The Quadriga Stramash

I was on BBC Radio Scotland today talking about the Quadriga Exchange hack.

These radio pieces are often challenging – you’ve only got a few minutes to say something meaningful on cryptocurrency, a topic that doesn’t lend itself to pithy explanations and confuses the majority of people at the best of times.

It’s an interesting story though and worth recapping here.

Quadriga was one of Canada’s biggest cryptocurrency exchanges. Until a couple of months ago, when its 30-year old founder died unexpectedly whilst travelling in India. Not particularly newsworthy in itself – until it transpired that he alone  had sole responsibility for handling the funds, banking and accounting side of the business. Following good practice, the exchange kept a significant proportion of its cryptocurrency in cold storage. Which was great – until they released after his death that there was no way for his widow to retrieve the missing private keys. Cue the bankrupcy of the exchange.

The BBC were interested in a few key questions such as:

Q: Is it credible that £105 million could simply be locked away somewhere that no-one can access?

A: It’s not only credible – that fact lies at the core of cryptocurrency. Crypto has a three key characteristics: the asset can’t be copied; its use can’t be censored; and it can’t be confiscated. And a big part of the reason that explains each of these points is the public/private key pair that makes up each ‘bitcoin’. The public key is like your home address: anyone can send funds to it, 24 hours a day. But you can’t then move (spend) that Bitcoin unless you use the private key.

So is it possible in principle that the currency could be lost for all time? Absolutely. Unless you manage to break the rules of mathematics (enabling you to somehow derive the private key from the public key), it’s gone for good. Is this a bad thing? No. Because it also means that you can do things such as travel the world with only one password in your head that gives you control over vast sums of money without any interference. And that’s a characteristic that a truly global, internet currency must have.

Q: Is cold storage valid/sensible?

A: Yes. If you don’t own your (private) keys, you don’t own your bitcoin. Storing that private key offline – whether in a hardware wallet, USB stick or paper wallet – keeps it far from the prying eyes of any hacker. Hence the recent #proofofkeys campaign on Bitcoin’s tenth birthday which encouraged everyone to remove their cryptocurrencies from the control of exchanges.

In this case, it sounds like they correctly went down the cold storage route. But not sharing the backups or passwords to decrypt files amongst key execs – or using other more technical but basically straightforward approaches to secret management (e.g. Shamir’s Secret Sharing where you need a certain number of related passwords that is less than the total created to be able to unlock) – shows an incredible naivety towards running a business.

Q: It seems extraordinary that no-one can now hack into the system to release the funds?        

A: Not really. While it may be strange to you to think that no-one can hack the system, the ‘system’ you’re talking about here isn’t a safe or a bank. The system we’re discussing is maths. Or more accurately, cryptography and secure communication.  We’re dealing with the science of numbers, and the way that these work together. So if it’s hard to imagine that no-one can hack this system to ‘release’ these missing bitcoin, ask yourself a similar question: can people hack gravity? In the sense of permanently altering the level of gravity on planet Earth? Perhaps, theoretically, at some point in the far far future. But not today. And in the same way, you can’t simply change the laws here either.

Q: The internet is awash with conspiracy theories. Does this case just highlight the need for more and better regulation governing cryptocurrency? 

As is always the case when real money goes missing, allegations are flying. But there’s a couple of things that I suggest that anyone who doesn’t follow cryptocurrency tries to take on board here.

The first is transparency. We may find out ultimately whether or not this is some kind of elaborate exit scam pulled by someone in over their head, an unfortunate naivety and lack of organisational foresight – or something entirely different. Or we may not. After all, how do you prove a negative? The private key to that money is only lost until the day that those funds start to move…But can you imagine citizen investigations like this following allegations of financial irregularities taking place in the banking sector today?

I have my own views on what likely happened here. But more conjecture really shouldn’t be the goal here. Because we are living through a paradigm shift here. For the first time, we have a burgeoning financial system where total responsibility for assets falls onto the shoulders of the individual. And of course, it’s scary having complete and utter responsibility for your own financial future.

For those who don’t want to do that, don’t play in the sandpit.

But for those who do? Remember: the beauty of the system was that it was created to function without third parties. That includes exchanges and modern ‘crypto-banks’. Because the moment you introduce third parties and start to rely on them in any way, the more risks you’re taking on. With your money.

To quote Uncle Ben in Spiderman: “With great power, comes great responsibility”. Learn what you need to in order to become comfortable with the risks that you’re taking on if you want to be part of this new world. But if you’re waiting for the safety net of regulation to save you, I’m afraid you’ve turned up to the wrong party.