Why Preventing a Cryptocurrency Exchange Heist Isn’t Good Enough

  • Conference paper
Security Protocols XXVI (Security Protocols 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11286)

Abstract

Cryptocurrency exchanges have a history of deploying poor security policies, and it is claimed that over a third of exchanges were compromised by 2015. Once an exchange is compromised, the attacker can copy its wallet (i.e. a set of cryptographic private keys) and appropriate all its coins. The largest heist so far occurred in February 2014, when Mt. Gox lost 850k bitcoins and, unlike in the conventional banking system, all theft transactions were irreversibly confirmed by the Bitcoin network. We observe that exchanges have adopted an overwhelmingly preventive approach to security, which by itself has not yet proven to be sufficient. For example, two exchanges called NiceHash and YouBit collectively lost around 8.7k bitcoins in December 2017. Instead of preventing theft, we propose a reactive measure (inspired by Bitcoin vaults) which provides a fail-safe mechanism to detect the heist, freeze all withdrawals and allow an exchange to bring a trusted vault key online to recover from the compromise. In the event that this trusted recovery key is also compromised, the exchange can deploy a nuclear option of destroying all coins.

Notes

  1. ShapeShift is a match-making exchange and sends all customers coins in the corresponding cryptocurrency once the exchange is complete. For example, the customer may send ShapeShift bitcoins and shortly afterwards ShapeShift will send the customer ether.

  2. p2sh.info tracks the number of pay-to-script-hash outputs which are mostly multi-sig scripts.

Corresponding author

Correspondence to Patrick McCorry.

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

McCorry, P., Möser, M., Ali, S.T. (2018). Why Preventing a Cryptocurrency Exchange Heist Isn’t Good Enough. In: Matyáš, V., Švenda, P., Stajano, F., Christianson, B., Anderson, J. (eds) Security Protocols XXVI. Security Protocols 2018. Lecture Notes in Computer Science, vol 11286. Springer, Cham. https://doi.org/10.1007/978-3-030-03251-7_27

  • DOI: https://doi.org/10.1007/978-3-030-03251-7_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-03250-0

  • Online ISBN: 978-3-030-03251-7

  • eBook Packages: Computer Science, Computer Science (R0)
