Topic: Storing Cryptocurrency in Coinbase Vault Vs Hardware Wallet? (Read 519 times)

legendary
Activity: 2268
Merit: 18503
If a customer is tricked into providing their password and 2FA token to a scammer, if coin is being withdrawn from "coinbase vault" the customer will have time to realize they have been tricked and can cancel the withdrawal.
True, but a very niche attack. Far more likely that someone's email address is compromised through a weak password, password reuse, database leak, password reset, phishing, etc., and then the scammer uses that email to access their exchange account. And of course once the scammer has access to your email, they can prevent you from even seeing the emails from Coinbase informing you of an attempted withdrawal. And if a scammer can convince someone who is naive enough to hand over their exchange password and 2FA, they can probably convince them to either also hand over their email password or to ignore the email from Coinbase informing them of the withdrawal.

All in all, it's a weak system and in no way comparable to a hardware wallet as OP has suggested.
copper member
Activity: 1610
Merit: 1898
Amazon Prime Member #7
The new implementation provides only incremental security above keeping your coin on an exchange.
Agreed. I don't blame them for discontinuing an old service which was being under-utilized, but promoting this new vault service as anything other than just a separate number on your screen is disingenuous. It is no more secure than any other exchange account.
I understand that many losses from keeping coin on exchanges result from some type of phishing against the customer. If a customer is tricked into providing their password and 2FA token to a scammer, if coin is being withdrawn from "coinbase vault" the customer will have time to realize they have been tricked and can cancel the withdrawal. So there is a scope of potential losses in which using the "vault" feature that coinbase offers is more secure than keeping coin in their coinbase account.

If the customer is subjected to more advanced attacks, they will potentially lose their coin, even if using the 'vault' feature. Ditto with regards to if coinbase is unable to pay their customers their coin, or if coinbase decides they should not allow the customer to withdraw their coin.
legendary
Activity: 2268
Merit: 18503
It's not the same thing. I know a few people who use Binance to trade shitcoins and a few others who wanted to buy stuff with Bitcoin and used a similar exchange, but none who wants to keep their crypto in a vault they'll have no control over, imagining they'll be safe there.
But I also know people who leave all their coins in the hands of Coinbase or Binance long term, believing them to be "safe". It makes no real difference if they are sitting in your Coinbase exchange account or your Coinbase vault. The outcome is the same; you control nothing, Coinbase controls everything, someone who hacks your email can steal your coins, and Coinbase can freeze/lock/seize/etc. your coins and account at any time. The only discernible difference is a 24 hour delay on withdrawals.

The new implementation provides only incremental security above keeping your coin on an exchange.
Agreed. I don't blame them for discontinuing an old service which was being under-utilized, but promoting this new vault service as anything other than just a separate number on your screen is disingenuous. It is no more secure than any other exchange account.
copper member
Activity: 1610
Merit: 1898
Amazon Prime Member #7
Coinbase vault is essentially a 2-of-3 multisig setup.
Not anymore.

Coinbase vaults used to be a 2-of-3 multi-sig, but with their own needlessly complex set of protocols and software instead of just three BIP39 seed phrases or master private keys like they should have done. This is what the user in the post I linked to above is having trouble recovering. These were discontinued years ago, as can be seen here: https://blog.coinbase.com/multisig-vaults-on-coinbase-c21f58eed7cb

Coinbase vaults are now just a separate section of your Coinbase account. They are a single sig account with the keys held solely by Coinbase. The only difference is that when you request a withdrawal, they delay it for 24 hours and send you an email first. You do not have the ability to withdraw your coins without Coinbase's approval and cooperation.
That is a big change. Their old setup allowed you to keep one of three keys in cold storage off-site and gives you security that is increased from having your keys on your internet-connected computer. The new implementation provides only incremental security above keeping your coin on an exchange.

Their blog says the previous implementation was not being used by many customers and was taking up engineering resources, so I don't blame coinbase for discontinuing their "vault" service.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
People store their coins on exchanges and other third party services all the time, which is exactly the same thing.
It's not the same thing. I know a few people who use Binance to trade shitcoins and a few others who wanted to buy stuff with Bitcoin and used a similar exchange, but none who wants to keep their crypto in a vault they'll have no control over, imagining they'll be safe there.

