How a tragic death (and paranoia) wiped out £145m of crypto wealth

This cryptocurrency exchange was not hacked. Instead, its boss took the master password for 115,000 accounts to his grave. What now?

As cryptocurrency ups and downs go, the story of Canadian crypto exchange QuadrigaCX is both sad and disturbing. When the exchange’s boss unexpectedly died last December, he took the passwords for the accounts of 115,000 clients to his grave, and now seemingly no one – absolutely no one – is able to unlock their crypto savings.

At stake is a bevy of cryptocurrencies worth CAN$250 million (£145m). But could this really have happened, and what can be done to prevent it from happening again?

This wasn’t just any old cryptocurrency exchange, but Canada’s largest. Despite this, it was apparently controlled by one person – Gerald Cotten, the CEO, who passed away two months ago at the age of 30, from complications of Crohn disease.

The firm, based in Vancouver, British Columbia, has now filed for creditor protection, with a preliminary court hearing in Nova Scotia already underway. Cotten’s widow, Jennifer Robertson, told the court that her late husband’s laptop contained all the company’s business records, that it is encrypted, and that she knows neither the password nor recovery key. A computer expert investigated, but managed to retrieve only some of the crypto coins.

Cotten was careful, perhaps too careful. The result? Millions of dollars are locked in a box for which nobody has the key.

According to Robertson’s affidavit, most of the users’ cryptocurrency was in a so-called cold wallet, an offline storage that allows owners to store their digital money in a way that reduces the risk of hacking and theft. To access it you need a key – but with Cotten’s death, that has disappeared. There are plenty of private keys for the individual accounts inside the cold wallet, and they can be restored even if you lose them, but without Cotten’s master key, account holders are left out in the cold, just like their crypto savings.

But there could be more to this story than a tragic death. A year ago, Canadian bank CIBC froze CAN$25.7 million linked to Quadriga’s payment processor, because it couldn’t identify the money’s owners. Later that year, some of the company’s customers were venting on online forum Reddit that they were not able to access their funds.

And then, Cotten died, suddenly, while on a business trip to India. So why is it so tricky to access the bitcoins, ether and dogecoin stored away by Quadriga? After all, the crypto tokens are all registered against the public ledger of the blockchain.

The fundamental problem is that the owners of virtual currency are only in control if they also run a “full node” that records all transactions – the ledger – of the blockchain infrastructure for their cryptocurrency of choice. For bitcoin, that requires them to run and constantly update the full ledger as crypto miners add new blocks to the chain – and that runs to around 160GB, while for Ethereum it’s substantially more, around 400GB.

“Anyone wishing to store bitcoin, ether, dogecoin or any of the many other crypto tokens available would need to keep a copy of the related blockchain for each,” says Carsten Sørensen, an associate professor in digital innovation at the London School of Economics and Political Science.

This is unfeasible for most people who wish to store crypto tokens. That’s why there are so many crypto exchanges and wallet companies, which run the full nodes or connect with organisations that do. It makes life easier for the majority of cryptocurrency owners, as they need to maintain only a “light node”, which essentially only stores the cryptographic keys that verify how much of the cryptocurrency you own.

That’s why hacks on crypto exchanges can be so devastating, as they target a central point of access that gives the criminals access to a lot of crypto tokens stored in a so-called “hot wallet” run by the exchange.

Quadriga tried to go one better and stored most of its crypto assets offline, in a “cold wallet”. The problem? “Cotten has seemingly arranged the affairs of the exchange so he was the only one with the keys to the vault,” says Sørensen. “As opposed to a physical bank vault, which can be opened by brute force, Mr Cotten’s laptop that seemingly has been storing Quadriga exchange funds is encrypted and access requires a key, which he seems to have taken with him.”

It’s an unusual arrangement. Most crypto exchanges storing cryptocurrencies offline spread the assets across several cold wallets, and ensure that they are “multi-signature”, where it takes more than one user to access the funds.

That’s how Roger Benites, for example, operates his Bitinka crypto exchange in Peru. In addition to having several cold wallets, he says, there should be a requirement of more than two signatures to move funds or having management access to the private keys. “Even going crypto old school, there are paper wallets, where management can have access to it, it just needs to be locked in a safe the old-fashioned way,” he says.

Benites believes that it should be possible to retrieve the money stored with Quadriga, although it would require a security analyst to go over all of the deceased’s data to (hopefully) recover the private keys.

So what’s the best way of securing your crypto savings? Dickie Armour, partner at ICO consultancy Corre Innovation, says that to stay in control of your crypto, it's advisable to keep it in your own hardware wallet in cold storage. “One of the downsides of this new decentralised world is that people are still relying on the old centralised way of behaving: relying on middlemen to look after our funds.”

This article was originally published by WIRED UK