Smart Storage: How Anchorage Provides Crypto Investors Greater Security and Usability
Diogo Mónica
Digital asset custodians take different approaches to securing clients’ assets, and to making them usable for online operations. Custody architecture can have major consequences for your investments, determining:
- how much risk your assets are exposed to while in custody
- how much risk your assets are exposed to when used
- how quickly you can use your assets, and
- whether you can safely participate in on-chain activities like staking and voting.
The most common crypto custody architecture combines “hot wallets” and “cold storage.” These two components are used for different purposes: hot wallets hold assets online for on-demand accessibility, and cold storage holds assets offline for maximum security. According to this model, security and accessibility are at opposite ends of the same spectrum:
This model is so widespread that many crypto investors may not realize that security and accessibility are independent variables, and shouldn’t be regarded as a trade-off. It’s possible to hold assets accessibly with no compromise to security (as we do at Anchorage), and it’s also possible — and all too common — to hold assets offline while still exposing them to risk.
Here’s how hot wallets and cold storage compare:
If security and accessibility aren’t directly connected, then why are they so often linked together?
The origins of “hot” and “cold”
Hot and cold didn’t always refer to security — they used to refer only to degrees of online availability. In traditional web architecture, “hot” and “cold” describe the speed at which an online request can be fulfilled. Some web content is cached on a front line server to be available on demand, and is therefore “hot.” If a user requests something that’s not in the cache, the request will take longer to fulfill, and the requested content is therefore “colder.” Outside of crypto, “cold storage” refers to storing content offline. In digital asset custody, cold storage can take several forms, such as printing out private keys (or seed phrases, or QR codes) on paper, or holding private keys offline on specialized hardware devices.
Most major crypto breaches are hot wallet breaches
Digital asset exchanges commonly allocate a portion of their holdings to liquid hot wallets in order to meet daily trading demand. Time and again, these exchange hot wallets have proven vulnerable. For example: in January 2018, the Japanese exchange Coincheck suffered a hot wallet breach that resulted in the loss of over $500M USD. Hot wallet server compromise was also behind the breaches of Zaif ($59M), Tether ($31M), Bitcoinica (18,547 BTC, or $96M as of this writing), and others. Hot wallets, even when engineered by experts, may expose private keys online and therefore are simply not safe for holding crypto assets.
This is how “cold storage” came to be viewed as a security measure: because online availability became synonymous with risk, and cold storage became viewed as the opposite of both.
Cold does not mean secure
Most crypto custodians attempt to safeguard clients’ assets using some form cold storage, in order to protect against online attacks. Holding assets offline does greatly reduce certain kinds of risk, such as the risk of a remote hacker compromising the assets, or the risk of private keys being accidentally exposed to the public internet.
Other categories of risk remain. Cold storage depends on human operations, and human operations are error-prone. Consider surgeons, for example: surgeons are highly trained experts with thousands of hours of practice, but they still make mistakes. It’s estimated that in the United States, medical error results in over 250,000 deaths per year. The people handling cold storage operations will be no less prone to error than surgeons, and therefore digital assets are exposed to risk whenever they’re exposed to any manual human process — even when executed with surgical precision.
Cold storage mismanagement has resulted in real-world asset losses, including such notable cases as Coinsecure, Gatecoin, and Trade.io.
There are secure and insecure ways to use HSMs
If cold storage has operational vulnerabilities, then what should custodians do to modernize their approach to custody? In order to keep private keys safe while also making them usable, many financial services providers, and a growing number of crypto custodians, use hardware security modules (HSMs) as part of their security architecture. An HSM is a specialized device that can generate and hold private keys securely, and can use those keys to sign and approve transactions. Used properly, HSMs can be the safest place in the world for investors’ private keys, but most custodians don’t use HSMs to their full potential and leave them vulnerable to compromise.
One important note: to transfer digital assets from one key to another, the sender must authorize the transaction by signing with their private key. The signature is all that’s needed. This is why HSMs can be both secure and vulnerable at the same time: an HSM may hold a private key completely securely, but if the HSM is compelled to sign a malicious transaction, the assets can be stolen without extracting the keys themselves.
For example, imagine your keys are held in an HSM connected to a server, and whenever the server receives a request, it passes the request to the HSM for signature (see Figure A below). Since the server could be compromised over the internet, the HSM could be forced to sign malicious transactions.
A key held in an HSM without custom business logic is no more secure than a key held in a hot wallet, because the HSM can be made to sign if the server is compromised.
How Anchorage enables secure usability
The Anchorage approach to digital asset custody architecture is unique, because we’ve strengthened our HSMs with custom business logic that runs inside the hardware (see Figure B). This ensures the HSM will process a given transaction only when certain criteria are met.
Our HSMs’ custom logic verifies that all sensitive requests (withdrawals, policy changes, new user additions, etc) are approved by a valid quorum of client users, and also approved by Anchorage. Each user has a unique user key, and the user key can be used to approve a transaction only following multiple layers of biometric authentication. This rigorous authentication standard, combined with Anchorage’s transaction review system, means we can provide on-demand private key accessibility for any operation once fully approved.
The Anchorage approach to custody allows clients to use their keys for transactions, audits, staking, voting, delegation, and more, in real time and without ever being removed from safe storage.
To learn more about why Anchorage is safer than cold storage custody, please get in touch.
Services are offered either through Anchorage Hold LLC, a Delaware limited liability company and registered Money Services Business, or Anchorage Trust Company, a South Dakota-chartered trust company. Anchorage Hold and Anchorage Trust Company are not registered with the SEC. Services are not yet offered to residents of New York. Anchorage Hold and Anchorage Trust Company do not engage in the offer or sale of securities or digital assets, and do not provide legal, tax, or investment advice. Anchorage Hold LLC and Anchorage Trust Company are wholly-owned subsidiaries of Anchor Labs Inc., a Delaware corporation headquartered in San Francisco, California.
