How QuadrigaCX's Tragedy Could Have Been Prevented

One of the recent controversies in the crypto community is the developing story of the Canadian exchange QuadrigaCX. It’s a sad story in every sense and it has investors tearing their hair out because more than C$250 million is likely gone forever.

This is not the story of a typical “coin heist” everybody is familiar with. According to the facts unveiled so far, the mistakes leading to this particular disaster could have been prevented if only responsible precautionary measures were taken.

Briefing of the facts

QuadrigaCX was a Vancouver-based cryptocurrency exchange and one of Canada’s largest crypto trading platforms, handling significant transaction volume despite being a relatively small company.

As promising as it was for the majority of its users, however, the exchange has long faced several legal and financial issues. For example, last year they had C$25 million frozen in their CIBC bank account because the financial institution couldn’t verify the exchange’s legitimate ownership of the funds. While those funds were eventually unfrozen, the incident generated a backlog of withdrawals requests, staining the name of the company even before real tragedy struck.

The tragedy

None of the exchange’s previous problems could ever be compared to what would happen in December 2018. Gerald Cotten, the CEO and founder of QuadrigaCX, was on a trip to India when he suddenly fell ill due to Crohn’s disease. He was admitted to hospital, where he sadly and unexpectedly passed away due to complications.

While this news alone was awful – the exchange lost its most important executive, and a family is mourning its relative – it wasn’t until a detail was discovered a month later when the situation imploded. The discovery tripped major alarms and brought panic and severe hardship to QuadrigaCX’s customers.

What had been discovered: QuadrigaCX’s funds were kept in a cold storage wallet protected by a single passphrase, and that passphrase was known only by Gerald Cotten. Nobody else had this vital piece of information enabling access to the cold storage funds. And so with his death, the exchange’s wallet, which contained hundreds of millions of dollars in customer balances, was buried as well.

More than C$250m (US$190m) was suddenly rendered permanently inaccessible.

Analysis of the issue

As with the unknown passphrase protecting the frozen funds, we may never know what made Gerald Cotten decide on such a nonchalant security scheme. With the limited information available, the community can only speculate on the reasons behind this decision.

This has given free rein to a plethora of rumors – from Cotten’s death being a lie, to the funds never existing in the first place. However, although there could be truth to some rumours, in this article we’re going to put the allegations aside and stick to the official story told by QuadrigaCX.

Let’s start this off by asking: Why would you choose a single passphrase over better, more robust security mechanisms such as a multi-signature wallet?

As the CEO of an exchange, you’re responsible for anything that happens within the company, including the input and output of funds. As the guardian of your customers’ money, you’re expected to provide a safe and robust custody solution.

As an exchange owner, it’s crucial to take into account every scenario in which the funds in custody could be put in danger, and plan accordingly — especially when you’re operating an exchange with thousands of investors trusting you with millions of dollars (including some people’s life savings).

What could have been done differently?

It’s likely that we’ll never know the reason Cotton opted to lock the funds with a single key. However, we’re not going to provide a critique of the deceased. Instead, what this article attempts to accomplish is to outline responsible steps that someone in a similar position to Cotton can take to ensure their funds survive a crisis — hopefully helping to prevent a “QuadrigaCX 2.0”.

Horrible situations like this can be avoided if responsible security measures are taken.

We’re going to review three of them:

  1. Using a multi-signature wallet
  2. Sharing a backup key
  3. Using non-custodial technology

1. Using a multi-signature wallet

Multi-signature wallets are extremely common for organizations that hold any significant amount of cryptocurrency. They are special cryptocurrency wallets that require two or more keys to authorize the movement of funds.

“Multi-sig” has become standard among custodial cryptocurrency services due to the strong and simple protections these wallets provide. These special wallets work by designating authority to several people, thus creating the need for cooperation between key holders to sign a transaction.

If you decide to use a multi-signature wallet for the exchange’s cold storage, you can select any number of authorized people to sign off on a transaction. When movement of funds is required, a threshold of key holders are required to come together and coordinate a transaction.

