Securing Blockchain: lessons learned from 2018
London Crypto Services Founder & CEO Jason Tucker-Feltham describes some of the larger crypto hacks that occurred in 2018 and provides an opinion on what can be achieved through improved cryptoasset security
Sometimes referred to as the “Internet of Value”, blockchain technology is revolutionising the way in which data can be transmitted and value transferred. However, being an emerging technology with just over ten years of use behind it (Satoshi Nakamoto sent 50 Bitcoins to developer Hal Finney on 12 January 2009), there remain significant risks that must be addressed before blockchain is ready for institutional and mainstream adoption, most notably that of security.
Founded in 2014, Coincheck is one of the most actively used cryptocurrency exchanges in Japan, offering exposure to various cryptoassets including Bitcoin, Ether and NEM. On 26 January 2018 the exchange announced that it was restricting deposits and withdrawals of NEM tokens, and suspicions of a potential hack echoed across social media platforms. Soon after the announcement, a press conference was held and fears were confirmed: roughly 500 million NEM tokens had been stolen by hackers, equating to around USD 530 million at the time of the hack.
A key contributing factor to this debacle was the exchange’s reliance on a single hot wallet to store the tokens, as opposed to the multi-signature smart contract signing and storage methods that had been recommended by NEM developers. In addition, the exchange had not registered with Japan’s financial regulator, the FSA. Having witnessed the Mt. Gox Bitcoin hacking incident some years prior, the FSA would almost certainly have applied pressure to tighten the exchange’s security measures ahead of the hack, had Coincheck been registered with it beforehand.
Astonishingly, and in stark contrast to Mt. Gox, Coincheck weathered the storm well. The 260,000 users affected by the hack were refunded in full, and at the time of writing the exchange is fully operational and regulated by Japan’s FSA. Nevertheless, the incident remains one of the largest cryptoasset heists of all time.
If something appears too good to be true, it most likely is. This proverb certainly rings true for BitConnect, a crypto lending platform that offered users BitConnectCoins (BCC) and boasted an interest rate averaging 1% per day when depositing Bitcoin on the platform. BitConnect was launched in 2016 and its cryptocurrency BCC soon saw a meteoric rise in value, peaking at USD 463 in December 2017, in part riding the wave of a general crypto bull market.
Social media influencers, particularly on YouTube, successfully shilled BitConnect. The promise of high returns proved irresistible to many, and it has been reported that in some cases life savings were deposited in the form of Bitcoin on the platform. As might be expected, this story did not end well for those affected by the scam. Following an enquiry by the UK government and a cease-and-desist order from the Texas Securities Board, the platform shut down on 17 January 2018. It is estimated that customer losses amounted to over USD 1 billion.
Although the subject of much ridicule during its operation (promoter Carlos Matos became and remains an enduring internet meme), BitConnect provides a stark reminder of the largely unregulated nature of the crypto space. BitConnect is widely regarded as a Ponzi scheme, and it is surprising that the affair lasted as long as it did. One argument is that the laissez-faire approach of regulatory bodies towards crypto platforms provided room for BitConnect not only to exist, but to thrive. BitConnect aside, a more hands-on approach to crypto regulation is clearly required, and regulators are in the process of consulting industry experts to better define regulatory perimeters.
On 12 January 2018 Vietnamese crypto firm Modern Tech launched an ICO for an ERC-20 token called Pincoin. The ICO ran until 30 January 2018 and raised USD 660 million from approximately 32,000 individuals. The ICO drew in swathes of investors in part because of claims of high returns; profits of 48% per month were promised. In addition, the multilingual white paper boasted lofty claims, and the website built for ICO fundraising was surprisingly well designed, which initially helped to allay any concerns over the project’s intentions.
In March 2018, the founders of Modern Tech vacated their Vietnam offices along with the entire ICO fundraising pot. The exit scam drew the attention of the Vietnamese government, who commenced an investigation, but by that time the founders had already left the country and have not been located since.
Although huge in scale, this ICO bore the hallmarks of a typical exit scam. In an increasingly digital age, a certain level of trust is often placed in one’s own scrutiny of a website. In the case of Pincoin, the combination of a well-designed website, a detailed white paper and lofty claims was enough to dupe thousands into parting with their hard-earned cash.
Having read through our hack and scam examples, it’s easy to see why the nascent cryptocurrency industry is not for the faint of heart. Nevertheless, blockchain technology and its related applications in many cases show much promise, which goes some way towards explaining why the industry continues to grow even during a lengthy bear market. Let’s briefly run through our main takeaways.
It is always worth being mindful of related past events when making an informed decision. The Coincheck hack serves as a clear reminder to crypto exchanges of the need for adequate security protocols, in particular for the safe custody of cryptoassets. Coincheck is by no means the only example of a crypto exchange having been hacked and assets stolen, and each hack shines a light on weak security practices: where possible, cold storage and multi-signature withdrawal mechanisms should be in place for client cryptoassets. Sole reliance on hot wallets is reckless, and it should go without saying that any exchange choosing to go down this route should be avoided like the plague.
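To make the custody takeaway concrete, here is an added illustration (not code from the article, from Coincheck or from NEM) of the two controls named above: a cap on what the hot wallet may hold, with the remainder swept to cold storage, and M-of-N approval by distinct signers before a withdrawal is released. The approver names, keys, amounts and the use of HMAC as a stand-in for on-chain multi-signature are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed approver secrets: stand-ins for private keys held by different
# people on different devices. HMAC keeps the example stdlib-only; a real
# exchange would use the chain's native multi-signature scheme instead.
APPROVER_KEYS = {
    "ops-a": b"constructed-key-a",
    "ops-b": b"constructed-key-b",
    "ops-c": b"constructed-key-c",
}


@dataclass(frozen=True)
class CustodyPolicy:
    threshold: int        # M approvals required from the authorised set
    approvers: frozenset  # the N authorised signers
    hot_cap: float        # maximum balance the hot wallet may hold


def withdrawal_message(tx_id: str, dest: str, amount: float) -> bytes:
    """Canonical bytes every approver signs; changing any field breaks all signatures."""
    return f"{tx_id}|{dest}|{amount:.8f}".encode()


def approve(approver: str, tx_id: str, dest: str, amount: float) -> tuple:
    """One approver's signature over a withdrawal (hypothetical signing step)."""
    msg = withdrawal_message(tx_id, dest, amount)
    return approver, hmac.new(APPROVER_KEYS[approver], msg, hashlib.sha256).hexdigest()


def authorize_withdrawal(policy, hot_balance, tx_id, dest, amount, signatures):
    """Return (ok, reason): enforce the hot-wallet limit, then M-of-N approval."""
    if amount > hot_balance:
        return False, "amount exceeds hot wallet; requires a cold-storage sweep"
    msg = withdrawal_message(tx_id, dest, amount)
    valid = set()  # distinct signers only: the same key twice is one approval
    for approver, sig in signatures:
        if approver not in policy.approvers or approver not in APPROVER_KEYS:
            continue  # unknown or unauthorised signer is ignored, not counted
        expected = hmac.new(APPROVER_KEYS[approver], msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            valid.add(approver)
    if len(valid) < policy.threshold:
        return False, f"{len(valid)} of {policy.threshold} valid approvals"
    return True, "approved"


def hot_wallet_excess(policy, hot_balance):
    """Amount that should be swept to cold storage to stay under the cap."""
    return max(0.0, hot_balance - policy.hot_cap)
```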
With hindsight it’s fairly easy to identify BitConnect as a multi-layer Ponzi scheme. However, such behaviour is rife in the wild west of crypto, where regulation in many jurisdictions is at a very early stage of development. There is no one-size-fits-all approach to avoiding fraudulent projects, but when extraordinary claims are made they should be backed up with watertight evidence and third-party assessments, such as those from a reputable crypto security audit firm. All crypto projects bear risk, and even the most established ones may fail; this needs to be at the forefront of one’s mind when reviewing projects.
Pincoin is a painful lesson in the anonymity afforded by certain crypto projects. Alarm bells should ring when stumbling on an ICO fundraising website that omits details of the key individuals involved. Just because claims are delivered on a well-designed website does not mean that they are true. Scams can be basic in nature or highly organised, and Pincoin would appear to fall into the latter category. Once again, third-party reviews of the project might have dissuaded individuals from taking part, but of course the organisers of a scam have little interest in such reviews, which explains the absence of one for this ICO.
In summary, each of our examples builds a case for improvements in crypto regulation and third-party reviews. Being little over ten years old, the sector is still evolving, with ever-increasing risks attached to it. The security measures in place for any project need to be proportionate to the risks entailed; crypto security must never be treated as a side topic and should instead be an integral part of project delivery. Only time will tell whether the crypto industry will at some stage reach the level of maturity of other asset classes, but one thing is certain: risks will continue to increase in sophistication, and the need for strong security measures will never fade away.
This article contains general information and not a recommendation to act. Please seek independent investment advice before entering into any financial transaction. Entering into any financial transaction that involves cryptoassets, securities or derivatives puts your capital at risk.