I vividly remember my first experience as a Bitcoin Evangelist. I tried to explain what Bitcoin was to someone who had only just heard about Bitcoin from the mainstream media and she just couldn’t get it. She asked me how i could say that Bitcoin was secure when it had just been hacked and was now bankrupt. Those of us who have been in this space long enough still remember that back on those, when an exchange or wallet service got hacked and it’s customers lost their funds, mainstream media would report it as though Bitcoin had failed. I remember thinking then that had the responsibility to tell the correct narrative rather than let journalists who don’t get Bitcoin do it for us. Now I’m working for a Bitcoin exchange and as i reflect on that experience, i realise that we (read: Bitcoin Exchange operators) have the following responsibilities:
- To not get hacked.
But then again, even the most secure websites get hacked sometimes. So perhaps our real responsibility is to make sure that even if we do get hacked, we didn’t lose people’s Bitcoins.
- To not lose our customers’ Bitcoins
Satoshi invented Bitcoin to allow anyone to be their own bank. When someone else keeps and controls your money for you, there’s always a chance that they can lose, misuse or run away with your money if they choose to. But the reality is that, although we are going to encourage our customers to be their own banks, we also have a wallet service and some people are not going to be capable of securing and storing their Bitcoins themselves so they will probably trust us more with their money than they trust themselves. We therefore have a responsibility to make sure that we don’t lose that money to malicious hackers.
What our customers want
Instant Gratification- when i withdraw my Bitcoins from an exchange, i want them to get in my wallet now. Let’s face it, if i didn’t care about instant transfers then I’d put my money in a bank.
What we want (for our customers)
So we have established that we are going to need some sort of hot wallet but that’s not going to be enough to keep our customers money safe. In addition to that we are going to need:
- Cold storage — it wouldn’t be wise to put all our eggs in the hot wallet — there’s always a chance anything online can get compromised. We’ll always keep a fraction of our Bitcoins in a hot wallet and the rest in cold storage. That’s better security practice. Now we know what wallets we need but who in the company will have access to these? Next we need policies but policies alone are not enough…
- Policies that can be enforced programmatically
It’s not a good idea to one person full and exclusive access to the company’s Bitcoin wallet for two reasons: if they get run over by a bus, we’re screwed and if they decide to run away with all the money, we’re screwed too. For the second reason, we can’t give many people full access to the wallet because we don’t want one of them to be able to run away with all the money. This is where m of n multisig wallets come in. With multisig wallets, you give a number of people (n) the keys to sign transactions and you can choose how many signatures (m) you need for a transaction to be valid. Other policies we will need to enforce programatically are policies like: defining which IP addresses that can initiate withdrawals, defining a cap on the maximum withdrawal that can be made without first requiring approval. Bitcoin already makes these social contracts possible today.
Why we secure our funds with BitGo
Firstly, we trust them because we don’t have to trust them. BitGo alone can’t control the funds in our wallet. BitGo operates a 2 of 3 multi-signature wallet were they control just one key to co-sign transactions — we hold the other one two (and one of these is a backup key we store safely in cold storage and never touch). This is good because:
- It’s way more difficult for a thief to steal two keys than it is for them to steal one. By using multi-sig, we’re adding another layer of security against theft. This also makes it more difficult to mistakenly send money to a false address.
- Murphy’s Law: Hard-drives crush, passwords get forgotten — things will likely go wrong and when they do, we’ll be able to recover from the backup key we keep in cold storage.
- Multi-User Support
In addition multi-sig, we also have the ability to enforce controls with our organisation. So, for example, our accountant can have permissions to view transactions and not send money or the CTO can have permissions to send money, but up to a certain limit. We can also combine this with multi-sig and have a rule internally which says that money can only be sent from this wallet if 3 out of 5 authorised personnel sign the transaction.
- Spending Limits
I hinted at these in the last point. You can choose whether to have daily spending limits, transactional spending limits or both. The way we have set it up is that multiple signatures are required to spend about our limit threshold so we sleep easy at night because we know that our wallet cannot be easily emptied overnight.
- Address Whitelists
This is my favourite feature. You can scope your wallet to spend to a number of pre-approved, known, sage addresses. Spending to any address that is not on the whitelist would then require additional approval. An example of a situation of where this would be if a hacker manages to compromise our cold wallet. They will only be able to spend the Bitcoins in it to one of our addresses and would need to first come to us for approval before they can send the bitcoins to their wallet.
Humanity has come a long way. Before Bitcoin, the only way you could transact digitally was if you trusted some third-party with your money and if this third-party chose to, they could run away with all your money. Now Bitcoin allows you to transact digitally, entrust somebody else with the security of your wallet and still remain in full control of your money. Technologies like Bitcoin are making the world a better place.