That's hilariously tragic.
legendary
Activity: 2268
Merit: 18503
You do not have the ability to withdraw your coins without Coinbase's approval and cooperation.
This is unbelievable. Are there people who use it, for real? Can't they realize there's something really faulty with it?
People store their coins on exchanges and other third party services all the time, which is exactly the same thing. You cannot withdraw your coins from any exchange without that exchange's approval and cooperation. If the exchange decides not to let you withdraw your coins, then there is pretty much nothing you can do about it.

At least some exchanges like Kraken are open and honest that they may get forced to shut down your account and seize your coins at any time. Exchanges like Binance and Coinbase deliberately try to keep their users in the dark, touting the safety of these stupid vaults or how funds are "safu".
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
You do not have the ability to withdraw your coins without Coinbase's approval and cooperation.
This is unbelievable. Are there people who use it, for real? Can't they realize there's something really faulty with it?
legendary
Activity: 2268
Merit: 18503
Coinbase vault is essentially a 2-of-3 multisig setup.
Not anymore.

Coinbase vaults used to be a 2-of-3 multi-sig, but with their own needlessly complex set of protocols and software instead of just three BIP39 seed phrases or master private keys like they should have done. This is what the user in the post I linked to above is having trouble recovering. These were discontinued years ago, as can be seen here: https://blog.coinbase.com/multisig-vaults-on-coinbase-c21f58eed7cb

Coinbase vaults are now just a separate section of your Coinbase account. They are a single sig account with the keys held solely by Coinbase. The only difference is that when you request a withdrawal, they delay it for 24 hours and send you an email first. You do not have the ability to withdraw your coins without Coinbase's approval and cooperation.
copper member
Activity: 1610
Merit: 1898
Amazon Prime Member #7
I have only one question -- can Coinbase staff intervene in your security setup and somehow prevent you from accessing your funds?
Coinbase vault is essentially a 2-of-3 multisig setup. Coinbase has one key and you have two of the other keys. The instructions that coinbase provides are that the 3rd key (the 2nd key that you control) should be kept in a hard-to-access location that can be accessed in case coinbase will not sign a transaction spending your coin.

So you will sign a transaction with the 1st key, and after coinbase does its security checks, they will sign with the 2nd key. If for whatever reason the security checks do not pass, coinbase will not sign the transaction, but you have the ability to sign the transaction by using the 3rd key.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I have lost track of the number of people I have seen complaining on here, Reddit, Twitter, etc., about some centralized exchange (not necessarily Coinbase) locking them out of their funds for no discernible reason, or withdrawing service and not giving them an opportunity to withdraw their coins first.
There are loads of such examples of various centralized exchanges, but I was only referring to issues with the Coinbase Vault in my previous post. Besides the thread you linked to, which is different in nature, I can't remember reading other complaints where users weren't given access to their coins held in the Vault because they are sanctioned for whatever reason. 

Coinbase have already announced that they have frozen 25,000 Russian accounts and prevented the owners from accessing their coins. I would be very surprised if that number doesn't increase over the coming days and weeks.
Thanks, I haven't heard that news until now. What a bad move by a bad government-controlled exchange. There goes neutrality for you. I hope those 25.000 users + an additional 250.000 move away from this centralized service provider and start using a decentralized one.
legendary
Activity: 2268
Merit: 18503
I think there would be many complaints if the exchange was misbehaving when it comes to sanctioned individuals or whole countries.
I have lost track of the number of people I have seen complaining on here, Reddit, Twitter, etc., about some centralized exchange (not necessarily Coinbase) locking them out of their funds for no discernible reason, or withdrawing service and not giving them an opportunity to withdraw their coins first. The problem is nobody cares about these myriad of complaints until it happens to them individually, by which point it is too late.

