The Japanese cryptocurrency exchange Liquid reported a security attack on its hot wallets in an Aug. 19 tweet. Liquid has been operating as a centralized exchange since 2014.
Most centralized crypto exchanges maintain two types of wallets: hot and cold. Hot wallets are connected to the web to allow quick deposits and withdrawals and can be prone to hacks. In comparison, cold wallets are not exposed to the web and offer much stronger security against attacks.
While Liquid did not say how much in funds was stolen, it shared the hacker’s crypto addresses. As per the transactions made by the addresses used by the hacker, the stolen assets are worth over $84 million.
At the same time, it appears that the hacker was unable to transfer all of the assets from the exchange’s hot wallets. The unhacked portion of the funds is now being transferred to its cold wallets, the exchange said.
This is the second time Liquid’s infrastructure was compromised. On Nov. 13 last year, the exchange confirmed a hacker had gained access to its employees’ email accounts and compromised the company’s network.
- - - -
Hacks are not uncommon in the crypto world, but the Liquid attack was notable because MPC – an advanced cryptographic technique in which the private key controlling funds is generated collectively by a set of parties, none of whom can see the fragments calculated by the others – appears to be the technology of choice among banks and blue chip companies looking to get into crypto.
However, the manner in which MPC wallets can be configured is where weakness, namely human error, can creep in, said Michael Shaulov, CEO of Fireblocks, a digital asset custodian.
“Although the attack was on their hot wallets that are based on MPC, my assumption is that this has nothing to do with MPC vulnerabilities,” Shaulov told CoinDesk.
In Shaulov’s opinion, the exchange’s security policy was likely designed in such a way that the original hacker was able to bypass its entire approval process and instruct the wallets to withdraw coins, without affecting the private key.
“MPC is more secure than a hot wallet, but is not enough by itself for banks who need to manage more than tens of millions of dollars’ worth of crypto,” Lamesh said in an interview. “But it’s fine to manage, say, 2% or 3% of assets, while the majority of the assets will be managed in a cold vault where they are 100% safe since they’re never connected to the internet.”