The most common multi-signature wallet is a 2-of-3 scheme. That is to say there are a total of three key holders and any two of them are required to sign a transaction. If a key is lost, it shouldn’t matter so long as the remaining two keys are secure. An organization can choose to use any m-of-n designation; e.g. 1-of-2 or 5-of-10, or 2-of-2 (although the last option won’t help for this scenario).

If an exchange owner decided on a 2-of-3 setup, the owner could hold one key, and the two other keys could be entrusted with employees of the company.

There are several benefits an organization can gain from using a multi-signature wallet. For starters, with each key in the hands of each authorized person, the risk of theft is smaller, as a potential thief would need to gain access multiple keys — which is not an easy task if we assume the keys are stored in different places, and a theft of one key will alert the other keyholders to take extra precautions.

Another advantage comes with the threshold scheme. Should one of the keyholders pass away, there will be no repercussion to the unlocking of the funds as there are still two keys available.

2. Sharing a backup key

This sounds like an obvious one. Say I run a company that safeguards the funds of my clients. The funds are stored in an impenetrable vault and only I know the combination of the vault’s lock. If I die, the funds will remain locked in that vault forever. How can I prevent this from happening? Well, entrusting somebody else with the combination in the event of a crisis is a good start. However, it’s hard to find somebody to trust with a key to hundreds of millions of dollars.

A simple idea is to create a backup of your wallet and keep it in contents of your will. However, this is unsafe and not recommended because your lawyer — and whoever else has early access to your will — has the ability to copy the key and pull off a heist. Another idea is to give a backup to a trusted family member, but that carries the same risk. Unless there is somebody you have absolute trust in to hold the funds, and perhaps more importantly, somebody you trust to protect themselves from external theft, then sharing a complete backup with a specific person is a bad idea.

A much better idea is to use a less well-known technique: secret sharing. Shamir’s Secret Sharing Scheme (SSSS) is a powerful tool which allows you to split a secret into, say, 10 key parts, which you’ll distribute among trusted friends and relatives.

Each individual key part is useless alone, but together the key parts can be combined to recover the original secret (i.e. the backup key to the wallet). The magic of SSSS is that not every single key is required to recover the original. Similar to m-of-n multi-signature wallets, the SSSS backup could require, for example, 7-of-10 key parts to recover the backup. The m-of-n threshold is customizable when first generating the key parts.

Shamir’s Secret Sharing is a secure way to ensure the accessibility to the vault in the event that you, as the custodian, are no longer around.

So far, these two reviewed methods have one thing in common: they require trust in other people. Whether sharing a copy of his key, splitting it into several pieces, or setting up more keys and entrust them to others, you need to believe in these people. But what if you don’t want to trust anyone?

3. Using non-custodial technology

If trust is the root of the issue, can we remove it? Can we use a “trust-less” solution to avoid all the hassles while ensuring your users have access to their funds?

Enter non-custodial technology. Non-custodial exchanges (better known as “decentralized exchanges” or “DEXs”) are exchanges that never take custody of users’ funds. Instead of accepting user deposits, users on a decentralized exchange have full control over their cryptocurrency at all times. This means that regardless of the exchange’s status (whether it goes down for maintenance, or suffers a cyberattack), user funds will remain safe and accessible because it’s the users themselves who hold the keys to their own wallets.

If you operate a decentralized exchange, you don’t need to concern yourself with wallet security, for the obvious reason that there are no funds for you to protect.

If QuadrigaCX had been a decentralized exchange, the press wouldn’t be talking about how hundreds of millions of dollars in crypto, kept in cold storage of a trusted exchange were rendered lost forever because of a forgotten password.

There may still be some hope left for QuadrigaCX customers. Kraken, an exchange company investigating the rumours surrounding Gerald Cotton, recently offered a $100,000 reward to anyone with information leading to the return of the lost C$250 million.

Unfortunately, as we know from the alarming number of previous exchange hacks, thefts and scandals that remain unsolved, the probability that victims will see their investments again is slim.