Let's see if something pops up because of the Russian occupation of Ukraine.
Coinbase have already announced that they have frozen 25,000 Russian accounts and prevented the owners from accessing their coins. I would be very surprised if that number doesn't increase over the coming days and weeks.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
To be fair, it does say that their checks are carried out during the registration process. So if you live in a sanctioned country, they will detect it and prevent you from registering. That's the theory at least. If you get sanctioned after you already registered your account, they are supposed to inform you that you can no longer use their services and provide you with a timeframe in which you can withdraw your assets. Again, that's only theory. I think there would be many complaints if the exchange was misbehaving when it comes to sanctioned individuals or whole countries. I don't remember ever seeing a case like that on Bitcointalk. Let's see if something pops up because of the Russian occupation of Ukraine.     
legendary
Activity: 2310
Merit: 4313
🔐BitcoinMessage.Tools🔑
I have only one question -- can Coinbase staff intervene in your security setup and somehow prevent you from accessing your funds? If the answer is "Yes, they can!" then the whole system of securing your funds with the custodian that powerful is seriously flawed. Because if they can intervene, they will find a reason to freeze your account. Real-world example: yesterday, I could create an account on Coinbase, and I could make use of the crypto vault to protect at least some part of my funds. Today, something has suddenly changed, and I am not allowed to use Coinbase services because I now live in a sanctioned country. Coinbase, due to particular legal requirements, has to comply with US law, and therefore it cannot anymore provide me access to the funds the keys to which Coinbase fully controls.

Just read this article to understand what I am talking about: https://blog.coinbase.com/using-crypto-tech-to-promote-sanctions-compliance-8a17b1dabd68

Quote
No compliance program is perfect, including ours. But to play our part in these critical economic sanctions, Coinbase implements a multi-layered, global sanctions program. We take steps to:

Block access to sanctioned actors. During onboarding, Coinbase checks account applications against lists of sanctioned individuals or entities, including those maintained by the United States, United Kingdom, European Union, United Nations, Singapore, Canada, and Japan. [...] If a customer lives in a sanctioned country or region, or if they are identified as a sanctioned individual or entity, they cannot open an account on our platform.

Detect attempts at evasion. Coinbase regularly updates the global sanctions lists that we use for screening. If someone has opened a Coinbase account and is later sanctioned, we use this ongoing screening process to identify that account and terminate it. [...]

Anticipate threats. Coinbase maintains a sophisticated blockchain analytics program to identify high-risk behavior, study emerging threats, and develop new mitigations. For example, we have methods for identifying accounts held by sanctioned individuals outside of Coinbase, even if we don’t have direct access to their personal information. [...]
copper member
Activity: 1610
Merit: 1898
Amazon Prime Member #7
If someone is not confident in keeping their seed phrase safe, then wouldn't coinbase vault probably be the best option then? Have there been any cases of it being hacked from anyone?
No.

My understanding is that you still need to provide your private keys in order to spend coin from "coinbase vault", so it would not be a good solution. You are basically relying on coinbase's security measures to prevent you from immediately spending your coin.

If you cannot keep your private keys safe, frankly, you should not be using bitcoin. I'm sorry, but that is the truth.

It would be a superior solution to keep parts of your private key/seed in separate locations, or you could use multisig and keep the private keys in separate locations.
legendary
Activity: 2268
Merit: 18503
Here's another good reason never to use a Coinbase Vault: https://bitcointalksearch.org/topic/recover-coinbase-multisig-wallet-to-electrum-5381583

The user in this thread had their funds stored in an old-style Coinbase Vault. Coinbase then removed support for these vaults, and the user has been unable to access their coins for some time, despite multiple attempts at finding and decrypting various passwords and keys.

The thing is if you want to get your coins out of the vault, coinbase will make sure they do some strict verification because they move the coins outside the vault again right?
Nope. See here: https://help.coinbase.com/en/coinbase/getting-started/other/vaults-faq. They simply send you an email first. Given that the most likely way for an attacker to access your vault is via your email account, then this achieves next to nothing, since the attacker can set up a rule on your email account so you never even see the email arrive.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
If someone is not confident in keeping their seed phrase safe, then wouldn't coinbase vault probably be the best option then? Have there been any cases of it being hacked from anyone?
You know, no crypto exchange has ever been hacked until the moment it happens for the first time. And when it does, your money is gone. Hacking isn't the only thing you should worry about. Inside jobs are equally possible. After all these years, we still don't know what happened to Mt.Gox. They claim that they were hacked but who knows. xtraelv made a great thread on this subject here. Someone once said that there are two types of centralized exchanges: those that have been hacked and those that have not yet been hacked.   

