
Capital Markets Veteran Gavin Smith Calls for Better Security Standards for Bitcoin Traders


“Blockchain fintech companies can not only provide better security for bitcoin traders, we can also solve the problems that plague conventional capital market companies.”

November 15, 2016, London

This is the opinion voiced at the Blockchain Money Conference in London last week. Speaking to an audience of investors, entrepreneurs, and experts including Jon Matonis, Michael Parsons and Roger Ver, First Global Credit’s CEO Smith proposed that companies needed to take a more pragmatic view of risk. During his talk he highlighted specific areas of risk that were being overlooked by bitcoin companies.

“In the conventional capital markets we have many metrics used to measure risk. They are not great; they are not foolproof, but they are a decent framework that [start to] measure where the risk comes from. In the cryptocurrency world, we don’t yet have that.” — Smith asserted.

His statement came in response to the ongoing security threats that challenge bitcoin exchanges. Not a single year has gone by without reports of online bitcoin wallets being hacked. Many speculators turn to bitcoin trading in the hope of making easy profits from its trademark price volatility. Exchanges such as BitFinex further attract traders by offering leveraged trading funded by loans from bitcoin holders who are not skilled traders but still want to earn a return on their crypto-assets.

Are these practices — and whatever returns they promise — worth the risk if the exchange cannot compensate investors after a security breach? Even the most respected Bitcoin exchanges have not been able to protect their customers from hacks, which have led to over $80 million worth of losses in the last two years.

“BitFinex was one of the largest and most respected Bitcoin exchanges and they still got hacked,” Smith stated. “It clearly illustrates how vulnerable our funds are in the absence of adequate risk management protocols.”

Minimising Risks

Using his own company as an example, which allows bitcoin to be used as collateral margin to trade against fiat currencies, world-wide stock markets, precious metals and ETFs, Smith described what it does to reduce risk, and counterparty risk in particular.

“First we actively grade bitcoin exchanges based on a weighted set of criteria including whether the exchange is domiciled in a respected jurisdiction, the transparency of their management structure and finally the longevity of the exchange. Once we have identified acceptable counterparties we spread assets across multiple exchanges. We need to be in a situation where we keep operating and continue to provide our customers with service even if one of our counterparties fails. So we don’t risk more than 15% of reserves on any one bitcoin exchange.”

“We further control risk by minimising the time that we have funds out of our control. We do this by continuously moving funds out of exchanges when not actively being used to trade.”

Exchanges are Centralising Bitcoin

“One of the benefits of bitcoin is that it should cut away middlemen from financial settlements, but bitcoin exchanges have failed to follow the vision themselves by acting like centralised authorities.” Smith highlighted these points and didn’t shy away from identifying that his own company was subject to the same issues. He then pointed to current and upcoming developments that are steps in the right direction of combating counterparty risk.

“I believe the real challenge over the next 2 years – for companies who operate in the cryptocurrency capital markets – is to move beyond this model of us holding client funds and being ourselves, a point of risk for the customer assets.”

“We’ve already seen some attempts to deal with this problem, but thus far these have failed because they do not cover the security of funds over the full trade lifecycle. They protect funds when they are initially placed on the exchange, but as soon as funds are committed to an active trade they are subject to the same risks as they are on a conventional bitcoin exchange because they are pooled with other trades. So while protecting inactive funds provides a partial solution, this benefit is counteracted as soon as you open a position and start trading. This is not a particularly useful innovation for funds lodged with First Global because we are actively moving dormant money out of the control of the exchange anyway. So a solution that only protects funds when there is no active trade does not really add value.”

“The second area is using smart contracts to replicate trading. Again, this is a move in the right direction, but the problem with the practical use of smart contracts at the moment is lack of liquidity. There is a real challenge of creating a solution that provides good liquidity and real security through the full lifecycle of a trade, including point of settlement. To my mind that is where the real benefit and the future lies. If we can create a solution that achieves this we have not only provided value in the cryptocurrency capital markets, we’ve created something that actually leapfrogs existing mainstream capital market risk.”

“All counterparty risk management strategies in existing capital markets are based on allowing banks to transact business securely. Allow bank A to trade with bank B in a way that keeps them from having counterparty risk. Nobody considers the last step in the cycle, the piece that covers the transfer of funds to the end customer. That customer is still expected to assume all the counterparty risk of working with a bank or broker or other institution. If we can create an environment that allows customer A to trade with customer B without any added counterparty risk from working with an institution in the middle, that’s where I think the public blockchain can add real value to the whole finance industry and our market will pull ahead of conventional markets in what we can offer our customers. So in the next two years not only will counterparty risk become actively managed in the cryptocurrency space, I can imagine ways blockchain tech can be adapted for mainstream markets counterparty risk management as well.”

Do you have a leaky Bitcoin wallet?


Filippo Valsorda, the engineer who developed the program that checks whether your server or browser is vulnerable to the Heartbleed bug, today released a tool designed to hunt down wallets that sign transactions insecurely and, in effect, leak their private keys.

Mr. Valsorda, who works for CloudFlare, demonstrated how known flaws in some wallets have allowed thieves to steal bitcoins, owing to insecure clients or to flaws in unpatched browsers.

Mr. Valsorda stated, “I found two really big security holes where someone probably made an error while writing their client that generated hundreds and hundreds of vulnerable transactions. I was able to identify one attacker who stole something like 59 Bitcoins … targeted the users’ browsers that were likely not providing the right random numbers.”

The 59 Bitcoin hack happened in August 2013 and Google was wrongly blamed for the loss. Valsorda also found indications that other hackers were scanning the blockchain for this deficiency and were raiding wallets, but the results were not conclusive.

Mr. Valsorda studied the blockchain during his research, looking for such mistakes, and concluded that we would be better protected if we built systems that protect transactions by default, so that a single failure in the security design does not expose the keys.

A known weakness in how the Elliptic Curve Digital Signature Algorithm (ECDSA) is used, rather than in the algorithm itself, is to blame: every ECDSA signature needs a fresh, unpredictable random number, and insecure clients or unpatched browsers that failed to supply one produced signatures that exposed the key. While the Bitcoin clients Multibit and Electrum received gold stars for their correct use of ECDSA, blockchain.info did not. However, Mr. Valsorda stressed that this was not a vulnerability in blockchain.info itself, but rather in its reliance on what could be an unpatched or outdated browser.

Valsorda found no remaining wallets vulnerable to attack and pointed out that attackers could target exposed wallets without his script. Valsorda concluded, “whoever is developing software has [a] responsibility to users who do not know enough to protect themselves.”
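The check described above, as an added example that is not Valsorda’s tool or any wallet’s code: a scanner that takes signature records as a blockchain crawler would collect them and reports any key whose signatures share an `r` value, which means the per-signature random number was repeated, while ignoring an identical signature that merely appears twice. To produce realistic input offline, the block includes a textbook ECDSA implementation on secp256k1 (the curve Bitcoin uses), signs constructed transaction hashes once with a simulated broken random-number source and once with a nonce derived deterministically from the key and message (the idea behind RFC 6979, shown here in a simplified HMAC form that is not a full RFC 6979 implementation), and runs the detector over both. The record layout, the transaction ids, and the function names are assumptions made for this example.

```python
"""Added example: ECDSA nonce-reuse detector over constructed signature records."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def sign(priv, h, k):
    """Textbook ECDSA with a caller-supplied nonce k; returns (r, s).
    The private key stays private only if k is unique and unpredictable per signature."""
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * priv) % N
    return (r, s)


def verify(pub, h, sig):
    """Standard ECDSA verification: recomputes k*G from the signature and checks its x coordinate."""
    r, s = sig
    w = pow(s, -1, N)
    pt = _add(_mul(h * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def deterministic_nonce(priv, h):
    """Simplified deterministic nonce (assumption for this example): HMAC-SHA256 keyed by the private
    key over the message hash, so no RNG is involved. Illustrates the RFC 6979 idea; NOT full RFC 6979."""
    mac = hmac.new(priv.to_bytes(32, "big"), h.to_bytes(32, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1


def find_nonce_reuse(records):
    """records: iterable of (txid, pubkey, msg_hash, r, s), the assumed layout a chain scanner collects.
    A repeated r under one key with different message hashes means the nonce was repeated and the key
    is exposed; a repeated r across different keys means one nonce served two keys, also exposing them.
    The same (hash, r, s) seen twice under one key is just the same signature twice and is not reported."""
    by_r = defaultdict(list)
    for txid, pub, h, r, s in records:
        by_r[r].append((txid, pub, h, s))
    findings = []
    for r, group in by_r.items():
        if len(group) < 2:
            continue
        if len({(pub, h, s) for _, pub, h, s in group}) < 2:
            continue  # identical signature repeated: no new information leaked
        kind = "same-key-nonce-reuse" if len({pub for _, pub, _, _ in group}) == 1 else "shared-nonce-across-keys"
        findings.append((kind, r, sorted(t for t, _, _, _ in group)))
    return findings


def demo():
    """Constructed records: two signatures from a broken RNG that repeats k, three from deterministic nonces."""
    priv = secrets.randbelow(N - 1) + 1
    pub = _mul(priv, G)
    h1 = int.from_bytes(hashlib.sha256(b"constructed tx A").digest(), "big")
    h2 = int.from_bytes(hashlib.sha256(b"constructed tx B").digest(), "big")
    bad_k = 0x1234  # stands in for a random-number source that hands out the same value twice
    records = [
        ("tx1", pub, h1, *sign(priv, h1, bad_k)),
        ("tx2", pub, h2, *sign(priv, h2, bad_k)),
        ("tx3", pub, h1, *sign(priv, h1, deterministic_nonce(priv, h1))),
        ("tx4", pub, h1, *sign(priv, h1, deterministic_nonce(priv, h1))),  # same signature seen twice
        ("tx5", pub, h2, *sign(priv, h2, deterministic_nonce(priv, h2))),
    ]
    assert all(verify(pub, h, (r, s)) for _, _, h, r, s in records)
    return find_nonce_reuse(records)


if __name__ == "__main__":
    for kind, r, txids in demo():
        print(kind, hex(r), txids)  # expect only tx1/tx2 to be flagged
```

The detector keys on `r` alone because `r` is the x coordinate of `k*G` and therefore depends only on the nonce, so a scanner needs no knowledge of keys or messages beyond grouping; the deterministic-nonce records show why a signer that derives `k` from the key and message never produces a reportable collision even when the same transaction is signed twice.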