Crypto Exchange Liquid Loses $100m in Hack

Posted on sept. 8, 2021 | BLOG

hacker_abstract

On the morning of August 19th, Japanese crypto exchange Liquid Global announced that some of their “warm” wallets were compromised, becoming the second major cryptocurrency hack in the month of August. The loss is estimated to be worth around $97 million US dollars in cryptocurrency. The exchange is currently investigating the cause of the incident and has temporarily suspended all transactions. 

The Liquid hack follows hot on the heels of the infamous and baffling Poly Network hack, where an anonymous hacker stole and then returned $600m in digital assets. Overall, it has been a bad year for DeFi protocols, with several exploited and hacked through increasingly sophisticated techniques. 

How was Liquid Exchange Hacked?

Japan’s Liquid Global is an international cryptocurrency-fiat exchange program. Despite not serving US residents, it is among the top ten cryptocurrency exchanges in the world based on daily volume. While their mission is to build a progressive, secure ecosystem for consumers and asset traders, they were unable to prevent the second largest digital asset theft to happen in August 2021, the largest being the theft of $600 million from Poly Network on August 10th.    

Liquid Global has over 800 thousand customers worldwide who conduct over $100 million in daily transactions of its 80 listed tokens. 

Liquid’s Warm Wallet MPC function allegedly compromised

Liquid manages its assets using a cold and warm wallet system, as well as Multi-Party Computation (MPC) technology. 

MPC is a cryptographic security function that requires a user’s private key to be generated by a number of parties, each unaware of the code generated by other facilitators. Liquid did not comment on how this security function was compromised, but has promised new MPC infrastructure with greater security since the hack occurred. 

A common reason for hacks in cryptocurrency thefts is that a user’s private key becomes compromised by other parties. Usually, an asset management company will securely store this key for you, while you are in possession of your public key to accept funds. However, mistakes can happen. Security experts speculate that the latest Liquid hack is related to their security breach last November. Hackers can be notoriously patient when it comes to waiting for the right moment to strike after infiltrating a system. 

A recent example is the recent Fireblocks vs StakeHound saga, where the digital asset custodian and its client became embroiled in a court case over the loss of $70 million in crypto after a mixup with the private key’s backup. 

What is a Warm Wallet?

In the simplest terms, a cold wallet is a dedicated physical offline crypto storage device that is not connected to the internet, like Ledger and Coolwallet. A hot wallet means that a crypto wallet application is connected to the Internet, and therefore might be more vulnerable.

A warm wallet falls somewhere in between a cold and hot wallet. It provides the ability to conduct transactions, but comes with superior security and enhanced safety measures.

Crypto Exchange Hacks- A Constant Threat

 Cryptocurrency thefts have been par for the course since 2014’s Mt. Gox hack, impacting multiple exchanges and users in recent years, including big names like Binance, Huobi and OKCoin

It is almost guaranteed there will be more cryptocurrency hacks in the future. As a user, the best way to prevent your digital gold, silver and NFT “jpegs” from being stolen is to understand the security features your wallet guarantees, and keep your private key somewhere safe.  

It may seem like your private wallet key would be safest in a physical form, but this has its own risks as well. Just ask the 35-year-old software engineer in Wales, England who threw away his hard drive which contained the private key to access 7500 Bitcoins, now worth $367 million US dollars.

What’s Next for Liquid After the Hack? 

As of August 21st, Liquid has completed their new MPC structure with heightened security, and will be testing the migration of assets to new secure vaults.  Liquid is taking all actions available with the appropriate authorities, and continue to update their customers through their blog and official Twitter account.  

At present, the saga continues. Several parties like Elliptic are tracking the funds despite the hacker’s best efforts to lay low and only interact with decentralized exchanges like SushiSwap. Some exchanges are also freezing suspicious accounts.

It may soon turn out that there is no place to hide with that large a bag of stolen crypto. With anti-money laundering (AML) regulations targeting the crypto sector and the on and off-ramps for crypto-to-crypto and crypto-to-fiat transactions, we’re seeing greater cooperation between exchanges and custodial platforms. Despite fears of excessive centralization, this bodes well for the industry.

CYBAVO VAULT Uses Sepior’s Highest MPC Security

Ultimately, your crypto assets are only as safe as the security measures you employ, and this includes your custodial solution of choice. If you choose a custodian that uses an MPC solution, keep in mind that not all MPC security measures are created equal. 

CYBAVO’s team of cybersecurity veterans are proactive in taking all security measures to protect digital assets. CYBAVO works with Sepior, a world-leading threshold security provider. CYBAVO VAULT wallets are protected by Sepior’s Threshold signature (ThreshSig) technology, its highest form of MPC security. ThreshSig ensures that your complete private key never exists on a single device, making it impossible to steal. What’s more, CYBAVO is insured by a S&P AA-rated international insurance company to provide digital asset loss insurance coverage, providing additional security to their institutional wallet customers.