Why Preventing a Cryptocurrency Exchange Heist Isn’t Good Enough

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11286)


Cryptocurrency exchanges have a history of deploying poor security policies and it is claimed that over a third of exchanges were compromised by 2015. Once compromised, the attacker can copy the exchange’s wallet (i.e. a set of cryptographic private keys) and appropriate all its coins. The largest heist so far occurred in February 2014 when Mt. Gox lost 850k bitcoins and unlike the conventional banking system, all theft transactions were irreversibly confirmed by the Bitcoin network. We observe that exchanges have adopted an overwhelmingly preventive approach to security which by itself has not yet proven to be sufficient. For example, two exchanges called NiceHash and YouBit collectively lost around 8.7k bitcoins in December 2017. Instead of preventing theft, we propose a reactive measure (inspired by Bitcoin vaults) which provides a fail-safe mechanism to detect the heist, freeze all withdrawals and allow an exchange to bring a trusted vault key online to recover from the compromise. In the event this trusted recovery key is also compromised, the exchange can deploy a nuclear option of destroying all coins.


  1. 1.
    Andresen, G.: Pay to script hash. Bitcoin Github (2012)Google Scholar
  2. 2.
    Bacca, N.: How to properly secure cryptocurrencies exchanges. Ledger Company (2016)Google Scholar
  3. 3.
    BBC: Bitcoin exchange Youbit shuts after second hack attack. BBC, December 2017Google Scholar
  4. 4.
    Belshe, M.: Bitfinex breach update. BitGo Blog (2016)Google Scholar
  5. 5.
    Bitfinex: Explanation. Reddit Post, December 2017Google Scholar
  6. 6.
    Brito, J.: What does the CFTC have to do with the Bitfinex hack? Coin Center, August 2016Google Scholar
  7. 7.
    Browne, R.: More than \$60 million worth of bitcoin potentially stolen after hack on cryptocurrency site. CNBC (2017)Google Scholar
  8. 8.
    Chavez-Dreyfuss, G.: Cyber threat grows for bitcoin exchanges. Reuters, August 2016Google Scholar
  9. 9.
    Dariusz: Slow withdrawals leave coinbase users annoyed. TheMerkle (2017)Google Scholar
  10. 10.
    Decker, C., Wattenhofer, R.: Bitcoin transaction malleability and MtGox. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 313–326. Springer, Cham (2014). Scholar
  11. 11.
    Gennaro, R., Goldfeder, S., Narayanan, A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 156–174. Springer, Cham (2016). Scholar
  12. 12.
    Goodin, D.: Bitcoins worth \$228,000 stolen from customers of hacked Webhost. Arstechnica (2012)Google Scholar
  13. 13.
    Hanson, R.: A \$50 million hack just showed that the DAO was all too human. Wired, June 2016Google Scholar
  14. 14.
    Higgins, S.: BTER claims \$1.75 million in bitcoin stolen in cold wallet hack. Coindesk, February 2015Google Scholar
  15. 15.
    Hildenbrandt, E., et al.: KEVM: a complete semantics of the ethereum virtual machine. Technical report (2017)Google Scholar
  16. 16.
    Kocher, P., et al.: Spectre attacks: exploiting speculative execution. arXiv preprint arXiv:1801.01203 (2018)
  17. 17.
    Lee, T.B.: Hacker steals \$250k in Bitcoins from online exchange Bitfloor. Arstechnica, May 2012Google Scholar
  18. 18.
    Lemos, R.: Bitcoin exchange Bitstamp claims hack siphoned up to \$5.2 million. Arstechnica (2015)Google Scholar
  19. 19.
    Lipp, M., et al.: Meltdown. arXiv preprint arXiv:1801.01207 (2018)
  20. 20.
    Luu, L., Chu, D.-H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269. ACM (2016)Google Scholar
  21. 21.
    Martin, P.: Coinbase accused of technical incompetence after hoarding millions of UTXOs. Coinbase, January 2018Google Scholar
  22. 22.
    Meiklejohn, S., et al.: A fistful of bitcoins: characterizing payments among men with no names. In: Proceedings of the 2013 Conference on Internet Measurement Conference, pp. 127–140. ACM (2013)Google Scholar
  23. 23.
    Möser, M., Eyal, I., Gün Sirer, E.: Bitcoin covenants. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 126–141. Springer, Heidelberg (2016). Scholar
  24. 24.
    Nilsson, K.: Breaking open the MtGox case, part 1. Wizsec, July 2017Google Scholar
  25. 25.
    O’Brien, W.: It’s time to end the cold storage ice age and adopt multi-sig. BitGo, September 2014Google Scholar
  26. 26.
    Palatinus, M., Rusnak, P.: Multi-account hierarchy for deterministic wallets. Bitcoin Github, April 2014Google Scholar
  27. 27.
    Palatinus, M., Rusnak, P., Voisine, A., Bowe, S.: Mnemonic code for generating deterministic keys. Bitcoin Github, September 2013Google Scholar
  28. 28.
    Perkin, M.: Bitfinex breach update. LedgerLabs (2016)Google Scholar
  29. 29.
    Sedgwick, K.: Coinbase Accused of Technical Incompetence After Hoarding Millions of UTXOs., December 2017Google Scholar
  30. 30.
    Shen, L.: Millions of dollars worth of ethereum got locked up. Here’s Why. Fortune, November 2017Google Scholar
  31. 31.
    Wuille, P.: Hierarchical deterministic wallets. Bitcoin Github, February 2012Google Scholar
  32. 32.
    Zurich, E.: Formal verification of ethereum smart contracts. Securify, January 2017Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.University College LondonLondonUK
  2. 2.Princeton UniversityPrincetonUSA
  3. 3.National University of Sciences and TechnologyIslamabadPakistan

Personalised recommendations