Can a Cryptocurrency Wallet Ever Be 100% Unhackable?

On Thursday, a breach at the Japanese cryptocurrency exchange Liquid Global resulted in the theft of almost $100 million in cash.

The assault was believed to be directed against the company's multi-party computation (MPC) system of custody.

“This time, our Singapore subsidiary QUOINE PTE's MPC wallet (used for storage / delivery management of cryptographic assets) was hacked,” the firm stated in a blog post about the issue, which Google translated from Japanese.

In the bitcoin world, hacks are frequent. The Liquid attack is intriguing, however, because MPC appears to be the technology of choice among banks and blue chips looking to get into crypto. MPC is an advanced cryptographic technique in which the private key controlling funds is generated collectively by a set of parties, none of whom can see the fragments calculated by the others.

PayPal's purchase of Curv in March and Gemini's acquisition of Shard X in June are two examples of MPC shops in high demand. BNY Mellon, the world's largest custodial bank, announced a collaboration with MPC supplier Fireblocks earlier this year.

MPC is likely to be a desired end-goal for banks interested in the cryptocurrency sector since the technology is adaptable to their needs and provides a more flexible, self-managed solution than just turning over keys to a third-party custodian.

Is it MPC's fault?

According to Michael Shaulov, CEO of Fireblocks, the way MPC wallets may be set up is where vulnerability might sneak in. This is referred to as a policy problem, or human mistake.

According to two individuals familiar with the agreement, Liquid Exchange utilized MPC technology supplied by Israel-based Unbound Security. Unbound is a well-known cryptography firm that has received backing from Goldman Sachs and is utilized by JP Morgan for key management inside its Onyx suite of blockchain-based services.

Unbound's spokesperson stated via email that the business was "unable to comment on things that fall outside of our scope."

According to Shaulov of Fireblocks, Thursday's assault on Liquid was likely linked to a prior breach of the exchange's system in November of 2020, during which an attacker collected information about the firm's security setup.

“Although the assault was on their MPC-based hot wallets, I believe this has nothing to do with MPC vulnerabilities,” says Shaulov, an MPC specialist (and advocate).

According to Shaulov, the policy was probably configured in a way that let the initial hacker circumvent the exchange's whole clearance procedure and direct the wallets to withdraw without compromising the private key.

“Nothing is 0 percent in my business,” Shaulov remarked. “However, the odds of the hacker figuring out anything using Unbound's MPC protocol are very slim.”

Tal Be'ery, the chief security officer of the ZenGo wallet, which is powered by MPC, agreed.

He stated through Telegram, “Most likely it's not the MPC, but some other issue.” “MPC allows users to effectively minimize the danger of key theft by factoring in the involvement of several parties. So it may be 2X, 3X, and so on, but it's not impossible.”
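
A toy illustration of the distinction drawn above, added here as an example and not taken from Liquid, Unbound or Fireblocks: three parties produce a Schnorr-style signature from key shares that are never combined, and a share is used only if a policy check approves the request. The group parameters (far too small for real use), the `Party` class, the policy functions and the destination names are all assumptions made for the illustration.

```python
import hashlib, secrets

# Toy Schnorr group (constructed, insecurely small): p = 2q + 1, g has order q.
P, Q, G = 2039, 1019, 4

def challenge(R, msg):
    return int.from_bytes(hashlib.sha256(f"{R}|{msg}".encode()).digest(), "big") % Q

class Party:
    """One MPC participant: holds a key share that never leaves the object."""
    def __init__(self):
        self._x = secrets.randbelow(Q - 1) + 1   # private key share
        self.pub = pow(G, self._x, P)            # public share
        self._k = None
    def commit(self, request, policy):
        # The share takes part in signing only if the policy layer approves.
        if not policy(request):
            raise PermissionError("policy rejected request")
        self._k = secrets.randbelow(Q - 1) + 1
        return pow(G, self._k, P)
    def respond(self, e):
        s, self._k = (self._k + e * self._x) % Q, None  # nonce is single-use
        return s

def joint_pub(parties):
    y = 1
    for p in parties:
        y = y * p.pub % P
    return y

def mpc_sign(parties, request, policy):
    msg = f"{request['to']}:{request['amount']}"
    R = 1
    for p in parties:
        R = R * p.commit(request, policy) % P
    e = challenge(R, msg)
    s = sum(p.respond(e) for p in parties) % Q   # only partial signatures are shared
    return msg, R, s

def verify(pub, msg, R, s):
    return pow(G, s, P) == R * pow(pub, challenge(R, msg), P) % P

ALLOWLIST = {"treasury-cold-1"}                  # constructed destination name

def strict_policy(req):
    return req["to"] in ALLOWLIST and req["amount"] <= 1000

def bypassed_policy(req):                        # models an approval flow that was switched off
    return True
```

With `bypassed_policy` in place the withdrawal signature verifies against the joint public key even though no share was exposed, which is why the approval logic needs the same protection as the shares themselves.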

MPC is insufficient on its own.

According to Lior Lamesh, CEO and co-founder of GK8, an Israeli custodial tech company that utilizes MPC in conjunction with cold vaults, the assault on Liquid supports the premise that MPC alone is insufficient.

According to Lamesh, hacking is all about the return on investment (ROI), and a hacker would need to spend a few million dollars on average to breach a few internet-connected devices. MPC means that instead of being stored on a single internet-connected computer, key fragments are stored on two or three separate internet-connected machines, he said.

The more shards, the more costly the assault; nevertheless, for a crypto hacker after hundreds of millions of dollars, it's still a viable goal.

“MPC is more secure than a hot wallet, but it isn't adequate by itself for banks managing tens of millions of dollars in cryptocurrency,” Lamesh said in an interview. “However, managing 2% or 3% of assets is acceptable, while the bulk of assets will be maintained in a cold vault, where they will be 100 percent secure since they will never be linked to the internet.”
