Blockchain Security Incidents and Private Key Management

January 19, 2022 - Zero Friction has recently completed the implementation of our Blockchain Hack and Scam Database. This in-house solution aggregates vetted incident data from various Internet news sources dating back to 2012. The data are then combined with our own internal blockchain and smart contract expertise to identify and tag key attack and event patterns. Our goal is to keep this database public, providing transparency to the blockchain ecosphere and supporting ongoing blockchain adoption.

Zero Friction's Hack and Scam Database can be accessed here.

As a quick recap, blockchain technology relies on a wallet to hold the private key for the user or contract address, which is used to sign and authorize transactions. Responsibility for maintaining the wallet comes in two forms: custodial and non-custodial. When a user holds funds on a centralized cryptocurrency exchange, the exchange acts as the custodian for the user's funds and therefore holds the private key on the user's behalf. Conversely, in the non-custodial model, the user is responsible for his/her wallet and the private key. In both cases, any loss of the private key will ultimately lead to the loss of funds.

The connection state of the wallet to the Internet can introduce additional risks to the wallet's holder. A hot wallet maintains a persistent connection to the Internet to support ongoing transaction requests, such as buying and selling cryptocurrencies on an exchange for the user. Since this design carries greater risk for the wallet's owner, most exchanges utilize multiple hot wallets and keep funds to no more than 2% of required assets under management. On the other hand, a cold wallet is air-gapped and is connected only when required. The majority of exchanges maintain the bulk of their funds in cold wallets.
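The hot-wallet ceiling described above can be monitored with a simple exposure check. The following is an added example, not Zero Friction's code or any exchange's actual tooling; it assumes the 2% cap applies to the combined balance of all hot wallets, and the wallet names and balances are constructed sample values.

```python
from decimal import Decimal

HOT_CAP = Decimal("0.02")  # the 2% ceiling quoted above

# Constructed sample: wallet name -> (kind, balance in USD). Not real data.
SAMPLE = {
    "hot-1": ("hot", Decimal("1500000")),
    "hot-2": ("hot", Decimal("900000")),
    "hot-3": ("hot", Decimal("400000")),
    "cold-1": ("cold", Decimal("30000000")),
    "cold-2": ("cold", Decimal("17200000")),
}

def hot_exposure(wallets):
    """Return (combined hot balance, total AUM, hot share of AUM)."""
    hot = sum((b for k, b in wallets.values() if k == "hot"), Decimal(0))
    aum = sum((b for _, b in wallets.values()), Decimal(0))
    ratio = hot / aum if aum else Decimal(0)  # empty book: no exposure
    return hot, aum, ratio

def sweep_plan(wallets, cap=HOT_CAP):
    """List (wallet, amount) moves from hot to cold storage that bring the
    combined hot balance down to cap * AUM, largest hot wallet first.
    Moving funds hot -> cold leaves AUM unchanged, so the target is fixed."""
    hot, aum, _ = hot_exposure(wallets)
    excess = hot - cap * aum
    plan = []
    by_size = sorted(((b, n) for n, (k, b) in wallets.items() if k == "hot"),
                     reverse=True)
    for balance, name in by_size:
        if excess <= 0:
            break
        amount = min(balance, excess)
        plan.append((name, amount))
        excess -= amount
    return plan

if __name__ == "__main__":
    hot, aum, ratio = hot_exposure(SAMPLE)
    print(f"hot {hot} of {aum} AUM = {ratio:.1%} (cap {HOT_CAP:.0%})")
    for name, amount in sweep_plan(SAMPLE):
        print(f"move {amount} from {name} to cold storage")
```

Draining the largest hot wallet first is one possible policy, chosen here because it reduces the biggest single point of exposure with the fewest transfers.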

To highlight one use case for Zero Friction's Hack and Scam Database, we want to understand how private key management may have impacted the blockchain ecosphere in known security incidents. Specifically, we want to learn any or all of the following from our database:

  1. To what extent does private key management play a role in past incidents?

  2. Are there differences observed with regard to private key management between hot and cold wallets?

  3. What types of entities are involved in private key leak incidents?

  4. What does the trend look like historically, and what will it possibly be for 2022?

Let's dive in on what we've learned!

Private key compromise contributes to total losses exceeding $2.0B across our historical data.

Exchanges account for $1.5B, or 59% of the total losses, and the various protocols hold the second spot for $175M or 14% of the total losses.

The data indicate that the cost of compromise has been increasing since 2012 and will likely continue to rise. Perhaps this is due to the significant gains to be made from successfully breaching the private key of either a hot or cold wallet, versus attacking or manipulating a smart contract for profit.

In 2021, notable examples of exchanges and protocols compromised include BitMart, AscendEx, Liquid, EasyFi, bZx and BXH.

Our analysis further reveals that hot wallets were most likely to be compromised in private key leaks, accounting for 46% of the incidents. Conversely, our analysis also reinforces the use of cold wallets as one of the best mechanisms to safeguard virtual assets. For all the HODLRs out there, the data support that hardware wallets like Ledger and Trezor are excellent tools for long-term storage.

For further clarification, in our methodology, the 'Either' label was used to identify losses where the relevant news source did not provide explicit identification, and the 'Others' label was used for any other unclassified methods.

We can infer increasing cryptocurrency interest by following the king of cryptocurrency - Bitcoin. The chart below is taken from IntoTheBlock and highlights Bitcoin's price doubling this year to reach almost $70k. The same chart also shows institutional interest, as categorized by the increasing volume of transactions greater than $100k.

Mapping the above observation back to our own dataset, we can observe that private key compromise also follows the money inflows as indicated.

As a final takeaway, we expect private key compromises to continue to be a major attack vector for ongoing losses for the blockchain ecosphere.

How do you best protect yourself as a crypto investor? It may be beneficial to rethink how much crypto you are willing to risk on the exchanges or protocols. Perhaps investments over an arbitrary value, such as $35k (the amount should be adjusted upward or downward depending on your risk tolerance), should be maintained using your own hardware wallet or diversified across multiple exchanges or protocols.