Thursday, October 31, 2019

Happy Halloween! Audit Statuses of Canadian Cryptocurrency Exchanges

Halloween is a wonderful time of year!

Businesses and consumers alike dress up, children go door to door naively asking strangers for candy, and everyone parties celebrating things like death and evil.

In the spirit of Halloween storytelling, let me tell you a scary story.

There once was a Canadian cryptocurrency exchange. It had one of the simplest user interfaces, the CEO was well known in person and trusted throughout the country for over half a decade, and it had several deposit and withdrawal methods. It was the first to register as a money services business and for much of its history, it was one of the most legally compliant exchanges. It even looked to be headed for public listing on the TSX. The exchange operated for 6 years, assuring users that all funds “are stored in cold storage, using some of the most secure cryptographic procedures possible.” Unfortunately, while we celebrate Halloween by dressing up and wearing masks once a year, the wonderful people who brought us this exchange played “dress up” for over half a decade, and only time will tell if there are any more “masks” to come off in this story.

There’s no better or more fitting time to explore one of the darkest realities of the Canadian cryptocurrency space - exactly what is backing any of the cryptocurrency on Canadian exchanges. It’s easy to lose sight of the fact that there are real people behind these funds. Most people spend most of their waking hours working for their money. It literally is their lives. Impacts to victims are not just financial, but psychological and social as well. Victims of exchange fraud go through depression, anxiety, and trauma. They lose their trust and faith in humanity. They withdraw from friends and family in shame and humiliation.

In the spirit of exploring dark and evil things, let’s examine exactly what evidence there is that any of your crypto is backed on any Canadian exchange. This is a continuation of research I’ve been working on since May/June. I hope it will be enlightening and help you better protect your funds that you worked hard for.

I’ve done a detailed analysis of all Canadian exchanges I could find that handle any sort of custody of funds, and grouped them into 3 categories:

  • Not Audited. The only assurance I was able to find that any crypto on the exchange is backed are their words. I was unable to locate any public audit or report of an audit.
  • Audited. This means that at some point in the past, the exchange invited someone with a reasonable level of credibility, who they showed the wallets to. This person/group, at that point, was sufficiently convinced that funds were actually held by the exchange.
  • Proof of Reserves. An advanced real-time public audit algorithm. It shows that the funds exist right on the blockchain, validates access to those funds, and uses a hash tree to enable any customer to verify that their balance is included in the total.

Non-Audited Exchanges ("trust us, we haven't spent your money, we promise")

Bitvo - The service “utilizes a proprietary cold storage solution”. Proprietary, as in, definitely better than established non-proprietary solutions. If you can’t withdraw, they “will credit your account for [their] withdrawal fee”. They’re not an MSB that I could find, nor are they audited.

Coinfield - MSB. No audit. Luckily it’s the "most secure trading platform in Canada" - though apparently not the other 150+ countries, including Estonia where they’re based. No matter which country you pick, the “Security” page still says "most secure trading platform in Canada".

Coinsmart - MSB. Not sure what "[i]ndustry leading cold storage" is, but luckily they’re so "accountable to [their] clients, community and to each other" and "committed to being open and honest" that they don’t need any audit.

Coinsquare - MSB. No audit. You can tell they live up to being "[t]he most secure trading platform" when everything is "100% proprietary". I’m sure the team at Coinsquare is smarter than established security standards by experts all around the world at protecting your funds.

Coinut - MSB. Also "the most secure cryptocurrency exchange platform". In addition to not using multi-sig and "not us[ing] USB drives, as the online computer may be infected with virus", they also don’t use audits.

Einstein - You can get “your money deposited and withdrawn faster than any other exchange”. As one customer said "With so many hacks and exit scams, it gives me confidence knowing Einstein is backed by hard-working people just like me." Just check the user experience on their subreddit from their "220,000+ satisfied customers".

EZ-BTC - As they said, “All your coins are kept in cold storage. They’re safe.” They have “strong security”. The supposed presence of physical ATMs was one of the strategies to build customer confidence and they promised 9% annual return on stored funds.

NDAX - MSB. Luckily also “Canada’s most secure trading platform” with "fast withdrawals". I couldn’t find any audit but at least there’s a full page risk disclosure and disclaimer. You can sleep peacefully knowing that they’re legally protected.

Netcoins - MSB. The best assurance I could find of solvency is that they “can process large transactions”. Although they don’t waste time with audits or links at the bottom of their website, apparently “[a]ll transactions happen quickly and securely” “within the same day”.

Newton - MSB. “No-fees”! Your funds are stored in the "professional custody" of Balance, which doesn’t appear to be a registered MSB. I couldn't find any audit of the funds but they "audit [their] policies and controls". They "publish the reports", but I couldn't find any reports. Simply storing funds somewhere else doesn’t give any assurance they cover customer balances.

QuadrigaCX - Operated since 2013, with “vast cryptocurrency reserves” right up to the end. "Bitcoins that are funded in QuadrigaCX are stored in cold storage, using some of the most secure cryptographic procedures possible." Their "cryptographic" procedures are so secure that nobody can access any funds, even now!

Shakepay - MSB. Many will trust the raccoon mascot promising “commission-free” trading. No audit found but the “majority of all digital assets on Shakepay are stored securely offline”. Whatever this means, it’s good to know that up to half might not be.

Audited Exchanges ("so and so swears we didn't spend your money, you can trust them, we showed them once before")

Bitbuy - MSB

  • “So and so” is Cipherblade, a security consultant group founded by a guy named Richard Sanders.
  • The audit was conducted on March 18th and 19th of 2019 and the full report is here.
  • Overall assessment: Bitbuy has a long history of buying/selling bitcoin without custody, and is likely too new to offering custody to have been hacked yet. The fact they have taken proactive steps shows promise.

Coinberry - MSB

  • According to the site, they "undergo annual 3rd party financial statement audits", but don’t mention by whom. According to “Newswire”, it’s a firm called MNP LLP.
  • I was unable to find any published report on the audit, which was completed prior to January 17th, 2019.
  • Overall assessment: It’s hard not to be a fan of Medium articles describing proactive steps that a company is taking, however without an actual report it can be difficult to assess the integrity of the reserves.

Kraken - Not a registered MSB in Canada (that I could find)

  • “So and so” is Stephan Thomas, CTO of Ripple.
  • The page literally says the audit was done "over the past several weeks", and since the page doesn’t have any date you might assume it’s recent. But look closely at the screenshot and you’ll see a date in 2014! Yes, that’s 5 years ago!
  • Overall assessment: While it certainly feels good to know an audit was done, the opinion of one individual from 5 years ago doesn’t say much about the state of anything today and they openly admit all kinds of limitations.

Proof of Reserves ("here's your money, right here right now on the blockchain, and here's a proof that we included your balance in that total")

Rather than depend on outdated audits (or lack thereof), it’s actually possible to use the blockchain and cryptography to enable a public real-time audit. This can give assurance to every customer that their balances are fully backed. Giving everyone the ability to check the integrity of balances will keep us all safer. It immediately exposes any fraud; in most major hacking cases, the intrusion went unnoticed for months (Bitgrail) or even years (Mt. Gox). Having an aware public reduces the number of people trading on fraudulent exchanges, and can pressure the exchange to shut down trading or resolve the hack faster, so fewer funds are permanently lost.

To help explain exactly what this is and how it works, I’ve started a detailed tutorial. I did not come up with this algorithm - it was created in 2014 by a guy named Gregory Maxwell. Sometimes cryptography can be hard to understand. Hopefully this tutorial is simple:

< < Take Our Proof of Reserves Tutorial > >
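To make the mechanism concrete, here is an added Python example of the liabilities half of Maxwell's scheme. It is my own illustration for this post, not code from the tutorial or from any exchange. The exchange builds a Merkle sum tree over its customer balances: each leaf commits to a customer id, a secret nonce known only to that customer, and their balance; each internal node commits to both children's hashes and the sum of their balances. The root sum is the exchange's total liability, which can then be compared against the balance of the wallets it publicly proves control of. The ledger, nonces and on-chain total below are constructed sample values.

```python
import hashlib
from typing import List, Tuple

# A node is (hash, sum of all balances beneath it). The sum is part of what is
# hashed, so an exchange cannot change a subtotal without changing the root.
Node = Tuple[bytes, int]

# Constructed sample ledger: (customer id, secret nonce the exchange shares
# privately with that customer, balance in satoshis). Made up for this example.
LEDGER = [
    ("alice", "nonce-a1", 150_000_000),
    ("bob",   "nonce-b2",  25_000_000),
    ("carol", "nonce-c3", 300_000_000),
    ("dave",  "nonce-d4",   5_000_000),
    ("erin",  "nonce-e5",  80_000_000),
]

# Padding node for odd-sized levels. It carries a zero balance so it cannot
# inflate or deflate the total.
EMPTY: Node = (hashlib.sha256(b"empty").digest(), 0)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf(customer: str, nonce: str, balance: int) -> Node:
    """Commit to one customer's balance. The nonce keeps other customers from
    guessing which leaf is whose; the domain tag prevents leaf/node confusion."""
    if balance < 0:
        raise ValueError("balances must be non-negative")
    msg = b"leaf|" + customer.encode() + b"|" + nonce.encode() + b"|" + str(balance).encode()
    return _h(msg), balance


def node(left: Node, right: Node) -> Node:
    """Combine two children, hashing both hashes AND both subtotals."""
    lh, ls = left
    rh, rs = right
    msg = b"node|" + lh + ls.to_bytes(8, "big") + rh + rs.to_bytes(8, "big")
    return _h(msg), ls + rs


def _pad(level: List[Node]) -> List[Node]:
    return level + [EMPTY] if len(level) > 1 and len(level) % 2 == 1 else level


def build_tree(ledger) -> List[List[Node]]:
    """Return every level of the tree, leaves first, root last. The exchange
    publishes only the root; customers receive their own leaf data and path."""
    levels = [_pad([leaf(c, n, b) for c, n, b in ledger])]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append(_pad([node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)]))
    return levels


def prove(levels: List[List[Node]], index: int) -> List[Tuple[bytes, int, bool]]:
    """Sibling path for leaf `index`: (sibling hash, sibling sum, sibling is on the left)."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib][0], level[sib][1], sib < index))
        index //= 2
    return path


def verify(customer: str, nonce: str, balance: int, path, root: Node) -> bool:
    """Customer-side check: recompute the root from my leaf and the published path.
    Every sibling sum must be non-negative, otherwise a dishonest exchange could
    cancel out liabilities with a negative subtotal."""
    cur = leaf(customer, nonce, balance)
    for sib_hash, sib_sum, sib_is_left in path:
        if sib_sum < 0:
            return False
        sib = (sib_hash, sib_sum)
        cur = node(sib, cur) if sib_is_left else node(cur, sib)
    return cur == root


def reserves_cover_liabilities(onchain_total: int, root: Node) -> bool:
    """Solvency check: proven on-chain reserves must be at least the root sum."""
    return onchain_total >= root[1]


if __name__ == "__main__":
    levels = build_tree(LEDGER)
    root = levels[-1][0]
    print("total liabilities (sat):", root[1])
    # bob checks that his balance is included under the published root
    print("bob's proof valid:", verify("bob", "nonce-b2", 25_000_000, prove(levels, 1), root))
    # constructed on-chain total the exchange has proven it controls
    print("reserves cover liabilities:", reserves_cover_liabilities(600_000_000, root))
```

The root hash and root sum are the only things the exchange has to publish; each customer privately receives their leaf inputs and sibling path. If the exchange quietly lowers one customer's balance to shrink its stated liabilities, that customer's `verify` call fails, which is exactly the kind of tamper-evidence a once-a-year third-party walkthrough cannot provide.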

Given what can often be at stake, I had hoped that maybe one of the “audited” exchanges might embrace Proof of Reserves. Sadly I haven’t had any such luck.

Bitbuy:

  • Actually they reached out to me in response to one of my posts on Reddit July 14th, asking for detailed feedback on their services.
  • I provided an extensive summary of my research (I’d just put together descriptions of every exchange for a business plan.)
  • As of today, that response, which included Proof of Reserves among a multitude of other suggestions, is still unanswered.

Coinberry:

  • On the 4th of July I actually got a response from them to a casual mention where I was recommending their exchange (based on the Medium articles).
  • Their response, which didn’t address the Proof of Reserves, included the statement “All coins on our platform are 100% secured offline in cold storage”. On their site, Coinberry shows 15 minute withdrawal times in one of the screenshots. Perhaps they have a team standing around “offline” and ready to service withdrawals 24/7.
  • My subsequent response to them was not answered.

Kraken:

  • On their website they expressly give reasons why they don’t want "public knowledge of exchanges’ or wallet providers’ bitcoin wallets and total holdings".
  • They claim it affects security; however, public keys (addresses) do not grant any access to funds, only private keys do. One would hope that their security of funds doesn’t depend on nobody knowing which wallets they own, since the blockchain is pretty public.
  • They also claim an effect on user privacy, which is important. Nobody should have any illusion that transactions to or from an exchange are secret in any way. I would highly recommend using privacy coins and setting up new wallets regularly, given that transactions are completely public on the blockchain already.
  • I was unable to get any clarification, either in live chat or multiple Reddit posts. Understandable, given the size of their operation.
  • Given that this was their stance after Mt. Gox, it seems unlikely to change based on recent events half a decade later affecting a much smaller exchange.

As such, the bottom line is that present exchanges don’t want to share public keys and offer the kind of transparency which is necessary to enable customers to know their funds are backed. Attempting to get answers doesn’t reveal them, and I’m left with an unnerving silence not unlike the end of Halloween night, like I’m asking questions nobody should ask.

Having spent the last 8 months of my life watching and being part of a large group of people suffer through a grueling bankruptcy, where we’ll be “lucky” to only lose 90% of our funds, I want this fixed. I don’t want to live in a reality where fraud can happen just buying/selling on the largest and most trusted exchanges. Especially now that I’ve learned blockchain provides the capability for even greater transparency and a level of public audit far beyond even what's possible with fiat.

If you feel the same way, I invite you to join Quadriga Initiative, where we are fighting for a Proof of Reserves future and also enabling businesses to help Quadriga victims with an innovative token recovery project. Every sign-up helps us reach our goal and launch the project!

If any information in this post is incorrect, please let me know so I can fix it! Thanks! I’m happy to update the audit status of any exchange given reasonable evidence, or provide a review of any other custodial exchange I might have missed.
