2016-08-08

Avoiding Bitfinex scenarios with Voting Pools

This week, a high-profile Bitcoin theft took place at the Bitfinex exchange. The attacker reportedly stole 119'756BTC, worth about 70.5M USD. Those funds were held at a 2-out-of-3 multisignature wallet - one key was held at Bitfinex's server, another was kept by BitGo, and a third was a backup key held offline by Bitfinex. From what the reports say, the hacker was able to get their hands on the first key, as well as the API credentials required to authorise BitGo to process the withdrawal. With no additional safeguards, they were able to drain the hot wallet and land themselves around the number 2 spot of the biggest Bitcoin theft to date, after MtGox.

The scenario is still unfolding, so there are a lot of theories still floating around as to why the situation was allowed to take place. Some have speculated Bitfinex was forced to keep all of their coins in a hot wallet due to CFTC's ruling (as Bitfinex was not a registered futures trading platform), although it seems that the change was made before the ruling. Bitfinex also unveiled a plan for a "bail in", wherein everyone's assets would be devalued by about 36% so the exchange could continue operating.

Since Bitcoin's past seems to be littered with theft, I would like to have a look at one possible solution to minimise such high-profile hacks:

Voting Pools


Voting Pools is an idea proposed by Open Transactions, a Crypto 2.0 platform focused on notaries issuing IOU tokens and other financial instruments. The main issue such systems have to cope with is securing the cryptos, currencies and commodities underlying the assets circulating on the platform - an USD IOU is only useful if you can redeem it for real USD at the end of the day.

The way Voting Pools help secure users' funds is through shared responsibility from competing actors. Multiple exchanges of similar size would group together in a pool and secure one another's funds through multisig and a legal agreement to share responsibility in an event of a loss (be it from theft or one of the exchanges trying to run off with everyone's money). The multisig would be distributed in such a way that any one actor would not be able to control even their own money, and the system being robust enough to handle a loss of some keys (2-of-3, 3-of-5, 4-of-5, etc.).

This setup would make sure that a critical failure of one actor would not compromise the system. Even if one of the exchanges would burn down, get hacked, or the owner would decide to run away with all of the private keys, they couldn't do anything. The other exchanges would take over the responsibility and secure all of the funds to be able to pay all of the failed exchange's customers without suffering a loss of their own funds.

More importantly, however, this solution also forces every participating company to not only police themselves and ensure they have the most adequate security practices in place, but also to look at one another. When your own money is on the line, you will make sure everyone is keeping up with the rest of the pack in terms of keeping the money safe. Since the exchanges would still be competing with one another, they would have every incentive to expose other actors in the voting pool that are compromising the security.

Beyond that the full implementation of Voting Pools also necessitate that the exchanges would open up their transaction logs to one another to make sure everyone knows how much every customer is owed in case of a database wipe or the exchange vanishing from the face of the earth. This is pretty much automatic when it comes to gateways on a public ledger like Ripple or some shared permissioned blockchain, and it shouldn't be too hard to accomplish if an exchange already creates a strict and timely Proof of Solvency. That being said, it is pretty much unheard of for a normal Bitcoin exchange to do that currently, which might make it more problematic.

Having access to a full, real-time set of transaction logs the participants in a voting pool have everything they need to not only be able to settle with every customer in case the exchange goes under, but they can also police the exchange in real-time and raise flags in case of discrepancy. If exchange's liabilities exceed their assets, all withdrawals can be automatically haled until the matter is resolved. Large withdrawals, sudden market crashes and balance changes could similarly raise a lot of flags (to avoid another MtGox scenario, wherein a hacker crashed the market to be able to bypass the $1000/day withdraw limit).

Conclusions


All in all, voting pools would force a strong degree of transparency on every actor and couple that with multiple security teams making sure the system is secured against a growing number of hacks. While the participating exchanges would sacrifice their business data secrecy to their direct competitors, security through obscurity is never a good approach.

No comments:

Post a Comment