Bitcoin Forum
Author Topic: Keeping Exchanges Secure  (Read 177 times)
c_atlas (OP)
February 05, 2019, 11:18:31 PM
 #1

inb4 someone says not your keys not your bitcoin; we know.

Unfortunately, if you want to exchange your digital currency in a reasonable amount of time you'll have to put your crypto on a centralized exchange (for now), so my question is this: As of today, what's the most secure way for exchanges to keep your crypto safe while ensuring that it's always accessible when it needs to be withdrawn? I find it shocking that Cryptopia and QuadrigaCX went under just weeks apart due to poor handling of private keys. Is there no industry standard? MultiSig cold storage addresses? Can't people write distributed smart contracts that work with their internal APIs to control the transfer of funds?

If someone were to start a new exchange today, what are the steps they should take to ensure their private keys are as secure as can be?
cissrawk
February 06, 2019, 12:20:23 AM
 #2

Using a top exchange is one option; an example is Binance. Or just do an instant exchange and withdraw it ASAP.

Quote from: c_atlas
If someone were to start a new exchange today, what are the steps they should take to ensure their private keys are as secure as can be?

I can just think about increasing their security. Also, they can give a bounty or reward to people who can hack or find a hole in their site, and give the reward to them before releasing the site officially.

c_atlas (OP)
February 06, 2019, 01:07:23 AM
 #3

Quote from: cissrawk
Using a top exchange is one option; an example is Binance. Or just do an instant exchange and withdraw it ASAP.

Quote from: c_atlas
If someone were to start a new exchange today, what are the steps they should take to ensure their private keys are as secure as can be?

I'm asking about what exchanges do/can do to ensure the integrity of the storage and access to their private keys, not what we as individuals can do if we have to use an exchange.

Quote from: cissrawk
I can just think about increasing their security. Also, they can give a bounty or reward to people who can hack or find a hole in their site, and give the reward to them before releasing the site officially.

Still not related to their private keys; this relates more so towards the security of their webapp. Sure, you could hack an exchange's site, but just because their website is compromised doesn't mean their private keys are.
freedomno1
February 06, 2019, 01:45:18 AM
Last edit: February 06, 2019, 02:32:26 AM by freedomno1
Merited by c_atlas (1)
 #4

Quote from: c_atlas
If someone were to start a new exchange today, what are the steps they should take to ensure their private keys are as secure as can be?

Public Cold Storage Address and Proof Of Keys is the minimum.
E.G: Poloniex Old Cold Storage Address https://www.blockchain.com/btc/address/17irB8xLxhVRerCoUyypnmpoak3QBpVp2z
Moved into Multi-Sigs
https://bitcointalk.org/index.php?topic=1432482.0
https://www.blockchain.com/btc/address/39TDhgfAg4oRXo1TLfEb5yZBN45hBKVYja
With a test now and then

Or Listed on a service
https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html

Rank | Address | Wallet | Balance | % of coins | First In | Last In | Ins | First Out | Last Out | Outs
1 | 3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r (3-of-6) | Bitfinex-coldwallet | 138,661 BTC ($471,705,994 USD) | 0.7914% | 2017-01-05 05:34:15 | 2019-02-04 09:24:55 | 5609 | 2017-01-06 03:29:06 | 2018-10-22 07:45:07 | 4541
2 | 385cR5DM96n1HvBDMzLHPYcw89fZAXULJP | Bittrex-coldwallet | 130,005 BTC ($442,259,707 USD) | 0.7420% | 2018-12-20 18:16:25 | 2019-02-03 12:40:50 | 9 | 2019-01-09 15:58:55 | 2019-01-09 15:58:55 | 1
3 | 3Nxwenay9Z8Lc9JBiywExpnEFiLp6Afp8v (3-of-5) | Bitstamp-coldwallet | 108,848 BTC ($370,287,511 USD) / +8000 BTC | 0.6212% | 2015-10-16 08:43:06 | 2019-02-04 09:42:42 | 226 | 2015-10-29 04:44:26 | 2019-01-03 05:57:01 | 61
4 | 3Cbq7aT1tY8kMxWLbitaG7yT6bPbKChq64 (3-of-5) | Huobi-wallet | 108,135 BTC ($367,859,839 USD) | 0.6172% | 2017-09-08 10:41:05 | 2019-02-04 13:39:02 | 230 | 2017-09-09 05:18:35 | 2018-04-25 01:53:53 | 9
5 | 3AweAnU1qYSUCJ5Hvy9DFEB7dVqUebZw5i | Binance-coldwallet | 107,432 BTC ($365,469,601 USD) / +107432 BTC | 0.6131% | 2019-01-14 19:19:40 | 2019-02-03 12:40:50 | 6 | | |

