Bitcoin Forum
November 14, 2024, 06:44:28 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Why do exchanges need a hot wallet on their server?  (Read 2056 times)
picobit (OP)
Hero Member
*****
Offline Offline

Activity: 547
Merit: 500


Decor in numeris


View Profile
September 07, 2012, 07:45:51 AM
 #1

After yet another exchange being hacked, I can't help asking myself: Why do exchanges need a hot wallet on the server at all?
All the server needs is to know the clients' balances in BTC and in USD/EUR/...

Only when the client wants to withdraw BTC is a wallet needed - but then it does not have to be on the exchanger server.  The USD are stored in a bank, not on the server.  When a client needs to withdraw money, the exchange server contacts a backend server, where the hot wallet is kept.  This could even be done through TOR with the backend as a hidden service,  making it hard for the hackers to find the backend server.  They can still inject false payments into the system if they hack the frontend, but if you require users to register their bitcoin payment address in advance (and perhaps block payments for 24 h when it is changed), then it becomes very difficult indeed for the hacker to run away with the money.

It would still be necessary to keep most of the BTC in a cold, offline wallet, since it is not 100% impossible to first break into the server, and then hack the backend through the TOR network.  So perhaps there should also be a limitation of how many BCT any given user can withdraw without incurring a 24h waiting period.  Waiting periods are annoying, but less annoying than loosing everything.

Just my 5 mBTC.

flower1024
Legendary
*
Offline Offline

Activity: 1428
Merit: 1000


View Profile
September 07, 2012, 07:59:49 AM
 #2

bitcoinica had their hotwallet on another server but it doesn't help them

every (unencrypted) wallet which resides on an online server (vps is even worse) is vulnerable.

hotwallets are unencrypted because they need to be accessed.

i would love to see exchanges where you request a widthdrawal and have to wait.
that way the owner could manually send out funds.

^^ much more secure
SpontaneousDisorder
Member
**
Offline Offline

Activity: 87
Merit: 10



View Profile
September 07, 2012, 08:05:58 AM
 #3

How about an option "Send my BTC to cold storage", then you can choose between safety and instant access.
scintill
Sr. Member
****
Offline Offline

Activity: 448
Merit: 254


View Profile WWW
September 07, 2012, 08:17:11 AM
 #4

This could even be done through TOR with the backend as a hidden service,  making it hard for the hackers to find the backend server.

Exchange hacks have been caused by credential disclosure, unencrypted wallets, VPS compromises, etc.  Tor doesn't magically fix those sorts of problems.  Unless you literally mean hackers are going to find the server's physical location, breach the hosting center holding it, and dump its keys, I don't see any reason to use Tor for this.  Has anyone hacked an exchange by gaining physical access to the servers?

1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
dissipate
Sr. Member
****
Offline Offline

Activity: 288
Merit: 251


View Profile
September 07, 2012, 08:19:53 AM
 #5

This could even be done through TOR with the backend as a hidden service,  making it hard for the hackers to find the backend server.

Exchange hacks have been caused by credential disclosure, unencrypted wallets, VPS compromises, etc.  Tor doesn't magically fix those sorts of problems.  Unless you literally mean hackers are going to find the server's physical location, breach the hosting center holding it, and dump its keys, I don't see any reason to use Tor for this.  Has anyone hacked an exchange by gaining physical access to the servers?

The details are sketchy but the Bitfloor hack sounds like it could have been done through physical access, or at least access via Bitfloor's LAN. Supposedly it was done by accessing 'non-public facing machines'.
flower1024
Legendary
*
Offline Offline

Activity: 1428
Merit: 1000


View Profile
September 07, 2012, 08:23:59 AM
 #6

How about an option "Send my BTC to cold storage", then you can choose between safety and instant access.

