Avoiding QuadrigaCX’s $190 Million Disaster: How Do the World’s Largest Crypto Exchanges Store Funds and How Can You Really Protect Your Funds

Canada’s largest crypto exchange QuadrigaCX lost more than $190 million worth of user funds and is unable to reimburse its users.

On February 1, the founder and CEO of QuadrigaCX passed away in India with sole control over the company’s cold wallets containing more than $150 million in cryptocurrencies like Bitcoin and Ethereum, and $40 million in cash stored with a third party.

How do the world’s largest digital asset exchanges such as Binance and Coinbase store funds to avoid a tragic situation like QuadrigaCX?

CEO should never have sole access to crypto on an exchange

A common criticism against the Canadian exchange, which now faces the risk of bankruptcy and bank default, was its structure.

Meltem Demirors, an executive at CoinShares, said that QuadrigaCX lacked continuity planning and a reliable structure.

In a highly unlikely event that an executive or a key figure at an exchange goes missing, the company should still be able to operate and protect the funds of users.

“Beyond horrifying. Canada’s largest exchange QuadrigaCX: founder dies suddenly, no one has private keys to wallets, fiat balances inaccessible. Operational security and continuity planning is essential for both a business and an individual,” she said.

Changpeng Zhao, the CEO of Binance, the world’s biggest crypto exchange based on volume, said that exchanges have to utilize a multi-signature system to control a cold wallet.

In Bitcoin, a multi-signature wallet allows multiple users or organizations to hold private keys to the wallet.

Only when all of the keys or the majority of the keys are combined, depending on the structure of the multi-signature wallet, can the funds be accessed.

“That’s sad,” CZ said, referring to the QuadrigaCX case. He added, “there are many solutions to split private keys or signing to achieve 3/5, 5/7 etc. Never neglect security. Also, never have CEO carry private keys. Bad on many levels. Personally, in good health and intent to live longer and prosper.”

For an exchange, the protection of user funds and the security of internal management systems have to be prioritized over any other area of business.

Many of the largest exchanges in the global market employ a carefully laid out strategy in governing cold storage wallets to ensure the safety of user funds.

In December 2018, Coinbase, a leading U.S.-based exchange, transparently disclosed the biggest crypto transfer on record involving its cold wallet, providing a rare insight into its system.

Prior to moving its cold wallet funds, the Coinbase team said it planned months ahead of the event to eliminate any potential technical hiccup.

Previously, Coinbase stored user funds in a cold wallet secured in a safety deposit box. As the exchange grew in size, the company had to overhaul its storage to a more secure and efficient system.

The Coinbase team explained:

We began planning months before the actual move date and involved almost every team at Coinbase in the process. We conducted risk assessments, honed monitoring plans and conducted test migrations until we were positive that the live migration would go off without a hitch.

QuadrigaCX’s negative effect on the crypto sector

Nathaniel Popper, a journalist at The New York Times, said it best.

The Mt. Gox-esque case of QuadrigaCX may have harmed the reputation of the industry as well as that of companies like Coinbase, Binance, and Gemini that allocate a significant portion of their resources in protecting user funds and establishing industry standards.

Already, in major markets such as Japan and South Korea, crypto exchanges have a reputation of being vulnerable to hacking attacks and fraudulent operations due to past events.

These cases demonstrate that the cryptocurrency sector is still at its infancy. Over time, as the industry adopts better practices, the infrastructure and internal management systems of exchanges are expected to improve.

Individual safe storage

With the cryptocurrencies one have in his own hands the individual responsibility to look after his/her own affairs. It is a training for freedom. The process of disintermediation is difficult to follow after decades of constant propaganda by the intermediaries themselves: “You need us”. Not anymore. Not even in the safe custody of your funds. In fact, the Melis wallet is an app that can contain in it all the options and the security of an account in a physical bank.

Its richness of features make Melis the wallet able to satisfy any need, both of safety and utility, requested by the user. There are simple wallets for smartphones without security features or very secure desktop wallets for managing your savings that are quite unpractical to use. Melis offers the best of all worlds: simplicity and security for desktop and mobile, in the same application.

With Melis you can create as many single or multi user accounts as you want and can be configured on more than one device (desktop computers, smartphones, tablets, etc.). You can create an account with maximum level of security (protected by server signature, with spending limits); there are already other wallets that can create multi-signature accounts very easily, but the key schemes are fixed and not configurable. With Melis you can create a multi-signature account between N people, where up to N signatures are required to sign a transaction, choosing if any of those should be mandatory.

Key features

• Native support for Bitcoin, Bitcoin Cash, Litecoin and Groestlcoin
• A single wallet is able to handle an unlimited number of accounts of different kinds, single signature, multi signature, and multi user
• The most advanced multi user implementation available, where you can create an account for example with these characteristics:
• 5 users, where 1 signature is mandatory and any 2 of the remaining 4 are needed to authorize a transaction
• 2of2 signatures where one of the two signatures is handled by the server so that it can enforce spending policies like TFA and limit of expenses per period (daily, weekly, monthly)
• multi user accounts (for example 3of5) with added, mandatory, server signature
• The server coordinates real time messaging between users so that at any time you can know the status of an “ongoing” transaction and the list of cosigners that have already signed
• TFA for enhanced security, available also via Telegram (very handy!)
• The server is smart enough to detect if someone sends BTCs to a BCH address of yours and viceversa, and in that case creates on the fly a new account in order to be able to recover the (otherwise lost, or difficult to retrieve) funds
• Multi device support with native builds for Linux, Mac, Windows, iOS and Android in addition to the web https://wallet.melis.io
• A single backup using standard BIP39 mnemonics is valid and sufficient for an unlimited number of transactions, address and different account types
• A special feature able to recognize the access to the wallet by a designated primary device that is the only one able to access secured accounts.
• Accessing the wallet from every other device would be impossible to know that there are hidden accounts, with plausible deniability
• Capability to create advanced transactions with multiple recipients, manual tuning of the fees and complete coin control
• RBF support (Bitcoin only)
• Untrusted server architecture where all the keys never leave the clientand are in full control by the user
• Completely open source client with rebuildable sources hosted on github: https://github.com/melis-wallet

We could argue that a single user account with server side signature, TFA and spending limits, secured to be used only by a specific account is one of the most advanced scheme available today to secure its stash (much more secure than a paper wallet).

Multiple accounts with different characteristics enable different use cases:

Here you can find a sample of the wizard used to build and avanced multiuser, multisignature account:

Melis is not perfect nor complete yet and it is very much work in progress but completely usable in its current form. We are trying our best to make it a very powerful tool for advanced users. Visit our websiite for further infos: https://www.melis.io/