
Topic: Storing Cryptocurrency in Coinbase Vault Vs Hardware Wallet? (Read 562 times)

legendary
Activity: 2268
Merit: 18771
If a customer is tricked into providing their password and 2FA token to a scammer, if coin is being withdrawn from "coinbase vault" the customer will have time to realize they have been tricked and can cancel the withdrawal.
True, but a very niche attack. Far more likely that someone's email address is compromised through a weak password, password reuse, database leak, password reset, phishing, etc., and then the scammer uses that email to access their exchange account. And of course once the scammer has access to your email, they can prevent you from even seeing the emails from Coinbase informing you of an attempted withdrawal. And if a scammer can convince someone who is naive enough to hand over their exchange password and 2FA, they can probably convince them to either also hand over their email password or to ignore the email from Coinbase informing them of the withdrawal.

All in all, it's a weak system and in no way comparable to a hardware wallet as OP has suggested.
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
The new implementation provides only incremental security above keeping your coin on an exchange.
Agreed. I don't blame them for discontinuing an old service which was being under-utilized, but promoting this new vault service as anything other than just a separate number on your screen is disingenuous. It is no more secure than any other exchange account.
I understand that many losses from keeping coin on exchanges result from some type of phishing against the customer. If a customer is tricked into providing their password and 2FA token to a scammer, if coin is being withdrawn from "coinbase vault" the customer will have time to realize they have been tricked and can cancel the withdrawal. So there is a scope of potential losses in which using the "vault" feature that coinbase offers is more secure than keeping coin in their coinbase account.

If the customer is subjected to more advanced attacks, they will potentially lose their coin, even if using the 'vault' feature. Ditto with regards to if coinbase is unable to pay their customers their coin, or if coinbase decides they should not allow the customer to withdraw their coin.
legendary
Activity: 2268
Merit: 18771
It's not the same thing. I know a few people who use Binance to trade shitcoins and a few others who wanted to buy stuff with Bitcoin and used a similar exchange, but none who want to keep their crypto in a vault they'll have no control over, imagining they'll be safe there.
But I also know people who leave all their coins in the hands of Coinbase or Binance long term, believing them to be "safe". It makes no real difference if they are sitting in your Coinbase exchange account or your Coinbase vault. The outcome is the same; you control nothing, Coinbase controls everything, someone who hacks your email can steal your coins, and Coinbase can freeze/lock/seize/etc. your coins and account at any time. The only discernible difference is a 24 hour delay on withdrawals.

The new implementation provides only incremental security above keeping your coin on an exchange.
Agreed. I don't blame them for discontinuing an old service which was being under-utilized, but promoting this new vault service as anything other than just a separate number on your screen is disingenuous. It is no more secure than any other exchange account.
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
Coinbase vault is essentially a 2-of-3 multisig setup.
Not anymore.

Coinbase vaults used to be a 2-of-3 multi-sig, but with their own needlessly complex set of protocols and software instead of just three BIP39 seed phrases or master private keys like they should have done. This is what the user in the post I linked to above is having trouble recovering. These were discontinued years ago, as can be seen here: https://blog.coinbase.com/multisig-vaults-on-coinbase-c21f58eed7cb

Coinbase vaults are now just a separate section of your Coinbase account. They are a single sig account with the keys held solely by Coinbase. The only difference is that when you request a withdrawal, they delay it for 24 hours and send you an email first. You do not have the ability to withdraw your coins without Coinbase's approval and cooperation.
That is a big change. Their old setup allowed you to keep one of three keys in cold storage off-site and gives you security that is increased from having your keys on your internet-connected computer. The new implementation provides only incremental security above keeping your coin on an exchange.

Their blog says the previous implementation was not being used by many customers and was taking up engineering resources, so I don't blame coinbase for discontinuing their "vault" service.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
People store their coins on exchanges and other third party services all the time, which is exactly the same thing.
It's not the same thing. I know a few people who use Binance to trade shitcoins and a few others who wanted to buy stuff with Bitcoin and used a similar exchange, but none who want to keep their crypto in a vault they'll have no control over, imagining they'll be safe there.

That's hilariously tragic.
legendary
Activity: 2268
Merit: 18771
You do not have the ability to withdraw your coins without Coinbase's approval and cooperation.
This is unbelievable. Are there people who use it, for real? Can't they realize there's something really faulty with it?
People store their coins on exchanges and other third party services all the time, which is exactly the same thing. You cannot withdraw your coins from any exchange without that exchange's approval and cooperation. If the exchange decides not to let you withdraw your coins, then there is pretty much nothing you can do about it.

At least some exchanges like Kraken are open and honest that they may get forced to shut down your account and seize your coins at any time. Exchanges like Binance and Coinbase deliberately try to keep their users in the dark, touting the safety of these stupid vaults or how funds are "safu".
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
You do not have the ability to withdraw your coins without Coinbase's approval and cooperation.
This is unbelievable. Are there people who use it, for real? Can't they realize there's something really faulty with it?
legendary
Activity: 2268
Merit: 18771
Coinbase vault is essentially a 2-of-3 multisig setup.
Not anymore.

