QuadrigaCX nightmare — how basic corporate governance could have prevented disaster

Originally published in 21 Cryptos.

The nightmare of every cryptocurrency holder recently became reality, when the founder of a prominent exchange died and took with him the passwords to several cryptocurrency cold wallets.

All of a sudden, more than 100,000 users of QuadrigaCX were left high and dry as the exchange was unable to access more than $140 million worth of cryptocurrency.

Setting aside the suspicious circumstances around the founder’s death and the debated existence of the cold wallets, the most shocking issue here is that just one person was the sole keeper of a password that gave access to millions of dollars of clients’ cryptocurrency.

To place the power of managing all the exchange’s crypto assets to a single person without any sort of contingency plan is beyond negligent. And it is hard to believe this was the standard of wallet management at one of Canada’s largest exchanges.

Sadly, those left to suffer were the unsuspecting users who placed their trust –a juxtaposed concept in the world of blockchain and cryptocurrencies– in the exchange.

The simple fact is that all of this could have been prevented if basic corporate governance was in place at QuadrigaCX, as governance is at the the core of any project’s survival and success.

Read on to learn the key lessons we can take from QuadrigaCX’s disastrous story and how to protect your assets going forward.

Multi-signature wallets

Any custodian of cryptocurrencies, be it an exchange, wallet or individual, needs to balance the security of assets under management with a plan for how other people will access those assets in the case of death or other unexpected circumstances.

Most individual Bitcoin users send transactions with one signature, coming from the owner of the private key of the sending address.

That might be okay if you give your spouse access to your private key. But when it comes to businesses handling large amounts of cryptocurrencies for third parties, proper private key governance becomes absolutely mandatory.

This is commonly handled via the use of multi-signature wallets.

For the uninitiated, a multi-signature wallet requires multiple keys to be accessed. The safety mechanism here is that each person who has a key only has partial access to the cryptocurrency stored there. This protects against theft from within the project and gives added protection against hackers and fraud.

If one user has access to all of the required keys of the wallet, he could potentially move funds out of the wallet without leaving a trace. Given this potential risk, it is imperative that all the keys to a multi-signature wallet are never controlled by a single person.

It goes without saying that the use of multi-signature wallets should be standard practice in any crypto exchange. Making QuadrigaCX’s reliance on its founder alone to both manage and store the passwords to cold wallets almost impossible to believe.

Ironically the founder, Gerald Cotten, himself extolled the virtues of recording private keys on paper wallets and storing them in a vault. In a 2014 podcast, Cotten explained that this was how his exchange safeguarded users’ crypto assets.

Centralized vs. decentralized exchanges

Despite their current prestige and assets under management, many exchanges are still essentially start-ups. In the space of just a couple of years, many exchanges have gone from four guys in a garage and $0 in assets to a 50 person team with $150 million in assets.

Unfortunately, rapid growth doesn’t necessarily mean a startup knows how to manage it all. Given the incredible speed of growth for projects in this industry, often times they can grow faster than its managers can adapt. It takes time to build an exchange and to do it properly.

Eventually, centralized exchanges will have appropriate governance in place, but for now it is important to recognize their weaknesses.

For old school crypto disciples, this is a reminder of why centralized crypto exchanges are poor replicas of the system they were meant to replace. In the future, people will ideally move more toward decentralized exchanges, which operate without a central authority and enable users to engage in direct peer-to-peer transactions.

In decentralized exchanges, people do not have to rely on the management practices of an individual or group of managers. Instead, they are solely responsible to manage their crypto assets.

How to protect your crytpo

Whether you choose to put your funds in a centralized or decentralized exchange, there’s a lot to learn from the QuadrigaCX fallout.

First, try to avoid giving your cryptocurrency to third parties to store on your behalf. There’s a reason why cryptocurrency is about decentralization. Giving your assets to a “trusted third party” is what we’re trying to overcome, not perpetuate.

Second, when you decide to do so, do your proper due diligence! I understand why a Binance account adds value, but just because an exchange has a prominent name that doesn’t necessarily make it safe.

Before opening an account and sending cryptocurrency, make sure the exchange has basic governance in place to secure, manage and utilize its crypto. Ask about their multi-signature policy. What percentage of cryptocurrency is in cold storage? These are basic concerns you need to cross off before moving forward.

Third, unless you’re in the crypto-arbitrage business, you have no business holding large sums of cryptocurrency on an exchange. Get those assets into a cold wallet within your control asap.

Despite even the best of intentions, exchanges fail. And at the end of the day it’s your responsibility to protect yourself and your assets. With time, I have no doubt the industry as a whole will develop better governance practices. But for now, proceed with caution.