Bitcoin Forum
Author Topic: Best protocols for cold wallet, hot wallet. We are building an exchange.  (Read 2638 times)
TierNolan
May 05, 2014, 04:47:06 PM
 #21

It's not ideal because I was thinking it would be best to use Armory to just recharge the HOT wallet and so if the hot wallet runs out of funds then every new transaction goes into a Queue which are then executed once the hot wallet is full again.

You could set it up so that the cold wallet has a watching only wallet for the hot wallet. 

It would be possible to verify that all outgoing payments of the cold wallet are going to a hot wallet address.  I don't think Armory supports that though.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
gokudev
May 05, 2014, 07:05:47 PM
 #22

Thanks for all the great responses.

I love the idea of a warm wallet!
I am collating all the ideas and schematics for the devs to talk over.

Just looking at Armory and it would be great if you could import a CSV with transactions that you need to happen and then sign those on the cold wallet and finally broadcast them from hot.

So Armory would effectively be both the cold and warm wallet but we daily export a CSV of transactions that are waiting to happen and then send them out from cold storage.

It's not ideal because I was thinking it would be best to use Armory to just recharge the HOT wallet and so if the hot wallet runs out of funds then every new transaction goes into a Queue which are then executed once the hot wallet is full again.

What I like about this is that it's more automated but if we are compromised I want a way to detect dodgy withdrawals in the queue because we don't want to fall into the alleged Karpeles tunnel syndrome, where funds are tunnelled away under the noses. But that's a whole other problem.

The main problem at the moment is cold warm hot wallet architecture.

Armory really is an amazing piece of work for cold storage, the issue is hot and warm really. I think it might be that every 24 hours we manually top up the hot wallet to a percentage of the cold.

If there is an overflow of withdrawals then we could manually process them. (This could annoy customers but if they realise that it's for security reasons then people will be a bit more accepting, although people are fast to yell scam all over the internet if they don't get their bitcoins within seconds :/ so there's that.  )

Quote
The main problem at the moment is cold warm hot wallet architecture.

I would like to discuss what manual methods are available to transfer signed tx from cold storage to warm/hot wallets. I am having a hard time to convince my team to use cold storage for one let alone USB sticks because they think it's too old fashioned to use USB sticks.   The thing about cold storage is it must not be connected so Ethernet cable over VPN does not work.  What other options are available to withdraw manually?



 
TierNolan
May 05, 2014, 07:18:32 PM
 #23

I would like to discuss what manual methods are available to transfer signed tx from cold storage to warm/hot wallets. I am having a hard time to convince my team to use cold storage for one let alone USB sticks because they think it's too old fashioned to use USB sticks.

Armory uses USB sticks, so you would need to do recoding to support other methods.

The point about cold storage is that the money should very rarely be touched.

It is like money in a bank account that isn't tied into your trading engine.

Maybe if you used hot/warm/cold, then you might be able to convince them?

You can use any method for transfer really.  There was talk of using a sound card based solution and sending the data via sound pulses (like old telephone modems).

QR codes could possibly work too.  The problem is that you actually need a lot of information.  To safely spend a transaction, you need to include all the input transactions.  Otherwise, the cold store cannot determine how much is about to be spent.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
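The two checks TierNolan describes in #21 and #23, written out as an added example (not part of the thread and not Armory code): before signing, the offline machine hashes each supplied input transaction to confirm it is the one the outpoint refers to, sums the amounts being spent, and refuses any output whose script is not on an allowlist. The full input transactions are needed because a legacy signature does not commit to input amounts; only the txid, a hash of the whole previous transaction, does. Assumptions: legacy (pre-segwit) serialization, an allowlist of raw output scripts (hot wallet plus cold change), and the hypothetical names `check_refill`, `parse_tx`, `txid_of` and `max_fee`.

```python
import hashlib

def txid_of(raw):
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()

def varint(raw, i):
    """Read a CompactSize integer at offset i -> (value, next offset)."""
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}.get(raw[i], 0)
    if size == 0:
        return raw[i], i + 1
    return int.from_bytes(raw[i + 1:i + 1 + size], "little"), i + 1 + size

def parse_tx(raw):
    """Parse a legacy (pre-segwit) transaction into (inputs, outputs)."""
    ins, outs = [], []
    n, i = varint(raw, 4)                          # skip 4-byte version
    for _ in range(n):
        ins.append((raw[i:i + 32][::-1].hex(), int.from_bytes(raw[i + 32:i + 36], "little")))
        slen, i = varint(raw, i + 36)
        i += slen + 4                              # scriptSig, then 4-byte sequence
    n, i = varint(raw, i)
    for _ in range(n):
        slen, j = varint(raw, i + 8)
        outs.append((int.from_bytes(raw[i:i + 8], "little"), raw[j:j + slen]))
        i = j + slen
    return ins, outs

def check_refill(raw_tx, prev_txs, allowed_scripts, max_fee):
    """Return (total_in, fee) in satoshis, or raise ValueError if policy fails."""
    # Index supplied input transactions by their own hash: a forged amount changes the txid.
    by_id = {txid_of(p): parse_tx(p)[1] for p in prev_txs}
    ins, outs = parse_tx(raw_tx)
    total_in = 0
    for txid, vout in ins:
        if vout >= len(by_id.get(txid, [])):
            raise ValueError("input %s:%d has no matching supplied transaction" % (txid, vout))
        total_in += by_id[txid][vout][0]
    if any(script not in allowed_scripts for _, script in outs):
        raise ValueError("output pays a script outside the allowlist")
    fee = total_in - sum(value for value, _ in outs)
    if not 0 <= fee <= max_fee:
        raise ValueError("fee %d outside 0..%d" % (fee, max_fee))
    return total_in, fee
```

Call `check_refill` with the raw bytes of the unsigned transaction and of every transaction it spends from; anything that raises is not presented for signing.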
throwaway084575 (OP)
May 06, 2014, 11:57:48 AM
 #24

Yeah I'm a bit suspect of USB viruses / trojans
I have had them in the past. Not to do with Bitcoin, but they infected computers at my old job.

I like the idea of having the cold storage monitor and the hot wallet server camera facing each other and to sign transactions we just let the 2 communicate via QR.
It seems really archaic but bitcoin is strange like that, we have to go back to old tech like paper to truly secure such a futuristic asset.


TierNolan
May 06, 2014, 01:31:13 PM
 #25

It seems really archaic but bitcoin is strange like that, we have to go back to old tech like paper to truly secure such a futuristic asset.

You are trying to create an "air-gap" effect.  The problem is that many things have auto-run, so it is hard to be certain that you are secure.

You pretty much have to code the channel yourself to be absolutely sure.

One suggestion was an animated QR code .gif file.  Each frame would have a different code.

Armory doesn't care how you get the file to/from the offline computer.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
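A framing scheme for the animated QR idea in #25, as an added example that is not from the thread or from Armory: the sender splits the file into numbered text frames (each would be rendered as one QR image by whatever encoder is used), and the receiver accepts frames in any order, ignores unreadable scans, and releases the payload only when the whole-file digest matches. The frame layout `digest:index:total:base64`, the names `to_frames` and `Reassembler`, and the 500-frame cap are assumptions made for the illustration.

```python
import base64
import hashlib

def to_frames(payload, chunk=200):
    """Split payload into text frames 'digest:index:total:base64' (one per QR image)."""
    tag = hashlib.sha256(payload).hexdigest()
    parts = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    return ["%s:%d:%d:%s" % (tag, n, len(parts), base64.b64encode(p).decode())
            for n, p in enumerate(parts)]

class Reassembler:
    """Receiving side: treats every scan as inert data and only ever returns bytes."""
    MAX_FRAMES = 500                      # assumed cap so a bad frame cannot demand endless scans

    def __init__(self):
        self.tag, self.total, self.parts = None, None, {}

    def feed(self, frame):
        """Accept one scanned frame; return the payload once complete, else None."""
        try:
            tag, n, total, data = frame.split(":", 3)
            n, total = int(n), int(total)
            chunk = base64.b64decode(data, validate=True)
        except ValueError:                # malformed scan: ignore, the animation loops
            return None
        if not 0 <= n < total <= self.MAX_FRAMES:
            return None
        if self.tag is None:
            self.tag, self.total = tag, total
        if (tag, total) != (self.tag, self.total):
            return None                   # frame belongs to a different transfer
        self.parts[n] = chunk
        if len(self.parts) < self.total:
            return None
        payload = b"".join(self.parts[k] for k in range(self.total))
        if hashlib.sha256(payload).hexdigest() != self.tag:
            raise ValueError("reassembled payload does not match its digest")
        return payload
```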
spin
May 06, 2014, 02:38:28 PM
 #26

While using a USB stick to move info over and back might be suitable for an individual miner it is not feasible in an exchange environment where several withdrawals are possible. So what is an ideal design for an exchange environment?

The cold wallet is supposed to be reserve funds.

Cold Wallet
 - funds can be deposited automatically
 - funds can be monitored via watching wallets
 - withdrawal is difficult

Hot Wallet
 - all wallet operations are automatic

The idea is that you get a notification if the Hot Wallet is running low on funds.  Funds can then be transferred to the Hot Wallet in a single transaction from the Cold Wallet.

When a client withdraws money, it is from the Hot Wallet.

In an exchange, there is like a "float" that varies daily.  If the total funds stored on the exchange went up and down by 10%, then you only need to store 10% in the hot wallet.

You could have an intermediate level (warm wallet?) that has less security than the cold wallet but more than the hot wallet.  For example, transfers might be automatic, but need to be signed by 3 of 3 separate servers.

I believe other controls (not tech based) around this process are also needed.  I'm not an accountant but I'm thinking:
- Regular cash/BTC recons.  Is the amount of btc/cash held now equal to previous balance +/- transactions made?
- Customer balance recons.
- Cold to hot transfers can only occur if a proper recon has been done.  Is the cold as big as it should be.  Has the hot reduced to a low level for valid reasons?  Need sign-offs on this, with the cold to hot transaction only occurring if audits/recons are in place.

This is to stop one blindly refilling an empty hot wallet from the cold.  If you have a recon you can be sure the hot needs refilling for the right reasons.  




If you liked this post buy me a beer.  Beers are quite cheap where I live!
bc1q707guwp9pc73r08jw23lvecpywtazjjk399daa
gokudev
May 06, 2014, 06:38:17 PM
 #27

While using a USB stick to move info over and back might be suitable for an individual miner it is not feasible in an exchange environment where several withdrawals are possible. So what is an ideal design for an exchange environment?

The cold wallet is supposed to be reserve funds.

Cold Wallet
 - funds can be deposited automatically
 - funds can be monitored via watching wallets
 - withdrawal is difficult

Hot Wallet
 - all wallet operations are automatic

The idea is that you get a notification if the Hot Wallet is running low on funds.  Funds can then be transferred to the Hot Wallet in a single transaction from the Cold Wallet.

When a client withdraws money, it is from the Hot Wallet.

In an exchange, there is like a "float" that varies daily.  If the total funds stored on the exchange went up and down by 10%, then you only need to store 10% in the hot wallet.

You could have an intermediate level (warm wallet?) that has less security than the cold wallet but more than the hot wallet.  For example, transfers might be automatic, but need to be signed by 3 of 3 separate servers.

I believe other controls (not tech based) around this process are also needed.  I'm not an accountant but I'm thinking:
- Regular cash/BTC recons.  Is the amount of btc/cash held now equal to previous balance +/- transactions made?
- Customer balance recons.
- Cold to hot transfers can only occur if a proper recon has been done.  Is the cold as big as it should be.  Has the hot reduced to a low level for valid reasons?  Need sign-offs on this, with the cold to hot transaction only occurring if audits/recons are in place.

This is to stop one blindly refilling an empty hot wallet from the cold.  If you have a recon you can be sure the hot needs refilling for the right reasons.  





Quote
- Regular cash/BTC recons.  Is the amount of btc/cash held now equal to previous balance +/- transactions made?
- Customer balance recons.
- Cold to hot transfers can only occur if a proper recon has been done.  Is the cold as big as it should be.  Has the hot reduced to a low level for valid reasons?  Need sign-offs on this, with the cold to hot transaction only occurring if audits/recons are in place.

Those are valid concerns. There has to be some form of auditing available to customers, especially as they have no control over hot/cold storage.  We will have an officer approve the withdrawal request and then also have speed bumps and some kind of activity monitoring.

Has anyone found a serial tx program that can be used to transfer transactions from cold to hot storage?
gokudev
May 07, 2014, 03:33:17 PM
 #28

It seems really archaic but bitcoin is strange like that, we have to go back to old tech like paper to truly secure such a futuristic asset.

You are trying to create an "air-gap" effect.  The problem is that many things have auto-run, so it is hard to be certain that you are secure.

You pretty much have to code the channel yourself to be absolutely sure.

One suggestion was an animated QR code .gif file.  Each frame would have a different code.

Armory doesn't care how you get the file to/from the offline computer.

Well, I was suggesting, and maybe someone can try this and post here: if you remove ubuntu-desktop you end up with a bare terminal, and if you put in the USB stick, auto run should never run.

Animated QR codes would work great, but digitizing something makes it easier for theft than physical objects. I think paper wallets would be the way to go.
ThePurplePlanet
May 07, 2014, 10:56:13 PM
 #29

Yeah I'm a bit suspect of USB viruses / trojans
I have had them in the past. Not to do with Bitcoin, but they infected computers at my old job.

I like the idea of having the cold storage monitor and the hot wallet server camera facing each other and to sign transactions we just let the 2 communicate via QR.
It seems really archaic but bitcoin is strange like that, we have to go back to old tech like paper to truly secure such a futuristic asset.




Armory wallet is looking into schemes like communicating through QR codes or sound waves. You can contact the dev for what they are thinking.