The thing is if you want to get your coins out of the vault, coinbase will make sure they do some strict verification because they move the coins outside the vault again right?
You are supposed to be controlling and making your own decisions on what you do with your money. Not me, not Coinbase, and not your neighbor. If you put your coins in Coinbase's custody, they will tell you what hoops you need to jump through before you can access your own money. That isn't how it is supposed to be. If that's the way you want it, sure go ahead. Spread them out around multiple centralized exchanges.
legendary
Activity: 3402
Merit: 10424
If someone is not confident in keeping their seed phrase safe, then wouldn't coinbase vault probably be the best option then? Have there been any cases of it being hacked from anyone?
If someone is not capable of keeping their seed phrase safe they shouldn't be owning bitcoin in the first place since that's a pretty basic ability! And to answer your second question, the problem is not just hacks but the biggest problem is that you are trusting a third party. The exact thing that bitcoin was created to eliminate (which is another reason why such people shouldn't use bitcoin). Not to mention that Coinbase could at any time close your account and take your money whether it is in their vault or account or exchange...
full member
Activity: 1708
Merit: 185
If someone is not confident in keeping their seed phrase safe, then wouldn't coinbase vault probably be the best option then? Have there been any cases of it being hacked from anyone?


The thing is if you want to get your coins out of the vault, coinbase will make sure they do some strict verification because they move the coins outside the vault again right? 
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
if you don't want to buy a hardware wallet and you aren't comfortable with using a service like Coinbase Vault...
I guess you don't know jerry0 that well from all his posts in the recent years. jerry0 owns a Nano S. He owned one in the past as well, but its screen broke so he bought a new one. Check the hardware wallet section to learn more. There are dozens of posts and threads by him about passphrases, hidden accounts, Ledger Live, storing recovery phrases, etc. He doesn't need Coinbase Vault, he stores his seed on a password manager.

And yeah I almost forgot... any suggestions you make, will come back to slap you in the face because it's not going to change anything.   
legendary
Activity: 3234
Merit: 6706
Proudly Cycling Merits for Foxpup
Now the more I think about it... if you keep it in an exchange but very reputable... think coinbase/gemini or maybe kraken/binance... isn't that pretty damn safe? But when I checked coinbase, they also have this thing called coinbase vault which apparently makes it even safer?
I can't stand Coinbase, but if you absolutely had to store crypto on an exchange, they'd be the one I'd choose--but why would you even want to entrust your coins to any exchange when you could keep them securely in your own wallet?  I doubt Coinbase is going to pull an exit scam or suffer a hack so severe that their customers would lose their coins, but they do monitor their users and no doubt are in bed with the government.  Do you want to be surveilled? 

Gemini, Kraken, and Binance are all reputable, but personally I wouldn't trust any exchange to hold onto my crypto for me.  It's just not worth the risk when it's easy enough to maintain control over your private keys with a paper or software or hardware wallet.
hero member
Activity: 1680
Merit: 655
I've commented in one of your threads related to this and it seems like you are not comfortable using the Coinbase Vault, as you have a lot of questions about it and you are worried about its safety and how it can be hacked by someone else. Maybe I can give you an alternative for your storage problems. If you don't want to buy a hardware wallet and you aren't comfortable with using a service like Coinbase Vault, you can always create a cold storage of your own by using an old phone/laptop where you install Electrum and you keep that device offline, meaning not connected to the internet at all. In this way you have peace of mind about any hacks happening from your wallet, as it is an offline device.
legendary
Activity: 3640
Merit: 1345
Armory Developer
The whole censorship resistance angle of Bitcoin goes out the window when you're trusting a custodian, specifically a regulated one. Regulated entities answer to the state first and foremost. They will tell your government how many coins you have and give them the funds if they ask hard enough. A storage solution that doesn't even offer you the opportunity to defend against governmental attacks is worthless.
legendary
Activity: 2212
Merit: 7060
Cashback 15%
Would you guys ever recommend using trusted custodians when the situation seemingly calls for it?
You mean ''trusted'' custodian like Bitgo, or exchanges like MtGox for example?
Her son could be more trusted than some company, and they can even share control over Bitcoin with some multisig solution, so in case she loses her keys her son can always recover the funds.
Why would she keep this away from her family when she is going to die at some point and probably leave coins to her son and family? Dealing with some custodian will only complicate the whole situation with inheritance.

