Having an MPC is simply not enough to protect digital assets
- August 17, 2020
- 4 minutes read
In face of the growing threat of cryptocurrency theft, institutions that manage digital assets are seeking effective ways to keep hackers at bay. It’s a cat and mouse game, involving multi-million dollars: each time a bank sets-up a new layer of cryptographic defense, hackers seem to find a way to crack it.
In the crypto economy we live in, hackers are going after customers’ private keys. These keys authorize transactions to the blockchain, and since all blockchain transactions are irreversible – once you have control of someone’s key, you can essentially steal all of his or her Bitcoins, Ethereum, Ripple or any other digital currency that person is holding.
So how can these previous keys be protected? The mainstream solution employed by financial institutions dealing with digital assets today are MPCs: a Multi-Party Computation process, in which several independent and remote PCs are involved in the signing ceremony of any blockchain transaction.
MPC security is based on dividing each private key into shards: only by piecing together all shards, the key is revealed. The main rationale here is making life difficult for the casual hacker: break into one PC, and you have just a fraction of the key, which on to itself is useless.
MPCs seem like an effective way of protecting private keys, and various types of MPCs are indeed offered by quite a few companies operating in the blockchain cybersecurity arena. However, all MPCs share a few common vulnerabilities. Let’s take a quick look at these weaknesses that enable hackers to slip through the cracks.
The first vulnerability stems from the somber reality that any PC connected to the internet can potentially be hacked. Regardless how sophisticated its algorithm is, with enough effort and persistence – a skilled hacker will eventually find an attack vector on this device.
The second vulnerability has to do with the size of the MPC network. MPCs are typically programmed so that once the majority of PCs in the MPC network (usually 2 out of 3, or 3 out of 4) provide their shard of the key, the request to execute the transaction is authorized. What this means for hackers, is that they simply need to hack into one or two additional PCs to complete their takeover of the valuable keys. While this entails considerably more effort, in today’s lucrative crypto market, hackers will invest millions in order to steal billions. The equation is that simple.
One would think, “OK, why not add 10 or 20 more PCs to the approval ceremony?”. The problem here is that expanding the MPC network creates serious performance implications, making legitimate transactions to the blockchain slow and inefficient. Hence, the largest MPC networks in the market today typically don’t exceed 5 PCs.
With these inherent vulnerabilities in all MPCs in mind, GK8 takes a radically different approach to securing digital assets: our solution is based on a truly air-gapped vault, which is never connected to the internet, and simply cannot be hacked (even the sharpest hacker can’t break into something that’s off the grid.) The vault is where the keys for the vast majority of digital assets are stored, with MPCs controlling just a fraction of the assets. The vault is connected with a unidirectional connection. This means that signed transactions can only go out from the vault, never in.
On top of the unique vault, GK8 has a patented solution that enables to add dozens of PCs to the custodian MPC network – with no impact on network performance. This is far more than just safety in numbers: the ability to add dozens of automated co-signers to any MPC network changes the equation for hackers, setting up a barrier that climbing over it would by definition require spending more than ever getting in return.
In recent months, cryptocurrencies are becoming a mainstream asset, held by a growing share of households around the world. One sign for this trend is the overall increase in the value of Bitcoin and other major digital coins, fueled by regulatory changes that authorize banks to start offering crypto-based services.
Despite growing customer demand for digital assets, many banks still hesitate to jump on the crypto bandwagon. It’s understandable, considering that as much as $4.5 Billion in crypto were stolen in 2019 alone. That’s exactly why it’s so critical for banks to implement a robust end-to-end platform that mitigates hacker attacks that can result not just in loss of digital assets, but also in severe reputational damage.