“With our BitGo wallet solution it becomes impossible for our users to lose their bitcoins due to us being hacked or stealing them.”
So wrote Bitfinex CFO Giancarlo Devasini about the bitcoin exchange’s then-new multi-signature security architecture roughly a year before $60m was stolen in one of the industry’s highest-profile hacks this week.
While we know that multi-sig accounts were impacted by the hack (which doesn’t look good for the security feature), it’s still unclear exactly how this breach occurred. Still for many it begs the question, what does this breach mean for multi-sig technology, an innovation often heralded as the future of bitcoin security?
Thursday, the co-founder and CEO of the industry’s largest multi-sig provider BitGo, Mike Belshe, provided an update on the situation, explaining that his startup’s software “functioned correctly” during the incident. Further, both companies in the partnership have now said that BitGo, and its multi-sig solutions, were not at fault.
But for many, that answer isn’t enough. In the court of public opinion, the verdict as to who – or what – should carry the blame is still out.
Those working closely with multi-sig technology argue it shouldn’t be the scapegoat, and that it still should form a core part of exchange security.
Former BlockTrail business development lead Jop Hartog, whose firm offered multi-signature wallets prior to its acquisition this year, said he believes exchanges should still consider the technology, but that they need to understand it’s not a single solution.
“Exchanges should [use multi-sig], and should look for a proper solution for their risks, once they know what they want to have, then go look for a partner,” he told CoinDesk.
“Multisig is the only way forward with current exchanges, but it depends on the implementation to be secure.”
The argument is multi-signature offers a flexible security model with many different configurations, as funds cannot be spent unless two or more users sign the transaction.
However, what the incident might have exposed is that this technology is only as strong as its supporting infrastructure. For Adamant Research’s Tuur Demeester, the incident is a sign of the tech’s maturation process.
“You think you have the silver bullet and it turns out to be more complicated than you thought,” he told CoinDesk, adding:
“Multi-sig has gotten a blow, it has to be rethought.”
In Bitfinex’s case, two particular configurations were used.
Users who were lending or borrowing for the purposes of margin trading had three keys distributed, with one to Bitfinex, one to BitGo and one to the user. Users who were trading had a different arrangement, where two out of three parties needed to sign to release the funds. BitGo had one of the keys and Bitfinex had two.
As previously profiled, it appears that Bitfinex’s key was compromised, but that BitGo didn’t necessarily detect the unusual actions that would have been required to drain the exchange of nearly one-sixth of its monthly volume with speed.
According to Peter Van Valkenburgh, director of research at non-profit advocacy group Coin Center, Bitfinex could have used multi-sig in a way that didn’t expose this vulnerability. (BitGo is among Coin Center’s public donors).
In a detailed blog post yesterday, Van Valkenburgh described one secure scenario where every customer is given “unilateral ability” to access their funds, but that in the event that the customer loses one of the private keys, the exchange, or other service-provider, has a recovery key available.
“If the service provider is hacked, the only keys compromised are the single backup keys,” he wrote. “To actually steal the bitcoins, the hacker needs to also target and compromise every individual customer — a substantially harder task than compromising one server.”
Despite some concerns that cold storage (where bitcoins are kept offline and not in wallets connected to the Internet) was a better option, Van Valkenburgh writes that multi-sig offers a different type of security.
One isn’t necessarily superior, he asserts.
“I could put keys to a pooled wallet on a USB drive and hide it in my five-year-old niece’s dollhouse. That storage is cold (the dollhouse doesn’t have Wi-Fi) but it’s also a terrible idea,” he wrote.
Still, Demeester noted that multi-sig has inherent limitations as well.
“The problem with multi-sig is you can have insiders steal, and you can have people be imposters who pretend to be one or multiple of the multi-sig parties,” he said.
On the other hand, the security technologies aren’t mutually exclusive.
Demeester suggested older solutions like cold storage, and bleeding-edge technologies like the Bitcoin Lightning Network, are likely to gain more attention in the wake of the attack.
Former Blocktrail CTO Ruben de Vries told CoinDesk that the most secure option is to combine multi-sig with cold storage:
“Obviously a combination of cold storage and a multisig wallet is superior to just either one of them. It’s unfortunate that Bitfinex made the choice not to have any cold storage for unknown reasons.”
Bitfinex moved away from a cold storage model last year, and some have speculated that this change could have been triggered by an enforcement action from the US Commodity Futures Trading Commission (CFTC) in which it was forced to change how it “delivered” customer funds.
It’s notable that exactly how this changed the exchange’s infrastructure is not known, and that it’s also the matter of a petition from a prominent law firm seeking for the CFTC to disclose this information.
Rodolfo Novak, CEO and founder of the multi-sig wallet Coinkite, contends that hardware security modules, or devices that store the digital keys, could have mitigated the issue.
“The employment of HSMs is the only sane way of managing funds. If Bitfinex had an HSM on their end, [they] would probably have been able to stop the transactions much sooner,” he said.
The consensus seems to be that while multi-signature adds security, it’s best used with other technologies and secure equipment.
On that note, Belshe said yesterday that BitGo’s other exchange partners – including major exchanges Kraken and Bitstamp – are using different implementations of its software.
“Fortunately, the Bitfinex configuration was unique and other BitGo customers do not need immediate changes,” he said.
Belshe writes that the hack should be seen as an opportunity for exchanges to carefully inspect their security models, so that the ecosystem can move forward from this latest step back.
However, whether multi-sig solutions offered by BitGo or others will be a part of that strategy, remains to be seen.
Pete Rizzo contributed reporting.
Update: The description of how Bitfinex and BitGo handled key management has been updated.
Disclaimer: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in BitGo.
Broken lock image via Shutterstock