Presently, Bittrex and Poloniex do not appear to be using any cold storage of their Steem account funds. As of now these are the balances of their accounts: @bittrex has 531,533.899 STEEM and $98,704.106 SD. @poloniex has 604,173.956 STEEM and $239,075.969 SD.
Security Now
While I have confidence that both of these exchanges take security very seriously, it is a bad idea to have this much liquid currency on online accounts continuously using the active key to sign transactions. I have so far been aware of their lack of cold storage but I figured they'd work it out in time. Bitfinex reminds us that now is the time, always, for security. If either of these accounts were compromised there would likely be a hardfork to fix the damage (re: Draft Steem Constitution) but that would get messy and there would still be significant losses.
As stakeholders in Steem, we must ask these exchanges to use better security practices for the value of our own accounts and the network as a whole.
We are working on a solution where exchanges can set daily rate limits on withdraw activity from their account. Their "warm storage account" could be online allowing them to withdraw X% per day to their "hot storage account".
The downside from a user's perspective is that attempts to withdraw your funds would be rate limited by the same algorithm. But at least it would be transparent why there is a delay in withdrawal.
This is really good to hear, but I'd still hope to see a third-tier cold storage with manual offline transactions to refill the hot/warm wallets. Forgive me if there's already a method, but are offline signing tools on the to-do list anywhere, by the way?
A possible solution would be to add 2 factor authorization. This would be great for users and exchanges could move a majority of funds to an account secured by a secondary hardware PIN.
As long as the default is hot storage and people have to opt in for warm storage (much like Coinbase does there vault), I think this would be a great feature to add.
I agree with your opinion @lukestokes
Maybe the limit could be increased substantially for people that have 2fa?
Still 2FA is better. This makes very little sense. Security should come first.
I would like to see a security audit for Steem in general. It could be crowd funded right here on Steemit. I really believe that a single serious breach can undermine the whole success of the project.
All true safety comes first!
As far as I Poloniex uses cold wallets.
It is very sad that we have to fight for freedom, for the development of technologies for cryptocurrency and blockchain. And then our money so easily disappear.
I hope all this story will end well.
And these negative factors will be as small as possible.
Nothing can stop bitcoin even falling exchanger. Every chrisis brings fresh air. That's Bitcoin.
You raise very valid concern here... What the hell are they thinking dangling such a large carrot.
I believe the system bitfinex was using was put in place because of government regulations they had to meet to be a legal exchange. They couldn't keep the coins in cold storage and use ledgers to move the coins they had to move the coins from account to account to satisfy the regulations. Same would have probably been true of any other coin on the exchange.
I wonders if that means they'd have some type of insurance on the wallets?
Would make it pretty lucrative for an insider to come in and fill his pocket..!
They should have tried to get insurance. The Lloyds Insurance market in the City of London does all sorts of bespoke insurance for a fee, and other exchanges have obtained insurance this way. Of course they also demand rigorous audits and internal security to reduce their risk, and perhaps Bitfinex believed they couldn't meet the criteria...
I'd like to see an equal-replacement insurance policy for 120,000 bitcoins. It would easily create a new all-time high BTC price!
I think it would still have crashed. Thief dumping lots of BTC, panic selling, and the insurance probably wouldn't pay out until after an investigation and months of paperwork.
I believe they said there was no insurance for that yesterday on reddit.
What about the Steem/Steem Power/Steem Dollars that are in your Steemit.com wallet? Are they considered secure?
They are as secure as your password/keys are secure. So far, a web exploit was able to compromise the keys of people who were logged in with a master password. That web exploit has been fixed and all lost funds have been promised to be reimbursed. I haven't read if there have been any changes to the way the keys are stored locally after that incident, but I have some faith that it's been made more secure now.
Ok, cool. Thanks!
Exchange should give serious attention about security, what happens to bitfinex should make them even more concerned about security, and we also need to save each of our assets in place is really safe, do not store all assets in one place it's much safer
This is true, they should be using better security standards. However, Steem has shown that it's antifragile - hacks can be reverted. This makes me feel safer with steem than other cryptocurrencies.
Be careful what you wish for - ask Ethereum, although @dantheman had a great post about this. I am not opposed to hard-forks to recover stolen funds, it just opens a can of worms that without proper vetting, can be disastrous. If I read this post correctly, there is still a shoe to drop on the ETC/ETH problem at Coinbase:
https://steemit.com/steem/@dantheman/bitfinex-blockchain-hacks-and-replay-attacks-oh-my-all-things-that-steem-s-technology-is-designed-to-prevent
I agree. Having this much on hand can be terrible. Hardforks here on steem seem to have not had the impact on other crypto's (don't see steem classic). Still, it seemed a relatively minor hit last time and something harder hit can do it's damage. Since the days of Mt. Gox you think lessons would have been learned. Humans..... we're so slow lol
Exactly... There is some massive wealth building on steemit, and like any mass amounts of Cryptocurrency we need a secure safe to secure the jems.
How can we do that? I mean "ask"?
Crypto is really showing itself up at the moment, it could get really ugly which would be very disappointing. I have a lot of faith in it but the security side of things is letting everything down bigtime.
Great point! If we do not learn from others, we will be doomed to fail ourselves. Maybe you can make a post for newcomers about what happened in the hack and what they should do with their currency to be as safe as possible.
Amazing I posted a story about this yesterday and got nothing, but now I see a post saying the same thing I did and it has tons of Votes. WTH
https://steemit.com/steemit/@greatone/proposal-steemit-vault-safeguard-your-investments
There are a lot of variables to a post being successful. People who have a larger following will have their posts get noticed sooner. The time you post, who is online/reading at that time, how attention grabbing it is, how well written, etc. all play a factor too. Try not to let it discourage you. Building a following takes time, but if you consistently keep posting good content - people will start to notice.
It's actually not the same at all. What you are proposing sounds similar to what Dan said they're implementing. I want to see Bittrex, Poloniex, and any other exchange use one or more accounts (with different active keys) as cold storage, significantly reducing the risk of a large amount of liquid STEEM or SD from being stolen.
As it stands, if someone were to get the active or owner keys of either of these accounts they could instantly send the liquid assets to another Steem account. We know their active keys are "hot" because both are sending withdraws from the account.
There is nothing I could say that isn't said in this earlier post. If you haven't read it, it is worth the time.