Supposing you cannot trust her about writing down and hiding away seed words since she even looks for her eyeglasses when she's wearing them. Supposing she doesn't care about anonymity, dealing with a third party like a bank, and her funds could easily fall within a crypto custodian's insurance limit.

Would you, then, recommend it?
Can you trust her to write down anything, store and remember codes for her credit cards or password for her email accounts and smartphone?
I don't see why learning about the importance of controlling your own coins, keys and wealth would be a bad idea, and it's not really that complicated, except if she is senile and has Alzheimer's.
legendary
Activity: 1134
Merit: 1597
Would you, then, recommend it?
For her sake, yes. For the sake of Bitcoin's existence and future, no way. We have to look at the long-term effects of those things and they are surely not positive if we end up recommending custodial and trusted wallets. Bitcoin wasn't made for us to become rich but for us to be financially free. By promoting and advertising companies that go against Bitcoin's fundamental ideas, we're supporting Bitcoin's enemies.

If the woman doesn't care about third parties, then it makes no sense first of all to purchase Bitcoins. There are options out there like Revolut and eToro that let you purchase just the value of BTC instead, but I think supporting them is just as bad even if it's just for speculation.
HCP
legendary
Activity: 2086
Merit: 4314
At that point... she is effectively just trading one set of risks (fiat depreciation, govt control etc) with another set of risks (volatility, lack of govt control, possibility of govt control in the future, trustworthiness of centralised service etc).

Given that they're basically indicating that they don't appear to care about the whole "financial freedom" part of the Bitcoin equation, I'd have to question why they want Bitcoin in the first place? It would seem they were just wanting the "Big Gains"™ that everyone talks about (which come with the "Big Risks"™). Given that they're "elderly"... that is probably not the proper risk profile if they want to guarantee that something is left for children/grandchildren.

Also... define "trusted custodian"? Do you just mean "Big Name Exchange"™?
legendary
Activity: 2548
Merit: 1847
🙏🏼Padayon...🙏
I'm sorry for hijacking this thread a bit but my question is still well within context so no need for another thread.

Would you guys ever recommend using trusted custodians when the situation seemingly calls for it?

Supposing the elderly mother of a friend suddenly gets curious about Bitcoin and after a few briefings on its risks and all, she has finally decided she wants a significant portion of her wealth converted into Bitcoin for long-term safekeeping, mainly against perpetual fiat depreciation, for her children and grandchildren. She wants to keep her decision from any of her family.

Supposing you cannot trust her about writing down and hiding away seed words since she even looks for her eyeglasses when she's wearing them. Supposing she doesn't care about anonymity, dealing with a third party like a bank, and her funds could easily fall within a crypto custodian's insurance limit.

Would you, then, recommend it?
mk4
legendary
Activity: 2716
Merit: 3817
🪸 NotYourKeys.org 🪸
So I heard not only with the coinbase vault, you could also whitelist addresses.  Opinion on this? 

It's an additional user-side security, which is always good, don't get me wrong. But then again, like I said in my previous reply, user-side account security is pointless if it's their cold wallet that gets breached.

Think of it like your local bank and your online banking account. You can secure your online banking account as much as you want, but if it's the bank's vault itself that gets breached (and ends up going bankrupt), then you're screwed either way. (I know there's insurance and all that with banks, but you get the point)
full member
Activity: 1708
Merit: 185
So I heard not only with the coinbase vault, you could also whitelist addresses.  Opinion on this? 
mk4
legendary
Activity: 2716
Merit: 3817
🪸 NotYourKeys.org 🪸
I don't need a hardware wallet to keep my Bitcoin safe. Electrum wallet is enough for me.