Coinbase vaults used to be a 2-of-3 multi-sig, but with their own needlessly complex set of protocols and software instead of just three BIP39 seed phrases or master private keys like they should have done. This is what the user in the post I linked to above is having trouble recovering. These were discontinued years ago, as can be seen here: https://blog.coinbase.com/multisig-vaults-on-coinbase-c21f58eed7cb

Coinbase vaults are now just a separate section of your Coinbase account. They are a single sig account with the keys held solely by Coinbase. The only difference is that when you request a withdrawal, they delay it for 24 hours and send you an email first. You do not have the ability to withdraw your coins without Coinbase's approval and cooperation.
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
I have only one question -- can Coinbase staff intervene in your security setup and somehow prevent you from accessing your funds?
Coinbase vault is essentially a 2-of-3 multisig setup. Coinbase has one key and you have two of the other keys. The instructions that coinbase provides are that the 3rd key (the 2nd key that you control) should be kept in a hard-to-access location that can be accessed in case coinbase will not sign a transaction spending your coin.

So you will sign a transaction with the 1st key, and after coinbase does its security checks, they will sign with the 2nd key. If for whatever reason the security checks do not pass, coinbase will not sign the transaction, but you have the ability to sign the transaction by using the 3rd key.
legendary
Activity: 2730
Merit: 7065
I have lost track of the number of people I have seen complaining on here, Reddit, Twitter, etc., about some centralized exchange (not necessarily Coinbase) locking them out of their funds for no discernible reason, or withdrawing service and not giving them an opportunity to withdraw their coins first.
There are loads of such examples of various centralized exchanges, but I was only referring to issues with the Coinbase Vault in my previous post. Besides the thread you linked to, which is different in nature, I can't remember reading other complaints where users weren't given access to their coins held in the Vault because they are sanctioned for whatever reason. 

Coinbase have already announced that they have frozen 25,000 Russian accounts and prevented the owners from accessing their coins. I would be very surprised if that number doesn't increase over the coming days and weeks.
Thanks, I haven't heard that news until now. What a bad move by a bad government-controlled exchange. There goes neutrality for you. I hope those 25.000 users + an additional 250.000 move away from this centralized service provider and start using a decentralized one.
legendary
Activity: 2268
Merit: 18771
I think there would be many complaints if the exchange was misbehaving when it comes to sanctioned individuals or whole countries.
I have lost track of the number of people I have seen complaining on here, Reddit, Twitter, etc., about some centralized exchange (not necessarily Coinbase) locking them out of their funds for no discernible reason, or withdrawing service and not giving them an opportunity to withdraw their coins first. The problem is nobody cares about these myriad of complaints until it happens to them individually, by which point it is too late.

Let's see if something pops up because of the Russian occupation of Ukraine.
Coinbase have already announced that they have frozen 25,000 Russian accounts and prevented the owners from accessing their coins. I would be very surprised if that number doesn't increase over the coming days and weeks.
legendary
Activity: 2730
Merit: 7065
To be fair, it does say that their checks are carried out during the registration process. So if you live in a sanctioned country, they will detect it and prevent you from registering. That's the theory at least. If you get sanctioned after you already registered your account, they are supposed to inform you that you can no longer use their services and provide you with a timeframe in which you can withdraw your assets. Again, that's only theory. I think there would be many complaints if the exchange was misbehaving when it comes to sanctioned individuals or whole countries. I don't remember ever seeing a case like that on Bitcointalk. Let's see if something pops up because of the Russian occupation of Ukraine.     
legendary
Activity: 2464
Merit: 4415
🔐BitcoinMessage.Tools🔑
I have only one question -- can Coinbase staff intervene in your security setup and somehow prevent you from accessing your funds? If the answer is "Yes, they can!" then the whole system of securing your funds with the custodian that powerful is seriously flawed. Because if they can intervene, they will find a reason to freeze your account. Real-world example: yesterday, I could create an account on Coinbase, and I could make use of the crypto vault to protect at least some part of my funds. Today, something has suddenly changed, and I am not allowed to use Coinbase services because I now live in a sanctioned country. Coinbase, due to particular legal requirements, has to comply with US law, and therefore it cannot anymore provide me access to the funds the keys to which Coinbase fully controls.

Just read this article to understand what I am talking about: https://blog.coinbase.com/using-crypto-tech-to-promote-sanctions-compliance-8a17b1dabd68

Quote
No compliance program is perfect, including ours. But to play our part in these critical economic sanctions, Coinbase implements a multi-layered, global sanctions program. We take steps to:

Block access to sanctioned actors. During onboarding, Coinbase checks account applications against lists of sanctioned individuals or entities, including those maintained by the United States, United Kingdom, European Union, United Nations, Singapore, Canada, and Japan. [...] If a customer lives in a sanctioned country or region, or if they are identified as a sanctioned individual or entity, they cannot open an account on our platform.

Detect attempts at evasion. Coinbase regularly updates the global sanctions lists that we use for screening. If someone has opened a Coinbase account and is later sanctioned, we use this ongoing screening process to identify that account and terminate it. [...]

