Monday, November 1, 2021

Happy Halloween! 2021 Audit Statuses of Canadian Cryptocurrency Exchanges

It's already been a year since I posted Happy Halloween - Updated Audit Status of Canadian Cryptocurrency Exchanges. In continuing the annual tradition of bashing Canadian crypto exchanges for Halloween, I'll try to be gentler this time!

There is one main metric - the level of visibility to fund backing. We have 5 categories:

  • Past Canadian Incidents - For fun, and to help illustrate the risks, reviews of past platforms that collapsed or lost funds in Canada. No disrespect to the real losses of Canadians who worked hard for their money.
  • No External Verification - The platform doesn’t appear to give any indication of any external auditing or verification. You may want to avoid these platforms, but sometimes a platform lands here just because this information is not easily available.
  • Apparent Verification - I was able to dig and locate some sort of claim or indication of external verification. Of course, some of these don’t mention who is performing the audit/verification or what is actually being checked. In one case, this verification is 7 years old.
  • Full Backing Report - The platform has undergone a process where backing of customer assets was verified by a third party within the past year and a report was published. While compelling, it doesn’t stop a dishonest platform excluding customers, tricking the verification process, or colluding with the third party.
  • Full Proof of Reserves - Proof of Reserves is a digital proof that the exchange holds customer funds. This cryptographic process has public wallet addresses, signing of transactions, and a public hash list or Merkle tree to allow customers to independently validate that the exchange in fact held the funds.

Past Canadian Incidents

FlexCoin - Claiming to be the world's first bitcoin bank that’s “not a true bank”, FlexCoin provides “a central location for all of your bitcoins”. “Bitcoins deposited with flexcoin will be stored on [thei]r secure servers” so you can “send bitcoins to non-technical individual[s] via e-mail”. Unlike blockchain, “flexcoin to flexcoin transfers are free”.

MapleChange - “A swift, reliable and to-the-point trading platform for veterans and newbies alike.” “One of [their] primary concerns is security for [their] customers” which is why “keys are cryptographically encrypted”. "[W]ithdraws(sic) are next to instantaneous", "rel[ying] solely on the aspect of swiftness"!

Canadian Bitcoins - The highest level of courtesy and expediency in customer service! “With nothing more than a chat session and smooth talk, a crafty cybercriminal convinced an attendee at Rogers Data Centre to reboot the Canadian Bitcoins server in fail safe mode, bypassing all security measures.”

CoinTrader/NewNote - A “meticulously engineered Bitcoin Exchange” “focused on security and tak[ing] these risks seriously”. “[Y]ou don’t have to worry”, they have “90+% cold storage” and their “cold storage is fully insured by Xapo”. Plus, as “a registered Canadian corporation”, they “leverage the good guys to fight the bad guys”.

Einstein - You can get “your money deposited and withdrawn faster than any other exchange”. As one customer said "With so many hacks and exit scams, it gives me confidence knowing Einstein is backed by hard-working people just like me." Check the user experience on their subreddit from their "220,000+ satisfied customers".

EZ-BTC - The world’s “most user friendly and bespoke crypto currency management platform”, with “strong security”. “All your coins are kept in cold storage. They’re safe.” The presence of physical ATMs was one of the strategies to build customer confidence for the promised 9% annual return.

QuadrigaCX - Operating since 2013, with “vast cryptocurrency reserves” right up to the end. "Bitcoins that are funded in QuadrigaCX are stored in cold storage, using some of the most secure cryptographic procedures possible." Even today most of the funds remain “100% secure” (including to customers)!

These are just in Canada. Globally, there are hundreds more events!

No External Verification

Bitvo - The Bitvo website hasn’t changed much in the past year. The Bitvo team has “come together to provide Canadians with the best experience (sic) in cryptocurrency exchange.” Bitvo’s cold storage “is located offsite in a third-party financial institution that is only accessible via multiple signatures of a select group of trusted individuals” and “not connected to the exchange platform or a network”. “As a percentage of customers’ funds, Bitvo holds 95% to 100% of customers’ funds in Cold Storage.”

Bitvo assures customers that they operate “on a full-reserve basis”. The website says “[s]ecurity and transparency are important in your financial transactions.” Nothing indicates that customer accounts have been verified externally or even internally. Bitvo users only pay for withdrawals and are thus incentivized to keep maximal funds on the platform. Bitvo’s trading platform was (and may still be) a whitelabel of AlphaPoint, a service which was previously breached in May of 2019.

Recommendations: Require at least 3 of 4 signatures for the multi-signature wallet. Use company funds or self-insure the 5% balance they’re using for hot wallets. Use a third party to validate that all customer funds are backed.

CoinField - The "most secure trading platform in Canada", because “[m]ultiple layers of gateways are required to allow access to data and to conduct transactions”. They “use Multi-sig wallets that require more than one key to authorize a digital transaction”. However, funds are “only retrievable only if the two founders are present at the same time”. It's good to know one founder can force/hack the other to perform a withdrawal, and funds are lost if one founder dies, gets arrested, or is incapacitated. Of additional concern is their “one of a kind secret vault that’s been built from scratch”. In general, developing a custom cryptographic solution will result in a less secure solution than the widely used best practices. “Coinfield.com will not be liable, in any event whatsoever, for any loss or damage of any kind incurred as a result of the use of this site or the services found at this site.”

CoinField is apparently based in Estonia and may not have a Canadian office. They were “fully regulated” in “193+ countries”, except for the period between October 2019 and June 2020, when they weren’t even registered as an MSB. They are presently “[a]vailable in 186 countries.” In a full analysis of the website, we failed to locate any mention of audits or validation being performed.

Recommendations: Expand the multi-signature to require at least 3 of 4 signatures. A third party can validate the setup and that customer funds are backed.

CoinSmart - A “Crypto Trading Platform you can actually understand”. Their cold storage uses “Bitgo and Fireblocks”. The key item missing here is multi-signature technology. If large or repeated withdrawals can be run through an automated central system, or triggered by one person, as their terms state, “there is a risk that a similar cyberattack could affect the Services and result in the theft or loss of your crypto assets for which you cannot recover”.

According to their terms, “[t]he digital currencies held in trust in your Crypto Account are fully-paid assets beneficially owned by you and not by CoinSmart.” They will not “loan, hypothecate, pledge, or otherwise encumber any digital currencies in your Account”. According to their about page, they are “accountable to [their] customers, community and to each other” and “committed to being open and transparent with [their] customers”. Despite that, CoinSmart has not obtained or published any validation or audit by a third party.

Recommendations: Set up or clarify their multi-signature arrangement. A third party can attest to their setup and validate all customer funds are backed on the blockchain or in company accounts.

Coinut - The Coinut platform is “[t]rusted by 1,000,000+ global users”, and claims to be "the most secure cryptocurrency exchange". According to the website, they perform a “[r]eal-time internal audit”, however the details are not public for users. While they have a "[s]emi-manual process of big withdrawals", it’s unclear if this involves a multi-signature wallet or if they could be vulnerable to an attack involving lots of smaller transactions. From the details observed on a previous version of the site last year, they protect customer assets “by storing cryptocurrencies offline” in a single “offline computer” and "not us[ing] USB drives, as the online computer may be infected with virus". In addition to removing that page, they’ve added a disclaimer on the website: “Please note that you may not be able to recover all the money you paid to Coinut Pte Ltd if Coinut Pte Ltd's business fails.”

Recommendations: Expand the team by two trusted individuals and set up a multi-signature wallet requiring at least 3 signatures. A third party should attest to the setup and validate all customer funds are backed on the blockchain or in company accounts.

NDAX - “[A] simple, easy and secure platform to instantly buy, and sell Bitcoin, Ethereum and other cryptocurrencies.” No longer “Canada’s most secure trading platform”, the site now says “NDAX’s security standards are among the highest in the Canadian FinTech industry”. It’s good to see that “[t]ransferring funds out of cold storage requires multiple approvals from NDAX’s senior management team”, however it’s unclear how many approvals are needed.

They’ve switched from “95-98% of user funds in an offline, multi-signature wallet” to “a majority of user funds in an offline, multi-signature wallet.” Up to 50% of the funds may be in hot storage! “Both NDAX’s hot and cold wallet service providers are System and Organization Controls (SOC) 2, type 1 certified.” SOC 2 is an internal-only report. This certification only applies to their “service providers”, not the NDAX platform itself. While “NDAX has implemented Multi-Party Computation (MPC) technology”, there is no indication this applies to hot wallets.

While “[d]aily reconciliation of financial assets on and off the platform is performed to record assets’ integrity”, no visibility is provided externally. Existing funds are protected against “insurable incidents”, which include cold wallet “internal theft and Hardware Security Module (HSM) malfunction”. Without reviewing the insurance contract line by line, it’s nearly impossible to evaluate what level of protection is offered, what stipulations may apply, and the solvency of the insurance provider.

Recommendations: 3 of 4 signatures (or clarify). Use company funds for hot wallets, or self-insure the full amount. Get a third party to validate that all customer funds are backed on the blockchain or in company accounts.

Newton - “Newton is crypto as it should be: buy and sell on any device with access to some of the best prices for cryptocurrency in Canada.” “Most of our cryptocurrency is stored in secure locations with no internet connection.” Newton was one of the first to announce “[t]hird-party custody”. Newton stores customer funds with Balance. Newton’s custody page doesn’t exist anymore, but the old version is here. "Multinational companies trust” Balance. According to Dustin, “Balance does have an insurance policy in place currently as well - we/Balance will have more to say on that soon.” The Balance terms still state, “the digital assets you purchase via the Platform are not protected by any government or other insurance”. “All transfers require the coordinated actions of multiple signatories across our organizations.” It’s not clear if Newton themselves employ a multi-signature, and how many signatures are required. More on Balance can be found in last year's post.

In discussions last year, Newton was working on a feature “allowing you to login to Balance directly to verify your balance and move funds independently of Newton”. I wasn’t able to obtain further information from the Newton team, and searches performed did not find evidence this was launched. It’s unclear if this means that crypto-assets will be stored in distinct wallets, and how a customer could be certain that a given wallet is theirs.

Recommendations: Clarify their multi-signature wallet, and require at least 3 of 4 signatures. We need greater information to assess the insurance and backing visibility.

Apparent Verification

CoinBerry - “[T]he only Insured, OSC & FINTRAC registered & PIPEDA compliant crypto trading platform trusted by Canadian Municipalities.” After an unexplained incident in August of 2020, CoinBerry now has a “Financial Institution Bond”, against “financial losses due to dishonest acts and unethical behavior from Coinberry employees”. What about owners, contractors, system security breaches, or impersonation attacks? “200M in insurance coverage” is provided by “Gemini Trust Company LLC™”, to whom CoinBerry has generously transferred cryptographic ownership of “not less than 80% of the total value” of customer funds. Insurance is provided by “Nakamoto, Ltd. (Nakamoto), a captive insurance company licensed by the Bermuda Monetary Authority (BMA)” with limited detail.

Cold storage funds are now in “institutional-grade crypto storage”, an “offline, air-gapped Cold Storage system.” They “use a multisignature digital signature scheme (multisig)”, however it's unclear how many signatures are required. “CEO (Tyler Winklevoss) and President (Cameron Winklevoss) are unable to individually or jointly transfer cryptocurrency out of [Gemini's] Cold Storage System.” “We cannot and do not guarantee or warrant that the Site or the content on the Site are compatible with your computer systems or that the Site or the content will be free of viruses, worms, trojan horses or disabling devices.”

The details of the OSC arrangement can be found here. CoinBerry "has provided and will continue to provide audited annual financial statements in accordance with section 12.10 of NI 31-103." Past audits appear to have been conducted by the accounting firm MNP. Despite a stated goal of “demonstrating a rigorous commitment to trust, security and transparency”, no information is publicly available and customers of the platform have no evidence of inclusion of their funds.

Last year saw multiple issues with withdrawals, including one affecting hundreds of customers. Fees increased from 0.5% to 1%. The fee is now “between 0% and 2.5%”. “We are proud to offer fully transparent pricing with NO hidden charges and NO additional fees.” “Coinberry shall be entitled to charge to any Dormant Account a monthly fee of $5.00, either in Funds or any form of Crypto Assets, plus any other additional costs as Coinberry may, in its absolute discretion, apply.” “You agree to indemnify and hold us, and our subsidiaries, affiliates, officers, agents, co-branders or other partners, and employees, harmless from any claim or demand”.

Recommendations: Clarify multi-signature structure requires at least 3 of 4 signatures at all levels. Use company funds for hot wallets, or self-insure the full amount. Get a third party to attest the setup and validate customer funds are backed on the blockchain or in company accounts.

CoinSquare - CoinSquare is “[t]he world's home for digital currency”. “Everyone in the world deserves a safe, easy-to-use way to access digital currency markets.” Their “100% proprietary system”, “[b]uilt in-house with proprietary technology”, has so far apparently “never (ever, since 2015) lost a single coin”. “[Y]ou are aware of and accept the risk of, and agree not to hold Coinsquare responsible for any loss resulting from any operational challenges to which the Services may be subject, such as malicious cyberattacks, exploitable security system flaws and other security breaches”.

CoinSquare has grown a lot! Only last year they received a multi-million dollar fine for inflated trading volume, and it was only the year before that CoinSquare mysteriously went offline and suffered “a data breach of...approximately 5,000 records of customer...data.” They have a “95% cold storage” policy. The site still doesn’t appear to mention whether multi-sig is being employed. Their regular audits by an undisclosed “national accounting firm” are not published. They’ve previously described themselves as solvent rather than fully backed. They presently state that “Digital Assets held in trust will be fully-paid assets beneficially owned by you and not by Coinsquare.”

Recommendations: Multi-signature setup with at least 3 of 4 signatures. Use company funds for the 5% in hot wallets, or self-insure the full amount from funds in cold storage. A third party can attest the setup and validate all customer funds are backed.

Kraken - “Kraken is a crypto exchange for everyone.” Kraken recently achieved the momentous accomplishment of becoming the first cryptocurrency exchange to be a regulated bank in Wyoming. Kraken calls itself the “most trusted cryptocurrency exchange” and apparently “provides world class financial stability by maintaining full reserves, healthy banking relationships and the highest standards of legal compliance”. “95% of all deposits are kept in offline, air-gapped, geographically distributed cold storage.” There are no specific details on whether a multi-signature arrangement is in use.

According to alleged court papers, Kraken operated illegally in the state of New York and previous staff have been legally silenced. Kraken’s website features a Proof of Reserve page, stating that “[o]ver the past several weeks, Kraken has successfully developed and completed an industry-leading, independent, cryptographically-verified audit.” But the page was written in 2014 and among the long list of limitations, there are no wallets. Kraken assures users that “[w]e keep full reserves so that you can always withdraw immediately on demand.” However, one of the former employees for Kraken alleges wrongful dismissal and that the bank accounts of Kraken are actually running millions of dollars short of where they should have been.

Recommendations: A multi-signature setup with at least 3 of 4 signatures. Use company funds for hot wallets, or self-insure the full amount from funds in cold storage. Get a new third party attestation to validate that all customer funds are backed, as the previous assessment is 7 years old.

NetCoins - "Canada's easiest, most trusted way to buy and sell crypto." Mitchell Demeter remains president although he no longer appears on the team page. He “co-founded Cointrader Exchange, one of Canada’s earliest online digital currency exchanges”, which shut down after “an internal audit showed “a deficiency of bitcoin" in company wallets that was causing a delay in withdrawals”. There does not appear to be any blog post on the matter, although we found one about how "crypto is plagued with a bad reputation". “At Netcoins we understand that sentiment. We know of people, and heard of countless others, who have lost their investments and been burned by the industry.”

Their “customer funds are held in cold storage” “and insured with Bitgo”, with no policy information. “Accessing these funds requires a specific number and combination of video calls from our top executives.” (See their team page for the list.) “We do our best to protect our users by putting all the right bells and whistles (ex: warning signs) within our emails, website and platform.” For example, heavily advertising on TV to less experienced users who are less likely to "take possession of the crypto they’ve bought through us by transferring them to a crypto wallet that they are in direct possession of." BIGG Digital Assets (the parent company of Netcoins) is audited by Manning Elliott LLP, with no outside visibility into what portion of funds are backed.

Recommendations: Use a multi-signature setup requiring transactions to be signed by the physical possession of keys. Get a third party to validate that all customer funds are backed.

Full Backing Report

BitBuy - "Bitbuy is Canada's trusted and secure platform." The platform has operated since 2016, and was the very first to get a “Proof of Reserve and Security Audit Report” from third party CipherBlade. Since that time, they’ve continued to get third party validations, with the second and third ones from Blockchain Intelligence Group. BitBuy now has three independent reports from two different third parties, more than any other platform.

The site states that “99% of your crypto is kept secure in our Cold Storage, and covered by a comprehensive insurance policy”, contradicting the June 2021 report which showed levels as low as 96.29% on some crypto-assets. It is unclear from the website whether a multi-signature wallet is in use and how many operator signatures are required to authorize withdrawals.

Mentions of custodian Knox have disappeared from the new BitBuy website. More detail on Knox’s security model can be found in the 2020 post. While their new CoinCover policy is publicly verifiable on the BitBuy website, it gives high-level features only, with no details. At the moment, there's no visibility to the actual policy details.

Recommendations: A multi-signature setup with at least 3 of 4 signatures. Provide details on insurance policies. While the validations are awesome, we recommend not repeating validators within a 14 month period, and to generate a hash list enabling customers to independently validate their inclusion.

ShakePay - “At Shakepay, we make the security of your account, personal information, and money a top priority.” Rather than be upfront, ShakePay lists one price and promotes the service as “commission-free”. The profit model is only found by clicking through to a separate page. Spread/pricing information is only available within a registered account.

ShakePay was analyzed by CipherBlade over a year ago. CipherBlade found that reserves appeared to be fully backed including extensive analysis of the transactions. ShakePay states that the “majority of all digital currencies are stored securely offline”. The CipherBlade report found this ratio was at “93% of Bitcoin and 91% of Ethereum” in cold storage at the time of the report, though it “var[ies] periodically to some degree throughout the day”. The report refers to a “multi-signature wallet interface”, which they later call a “service to access its sending and receiving multi-signature wallets”, which apparently also “does not have control over cryptocurrency in the hot wallets”. Apparently, this “not mentioned” service is “without any known security risks”.

“The vast majority of digital currencies are held offline on air-gapped, cold storage wallets.” However, the majority of funds are no longer stored with ShakePay but given to an undisclosed “trust company registered under the NYDFS”. While ShakePay won’t identify the third party, “CipherBlade can confidently conclude that Shakepay controls these cold wallets” even though “they are controlled by [the] cold storage provider” and “the cold storage provider ultimately holds the private keys”. “Multiple people are required to authorize transactions. Neither of the two founders, Jean or Roy, are able to perform withdrawals from our cold storage wallets.” It's unclear how many signatures are required.

“Shakepay holds an insurance policy on the digital currencies held in cold storage. This policy covers most damages, theft, and loss of private keys.” It's unknown what “the cold storage provider’s policy and Shakepay’s own policy” would cover in any “quite unlikely” events. ShakePay does receive “an account statement” “which includes applicable wallet addresses and balances held” and “[d]ata found on the blockchain was also in line with information found on these statements.” Shakepay does not provide customers any tool to validate inclusion in the report published August 2020.

Recommendations: Use a multi-signature setup with at least 3 of 4 signatures. Provide greater details of the insurance policies. Obtain a new report to provide certainty funds are still backed.

Full Proof of Reserves

More information and definitions can be found on the blog of Nic Carter, who has been working on these concepts far longer than any of us. He’s confirmed that “what [Canadian exchanges] are doing is not a full PoR”. All platforms in Canada have failed to publicize wallets. All verifications have been against data provided by the platform with no ability for customers to validate they were included.
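
An added example (not from the original post or from any platform's code) of how a published Merkle tree lets a customer validate their own inclusion. It goes one step beyond a plain hash list by carrying balance sums in every node, so the published root also commits to total liabilities; the ledger, nonces and reserve figure are constructed, and all function names are hypothetical.

```python
import hashlib
import secrets

def tagged_hash(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so concatenation is unambiguous."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()

def amount(value: int) -> bytes:
    """Fixed-width encoding; raises OverflowError on a negative balance."""
    return value.to_bytes(16, "big")

def leaf(account_id: str, balance: int, nonce: bytes):
    """Leaf = (hash, balance). The secret nonce keeps the entry unlinkable by others."""
    return (tagged_hash(b"leaf", nonce, account_id.encode(), amount(balance)), balance)

def parent(left, right):
    """An inner node commits to both child hashes and both child sums."""
    digest = tagged_hash(b"node", left[0], amount(left[1]), right[0], amount(right[1]))
    return (digest, left[1] + right[1])

def build_levels(leaves):
    """All tree levels, leaves first; odd levels get a zero-balance padding node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        if len(levels[-1]) % 2:
            levels[-1].append((tagged_hash(b"pad"), 0))
        cur = levels[-1]
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    """Sibling (hash, sum, side) at each level, from the leaf up to the root."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling][0], level[sibling][1], "L" if sibling < index else "R"))
        index //= 2
    return proof

def verify_inclusion(account_id, balance, nonce, proof, published_root):
    """Customer-side check: recompute the root from own data plus the proof."""
    node = leaf(account_id, balance, nonce)
    for sib_hash, sib_sum, side in proof:
        if sib_sum < 0:  # a negative sibling sum would hide liabilities
            return False
        sibling = (sib_hash, sib_sum)
        node = parent(sibling, node) if side == "L" else parent(node, sibling)
    return node == published_root

def demo():
    # Constructed ledger (balances in satoshis); not data from any real platform.
    ledger = [("alice", 150_000_000), ("bob", 25_000_000), ("carol", 980_000)]
    nonces = {acct: secrets.token_bytes(16) for acct, _ in ledger}
    levels = build_levels([leaf(a, b, nonces[a]) for a, b in ledger])
    root = levels[-1][0]                  # (hash, total liabilities), published
    proof = inclusion_proof(levels, 1)    # handed privately to bob
    honest = verify_inclusion("bob", 25_000_000, nonces["bob"], proof, root)
    # If bob is actually owed more than the platform recorded, his check fails.
    wrong_balance = verify_inclusion("bob", 30_000_000, nonces["bob"], proof, root)
    # Constructed total of on-chain balances at addresses the platform signed for.
    proven_reserves = 176_000_000
    return root[1], honest, wrong_balance, proven_reserves >= root[1]

if __name__ == "__main__":
    print(demo())
```

The tree covers the liabilities side only; the reserve figure it is compared against still depends on the public wallet addresses and signatures that no Canadian platform has published.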

Preventing Future Disasters

All past crypto-exchange disasters have at least one of three factors in common:

  • Funds were stored online. Crypto OPSEC 101! They think their system is super secure or (like Liquid) get enamoured with buzzwords like MPC. If your line of defense against a hacker is a smart contract, firewall, or proprietary control logic, be sure you are ready to fully cover funds.
  • Funds in the hands of one person. I get it’s your CEO who has X years of experience but if he can single-handedly authorize a transaction to take funds, even if 100% perfect, the next CEO may not be. Multi-sig! Don’t use the same hardware for all keys. Train. Background check.
  • No proof of asset backing. A page saying the customer has X bitcoin and Y ethereum is as valuable as the trust in the author. Even showing a wallet with X bitcoin, who owns it? At minimum, periodic independent reports are needed, or better a full Proof of Reserves.

Insurance Is Inadequate

After many months, I was able to view an example crypto-asset insurance contract. (This one is for Ledger Vault “specie insurance”.) As I expected, it was hilarious! Here are a few excerpts:

  • “covering the theft of certain Crypto Assets safekept with the Vault Solution if such theft is resulting from specific events such as physical intrusion by a third party in a Vault data center”
  • “neither Ledger, its Affiliates or any of the insurers under the Specie Policy provide any assurance or guarantee to Customer that (i) a theft of Crypto Assets safekept by the Vault Solution will be covered or indemnified under the Specie Policy”
  • “determination shall be made by Ledger in its reasonable discretion.”

Regulators Being Unreasonable

A sense of the complexity and cost that the OSC is requesting of a simple platform to “buy, sell, hold, deposit and withdraw crypto assets”, just “for time-limited relief” “with the objective of fostering innovative businesses in Canada”, can be read from their decision on CoinBerry.

Despite the overkill, the end result still gives investors no proof their funds are backed, requires insurance that’s misleading in what it protects, creates complexity/obscurity around how customer assets are secured, and has no obligation for CoinBerry to publicly disclose hacking events like August 2020. It places Canadians in a permanent position of trust and dependence on regulators for their ongoing safety, and adds increasing costs, complexity, and expense to every transaction.

Simplified Solution

Our simplified framework of just 15 policies prevents/mitigates the entire history of global crypto-exchange incidents. We can have certainty of platform security and asset backing through a simplified ruleset. The proposed industry self-insurance fund is cost effective, not dependent on third parties, and aligns incentives with the interests of Canadian crypto users and platforms. The framework runs transparently on an ongoing basis without regulatory dependence. It’s flexible and adaptable to new technologies and innovations, and offers the possibility to fully protect Canadians against a greater range of platform loss events in the future.

I’d like to thank Jay, Jason, and Gustavo for taking many hours to help review the post, and also appreciate Ethan (TxQuick), Dean (BitBuy), Jean (ShakePay), Dustin (Newton) and many others for past discussions. We hope to have more discussions with platform operators and regulators in the future and welcome all feedback!

Thanks so much for reading! If you’re tired of sitting back and want to help create a future of innovation and security for Canadian crypto-asset platforms, join us any Thursday at the CryptOasis meetup!

