Security Feature Proposal to reduce the risks in a Bitfinex Scenario for STEEM and SBD
Issue
3rd party, centralized exchanges like Poloniex and Bittrex might be vulnerable to a similar attack vector that yielded a $75,000,000 loss in the Bitfinex Heist.
A malicious actor could empty the exchange wallets and take off with all STEEM/SBD deposited on the exchange, if he acquired the private key that is used to sign the transactions.
The withdrawals on Poloniex and Bittrex are instant, so it is safe to assume that all transfers are signed by automated software on a more-or-less hot (online) system. Both exchanges appear to have one hot wallet each, and no wallets dedicated to cold storage.
Proposal
A good way to mitigate risk is to make heists less profitable for thieves. Steem already does this by having most of its value (97%+ at this time) secured in non-transferable VESTS. Owners of compromised accounts are only exposed to a 1% maximum loss.
Could we limit the exposure on STEEM and SBD assets as well?
Example Implementation:
Owners should have the ability to set an active_limit on their active keys (from cli_wallet).
If active_limit is set, transactions signed with the Active key cannot exceed a set amount of funds in a given time period.
If a transaction is signed with the Owner key, limits are ignored.
Furthermore, only the Owner key can be used to set/remove the limit.
The RPC call could be as simple as:
====> set_active_limit
{
"STEEM": 0, // no limit
"SBD": 1000 // limit to 1,000 SBD in a 24hr period
}
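The limit check described above, as an added illustration that is not part of the original proposal or of Steem's code: a per-asset sliding 24-hour window, an Owner-key bypass, and an Owner-only setter. The "owner"/"active" strings stand in for the authority a real transaction's signatures would resolve to, and 0 means "no limit" as in the RPC example.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW = 24 * 3600  # the proposal's 24hr period, in seconds


class LimitError(Exception):
    """Raised when a transfer or a limit change is not permitted."""


@dataclass
class Account:
    # active_limit per asset; 0 (or absent) means no limit, as in the proposal
    active_limit: dict = field(default_factory=dict)
    # (timestamp, amount) history per asset for transfers signed with the Active key
    _spent: dict = field(default_factory=dict)

    def set_active_limit(self, limits, signed_with):
        # Only the Owner key may set or remove limits (hypothetical authority model)
        if signed_with != "owner":
            raise LimitError("active_limit may only be changed with the Owner key")
        self.active_limit = dict(limits)

    def spent_in_window(self, asset, now):
        # Drop entries older than WINDOW, then total what the Active key has moved
        hist = self._spent.setdefault(asset, deque())
        while hist and hist[0][0] <= now - WINDOW:
            hist.popleft()
        return sum(amount for _, amount in hist)

    def transfer(self, asset, amount, signed_with, now):
        if amount <= 0:
            raise LimitError("amount must be positive")
        if signed_with == "owner":
            return True  # Owner-key transactions ignore the limit
        if signed_with != "active":
            raise LimitError("unknown authority")
        limit = self.active_limit.get(asset, 0)
        if limit and self.spent_in_window(asset, now) + amount > limit:
            raise LimitError(f"active_limit of {limit} {asset} per 24h exceeded")
        self._spent.setdefault(asset, deque()).append((now, amount))
        return True


def demo():
    # Constructed scenario mirroring the RPC example: STEEM unlimited, 1,000 SBD per 24h
    acct = Account()
    acct.set_active_limit({"STEEM": 0, "SBD": 1000}, signed_with="owner")
    acct.transfer("SBD", 600, "active", 0)
    acct.transfer("SBD", 400, "active", 3600)          # exactly at the limit: allowed
    try:
        acct.transfer("SBD", 1, "active", 7200)        # 1 SBD over: rejected
        blocked = False
    except LimitError:
        blocked = True
    acct.transfer("SBD", 5000, "owner", 7200)          # Owner key bypasses the limit
    acct.transfer("STEEM", 10**6, "active", 0)         # STEEM limit 0: unlimited
    freed = acct.transfer("SBD", 600, "active", WINDOW + 1)  # first 600 aged out
    return blocked, freed
```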
This would essentially enable exchange owners, as well as large stakeholders, to proactively limit their risk in the event of a hack.
Exchange Owners:
For example, if a major exchange holds $2,000,000 worth of STEEM and SBD, and their average daily STEEM/SBD withdrawals are $100,000 a day, they could set the limit to $200,000 a day. The automated withdrawal systems would be unaffected, and rarely - if ever - require human intervention.
In the above example, only 10% of holdings are at risk.
Exchange operators should store their Owner Key and Master password in a secure (multi-sig encrypted) cold (offline) storage, which can be accessed by the top executives only.
If the exchange is hacked, or if a rogue employee decides to rob his employer, the exchange and its users will suffer only a limited loss.
Large Stakeholders
This implementation also applies to savvy users who hold larger amounts of STEEM and SBD in their accounts for market-making or investment purposes. These activities require access to an unlocked wallet or in-memory storage of the active key, both of which are vulnerable to hacker/malware attacks.
We will never be able to achieve bulletproof security; however, that doesn't mean we should wait until bad things happen. We need to be proactive and try to learn from others' mistakes.
amazing Proposal you
It seems to me that they'd be better off just using cold wallets. But maybe you could argue that this is easier to set up and could also be used in addition to a cold wallet as a way to protect the hot wallet.
One of the safest ways to secure transactions is to attach two factor authentication, or BIOMETRIC authentication, in order to transfer funds outside of Steemit.
A lot of people might say that this limits privacy, but isn't the security of your net worth worthy of a tiny interval of authentication? ;)
As of now, the "keys" that allow transferring of funds are susceptible to a host of attacks, such as man in the middle attacks, or keylogging (backdoor, remote access tool) attacks. Adding a two factor authenticator could make the integrity of Steemit account transactions (especially when it comes time to transfer funds outside of Steemit) much more secure.
(The 2FA could even be anonymous, such as with a Yubico Key, or a printed "one time" grid).
2FA will do nothing when holding the private keys, it's only frontend stuff but never helps on server level or RPC.
Good points and suggestions. Like you said there is no way to guarantee security but one should take all possible measures to limit risk. I suppose at least in Steemit there is sort of an active-limit imposed on your SP.
You are all missing the point. If people do not want to trade the money, they will make it non-liquid. If they do, then they need to have it liquid. Steem power means there is no liquidity. Paper wallets are a solution but were forbidden by the government where bitfinex operates. The problem is bitfinex is operating in the wrong country.
Two factor authentication is only for you authenticating with bitfinex and not with the blockchain itself. An insider can still steal whatever is liquid.