QuadrigaCX's loss of nearly $137 million in cryptocurrencies shows that even the most sophisticated methods of encryption are only as secure as the person holding the keys.
First, a brief overview of centralized exchanges: Cryptocurrency exchanges receive deposits from investors who want to trade on the platform. Funds are transferred from an investor's personal wallet to one operated by the exchange. Trades are then made directly between these exchange-controlled wallets. An investor can then withdraw funds back to their personal wallet (less the exchange's commission).*
What went wrong here?
1) Do not keep your savings on an exchange.
Exchange wallets are for trading, not storage. If you do not control the keys, you do not control the funds. Investors should never use an exchange as a form of savings account.
2) Secure your private keys.
The exchange held funds in 'cold storage', meaning the wallet was maintained offline. This makes funds far less vulnerable to remote attack. However, like any other wallet, 'cold storage' still uses a private decryption key. If you lose this, you lose the funds.
Physical security and contingency access are essential parts of this security process. There are various means of implementing both elements, but that is the topic for a future post.
The QuadrigaCX debacle reminds us that, despite advances in online security, we cannot rely on technology to do the whole job for us. In fact, the people operating that technology are often the weakest link in the chain.
*Peer-to-peer exchanges do exist, but centralised exchanges are far more prevalent for various reasons, including transactional speed and cost.
A Canadian court today granted legal protections to a Great White North cryptocurrency exchange that is holding some $190m that can't be accessed – allegedly because its founder, the only person with the passwords to the digital vaults, died.