Anticipate threats. Coinbase maintains a sophisticated blockchain analytics program to identify high-risk behavior, study emerging threats, and develop new mitigations. For example, we have methods for identifying accounts held by sanctioned individuals outside of Coinbase, even if we don’t have direct access to their personal information. [...]
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
If someone is not confident in keeping their seed phrase safe, then wouldn't coinbase vault probably be the best option then? Have there been any cases of it being hacked from anyone?
No.

My understanding is that you still need to provide your private keys in order to spend coin from "coinbase vault", so it would not be a good solution. You are basically relying on coinbase's security measures to prevent you from immediately spending your coin.

If you cannot keep your private keys safe, frankly, you should not be using bitcoin. I'm sorry, but that is the truth.

It would be a superior solution to keep parts of your private key/seed in separate locations, or you could use multisig and keep the private keys in separate locations.
legendary
Activity: 2268
Merit: 18771
Here's another good reason never to use a Coinbase Vault: https://bitcointalksearch.org/topic/recover-coinbase-multisig-wallet-to-electrum-5381583

The user in this thread had their funds stored in an old-style Coinbase Vault. Coinbase then removed support for these vaults, and the user has been unable to access their coins for some time, despite multiple attempts at finding and decrypting various passwords and keys.

The thing is if you want to get your coins out of the vault, coinbase will make sure they do some strict verification because they move the coins outside the vault again right?
Nope. See here: https://help.coinbase.com/en/coinbase/getting-started/other/vaults-faq. They simply send you an email first. Given that the most likely way for an attacker to access your vault is via your email account, then this achieves next to nothing, since the attacker can set up a rule on your email account so you never even see the email arrive.
legendary
Activity: 2730
Merit: 7065
If someone is not confident in keeping their seed phrase safe, then wouldn't coinbase vault probably be the best option then? Have there been any cases of it being hacked from anyone?
You know, no crypto exchange has ever been hacked until the moment it happens for the first time. And when it does, your money is gone. Hacking isn't the only thing you should worry about. Inside jobs are equally possible. After all these years, we still don't know what happened to Mt.Gox. They claim that they were hacked but who knows. xtraelv made a great thread on this subject here. Someone once said that there are two types of centralized exchanges: those that have been hacked and those that have not yet been hacked.   

The thing is if you want to get your coins out of the vault, coinbase will make sure they do some strict verification because they move the coins outside the vault again right?
You are supposed to be controlling and making your own decisions on what you do with your money. Not me, not Coinbase, and not your neighbor. If you put your coins in Coinbase's custody, they will tell you what hoops you need to jump through before you can access your own money. That isn't how it is supposed to be. If that's the way you want it, sure go ahead. Spread them out around multiple centralized exchanges.
legendary
Activity: 3472
Merit: 10611
If someone is not confident in keeping their seed phrase safe, then wouldn't coinbase vault probably be the best option then? Have there been any cases of it being hacked from anyone?
If someone is not capable of keeping their seed phrase safe they shouldn't be owning bitcoin in the first place since that's a pretty basic ability! And to answer your second question, the problem is not just hacks but the biggest problem is that you are trusting a third party. The exact thing that bitcoin was created to eliminate (which is another reason why such people shouldn't use bitcoin). Not to mention that Coinbase could at any time close your account and take your money whether it is in their vault or account or exchange,...
full member
Activity: 1792
Merit: 186
If someone is not confident in keeping their seed phrase safe, then wouldn't coinbase vault probably be the best option then? Have there been any cases of it being hacked from anyone?


The thing is if you want to get your coins out of the vault, coinbase will make sure they do some strict verification because they move the coins outside the vault again right? 
legendary
Activity: 2730
Merit: 7065
if you don't want to buy a hardware wallet and you aren't comfortable with using a service like Coinbase Vault...
I guess you don't know jerry0 that well from all his posts in the recent years. jerry0 owns a Nano S. He owned one in the past as well, but its screen broke so he bought a new one. Check the hardware wallet section to learn more. There are dozens of posts and threads by him about passphrases, hidden accounts, Ledger Live, storing recovery phrases, etc. He doesn't need Coinbase Vault, he stores his seed on a password manager.

And yeah I almost forgot... any suggestions you make, will come back to slap you in the face because it's not going to change anything.   
legendary
Activity: 3556
Merit: 7011
Top Crypto Casino
Now the more I think about it... if you keep it in an exchange but very reputable... think coinbase/gemini or maybe kraken/binance... isn't that pretty damn safe?  But when I checked coinbase, they also have this thing called coinbase vault which apparently makes it even safer?
I can't stand Coinbase, but if you absolutely had to store crypto on an exchange, they'd be the one I'd choose--but why would you even want to entrust your coins to any exchange when you could keep them securely in your own wallet?  I doubt Coinbase is going to pull an exit scam or suffer a hack so severe that their customers would lose their coins, but they do monitor their users and no doubt are in bed with the government.  Do you want to be surveilled? 

Gemini, Kraken, and Binance are all reputable, but personally I wouldn't trust any exchange to hold onto my crypto for me.  It's just not worth the risk when it's easy enough to maintain control over your private keys with a paper or software or hardware wallet.