof of reserves:

Bitfinex's scheme would allow each customer to know for sure that Bitfinex held the number of bitcoins they were supposed to hold, with a specific set of them held aside for that particular customer. There was reasonable assurance both of how many bitcoins Bitfinex held and its total obligations to all of its customers.

High security:

While the scheme didn't actually provide high security for reasons not yet fully known, it's quite clear that Bitfinex and Bitgo intended the scheme to be extremely secure. Bitfinex was not reliant on Bitgo to make transfers. But the intent was that compromise of Bitfinex's hot systems would not be sufficient to compromise the funds.

Segregation:

The scheme was intended to provide segregation of assets such that delivery could be accomplished to the end user. The point was not that the user could actually transfer the funds or could recover them if Bitfinex collapsed. The point was to accomplish delivery of an actual asset to the customer to meet legal obligations. I believe they used a semi-separate entity as a firewall with this entity, rather than Bitfinex itself, acting as custodian through these accounts.

Controlled access:

The exchange had to know for sure that funds were available and users could not transfer funds without the exchange knowing in advance. This made it impossible to implement a scheme where the customer's signature was needed to transfer funds. This was not a storage scheme where the funds were under the customer's practical control, only legal control.

Some ground rules

First, for large amounts of money, you must use hot and cold wallets. If you like multisign and want some additional security, then you can make the hot and cold wallets multisign if you want. But multisign is not a substitute for keeping keys offline.

Second, hot wallets do not hold customers' funds. Hot wallets can be compromised. That's why they only hold funds in flight that you can cover out of your capitalization. Hot wallets do not contribute to your proof of reserves. If you don't have enough capitalization to cover your routine funds in flight, you should not make a business having custody of other people's funds.

Third, if you sign a transaction, you take responsibility for it. There is a reason that transaction required your signature.

The design

Storage of reserves

Reserves are held in a cold wallet. The address of the cold wallet is well-known. Anyone can check the balance of the cold wallet to know the reserves. Only the funds in the cold wallet count as reserves.

If desired, more than one cold wallet can be used. At all times, the total funds in all cold wallets equals or exceeds the amount owed to customers. Period. This is where the security comes from.

The cold wallet can use multisign. However, it must be impossible to obtain a quorum of keys to any cold wallet without obtaining at least one key that is air gapped.

Segregating funds

Even though just using well-known cold wallets allows the exchange's reserves to be proven, that doesn't help much if you can't prove that you don't owe more than your reserves. To accomplish this, the operator must publish a list of customer identifiers paired with balances. The list must be public and signed. Each customer can then confirm that they are on the list with the correct balance. Auditors, or anyone who wants to, can total the list and ensure the cold wallet has enough funds to cover it.

This means that each customer's balance is public, though under an identifier that cannot easily be mapped to the customer. This seems to be what Bitfinex wanted, as it's what their scheme provided as well.
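The audit described above, as an added example that is not part of the original post: it totals the published list, counts as reserves only wallets that meet the air-gapped quorum rule from "Storage of reserves", and shows the per-customer check. The identifier scheme, the wallet model, and all sample values are assumptions; checking the operator's signature over the list digest is assumed to happen separately.

```python
import hashlib
from collections import namedtuple

# Constructed model of a cold wallet: balance in satoshis, signing threshold,
# total number of keys, and how many of those keys are air gapped.
Wallet = namedtuple("Wallet", "address balance threshold keys airgapped")

def customer_id(account: str, nonce: bytes) -> str:
    """Assumed identifier scheme: hash of a per-customer secret nonce + account."""
    return hashlib.sha256(nonce + account.encode()).hexdigest()[:16]

def list_digest(entries: dict) -> str:
    """Digest of the canonical (sorted) list; the value the operator would sign."""
    body = "".join(f"{cid},{bal}\n" for cid, bal in sorted(entries.items()))
    return hashlib.sha256(body.encode()).hexdigest()

def is_cold(w: Wallet) -> bool:
    """Rule from the text: the non-air-gapped keys alone must not form a quorum."""
    return w.keys - w.airgapped < w.threshold

def audit(entries: dict, wallets: list) -> dict:
    """Total the published obligations and compare with qualifying reserves."""
    bad = [cid for cid, bal in entries.items() if not isinstance(bal, int) or bal < 0]
    if bad:  # a negative entry would silently shrink the published total
        raise ValueError(f"invalid balances for {bad}")
    liabilities = sum(entries.values())
    reserves = sum(w.balance for w in wallets if is_cold(w))
    return {"liabilities": liabilities, "reserves": reserves,
            "solvent": reserves >= liabilities}

def customer_check(entries: dict, cid: str, expected: int) -> bool:
    """What each customer verifies: present on the list with the right balance."""
    return entries.get(cid) == expected

# Constructed sample data (satoshis); not real identifiers, addresses or balances.
ALICE = customer_id("alice@example.com", b"alice-secret-nonce")
PUBLISHED = {ALICE: 150_000_000, "9f3c0a1b2d4e5f60": 50_000_000,
             "17ab44c0de9921aa": 300_000_000}
WALLETS = [
    Wallet("cold-1", 400_000_000, 2, 3, 2),  # 1 online key, threshold 2: cold
    Wallet("cold-2", 150_000_000, 2, 3, 1),  # 2 online keys reach quorum: not cold
]

if __name__ == "__main__":
    print("list digest:", list_digest(PUBLISHED))
    print("audit:", audit(PUBLISHED, WALLETS))
    print("alice listed correctly:", customer_check(PUBLISHED, ALICE, 150_000_000))
```

In the sample data the second wallet holds enough to cover the shortfall, but it is excluded because two of its three keys are online, so the audit reports the operator as under-reserved.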

Accomplishing delivery of funds

To accomplish the legal delivery of funds, where needed to meet regulatory requirements, the cold wallet should not be operated by the exchange. I believe Bitfinex did substantially this for their US customers with their scheme as well.

The cold wallet operator would own the reserves and would owe them to the customers. When Bitfinex puts bitcoins in the cold wallet and updates the table of obligations, that would accomplish legal delivery of the funds. Bitfinex would not have them, another entity would, and that entity would owe them to the customer.

This should be no different from what Bitfinex's scheme did. The customer doesn't have control over the funds in either scheme. And, in any event, the timeline suggests that accomplishing this wasn't an object of Bitfinex's design anyway.

Conclusion

Bitfinex tried a completely new design that seemed to throw away best practices. Perhaps they wanted to prove that multisign alone was as good as a cold wallet. Truth be told, it is not a difficult mistake to make. But let's learn a valuable, if painful, lesson from this theft.

But overall, their design seems quite baffling. If it wasn't designed to meet a regulatory requirement to "deliver" the bitcoins to customers, why wasn't a cold wallet used? Why produce something that ultimately provided no greater security than a hot wallet?

Bitfinex still has a lot to answer for, and we'll know more as time goes by. But we now have the tools to design extremely secure storage systems for crypto-currencies. I'm a big believer in multisign schemes, but they have to be competently designed and everything we know suggests that this one wasn't. All three of the ground rules were ignored.


JoelKatz


I've posted this same comment on a number of these "problems with online exchanges" posts. Bitshares offers an exchange that is stored on the blockchain. Nobody holds your private keys except you so the only person to blame for losing funds is yourself.

Unfortunately, a scheme like that would not have worked for what Bitfinex was doing. They had a requirement that the exchange be able to transfer out user funds and that they know for sure that funds would be available at particular future points. (I'll add a note to the article.)

Unfortunately BitShares did a horrible job of marketing themselves in the early days. It felt like a pyramid scheme or MLM scam. They may yet recover though.

Yes but other than BTS, all the assets on BitShares have a counterparty risk, no?