The next step is Proof of Ability to Move Funds on occasion, or a signed message, and a few people holding the keys, for example in a 3-of-5:
5 people each hold 1 key (if 1 dies, we still have 4/5).
Otherwise we could end up with another Quadriga situation ...

Rating Wise
https://icorating.com/exchanges/centralized/

As an indicator
Quadriga was a B
Cryptopia was a B

Poloniex is an A-
Binance is a B+

Only A+ is Kraken
Not even Coinbase got A+

squatter
February 06, 2019, 08:00:45 AM
 #5

Quote from: c_atlas
Unfortunately, if you want to exchange your digital currency in a reasonable amount of time you'll have to put your crypto on a centralized exchange (for now)

DEX platforms definitely don't have the liquidity of centralized exchanges, but they're perfectly fine for smaller, casual traders. If you're trading less than 20-30 ETH worth of Ethereum assets, using a DEX is the way to go.

Quote from: c_atlas
As of today, what's the most secure way for exchanges to keep your crypto safe while ensuring that it's always accessible when it needs to be withdrawn? I find it shocking that Cryptopia and QuadrigaCX went under just weeks apart due to poor handling of private keys.

Sadly, it doesn't surprise me at all. There's something about cryptocurrency -- the speed with which irreversible payments can be made -- that makes it especially prone to these events.

Quote from: c_atlas
Is there no industry standard? MultiSig cold storage addresses?

QuadrigaCX stated they used multi-sig and cold storage. That's another problem with centralized exchanges. We take them at their word, but they often lie to our faces.

Quote from: c_atlas
Can't people write distributed smart contracts that work with their internal APIs to control the transfer of funds?

Doesn't that require keeping private keys online? Cold storage needs to be a central requirement.

NeuroticFish
February 06, 2019, 02:51:27 PM
 #6

Quote from: c_atlas
while ensuring that it's always accessible when it needs to be withdrawn

Heh, you ask too much.

The solution, as the others have written, is multisig cold storage. Cold storage will contain a big part of the funds, but not all of them.
What's in cold storage may need more time to get accessed and it's seldom accessed for withdraws. But no problem, this is for safety.
A smaller amount is in hot wallets and that's used for withdrawals.

So always accessible is not a good request and it's not met. If more whales want to withdraw, a delay will clearly happen.

Bitze
February 08, 2019, 08:35:40 AM
 #7

Quote from: NeuroticFish
Quote from: c_atlas
while ensuring that it's always accessible when it needs to be withdrawn

Heh, you ask too much.

The solution, as the others have written, is multisig cold storage. Cold storage will contain a big part of the funds, but not all of them.
What's in cold storage may need more time to get accessed and it's seldom accessed for withdraws. But no problem, this is for safety.
A smaller amount is in hot wallets and that's used for withdrawals.

So always accessible is not a good request and it's not met. If more whales want to withdraw, a delay will clearly happen.

This is probably the best solution there is at the moment. It is important to distribute the info and access rights combined to several people. A lot of money is tempting, after all. (Roll Eyes)
Potato Chips
February 08, 2019, 02:59:10 PM
 #8

Quote from: squatter
That's another problem with centralized exchanges. We take them at their word, but they often lie to our faces.

Bottom line right here ^

Exchanges will claim this and that, but there's no way for us to confirm it and they don't either. If someone were to start a new exchange today, maybe they could work on that, too?
