A $99 Trezor Could Have Prevented the $70M Bitfinex Theft

The Bitfinex hack hit Bitcoin users hard: the exchange lost roughly $70 million USD in customer funds. Security is now on everyone’s lips, and two hardware wallet manufacturers, Trezor and Ledger, claim that the hack could have been prevented with one affordable device.

Trezor Wants to Stop Bitcoin Exchange Theft

In the wake of the Bitfinex hack, hardware wallet firms Trezor and Ledger published posts on Medium concerning the event. On August 5, SatoshiLabs wrote a column called “Trezor: Mitigating Risk For Bitcoin Exchanges” detailing how a Trezor device could have “completely prevented” the situation.

The company states its product has secured bitcoin for users in over 100 countries worldwide and has never experienced a glitch. SatoshiLabs writes:

With the recent Bitfinex hack, it came to light that all of the exchange’s bitcoins were stored in a 2-of-3 multisig hot wallet. With a full automation though, multisig loses its security advantage. It was sufficient to compromise one signature in order to empty the wallets. A good portfolio analysis would determine an appropriate percentage of the liquidity to be withdrawn to the safety of a Trezor (also capable of multisig). However, for the best security, Trezor allows no automation. Instead, it requires the responsible fund manager to verify each transfer between cold and hot wallet with their own eyes and a physical button press — something a hacker could never do.

SatoshiLabs also notes that Slush Pool and the European exchange Coinmate.io are two businesses that use the device for cold storage. The company believes exchanges are meant to be a part of the ecosystem to provide liquidity.

Ledger & Hardware Security Modules

On August 8, Ledger Wallet also published a Medium article detailing the benefits of hardware storage for exchanges. The company believes these types of hacks can at least be “severely limited — with a best practice security approach.”

For Ledger, best practice is what legacy financial institutions have relied on for years: secure hardware. The firm explains that Hardware Security Modules (HSMs), physical computing devices, can bring the best safeguards to the cryptocurrency industry for cryptographic key management.

Ledger understands that exchanges rely on hot wallets to be able to provide liquidity. However, they believe most exchanges do not live up to the standards that active physical security measures provide. Ledger states:

For some unknown and mysterious reasons, hot wallets security architectures are based on ad hoc solutions built around off the shelf hardware and thus totally uncertifiable against Common Criteria or FIPS 140. When you deal with private keys that you cannot revoke, and whose compromise would result into massive losses, you just can’t have them on a regular server architecture.

Throughout the rest of the blog post, Ledger describes a hardware solution that it believes could curb theft in the Bitcoin exchange sector. The company sees only one worst-case scenario, which is the inside job. However, the firm says that a rogue employee would have to be extra careful under the HSM method.

“The worst-case scenario is a loss of what the rate limiter allows per hour, multiplied by the number of hours the hacker managed to stay undetected,” Ledger explains.
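The bound Ledger describes can be checked with a small model of a rate-limited signer, contrasted with the fully automated, unlimited signer that SatoshiLabs criticises. This is an added example, not code from Ledger, SatoshiLabs or the article; the class and function names and all figures are constructed assumptions.

```python
from collections import deque

HOUR = 3600  # seconds


class RateLimitedSigner:
    """Policy gate in front of a hot-wallet signing key (hypothetical model)."""

    def __init__(self, limit_per_hour):
        self.limit = limit_per_hour   # max units signed per rolling hour; None = no limit
        self.window = deque()         # (timestamp, amount) of approved spends
        self.spent = 0                # sum of the amounts currently in the window

    def request(self, ts, amount):
        """Return True if the spend is signed, False if it is refused."""
        # Expire approvals that are an hour old or older.
        while self.window and self.window[0][0] <= ts - HOUR:
            self.spent -= self.window.popleft()[1]
        if amount <= 0:
            return False
        if self.limit is not None and self.spent + amount > self.limit:
            return False              # a real service would also raise an alert here
        self.window.append((ts, amount))
        self.spent += amount
        return True


def simulate_compromise(limit_per_hour, balance, hours_undetected, chunk):
    """Total signed away when every request in the period is hostile.

    Models a compromised request channel asking for `chunk` units once a
    minute until the operators notice and shut the signer down.
    """
    signer = RateLimitedSigner(limit_per_hour)
    lost = 0
    for ts in range(0, hours_undetected * HOUR, 60):
        amount = min(chunk, balance - lost)
        if signer.request(ts, amount):
            lost += amount
    return lost


if __name__ == "__main__":
    # Constructed figures: 120,000 units in the hot wallet, 6 hours undetected.
    print("no limiter:      ", simulate_compromise(None, 120_000, 6, 500))
    print("1,000 units/hour:", simulate_compromise(1_000, 120_000, 6, 500))
```

With the limiter in place, the loss depends on how quickly the compromise is detected rather than on the size of the hot wallet, so alerting on refused requests matters as much as the cap itself.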

The security firm has also offered its services to businesses that want to protect customers’ funds with secure key management through HSM implementation.

The two companies believe they can advance security for exchanges and wallet services and are very willing to instruct these companies on the best security practices. It may be beneficial for firms exchanging bitcoin or managing users’ private keys to heed their advice, as the community has begun to question multi-signature practices.

While hardware solutions may not completely eliminate cyber theft, devices such as Trezor and Ledger should be taken into account as a way to reduce attacks and deter hackers.