Just to add for the beginners: ONLY DO THIS IF YOU KNOW WHAT YOU'RE DOING.

If you're going to use Electrum as your main long-term holding wallet and you think you're safe just because you have an anti-virus on your main personal computer, you're taking a serious risk. For most people, using a reputable hardware wallet is simply the better and safer solution.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I don't need a hardware wallet to keep my Bitcoin safe. Electrum wallet is enough for me.
An Electrum wallet on an offline computer coupled with a master public key inserted in a computer connected to the internet is a good choice in terms of security. But if you have Electrum installed on a computer that is constantly connected to the internet and you use it daily for various things, you are better off with a decent hardware wallet. It's especially dangerous if you are into torrents, pirated software, porn, etc.
legendary
Activity: 2044
Merit: 1018
I don't need a hardware wallet to keep my Bitcoin safe. Electrum wallet is enough for me. If I am serious about security, I will use an extended phrase or a multi-signature wallet.

I don't need any Vault on any exchange to keep my Bitcoin safe. Exchanges are never best places to store Bitcoin or cryptocurrency. "Not your keys, not your Bitcoins", "Not your keys, not your crypto"

https://notyourkeys.org/
legendary
Activity: 1694
Merit: 4213
You can store coins on exchanges for only one reason: you are a trader. You are constantly trading and paying taxes because some of the major exchanges are already helping users calculate their profit (or loss).
In other cases, it is better to store coins on a hardware wallet and trade them on decentralized exchanges where there are no KYC procedures.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
So if that is the case, why isn't storing your btc and other crypto on coinbase a good idea?  Yes I know people say don't store it in an exchange... but isn't coinbase or gemini as safe as you can get?

You have to understand what exactly you're storing. Essentially, you're locking your funds in a chain of blocks that requires computational power to be secure against outside attackers. In order for you to spend money, you have to provide a signature to the network's nodes as a proof that you're the owner of that specific output. They keep extending the chain and including your transactions in their successfully mined blocks. Hence, there is no third party. Only nodes that “obey” the longest chain, which is distributed peer-to-peer.

Now think that if you store your bitcoins on Coinbase, you're ruining the entire purpose. It's quite ironic for a Bitcoiner that those so-called "secure" exchanges such as Coinbase or Gemini introduce their services as wallets to store your bitcoins.

As for their security: There are two types of exchanges. The ones that got hacked and the ones that will be.
legendary
Activity: 3108
Merit: 5364
Fortis Fortuna Adiuvat⚔️
So I created a few threads about where to store your seed for your wallet whether it's a hardware wallet like nano ledger/trezor or software wallet like electrum. Of course with every option, there are pros and cons of each.

After everything you have asked in the past few years and after hundreds and more than quality answers, you are asking a complete beginner question "is it safer to keep crypto on a crypto exchange or a hardware wallet?" So after all, you haven't (and I believe you never will) learned what a private key is and how important it is for everyone to be in complete control of their private keys.

Now it seems to me that you are a completely lost cause or that you are trolling us all to incredible limits here - so I would advise everyone to stop wasting time on someone who will ask the same questions in a few years without adopting at least 1% of all answers.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Now the more I think about it... if you keep it in an exchange but very reputable... think coinbase/gemini or maybe kraken/binance... isn't that pretty damn safe?
Sure, it's very secure. I mean what could possibly go wrong by storing your coins with a third party? The words MT. Gox come to my mind. Have you heard of it? It was a reputable exchange that facilitated 2/3 of all bitcoin transactions worldwide in its prime. It's estimated that 850.000 bitcoins were hacked and stolen from MT. Gox several years ago. So much for "pretty damn safe", eh?

The thing is what does that protect you against? I mean if someone hacks your account somehow because you didn't have two factor authorization, then you are screwed right? But what if you have two factor authorization and someone does that sim swap I heard of? What happens then?
You are screwed again!

