As the cryptocurrency market has grown, so have the piles of loot plundered from exchanges, with £205 million stolen in 2017, £1.3 billion in 2018, and over £3 billion in 2019. These losses are often simply blamed on ‘hacks’, but in fact there are many different ways that cryptocurrency has been lost, including internal mistakes, […]
As the cryptocurrency market has grown, so have the piles of loot plundered from exchanges, with £205 million stolen in 2017, £1.3 billion in 2018, and over £3 billion in 2019. These losses are often simply blamed on ‘hacks’, but in fact there are many different ways that cryptocurrency has been lost, including internal mistakes, phishing attacks, and technical failures.
Each major hack event has shook the industry to its core. But the traumatic episodes have also served as learning experiences. In the aftermath of each major breach, preventative measures have been put in place, and custodial solutions have been rebuilt with improved fortification to guard against the possibility of repeat episodes.
The first major learning experience came in 2014, when Tokyo exchange Mt. Gox was the beating heart of bitcoin trading; handling over 70 percent of all trades.
In February, the exchange suddenly stopped all bitcoin withdrawals, later revealing that it had suffered losses of over $473 million, or an estimated seven percent of all bitcoin in circulation at the time.
This catastrophe generated hundreds of headlines pointing to the exchange’s demise as the end of bitcoin itself, and is widely credited with triggering a multi-year bitcoin bear market. So dramatic was the fallout that it even spawned a new word—’goxxed‘—to refer to the misfortune of losing money to a corrupt exchange.
But amidst the pain and the loss, lessons were learnt. The hack was closely analysed and attributed to both human and technical failures, and keen awareness of these failures spurred a new movement towards transparency. Several platforms responded almost immediately by implementing proof-of-reserves systems allowing traders to verify the existence of their holdings at any time.
More significantly, the loss also led to the widespread adoption of a new foundational custody infrastructure for cryptocurrency.
The Mt. Gox catastrophe made crystal clear that the single signature wallets used by the exchange were not fit for purpose. This led to the widespread rollout of multi signature technology—originally used by medieval monks to store ancient relics—which was now adapted to the cryptocurrency world with the likes of Coinbase, Circle and BitGo all switching to the new wallets.
By May 2014, multi-sig wallet adoption was so widespread that chief bitcoin scientist Gavin Andresen proclaimed 2014 as “the year of the multi-signature wallet.”
In the year following the Mt Gox hack, Ethereum was launched, and it wasn’t long before multisig wallets were encoded in smart contracts—the self-executing agreements written into lines of code on the blockchain.
Then in late 2017 as the price of Ethereum soared, the cat-and-mouse game of cryptocurrency security took another turn.
A user going by the name of ‘DevOps’ on GitHub found a vulnerability in the multi-sig wallet of Ethereum development shop Parity, and drained $31 million Ether out of the smart contract—an incident that was made even more embarrassing because the code was written by high-profile Solidity developer Gavin Wood.
This brought home the reality that although multi-sig wallets were more secure than single signature wallets, their implementation on new smart contract technology was still precarious, with even minor defects in the code leading to the possibility of irreversible losses.
After conducting a post-mortem, Parity re-architected its own platform, and also inspired a broader shift in the way smart contracts are developed, with “a greater degree of community ownership” over the code.”
Though this community-based approach is still maturing, it has prompted the creation of a new breed of smart contract auditing services, like Quantstamp, that are helping to alleviate the risks posed by smart contract vulnerabilities with independent third-party audits.
At the same time, we have also seen the blockchain development community move towards the creation of a shared set of standards and common architecture for smart contracts that could guarantee certain levels of security.
In January 2018, Japanese exchange Coincheck knocked Mt Gox off the top spot to become the victim of the biggest cryptocurrency hack ever. With $530 million in NEM tokens stolen, this set a disastrous new record, and was labelled as the ‘Biggest theft in the history of the world’ by by NEM foundation president Lon Wong.
Even worse, the emrassing episode could have been easily prevented.
Hackers took funds from a hot wallet that hadn’t been properly secured due to a silly mistake, showing that even if the technical solutions are available, losses can still come from basic human error.
To help prevent the recurrence of such a disaster, exchanges in Japan quickly came together to establish a self-regulating group—the JVCEA, Japan Virtual Currency Exchange Association—with the aim of promoting shared standards. The association now consists of 16 cryptocurrency exchanges, and has been granted self-regulatory status allowing it to enforce stricter regulations on hot wallet use.
As these episodes illustrate, each major security breach has gradually tamed the wild west of cryptocurrency—slowly transforming the frontier of bootstrapped startups and raw innovation into a financial landscape that more closely resembles the secure and familiar world of banking.