Coinbase recently moved 5% of all BTC, 8% of all ETH and 25% of all LTC in circulation (among many other assets) in what we believe is the largest crypto migration on record. Our VP of Security is publishing the case study below to shed light on the specific ways we build security into our platform at every stage — as well as engage with the community around sharing best practices for crypto security.

In the world of cryptocurrency, security must be a core value and top priority of any organization looking to serve customers over the long-term. Today, we’re sharing what we learned from our recent migration of crypto with the broader ecosystem in an effort to build trust for the entire industry.

At Coinbase, our commitment to security is expressed in a number of ways, from consumer security protections to internal development practices to third-party audits and tests. Our most critical responsibility is the security of the assets that our customers entrust to us. The gold standard of cryptocurrency asset security is offline, or “cold,” asset storage. Coinbase stores 98% or more of our customer assets in our cold storage system. Coinbase’s cold storage has gone through a number of evolutions through the years as the cryptocurrency space has evolved and matured.

L ast week we successfully completed an on-blockchain migration of approximately $5 Billion (as valued the week ending Dec. 7, 2018) of cryptocurrency from Generation Three to Generation Four of our cold storage infrastructure. To our knowledge, this is the largest movement of cryptocurrency (certainly in USD terms, potentially in absolute terms) ever undertaken.

TRULY SECURE CRYPTO THROUGH TRUE COLD STORAGE

Cold storage can cover a number of storage techniques, ranging from HSMs to bunkers in the Swiss Alps. Assets placed in cold storage are completely offline and disconnected from any automated system. As with many terms in a rapidly developing industry like cryptocurrency, there is no clear standard for cold storage.

Coinbase’s standard for truly cold storage is that multiple geographically separated humans in the real world should be forced to perform physical actions to enable a transaction after reviewing transaction details. If that isn’t true, we don’t think it’s actually cold storage.

Coinbase’s cold storage has been through a number of iterations over the last six years. The first version, as we’ve talked about previously, was keys in a safety deposit box.

Coinbase cold storage, circa 2012

While that was fine for back then, as asset values increased and cryptocurrencies started to diversify, we needed to build a system that ensured broad consensus on movements from cold storage and could flexibly support many types of assets. In our latest version, which initially rolled out with Coinbase Custody and now handles all cold storage at Coinbase, we start with a secure foundation with a highly controlled and audited key generation process and continue with a globally distributed key storage and transaction approval system.

USHERING IN THE NEXT GENERATION OF COLD STORAGE

This system protects against key loss, key misuse (including insider threat and application level attacks) and supports world class key governance and audit while being currency agnostic. That means we can store any cryptocurrency using the same system, without making compromises in the level of security provided to any single cryptocurrency.

The idea of moving $5 Billion on-blockchain was one we approached with a very high degree of caution. While we believe in the security of the blockchain, the number of moving parts combined with our absolute responsibility to ensure the security of funds in our custody meant that we needed to cover every possible scenario.

We began planning months before the actual move date and involved almost every team at Coinbase in the process. We conducted risk assessments, honed monitoring plans and conducted test migrations until we were positive that the live migration would go off without a hitch.

NAVIGATING RISKS

One of the risks we identified early on in the process was the potential for our migration to be mistaken for an exchange breach or a large trader preparing to sell a significant amount of cryptocurrency. Either way, we were worried that the market uncertainty would result in price movements. On the other side of the equation, we were worried that giving potential attackers too much notice would let them plan for and execute attacks during the migration. Once we were ready to conduct the migration, we put out a brief blog post to calm fears without giving away too much information about our plans. This piece helped steer a significant amount of the resulting discussion on online forums and in trade blogs (like this one).

After that blog post was out, we proceeded to restore our existing cold storage addresses one by one, waiting until the previous address had been swept to the new cold storage before moving the next address. This approach made the migration take longer (it lasted 4 working days), but resulted in much higher assurance that our customers’ funds were secure every step of the way.

In the end, what all this means is that we’re continuing to push the pace of the industry in providing secure, auditable, asset-agnostic offline storage for cryptocurrency. Our customers reap the rewards in terms of better security, more assurance and faster asset additions. This new cold storage system is a core part of our strategy to expand our asset offerings while never compromising on the level of security we provide our customers. If that sounds like an interesting set of challenges, we happen to be hiring…