What we can learn from the QuadrigaCX saga | Blockchain Technology | Deloitte Netherlands


What can we learn from the QuadrigaCX fiasco?

Proper key management is essential for continuity

‘A Crypto-Mystery’ and a ‘$190 Million Disaster’ are only a few of the headlines around the QuadrigaCX story. Canada’s largest cryptocurrency exchange is on the verge of bankruptcy after its owner has died. What can we learn from this story?

By Jacob Boersma | February 19, 2019

The QuadrigaCX story

QuadrigaCX’s owner, Gerald Cotten, was the only one with access to the cold storage wallets of the company. The story is surrounded with conspiracy theories, but that is not why we as blockchain and cyber security experts follow this story with great interest. For us, the QuadrigaCX story underlines the importance of proper key management and recovery.

Proper key management is essential for trust in companies that operate in the evolving cryptocurrency market. It is not only necessary to ensure internal continuity, but also for investors and insurers that are looking for assurance that compromise of private keys is not a risk factor. In a market where not every organisation is transparent about how it handles its security, giving this assurance can be a distinctive factor in favor of well-organized crypto-companies. Especially now the QuadrigaCX story casts a shadow on this market again.

BlockNotes Newsletter

We would like to take you on the journey of blockchain technology. Sign up and join us!

Sign up

Struggling with key management

QuadrigaCX is not the only organisation in which only one or two persons have control over critical keys. We frequently talk to leaders of cryptocurrency exchanges and brokers, and a lot of them struggle with implementing proper risk management. They understand that it’s not an ideal situation to create a single point of failure for access to cold wallets, but given the circumstances they believe alternatives are not feasible or the problem doesn’t have high priority.

However, organising key management like this challenges the continuity of a crypto exchange and at the same time makes the person or persons that have access very vulnerable to those with dishonest intentions.

A multi-signature wallet or split knowledge

Fortunately, there are other, feasible solutions. A multi-signature wallet is an important option. In this setup you need three or more persons to access a wallet. Best thing is to set up a three out of five or five out of seven scheme: in this case five or seven persons take part in wallet control but only three or five are needed to access the assets of the wallet. In this scenario continuity won’t be at stake if one person loses their key or otherwise is no longer available.
Similarly, more classic ways to divide the key controlling the assets in a wallet can be used to spit the key into multiple parts. Here, schemes like three out of three are more common to reconstruct the key used.

Working with trustworthy third parties can give cryptocurrency companies extra assurances about their key management and recovery. We for instance already helped several organisations in the cryptocurrency market to design and review their cryptographic solutions. Offline secure key storage is another important aspect of proper key management. We have two facilities that have 24/7 monitoring, fortified physical barriers and safety procedures that adhere to requirements stipulated by regulatory bodies and payment industry standards (like PCI-DSS).

Review crypto key management

The QuadrigaCX story is far from over. We hope that the story at least forces other crypto exchanges to thoroughly review their risk assessments and disaster recovery procedures. This will not only help their own organisation, but also the reputation of the cryptocurrency industry as a whole.

More information

Cryptography is our cyber security team’s passion. Want to know more about how we can help you organise your key management and other aspects of your cyber security plan? Please contact Ruud Schellekens via his contact details below.

Did you find this useful?