Do We Store Your Crypto Assets Securely?
Max Sapelov, CoinLoan Co-founder and CTO explains assets and platform security
In today’s always-‘on,’ always-connected reality, security has become a primary concern in the crypto world. Just in the first quarter of 2019, $356 million in cryptocurrency was stolen.
Further, hackers recently stole $40 million in bitcoin from Binance, one of the cryptocurrency exchanges with the largest reported trading volume worldwide. Sadly, in practice, supposedly secure blockchain technology often proves to be the opposite.
Metaphorically speaking, an ‘unpickable’ front door lock doesn’t mean your house is fully protected, especially when you’ve left your windows wide open. It’s one facet to speak about the technology itself and another to understand how assets are stored and managed. For instance, crypto-exchanges are desirable targets for hackers because these platforms keep hot wallet private keys on network-connected machines to allow for instant withdrawals.
Currently, marketing slogans and headlines about security are popular. However, thefts proving these claims false are just as common. Remember when John McAfee’s ‘unhackable’ Bitfi wallet got hacked?
Another noteworthy incident occurred in late March 2019: the CoinBene exchange, which claimed that user funds were 100 percent secure, lost $100 million worth of cryptoassets.
Unfortunately, the inner workings of security systems aren’t visible, making it impossible to confirm or deny a company’s security claims. This leaves us in a position where we just have to take these companies at face value until a theft happens.
CoinLoaners consistently ask us about security issues, and they are right to do so. When you think about where to lend, you want to make sure the people behind the company are good custodians of your assets. To show you that we fit that standard, today, we’re giving the floor to Max Sapelov, Co-founder and CTO here at CoinLoan.
Unique security features and unique vulnerabilities go hand in hand, which is why it does not make sense to start off talking about CoinLoan’s ‘unbreakable’ protection. Instead, it is critical to explain how CoinLoan ensures the integral safety of our users and their assets. By explaining these systems, you are then able to draw your own conclusions about our security-first mindset.
- Today, we will talk about assets security on CoinLoan;
- Respond to a frequently-asked question regarding third-party custodian services;
- And discuss our ten-level approach on platform security.
CoinLoan’s Assets Security Framework
Any technology has its weak points and attack vectors. In terms of cryptoassets, the security of our private keys is paramount to securing cryptocurrency funds.
Generally, hot wallets are crypto-exchanges’ main vulnerability; however, this is not the case with CoinLoan. As a security expert, I have created this simple rule:
“If the system can process crypto-withdrawals automatically, then it’s vulnerable to hacks — without exception.”
Following this principle, we do not store any private keys on network-connected devices, which is why we process all withdrawals manually. Manual processing means that small delays may occur. While this may be confusing, please note that we are not a wallet service, and your security is our top priority.
By contrast, we process deposit operations automatically, because this requires only public keys (addresses) on our servers. Further, I can confirm that we have one of the fastest crypto-deposit processing systems on the market.
CoinLoan’s Assets Security Principles:
- All cryptoassets are stored in offline, cold, multi-signature wallets.
- Transaction signing only happens offline on separate devices that have never been connected to the network, and this process involves several people.
- The multi-signature process involves several keys (N) with a required quorum of any (M) of them. For example, you need 3 out of 5 keys or 5 out of 8 keys to conduct a transaction. Thus, it is not possible for a single individual to sign a transaction. This scheme also ensures that, if one of the multi-sig keys is lost, you do not lose control over your assets.
- We store encrypted parts of the keys in a geographically-distributed manner in bank safe deposit boxes to prevent loss of the keys due to natural disasters, including floods, earthquakes, fires, etc.
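To make the M-of-N quorum rule concrete, here is an added example (not CoinLoan’s code, and not how an on-chain multi-signature script is evaluated). It models N key holders who each approve a transaction digest independently and a verifier that accepts only when at least M distinct known keys have approved that exact transaction. HMAC-SHA256 with a per-holder secret is assumed as a stand-in for the per-key signature scheme a real multi-signature wallet would use; the transaction and key material are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in: each of N key holders owns an independent 32-byte key.
# HMAC-SHA256 plays the role of a per-key signature, so the verifier here needs
# the same keys the signers hold (assumption; a real wallet uses public keys).


def make_keys(n):
    """Generate N independent signing keys, one per key holder (constructed)."""
    return {f"key{i}": secrets.token_bytes(32) for i in range(n)}


def tx_digest(tx):
    """Canonical digest of the transaction being approved, so every holder
    signs exactly the same bytes regardless of field order."""
    canonical = "|".join(f"{k}={tx[k]}" for k in sorted(tx))
    return hashlib.sha256(canonical.encode()).digest()


def approve(key_id, key, tx):
    """One key holder's approval of one specific transaction."""
    return key_id, hmac.new(key, tx_digest(tx), hashlib.sha256).digest()


def quorum_ok(tx, approvals, verify_keys, m):
    """Accept only if at least M distinct known keys produced valid approvals
    for this transaction.  Unknown keys, invalid approvals and approvals for a
    different transaction are ignored; the same key is counted once."""
    digest = tx_digest(tx)
    valid = set()
    for key_id, mac in approvals:
        key = verify_keys.get(key_id)
        if key is None:
            continue
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(mac, expected):
            valid.add(key_id)
    return len(valid) >= m


if __name__ == "__main__":
    keys = make_keys(5)                      # 3-of-5 policy
    tx = {"to": "bc1qexampledestination", "amount": "1.25", "asset": "BTC"}
    three = [approve(k, keys[k], tx) for k in ("key0", "key2", "key4")]
    print("3 of 5 distinct approvals:", quorum_ok(tx, three, keys, 3))
    one_key_thrice = [approve("key1", keys["key1"], tx)] * 3
    print("one holder signing three times:", quorum_ok(tx, one_key_thrice, keys, 3))
```

The set of approving key ids is what enforces the policy: repeating one holder’s approval does not raise the count, and because only M keys are required, the loss of a single key leaves the remaining holders able to reach the quorum.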
Our Most Frequently-Asked Question
Why not store each loan’s collateral in a multi-sig wallet that requires 2 out of 3 keys — with the first from a borrower, the second from a lender, and the third from the platform?
The answer is pretty simple. We have to liquidate the collateral as fast as possible in case of a margin call to prevent potential losses caused by market price fluctuations. Obviously, this is not possible if we do not have custody and lack full control of collateral.
Our Perspective on Outsourced Custodial Services
An external custodial solution can be relatively safe by itself. However, it is critical to recognize that merely using such an instrument cannot ensure security, because the effectiveness of an external custodial solution depends on how its architecture is implemented by a particular company or individual. Such services can even be counterproductive if a project’s security management neglects other protective measures out of a false sense of security.
As in the locked-front-door scenario, an outsourced custodian acts as a robust lock. This tool is useful only if it is installed correctly and if the keys are stored and managed responsibly. Overall, the general configuration matters, since security can easily be violated depending on how the system is built around the lock.
There is no question that some custodial solutions for blockchain-based currencies provide reliable service that is indispensable in some cases.
However, we should be clear about what we mean when we use the term “custodian”:
What does custodian mean in terms of BitGo, for instance? In this case, the term includes only managing and holding the private keys for cold wallets. They’re providing a wallet service and not regulating the deals on a platform. Thus, BitGo is NOT responsible for deals on a platform.
One more topic we would like to clarify is BitGo’s insurance:
What does it mean for end-users of exchanges and lending platforms? Despite the “ambiguous language” in public statements, it insures users against internal theft, fraud, and technical problems that result in the loss of the customer’s assets.
BitGo insurance provides NO protection in the following cases:
1. Human Factors
A financial officer of a client platform may send the funds to the wrong wallet using BitGo’s system.
2. Hot Wallet Hack
In cases where a malicious hacker gets into the infrastructure of an exchange or a lending platform, they can obtain the keys and use BitGo’s hot wallet API to steal all the hot wallet’s assets.
3. Database Hack
When a malicious hacker gains access to a client platform’s database, they can replace all the deposit addresses with addresses that the hacker controls. Thus, any deposits that are supposed to be sent to the client’s platform will be sent to the hacker’s wallet instead. This particular case can lead to a massive loss of assets far beyond the amount stored in a hot wallet.
4. Financial Officer’s Computer Hack
For example, someone may gain access to the computer of a client platform’s financial officer using a spear-phishing attack with backdoor malware. An attacker can then install malware that monitors the clipboard on the computer.
If it finds a crypto-wallet address, the malware replaces the correct address with a hacker-controlled one. Now, when the financial officer initiates a transfer from a BitGo wallet, the malware swaps the destination address for the hacker-controlled one.
5. Other Attack Vectors Not Listed Here
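The database-hack case above (deposit addresses silently rewritten in the platform’s own database) is one a platform can detect on its own side. The following added example (not BitGo’s or CoinLoan’s code) shows one way to do that: every stored deposit address carries an HMAC-SHA256 tag computed with an integrity key that is assumed to live in the application’s secret store rather than in the database, so an attacker who can only write to the database cannot produce a valid tag for a substituted address. The key value, user ids and addresses are constructed placeholders.

```python
import hashlib
import hmac

# Assumption: the integrity key is held by the application (e.g. a secrets
# manager), never stored in the database.  Placeholder value for the example.
INTEGRITY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

SEP = "\x1f"  # unit separator: keeps user_id/currency/address fields unambiguous


def address_tag(user_id, currency, address, key=INTEGRITY_KEY):
    """HMAC over the full record, binding the address to its owner and asset."""
    msg = SEP.join((str(user_id), currency, address)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def register_address(db, user_id, currency, address, key=INTEGRITY_KEY):
    """Store a freshly generated deposit address together with its tag."""
    db[(user_id, currency)] = {
        "address": address,
        "tag": address_tag(user_id, currency, address, key),
    }


def verified_address(db, user_id, currency, key=INTEGRITY_KEY):
    """Return the stored address only if its tag still matches; raise otherwise.
    Call this before showing an address to a user or crediting a deposit."""
    row = db.get((user_id, currency))
    if row is None:
        return None
    expected = address_tag(user_id, currency, row["address"], key)
    if not hmac.compare_digest(row["tag"], expected):
        raise ValueError(f"deposit address record tampered: user={user_id} {currency}")
    return row["address"]


def audit(db, key=INTEGRITY_KEY):
    """Sweep every record and return the (user_id, currency) pairs whose
    address no longer matches its tag: the alert feed for a monitoring job."""
    tampered = []
    for (user_id, currency), row in db.items():
        expected = address_tag(user_id, currency, row["address"], key)
        if not hmac.compare_digest(row["tag"], expected):
            tampered.append((user_id, currency))
    return tampered


if __name__ == "__main__":
    db = {}  # constructed in-memory stand-in for the platform's address table
    register_address(db, 1001, "BTC", "bc1qexampleuser1001address")
    register_address(db, 1002, "BTC", "bc1qexampleuser1002address")
    # Simulated database compromise: the attacker overwrites one address.
    db[(1002, "BTC")]["address"] = "bc1qattackercontrolledaddress"
    print("tampered records:", audit(db))
```

Because the tag also covers the user id and currency, moving a valid address and tag from one user’s row to another is detected as well, not only a changed address string. In production the same pattern fits a periodic audit job plus a check at the two points where the address is actually used: when it is displayed and when an incoming deposit is credited.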
Our Frequently-Asked Questions
Why not use an SEC-approved, certified, and insured custodian, like BitGo, when storing assets?
We like and respect BitGo’s services, and they work well in some business cases, for example when a company does not have an experienced cybersecurity and blockchain team or does not have enough time to develop custom solutions. Fortunately, this is not the case with CoinLoan.
We have developed our platform and all the infrastructure for operating blockchain assets, processing transactions, and storing assets on multi-signature cold wallets from scratch. We have no reason to outsource security to a third-party given that we have a unique threat model of crypto-backed lending and know how to manage cryptoassets securely.
Also, other obstacles prevent CoinLoan from using third-party wallet services like BitGo. For example, we don’t want to be stuck with the limited list of currencies that are supported by BitGo.
In a market with dozens of liquid coins, we want to be as competitive and flexible as possible and list any coin we choose. For example, we have recently listed Monero, which is not supported by BitGo or by our competitors.
Finally, we don’t want to pay extra service fees for storing the assets and processing transactions.
Do you have any insurance coverage for assets?
Currently, like other prominent players on the crypto-market (exchanges, wallets, lenders, etc.), we do not offer insurance coverage for assets. If a company claims that they provide asset insurance, we recommend verifying this information by asking for some documentation as well as specific insurance details regarding coverage.
We also recommend that you check any provided information with the insurance company. Our experience supports that these statements are often false marketing.
The Ten Security Layers of CoinLoan’s Platform
In security, what matters is not the presence of strengths but the absence of weaknesses. As soon as a single weak point can be exploited by malicious hackers, the entire system becomes susceptible, which is why I am not going to waste time creating a slogan to summarize our complex security system. Instead, I am going to lift the veil of secrecy surrounding our ten security measures:
1. Secure Cloud Infrastructure
We use the best-on-the-market cloud services provider that is certified by the world’s strict security standards and is trusted by major banks and financial institutions.
2. Modern Encryption Standards (SSL with TLS 1.3, DNSSEC, HSTS)
Traffic between a client browser and our servers uses the most advanced encryption protocol approved for use within banks and credit card processing companies. The domain is protected from DNS man-in-the-middle attacks by DNSSEC. HSTS instructs browsers to reach the domain only over encrypted (HTTPS) connections.
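HSTS only protects users if the header a site actually sends is strong enough to matter. As an added example (not part of CoinLoan’s stack), here is a small parser for the Strict-Transport-Security header together with a checker that reports the weaknesses a reviewer looks for: a missing or non-numeric max-age, max-age=0 (which removes the policy), a max-age shorter than the one-year value the browser preload list expects, and missing includeSubDomains or preload directives. The header strings below are constructed; the one-year threshold is an assumption taken from the preload requirements rather than from the page.

```python
ONE_YEAR = 31536000  # seconds; assumed threshold, as used by the browser preload list


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a directive map.
    Directive names are case-insensitive; valueless directives map to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        directives[name] = val.strip().strip('"') if val else True
    return directives


def hsts_findings(value, min_age=ONE_YEAR):
    """Return a list of human-readable findings; an empty list means the
    policy meets every check."""
    d = parse_hsts(value)
    findings = []
    age = d.get("max-age")
    if age is None or age is True:
        findings.append("max-age directive missing")
    else:
        try:
            age = int(age)
        except ValueError:
            findings.append("max-age is not numeric")
            age = None
        if age == 0:
            findings.append("max-age=0 removes the HSTS policy")
        elif age is not None and age < min_age:
            findings.append(f"max-age {age}s is shorter than {min_age}s")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains stay unprotected")
    if "preload" not in d:
        findings.append("preload missing: first visit is not protected")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, strongest first.
    for header in ("max-age=63072000; includeSubDomains; preload",
                   "max-age=300",
                   "max-age=0"):
        print(header, "->", hsts_findings(header) or "ok")
```

Checking the live header is a one-line follow-up with any HTTP client; the point of keeping the parser separate is that the same function can run over a saved response in a CI check or a scanner rule without touching the network.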
3. Web Application Firewall (WAF) and DDoS Protection
The top player in the web application security market analyzes server requests. Hacking attempts, bots, and DDoS attacks are filtered out meticulously to prevent a service breakdown. None of our servers have direct access to the Internet.
4. Regular Vulnerability Scans
The CoinLoan infrastructure is checked daily with the number-one vulnerability scanner to discover weaknesses of any given sub-system. The list of tests for our scanner is updated regularly.
5. Secure Software Development Life Cycle (SSDLC)
According to this methodology, every coding change made and new feature implemented is inspected by developers, tested by QA specialists, and analyzed by security experts.
6. Bug Bounty Program
We have a partnering program for white hat hackers and welcome ethical specialists to collaborate with us in analyzing vulnerabilities and enhancing the security of our service infrastructure. We react immediately to any report, and where bugs or vulnerabilities are discovered, we issue an update as soon as possible. It should be noted that no serious problems have been reported to date.
7. PCI DSS Certification
Currently, we are undergoing a security certification designed for banks and other financial institutions that process card payments. This procedure includes multiple independent security audits, penetration tests, and other phases of control.
8. Account Takeover Protection
Our system blocks attempts to brute-force passwords and one-time two-factor authentication (2FA) codes. In addition, at each log-in we notify the user by email with details of the browser and geolocation used for that log-in.
These emails help users spot intrusion attempts at a glance. Each session is bound to the browser and IP address, which protects against cookie theft and session hijacking.
9. Infrastructure Monitoring
Monitoring of CoinLoan infrastructure continues around the clock for the rapid identification of abnormal activity and system errors.
10. Two-Factor Authentication
We use TOTP for 2FA to confirm each log-in attempt, funds withdrawal, password reset, and other crucial account actions. You can read more on how 2FA works on CoinLoan here.
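The two account-protection measures above, blocking brute-force attempts on one-time 2FA codes (layer 8) and confirming actions with TOTP (layer 10), fit together naturally, so one added example covers both. It is not CoinLoan’s code: it implements HOTP/TOTP as specified in RFC 4226 and RFC 6238 with the standard library, and wraps the check in a verifier that accepts a code only once (no replay of a code already used), tolerates one time step of clock skew, and locks the account for a period after a small number of consecutive failures, which is what makes a six-digit code space safe against guessing. The secret is the RFC 6238 test-vector secret; the failure limit and lockout duration are assumed values.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, now, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Per-account verifier: one-step skew window, single use per code,
    lockout after too many consecutive failures (assumed policy values)."""

    def __init__(self, secret, step=30, window=1, max_failures=5, lockout_seconds=900):
        self.secret = secret
        self.step = step
        self.window = window
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_counter = None  # highest counter already accepted

    def verify(self, code, now):
        """Return (accepted, reason) for a submitted code at time `now`."""
        if now < self.locked_until:
            return False, "locked"
        base = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.last_counter is not None and counter <= self.last_counter:
                    return False, "replayed"
                self.last_counter = counter
                self.failures = 0
                return True, "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return False, "locked"
        return False, "wrong code"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 SHA-1 test-vector secret
    print("code at t=59:", totp(secret, 59))  # RFC vector: 287082
    v = TotpVerifier(secret)
    print(v.verify(totp(secret, 59), 59))     # (True, 'ok')
    print(v.verify(totp(secret, 59), 60))     # (False, 'replayed')
```

The lockout counter resets on success, and `last_counter` is what turns a code that was valid for thirty seconds into a code that is valid exactly once; both pieces of state belong in the account record, not in the web tier, so that a retry against a different server sees the same history.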
Also, here is a bonus video for those who get to the end of this long read: