The case of QuadrigaCX – the cryptocurrency startup that saw CAN$250 million (£145m) disappear – just got a lot more complicated. Analysis of crypto accounts has failed to find where the money went.
Gerald Cotten, the CEO of the Canadian company, died in India in December, and left 115,000 cryptocurrency wallets inaccessible. QuadrigaCX’s cryptocurrency wallets were kept in so-called cold wallets, which store valuables offline – theoretically insulating them from the kind of hacks that have blighted major cryptocurrency exchanges such as Mt Gox, which lost $1 billion-worth of crypto after it was hacked in 2014. (Mark Karpeles, Mt Gox’s CEO, was arrested and charged with embezzlement in Japan, and is being sued by victims of the Mt Gox theft in a US court.)
To unlock the cold wallets, the executors of the estate need a master key – the sole copy of which Cotten held before his reported death in December due to complications from Crohn’s disease. However, an analysis by auditors Ernst & Young, who were brought in to deal with the aftermath of the closure of QuadrigaCX, has more problematic findings for the account holders.
Cotten supposedly moved bitcoin entrusted to QuadrigaCX into six cold wallets. But Ernst & Young has said that its investigation found that those wallets were empty eight months before Cotten’s supposed death. Put simply: £145m-worth of cryptocurrency people trusted Cotten to keep safe wasn’t where he said it would be while he was alive, and no one knows where it is now.
A $100,000 bounty has been put up for information that can help find the missing millions, and one researcher, James Edwards, believes he may have found a significant chunk of QuadrigaCX’s funds stored on three other cryptocurrency exchanges.
Regardless, the news of empty cold wallets has some wondering whether there has been fraudulent activity or a cover-up of nefarious movement of the funds QuadrigaCX was meant to be storing. It’s a blow to the reputation of cryptocurrencies, which have been mocked for their rollercoaster valuation and the perception that it’s a wild west environment where people are as likely to be ripped off as they are to make off like thieves from savvy investments.
“This is clearly a very significant loss,” explains Emin Gün Sirer, a professor at Cornell University. “Not only is the amount relatively large, but also it affects a large portion of the Canadian cryptocurrency community.” What makes it quite so damaging is that it appears to be “a complete loss event; that is, there are few assets to recover.”
“This is another in a long line of examples that show that cryptocurrency exchanges are the weak link in the chain,” says Alan Woodward, a computer security expert from the University of Surrey. “If you use an exchange – and it’s the way many use cryptocurrency – then you are trusting people, unlike the blockchain itself which uses technology to ensure trust.”
That’s the fundamental issue at the heart of this and similar cases: while cryptocurrency is designed to be safe, its relative youth means it relies on human gatekeepers. “This is pretty small fry compared to the larger hacks, but it highlights why people should take control of their coins with hardware wallets and not trust custodial exchanges to keep their coins safe,” says Patrick McCorry, assistant professor at King’s College London, who researches cryptocurrencies.
“Exchanges are effectively financial exchanges but they remain unregulated in most jurisdictions,” says Woodward. “Hence, exchanges are ripe for everything from conspiracy to messing up.” Which one of these – conspiracy or cock-up – best describes the latest wrinkle in the QuadrigaCX story is yet to be seen. But the crypto industry needs to take action to shore up its reputation.
“Issues like this arise due to the non-custodial nature of cryptocurrencies,” says McCorry. “In the crypto world, it is the companies’ full responsibility to ensure the coins are recoverable in ‘never events’ like this. I imagine more companies will run into this problem as crypto becomes more popular.”
To get out ahead of future issues, cryptocurrency exchanges and associated companies should try to proactively head off potential problems. Firstly, McCorry recommends exchanges instigate internal policies that ensure employees, and not just owners, can identify and find the coins that should be under their control. Currently it seems like the missing £145m hasn’t been traced.
Exchanges can also take advantage of the blockchain, the technology underpinning cryptocurrencies, to ensure that coins can be recovered even if someone dies. McCorry suggests that measures could be put in place to allow the coins to be spent if either the founder of the exchange authorises it, or if a group of parties authorise it after a time delay – he suggests 10 weeks. “This way, the coins can always be recovered by an independent group, such as auditors, internal employees.”
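One way the spending rule McCorry describes could be expressed in Bitcoin Script, as an added example that is not from the article or from McCorry: the founder's key can spend at any time, or 2 of 3 recovery keys can spend once the coins have sat unmoved for about 10 weeks. The 2-of-3 threshold, the placeholder keys, the block-based delay and all function names are assumptions made for illustration.

```python
# Added illustration (not from the article): Bitcoin Script for
# "founder at any time, OR 2-of-3 recovery group after ~10 weeks".
OP_IF, OP_ELSE, OP_ENDIF = 0x63, 0x67, 0x68
OP_DROP, OP_CHECKSIG, OP_CHECKMULTISIG = 0x75, 0xAC, 0xAE
OP_CHECKSEQUENCEVERIFY = 0xB2        # BIP112 relative timelock
DELAY_BLOCKS = 10 * 7 * 24 * 6       # assumption: ~10 min per block -> 10080

# Constructed placeholder keys (33-byte compressed-key shape, not real keys).
FOUNDER = b"\x02" + b"\x11" * 32
GROUP = [b"\x03" + bytes([i]) * 32 for i in (0x21, 0x22, 0x23)]

def push(data: bytes) -> bytes:
    """Direct data push, valid for 1..75 bytes."""
    if not 1 <= len(data) <= 75:
        raise ValueError("push size out of range")
    return bytes([len(data)]) + data

def script_num(n: int) -> bytes:
    """Minimal little-endian encoding of a positive script number."""
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:               # keep the sign bit clear
        out.append(0)
    return bytes(out)

def recovery_script(founder, group, threshold, delay=DELAY_BLOCKS):
    # Above 16 so a plain data push is minimal; 0xFFFF is the BIP68 block limit.
    if not 16 < delay <= 0xFFFF:
        raise ValueError("delay not encodable")
    if not 1 <= threshold <= len(group) <= 16:
        raise ValueError("bad threshold")
    branch_a = push(founder) + bytes([OP_CHECKSIG])
    branch_b = (push(script_num(delay))
                + bytes([OP_CHECKSEQUENCEVERIFY, OP_DROP, 0x50 + threshold])
                + b"".join(push(pk) for pk in group)
                + bytes([0x50 + len(group), OP_CHECKMULTISIG]))
    return bytes([OP_IF]) + branch_a + bytes([OP_ELSE]) + branch_b + bytes([OP_ENDIF])

def spend_path(signers, utxo_age_blocks, founder=FOUNDER, group=GROUP,
               threshold=2, delay=DELAY_BLOCKS):
    """Policy model: which branch the given signers can satisfy, if any."""
    if founder in signers:
        return "founder"
    if utxo_age_blocks >= delay and len(set(signers) & set(group)) >= threshold:
        return "recovery"
    return None
```

The relative timelock counts from the confirmation of the output being spent, so coins left unmoved for longer than the delay become spendable by the recovery group. A founder who wants to keep sole control has to re-send the coins to a fresh copy of the script before the delay runs out.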
Sirer recommends that the sector takes advantage of the mathematical properties of these assets to provide even stronger assurance without costly audits. “In essence, exchanges can prove their solvency through cryptographic mechanisms,” he says.
Of course, that’s easier said than done for small companies with low overheads, designed to be light on regulation. And it doesn’t prevent people with bad intentions from gaming the system in their favour. Besides, proof of solvency is currently not commonplace because of a lack of customer demand. That may change. “If any good comes out of the QuadrigaCX saga, I hope it'll be increased user demand for cryptographic mechanisms for proving solvency,” says Sirer.
But Woodward is less confident that something can be done. Cryptocurrency exchanges trade on their reputation as being distant from the reaches of formal financial regulators – it’s what attracts many to use them. While that’s a strength when things go well, it’s a fatal weakness if something goes wrong. “It’s one of many reasons people have significant doubts about any cryptocurrency that is not linked to and run or regulated by a traditional financial institution like the Bank of England,” he says.
This article was originally published by WIRED UK