Most exchanges, fiat or cryptocurrency, maintain an operational strategy that involves aggregating funds from multiple consumers’ accounts into a single higher-level account. In the cryptocurrency space this is known as a ‘co-wallet’ strategy. By way of introduction, the co-wallet strategy assumes that an exchange doesn’t keep consumers’ money in a dedicated wallet per consumer, but rather in a wallet that holds the funds of multiple consumers.
In a practical implementation, this means that consumers of an exchange don’t hold a key to a wallet but only online authentication means (e.g. a password and/or two-factor authentication) to an account’s balance and sell-buy order requests. The exchange, on the other hand, holds the keys to two types of wallets: hot wallets that keep a very small percentage of the exchange’s assets (typically up to 5%) and cold wallets that hold the rest of the assets.
Whenever a consumer places a sell-buy order, a balance management layer checks whether that account has enough balance to complete the order. If the consumer’s balance is enough, an order management layer triggers a withdrawal order from a coin-specific hot wallet (for the ‘buy’ order) into the consumer’s pre-defined address and a deposit order into the exchange hot wallet address (for the ‘sell’ order).
Behind the scenes, the cold-to-hot transfers enable the exchange to respond swiftly to consumers’ orders. The hot-to-cold transfers, on the other hand, ensure that most of the assets are kept offline and safe. The safety level of the cold wallets is usually achieved by several means, including permanent placement in an offline location, several people who multi-sign each transaction, and hardware tokens.
This very brief introduction of crypto exchanges’ operational co-wallet strategy sets the stage for discussing the various challenges this strategy imposes.
Challenge 1 — Security at the expense of velocity
By keeping most of the assets in cold wallets and having to populate the hot wallets with enough funds to meet consumers’ demand, the exchange is always confronted with the need to decide how much money it is risking by keeping it in a hot wallet.
The transfer from cold to hot is purposely cumbersome, requiring several people to arrive physically at one or more locations, the use of dedicated hardware tokens, and the very temporary operation of a usually-offline server. Naturally, such a cumbersome process happens only a few times per day and certainly not in real time. Based on demand, the larger exchanges may go through these cold-to-hot transfers 3 times per day and the smaller ones may complete this type of transfer only once every few days.
One can only imagine the operational toll that this co-wallet strategy takes on the average exchange, both process-wise and time-wise. The bottom line is that most exchanges, while trying to reduce the number of times that their executives physically go to the cold wallets’ location to handle the cold-to-hot transfers, are bound to keep less money in the hot wallets to reduce risk, and hence respond to consumers’ sell-buy orders more slowly than the business really demands. This relative slowness is perceived today as a challenge built into the exchanges’ mode of operation. Everyone would agree that when it comes to currency trading, velocity is second priority to security, and there is a tight tradeoff between the two.
Challenge 2 — Minimizing the risk for an insider attack
Cryptocurrency exchanges, very much like traditional banks, need to minimize the risk of insider employees who can very easily empty worthwhile wallets. With cryptocurrency exchanges, the risk is even greater than with fiat money, since there are no call backs and tracing the money trail effectively is almost impossible.
It is easy to imagine an employee sitting in an airplane at the airport, easily signing a transfer order for millions of dollars to his own address and just minutes afterwards taking off to the Bahamas, to live his life fully and pleasantly.
Exchanges mitigate this risk by leveraging the co-wallet strategy described above. In addition, exchanges, certainly the big ones, define and operate large quorums of approving parties, often involving multiple people from the company’s C-level executives. This is a cumbersome and time-consuming approval process that puts a massive operational burden on the exchange.
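A minimal model of the controls described so far, as an added example rather than code from the original article or from any exchange: the balance check before a hot-wallet payout, the cap on hot-wallet exposure (the 5% figure above), and a quorum of distinct approvers for cold-to-hot refills. The Treasury class, the quorum size of 3, the approver names and all amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

HOT_CAP = Decimal("0.05")  # the article's "typically up to 5%" in hot wallets
QUORUM = 3                 # assumed: distinct approvers needed per refill

@dataclass
class Treasury:            # hypothetical model, not any exchange's real API
    hot: Decimal
    cold: Decimal
    ledger: dict           # account -> balance; customers hold no wallet keys
    approvers: frozenset   # people allowed to sign cold-wallet transfers
    pending: list = field(default_factory=list)

    def withdraw(self, account, amount):
        # Balance management layer: does the account cover the order?
        if amount <= 0 or self.ledger.get(account, Decimal(0)) < amount:
            return "rejected"
        # Order management layer: payouts can only come from the hot wallet.
        if amount > self.hot:
            self.pending.append((account, amount))  # waits for a refill
            return "queued"
        self.ledger[account] -= amount
        self.hot -= amount
        return "paid"

    def refill(self, amount, signatures):
        # Count each approver once and ignore signers outside the approver set.
        if len(set(signatures) & self.approvers) < QUORUM:
            return "rejected: quorum"
        if amount <= 0 or amount > self.cold:
            return "rejected: amount"
        # Refuse any refill that pushes hot exposure above the cap.
        if self.hot + amount > HOT_CAP * (self.hot + self.cold):
            return "rejected: cap"
        self.cold -= amount
        self.hot += amount
        return "approved"

def demo():
    # Constructed sample data: 1000 units of one coin, 2% of it hot.
    t = Treasury(Decimal(20), Decimal(980),
                 {"alice": Decimal(50), "bob": Decimal(5)},
                 frozenset({"ceo", "cfo", "cso", "coo"}))
    return [t.withdraw("bob", Decimal(10)),                   # over balance
            t.withdraw("alice", Decimal(30)),                 # hot wallet short
            t.refill(Decimal(30), ["ceo", "ceo", "intern"]),  # one valid signer
            t.refill(Decimal(40), ["ceo", "cfo", "cso"]),     # would reach 6%
            t.refill(Decimal(30), ["ceo", "cfo", "cso"]),     # exactly 5%
            t.withdraw("alice", Decimal(30))]                 # retried order
```

The queued order in the middle of the run is the velocity cost from Challenge 1: a customer with sufficient balance still waits until a quorum-approved refill lands.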
Challenge 3 — Maintaining the co-wallet strategy for hundreds of cryptocurrencies
This type of challenge can be compared to the proud home cook that is able to prepare a great dinner for a group of 8 people and the incomparable challenge of running a restaurant that feeds 150 people every evening.
Maintaining a co-wallet strategy for hundreds of cryptocurrency pairs, serving millions of customers, employing dozens of employees (can they be trusted?) and managing it all securely and smoothly, while responding to consumers’ orders in near real time, is an enormous challenge, security-wise and operations-wise. The challenges described above are multiplied by orders of magnitude when having to deal with hundreds of hot and cold wallets, millions of USD that should be transferred daily and dozens of employees who have inside information about the signing workflows and approval policies.
Bringing it all together: How are exchanges securing their assets?
The traditional banking system has been building various security and operations mechanisms for the past 150 years. Cryptocurrency exchanges, a new entity in an emerging and fast-moving market, are facing greater challenges compared to banks, because of the complete digitization of the blockchain assets, the key-dependency and the irreversible nature of the cryptocurrencies’ transactions.
It is not surprising that up until recently, crypto exchanges have mostly taken the safe road and managed most of their assets offline, keeping only a fraction of the assets in hot wallets. This is the reason that most of the world’s cryptocurrencies (in terms of value) are still stored in air-gapped computers or HSMs that are kept offline in heavily guarded facilities.
This piece described the mitigation strategy that helps exchanges serve their consumers on a daily basis: the co-wallet strategy, which is secure enough but pays the toll of a slow response when demand exceeds the amounts stored in the hot wallets.
Considering the challenges that cryptocurrency exchanges must deal with, it is easy to understand the offline and the co-wallet paradigms. However, the security platforms that can protect cryptocurrencies have evolved considerably in the last few years, offering new security solutions that enable the magic of a hot wallet which is as secure as (if not more secure than) a cold wallet. If you are operating an exchange, imagine what your business would look like with 20%, 30% or even 50% in a hot wallet. The business and operational gains are immense.