Isn’t the blockchain very safe? Why can bitcoins be stolen?

 

A few days ago, Coincheck, one of Japan’s largest bitcoin exchanges, issued a statement saying that the Coincheck server was hacked, and NEM tokens worth 523 million US dollars were stolen. On the same day, Coincheck announced that it would suspend all virtual currency withdrawals and suspend all token transactions except Bitcoin.

 

[Hot wallet and cold wallet]

 

In fact, this is not the first time that a virtual currency exchange has run into trouble. Four years ago, Mt. Gox, then the world’s largest bitcoin exchange, was hacked. At the bitcoin price of the time, the loss amounted to 450 million US dollars, and Mt. Gox filed for bankruptcy protection because it could not make up its customers’ losses. In December 2017, Youbit, a Korean virtual currency exchange, was hacked, lost about 17% of its assets and had to file for bankruptcy.

 

Many people are wondering: both bitcoin and tokens are based on blockchain technology, and one of the long-claimed features of blockchain technology is security. If it is safe, why can it be stolen?

 

In this regard, Tan Yuan, a core development engineer for distributed-technology smart contracts, explained that the theft from this exchange has little to do with the blockchain itself. Virtual currency exchanges are generally centralized: after users deposit funds with the exchange, they trade inside the exchange, and the intermediate steps of those trades are not recorded on the chain. The outcome therefore has nothing to do with the security of the blockchain itself, only with the security level of each exchange’s servers.

 

The truth soon came out. It is understood that, under normal circumstances, Coincheck customers’ virtual currency is stored in the exchange’s "cold wallet", that is, encrypted and stored offline, with the funds secured by physical isolation. However, Coincheck co-founder Yusuke Otsuka said that due to "systemic difficulties", the stolen NEM tokens were kept in a "hot wallet" connected to the Internet, allowing hackers to take advantage of it.

 

To put it simply, the tokens that should have been offline were put online and stolen by hackers.

 

The concepts of "cold wallet" and "hot wallet" need some further explanation here. Generally speaking, a wallet is a tool or piece of software for storing and using virtual currency. A cold wallet is a wallet that is not connected to the Internet, also called an offline wallet; it is generally a computer, mobile phone, hard disk or piece of paper with a private key written on it. A hot wallet is a wallet that stays online, also called an online wallet. At present, the general view is that a cold wallet is safer than a hot wallet, because cutting it off from the Internet puts it beyond the reach of hackers, while any connection to the Internet brings risk. However, a cold wallet can also lose its data through hardware damage.

 

[There is no absolute safety]

 

An industry insider said that no security mechanism, however strong, is absolute. Although the blockchain network is safe against data forgery and tampering, it cannot completely eliminate problems such as leakage, theft, fraud and data privacy leakage.

 

First of all, the existing security design of Bitcoin uses a signature algorithm based on secp256k1 elliptic curve multiplication, together with SHA-256, RIPEMD-160 and Base58 encoding, in the operations that relate the private key, public key and address. You don’t need to know what these algorithms are; just know that they are currently considered very safe. The problem is that in a decentralized financial system like blockchain, if any one of these links is broken, the whole system faces collapse. A centralized system can upgrade and change its algorithms in a short time, but in a decentralized network even a single upgrade is very difficult. As for whether the algorithm behind the bitcoin private key will be cracked, that may depend on how quickly quantum computers are industrialized.

 

In addition, the safekeeping of the private key just mentioned is also a big problem, and whether the private key in blockchain technology is easy to steal remains to be further explored and solved. The private key looks like a string of numbers. You can think of it as your bank account password. Virtual currency users rarely see the private key directly; generally it is stored in wallet files and managed by wallet software. However, whether you use a cold wallet or a hot wallet, anyone who knows your private key can take away your virtual currency. If you hold virtual currency, you must carefully protect your account’s private key, which is the only seal that can prove that the money belongs to you. Traditional centralized institutions like banks can freeze related accounts and recover assets to some extent through real-name authentication and other means. But in the world of bitcoin, if you lose the private key, you will have nothing.

 

The several thefts from virtual currency exchanges have therefore made it clear that the current virtual currency trading environment is far from safe. Developers, trading platforms and investors holding virtual currency all need to improve their security awareness and security measures.

 

As for how to keep your own virtual currency more safely, some experts suggest that large holdings of virtual currency must be stored in an offline cold wallet, while for small amounts, or for virtual currency that needs real-time trading, you can choose a reliable online wallet.

 

So, is the security of an online wallet guaranteed? Tan Yuan said that if the code written by the online wallet supplier is sound (there is no interface for uploading the user’s private key), then the wallet is safe. All the wallet’s data is cached locally in the browser, and a transaction is signed with the private key before it is sent. The whole process does not involve transmitting the private key, so the user’s private key is not leaked. However, it takes time to test whether the code is legitimate and reliable.

 

Because the private key is easily confused with the public key or even the address, experts specifically remind virtual currency users to learn the relevant concepts and never to expose their private key on any website, or in any email or chat software; otherwise hackers can easily take away your wealth through these channels.