Is Bittrex securing your Steem properly?

in #steemit • 7 years ago (edited)

Take a look at this:
[Image: Screenshot_2018-03-05_11-11-52.png]

https://steemit.com/@bittrex/transfers

Over 27 MILLION STEEM worth over $100 MILLION USD is stored in this single account. Now if you look, they only use this account to store EVERY client's STEEM and SBD. They do not create content or posts or provide anything on their channel. This account, I concluded, is where Bittrex stores ALL STEEM and SBD. This is, at least from my understanding, HIGHLY insecure, and here is why:

Keeping a "hot" wallet ensures that clients can withdraw their coins without a human involved. BUT this also means you must store the key somewhere that is accessible to the internet and create a piece of software to handle the withdrawals. A hacker simply needs to find an exploit in your software OR the server in order to drain the hot wallet. THIS is why SMART security for exchanges requires a cold storage protocol where the bulk of funds are kept offline and withdrawals from it are verified and processed by humans.

We have seen exchanges hacked MANY times, and for Bittrex to basically store a $100mln payday in the open with almost no security is insane! All someone has to do is figure out how to exploit their server OR their withdrawal daemon and in seconds they can drain the entire account!

Simple best practices like the ones I outline for other coins help prevent the ability for theft BEFORE it happens! https://steemit.com/steemit/@bigdeej/how-i-secure-cryptocurrency-for-under-usd1-creating-a-cold-storage-locker

Let's make sure this doesn't happen and the only time you read about this issue is here BEFORE the coins are stolen! Hackers only need to be right once, security experts must ALWAYS be right! If you agree with me and are a @bittrex customer, please reach out to them about this concern and push them to adopt a cold storage policy for their STEEM and SBD! They should not be keeping all their clients' coins as a target in a hot wallet EVER!
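
An added illustration of the hot/cold split argued for above (not part of the original post and not any exchange's real code): the online balance is sized from recent withdrawal demand, everything above it is swept offline, and the withdrawal daemon may only sign small payouts on its own. The class, function names, limits and the seven-day history are assumptions constructed for the example; only the 27 million STEEM balance comes from the post.

```python
from decimal import Decimal
from dataclasses import dataclass

@dataclass
class HotWalletPolicy:
    """Hypothetical policy; every threshold here is an assumption."""
    float_days: int = 2                        # days of peak withdrawals kept online
    per_tx_limit: Decimal = Decimal("5000")    # larger requests need human sign-off
    daily_limit: Decimal = Decimal("150000")   # ceiling on automated payouts per day
    paid_today: Decimal = Decimal("0")

    def target_float(self, daily_withdrawals):
        # Size the online balance from observed peak demand, not from total deposits.
        return max(daily_withdrawals) * self.float_days

    def sweep_amount(self, hot_balance, daily_withdrawals):
        # Everything above the float moves to offline (cold) storage.
        return max(Decimal("0"), hot_balance - self.target_float(daily_withdrawals))

    def route(self, amount, hot_balance):
        # Decide whether the withdrawal daemon may sign this payout by itself.
        if amount <= 0:
            return "reject"
        if amount > self.per_tx_limit:
            return "manual_review"
        if self.paid_today + amount > self.daily_limit:
            return "manual_review"
        if amount > hot_balance:
            return "manual_review"   # needs a human-approved refill from cold storage
        self.paid_today += amount
        return "auto"

def worst_case_loss(hot_balance, policy, daily_withdrawals):
    # What a stolen daemon key can reach once the sweep has run.
    return hot_balance - policy.sweep_amount(hot_balance, daily_withdrawals)

# Constructed sample data: seven days of total withdrawals, in STEEM.
HISTORY = [Decimal(x) for x in
           ("41000", "38500", "52000", "47250", "60000", "35000", "44100")]
BALANCE = Decimal("27000000")   # the roughly 27 million STEEM figure from the post

if __name__ == "__main__":
    p = HotWalletPolicy()
    print("sweep to cold :", p.sweep_amount(BALANCE, HISTORY))
    print("exposed online:", worst_case_loss(BALANCE, p, HISTORY))
    print([p.route(Decimal(a), Decimal("120000")) for a in ("1200", "9000", "-5")])
```

With these sample numbers the key on the internet-facing server controls 120,000 STEEM instead of the full balance, so a compromised server or daemon has a bounded payoff.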



Crazy! Thanks for drawing this to our attention! I am concerned having an investment such as steem power in a hot wallet. Hopefully we can come up with a solution that makes storing steem power more secure! Thanks for the post!!

Steem power is far more secure than keeping steem liquid in an account due to the 7 day power down cycle over 13 periods.

Once your master key is known to a scammer, can you do anything except power up all your Steem or send all your Steem to another account you own and log in every week to prevent your SP from powering down?

The only thing left would be your savings and steem power! Any liquid SBD and STEEM would be instantly stolen... Which is where the bulk of over $100,000,000 worth of steem sits! It is a GIANT bull's-eye target for a hacker!

Just do not keep too many coins or tokens on an exchange and if you can send all your crypto to paper wallets..

If a hacker gets your master key your funds will be gone before you can say "steem"! They will transfer the steem to their account instantly upon gaining access to your account and there are no take-backs in cryptoland!

All Steem deposited as Steem-Power takes 7 days to even partially power down so there will be time to cancel power down.
So what is the answer to my question?

If it was ALREADY powered up as Steem Power you are right, that would be safe and preventable. But as you see they have it as liquid STEEM, which can be withdrawn instantly upon access!


I guess now the information is out there. It's a matter of time before attempts are made. If the hackers did not think of it, now they do. I wonder, is there a safer way to point out a security loophole? Just me thinking out loud.

It isn't just Bittrex, it is also Poloniex: https://steemit.com/steemit/@bigdeej/poloniex-no-cold-storage-for-steem-funds-usd50-million-usd-at-risk-in-hot-wallet
And I suggest sharing this post with them if you are a customer since the more people who bring it to their attention the faster it can be fixed. In less than 2 hours this could be fixed and a cold storage setup! At most 1 day! The solutions are simple and something that is very well known in the crypto security industry. The only option is to force them to fix it by publicly disclosing their flaws! Anyone who uses them could easily figure this information out. Hackers already know, they just haven't gotten through (yet)! I advise exchanges not to wait till it does happen before implementing cold storage procedures and policies!

I use bittrex but not for Steem. I am happy to use @blocktrades for all my trading needs

I have heard of many issues with Bittrex lately and have not used them in years. I like blocktrades since you do not even have to make an account and funds are almost always in your control.

Daaym. Nice post bru. That's mental eh!
Imagine how gutting that would be to be a victim of any crypto theft.

Seen it happen. I remember the day Mt Gox happened, I was one of the few who didn't have funds on there that I knew in this game! Imagine how it will feel if everyone wakes up and that much STEEM is stolen?! They need to think about a cold storage procedure which would not require much work for them.

Absolutely. Needs to happen quick!
Crypto is all new to me Deej. That Mt Gox sounded serious.. I'll look it up.

Mt Gox was at the time the biggest single theft of coins. Then shortly after, the Poloniex theft happened, which I outline in the article here: https://steemit.com/steemit/@bigdeej/poloniex-no-cold-storage-for-steem-funds-usd50-million-usd-at-risk-in-hot-wallet

Shit the bed. I see. Thanks for the link.
I am with Poloniex. Hope they sort their shit out.
Cheers Deej.

Even scarier to think these guys have had this kind of attack VERBATIM happen before and still store around $50 million (usd) worth of STEEM in a single account able to be stolen the EXACT same way!

use robot for double your benefits

Kinda interesting, I have not used Bittrex yet and probably won't now.

strange, very strange

It really makes you have to ask the question, are they really that incompetent, lazy or perhaps up to no good? This throws up a red flag to me saying something isn't right. I found Bittrex doesn't respect its users, they don't give warnings and give people a chance to pull the money out if they don't like the changes. All the other exchanges do, to name Bitfinex and Poloniex, the two I can recall right off hand. I wouldn't be surprised if Bittrex turns into Bitgox.

I tried to create a Bittrex account today, but it would appear they are only taking business or corporate clients. I was looking for a way to convert Steem Dollars into BitCoin. At this time I really don't have enough Steem Dollars to really start making trades, but I at least wanted to know how to do it.