+1

i LOVE this idea
but: if they are in cold storage how could you trade them?

image two users:

A: 100USD 10BTC (option set to instant access)
B: 1000BTC (option set to cold storage)

now B trades 10BTC to A and A wants to withdraw 20BTC immedtialy.
how to handle this situation?

btw: if i where user B i would not have 1000BTC sitting in an exchange without an open order. so i am essentially my own cold-storage.
Traktion
Full Member
***
Offline Offline

Activity: 168
Merit: 100


View Profile
September 07, 2012, 09:55:13 AM
 #7

Surely, a client on a machine without a dedicated IP address could do the actual transacting?

From the client, you could then poll the server to see what transactions have been requested, before completing the process. The hot wallet would then be completely detached from the server and could either be supervised (manual confirmation) or unsupervised ('hot').

Ofc, it wouldn't stop someone hacking the process to create spurious transaction requests, but a secure protocol would make that very difficult. However, it would prevent attacks which focus on the stealing of wallets on the server and so forth.
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1010


View Profile
September 07, 2012, 10:35:46 AM
 #8

After yet another exchange being hacked

There are solutions that were already available that would have prevented this latest specific instance (cold wallet storage, 100% air gap).

There are solutions being made easier to use (multisig):

 - http://bitcointalk.org/index.php?topic=94959.0


There are solutions nearing completion - Open Transactions for exchanges:

 - http://bitcointalk.org/index.php?topic=96391.0
 - http://bitcointalk.org/index.php?topic=95745.0

Unichange.me

            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █


optimator
Sr. Member
****
Offline Offline

Activity: 351
Merit: 250



View Profile WWW
September 08, 2012, 04:59:33 AM
 #9

hotwallets are unencrypted because they need to be accessed.

Is that correct? Can't you encrypt the wallet and then use a pass phrase to access it? The pass phrase being stored encrypted on the server?

HostFat
Staff
Legendary
*
Offline Offline

Activity: 4270
Merit: 1209


I support freedom of choice


View Profile WWW
September 08, 2012, 05:43:24 AM
 #10

@flower1024
I think that the easier way is just make the trade "virtually", and I think that many are already doing this way.
All Bitcoin will remain in the cold storage, trades will only be executed virtually on another database.
The cold storage will be used only to withdraw bitcoin.

NON DO ASSISTENZA PRIVATA - https://t.me/hostfatmind/
scintill
Sr. Member
****
Offline Offline

Activity: 448
Merit: 254


View Profile WWW
September 08, 2012, 06:51:28 AM
 #11

hotwallets are unencrypted because they need to be accessed.

Is that correct? Can't you encrypt the wallet and then use a pass phrase to access it? The pass phrase being stored encrypted on the server?

Yes, a server needs to be able to read a wallet to use it.  With your suggestion, what's going to decrypt the encrypted passphrase?  If the key to that is on the server, hackers will find it and it's now an unencrypted wallet.  If not, you're back to an encrypted wallet that needs outside intervention (inputting decryption key from an isolated system, human, etc.)

If automated transactions are desired, unencrypted hotwallets* are necessary, however there are precautions that should be taken, like NOT storing most of your bitcoins in hotwallets.  (*Well, they could be encrypted on-disk to help prevent certain types of attacks, but at some point, somehow, the system needs to be able to decrypt them to do automatic transactions.)

1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
picobit (OP)
Hero Member
*****
Offline Offline

Activity: 547
Merit: 500


Decor in numeris


View Profile
September 11, 2012, 07:47:30 PM
 #12

This could even be done through TOR with the backend as a hidden service,  making it hard for the hackers to find the backend server.

Exchange hacks have been caused by credential disclosure, unencrypted wallets, VPS compromises, etc.  Tor doesn't magically fix those sorts of problems.  Unless you literally mean hackers are going to find the server's physical location, breach the hosting center holding it, and dump its keys, I don't see any reason to use Tor for this.  Has anyone hacked an exchange by gaining physical access to the servers?
TOR will not solve anything magically, of course.  But the hacker will need to first hack the exchange server, and then (since he cannot get the IP of the backend server) will have to hack the TOR hidden service.  Not knowing the IP will certainly reduce the attach surface.  But of course not eliminate it.

Thanks to you all for your comments!
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!