Risk #1: No exchange can be 100% bulletproof against hackers
Every time a cryptocurrency exchange uses the private key of one of its online ("hot") wallets to sign a customer withdrawal, that key is exposed to whatever software and network the signing process touches, and there is a chance it gets compromised.
The risk on any single transaction is tiny, even infinitesimal. But it is not zero, and it compounds: spread across millions of withdrawals, it is not so tiny after all. As a purely illustrative figure, if each signing carried a one-in-ten-million chance of exposing the key, then over ten million withdrawals the chance of at least one compromise would be roughly 63 percent, since 1 - (1 - 10^-7)^10,000,000 is about 0.63. Robust security policies and procedures can greatly reduce the per-transaction risk, but they can never extinguish it, because withdrawing cryptocurrency from an exchange requires using a private key in an online process. That is inherently risky. Defensive technology keeps evolving, but attackers are constantly on the lookout for new ways to score.
Risk #2: Too many exchanges are not audited
Security experts at the exchanges know that, no matter what they do, they remain exposed to Risk #1. So, as a backup plan, they normally keep only a small fraction of their total funds in the online wallets they use to transact with customers. It's like a neighborhood grocery store that keeps just enough change in the cash register to cover an average day's business, plus maybe some extra to cover any spikes. The bulk of the money is moved offsite. In the crypto world, the equivalent mechanism is called "cold storage."
Are cold-storage wallets safer than online wallets? Sure. Transactions in and out are far less frequent, so there are far fewer occasions on which the private keys are used and could be compromised. And if the keys are never connected to the internet, it is much harder for hackers to reach them in the first place. The caveat is that a cold key still has to be used whenever funds are moved back to the hot wallet, and that signing step is where the exposure lies.
However, this solution to Risk #1 also creates Risk #2: most exchanges aren't audited, and there is no way to know how much crypto they actually hold, or how much they are supposed to hold. Some wallets are publicly known to belong to particular exchanges, but the full picture is rarely disclosed. Here's the issue in a nutshell:
The distributed ledgers that support cryptocurrencies are transparent and fully auditable: anyone can check the balance of any on-chain address. But once the assets are sent to an exchange, customer balances live only in the exchange's internal books, and only the exchange staffers know how much they actually hold against them.
You'd think customers would demand more disclosure. But most are satisfied as long as their transactions are executed efficiently and they can get their crypto out on demand. In the meantime, the opacity of exchanges can conceal a multitude of sins. This researcher claims Quadriga never even held the Bitcoin it supposedly lost, and depended on inflows from new customers to cover withdrawal requests by existing customers. Investigators recently interviewed by the Wall Street Journal reached a similar conclusion. It suggests Quadriga was a crypto version of the Ponzi scheme that convicted fraudster Bernie Madoff ran for decades.
How to protect yourself
For most crypto investors, doing business without an exchange is almost impossible. Accordingly …
- Always remember, no exchange is 100% hack-proof.
- Keep the bulk of your crypto holdings stashed away in offline, cold-storage wallets of your own, where you alone hold the private keys. Coins left on an exchange are an unsecured claim on that exchange's books, not coins you control.
- With all crypto investing, never risk more than you can afford to lose.