The hacking problem is why all along I had always assumed I would be using an
Open Transactions server, and also had always planned to in effect have it be more than 100% reserve rather than fractional reserve or merely 100% reserve.
Basically the idea is that once tokens are created representing coins, the coins those tokens represent will never move until the tokens are destroyed, and the server will not be creating and destroying tokens on demand, sending out coins from hot warm or cold wallets when tokens are destroyed.
Instead, coins would be frozen "forever", that is, until such time as the system is to be closed down or is going to no longer trade in a particular coin.
Ideally centuries could go by with the system becoming an ancient institution, still with the same original coins in super-cold wallets, never moving.
The more than 100% reserve concept comes in to it due to the desire people might have to cash tokens out for actual on-blockchain coins.
The idea is that that function would be a third party function, a distinct thing, a service that buys and sells tokens. The coins represented by the tokens would not move, only the tokens would change hands. So if someone for example bought up all the dBTC (digiBiTCoin) tokens that represent actual bitcoins frozen in a supercold wallet cryptographically diffused across several Fortresses of Solitude, there would need to be that many actual bitcoins available to "cash them out" with over and above the supercold-wallet coins those tokens actually represent.
We would not destroy tokens to release bitcoins back into circulation, rather the tokens would be bought and sold using other, additional bitcoins.
This of course meant that I was not able to enter more than half as many coins of each type into the Open Transactions system as I actually had, because I held onto as many coins as I put in so that I could be the bailer-out-of-funds of last resort in the event third parties did not materialise to take on the "bailer in and out of the system" functions.
So in theory the coins ought not to be able to be hacked, because they would be in wallets in safe-deposit boxes or buried or whatever, wallets there is no plan and hopefully no need to ever actually go and dig up.
Remember that tribe that made stone wheels as money? And the King had a huge such wheel behind his throne? And it rolled into the sea one day? They were able to keep on using it as money because all that they needed was to know who owned it currently, regardless of the fact it was on the sea-bed and they could not go get it from there.
It'd be like that: the tokens represent coins, but ideally we never need touch those coins because we just buy and sell ownership of them and always have on hand enough additional coins to cash out all the tokens.
Unfortunately this does mean that for each million of a coin we have on the server, an additional million need to be somewhere ready to buy the tokens that represent the million coins bailed-in to the system. But it did seem to me that at least for using the markets to trade all the coins and other assets against each other this should be a system reasonably immune to hacking.
(Note that in Open Transactions all balances are cryptographically signed, your balance cannot be changed without your private key being used to sign the new receipt-aka-balance.)
-MarkM-