I do know if you use your phone as your two factor authorization and you lose it or it broke, it's a huge hassle contacting coinbase as I recall this a while back. You had to reverify your documents if for example you lost your coinbase secret key right? Because a while back my phone which was my two factor authorization... I forgot if I used authy or google authenticator but I know I didn't have my secret key. Is that the coinbase key? But after a while, they were able to confirm my account.
And despite all that, you are considering keeping your coins in Coinbase? More precisely, you already sent coins their way to test out your Nano S theories.

Yes I know people say don't store it in an exchange... but isn't coinbase or gemini as safe as you can get?
Compared to unknown, low traffic exchanges, Coinbase and Gemini are "safer", but they are still not "safe". The term worth highlighting is exchange! It's a website where you move your coins to exchange them for other assets, and move them back into private wallets when you are done.

I read people say for the average retail investor, storing your coins on coinbase is the easiest way.
Since when is the easiest way the safest way?  Shouldn't you be concerned with the safety of your funds, and not what is easier and more convenient for you? It's even quicker if you send the coins to a random person on the Internet for him to store, but what do you think, is it safer than holding them yourself?   
legendary
Activity: 3402
Merit: 10424
There is no such thing as reputable and secure exchanges. There are only exchanges that have not yet mass scammed anyone or gotten hacked and become insolvent.

All the arguments about lack of security of storing your bitcoins with third parties aside, this is not how bitcoin is supposed to be used. When using bitcoin you are supposed to be "your own bank" not go about using a bank again (or a bank-like service where you have no control). Why bother with volatile bitcoin if you are going to do that anyways?
legendary
Activity: 2954
Merit: 4158
2FA is only secure if the initial setup was done in a secure environment. Most TOTP requires the secret during the activation of the 2FA to be secure. Coinbase vault is only secure if you are able to keep all of the accounts involved in the authentication secure. I don't think the funds are insured if it gets compromised due to the user's incompetency either, CMIIW.

Of course, this also means that you'll inevitably lose a lot of privacy when you're relying on a third party for the security of your funds. Hardware wallets or any airgapped wallets would be far more secure than trusting a third party, insured or not. Being in the sole control of your own funds would be a far better idea either way. I find HW wallets easy enough to use unless you're absolutely illiterate when it comes to computers. I also find the 48 hours waiting period quite ridiculous.
mk4
legendary
Activity: 2716
Merit: 3817
🪸 NotYourKeys.org 🪸
1. These exchange giants are safe, until they're not. Some of the exchanges listed here were also deemed "secure enough" by people in the past, but yet...: https://cryptosec.info/exchange-hacks

2. 2FA is great, but it only protects access to your exchange account. But if the exchange's cold wallets themselves are what get hacked? Your exchange account's security ends up being pointless.

3. Coinbase only insures 2% of all the crypto funds they're holding (hot wallets), and their customers' cash balances: https://help.coinbase.com/en/coinbase/other-topics/legal-policies/how-is-coinbase-insured
full member
Activity: 1708
Merit: 185
So if that is the case, why isn't storing your BTC and other crypto on Coinbase a good idea? Yes I know people say don't store it in an exchange... but isn't Coinbase or Gemini as safe as you can get? I read people say for the average retail investor, storing your coins on Coinbase is the easiest way. But if someone has huge amounts... say 50k or 6 figures... would that be safe? For some reason, I can imagine tons of people who invest in crypto... let's say they put 6 figures, they probably put it there and don't even bother with a hardware wallet. Would you say that is accurate or not? I am talking about ppl that are not that crypto savvy and just do things normally like they do with stocks etc.

Coinbase seems to insure up to 250k. So if someone had that type of money, wouldn't it feel safe to still store it there assuming they don't want to store their own seed? Since doing this, someone could make a mistake writing the seed, lose their seed, seed compromised etc. I mean you don't need to know your seed... don't need to protect your seed. And if you have an issue you contact Coinbase and send your verification documents to them again.

But that Coinbase vault. Anyone have experience with it? I read Vaults also go through a secure approval withdrawal process after creation. That seems very secure but how is this process? If that is the case, couldn't someone with like half a million dollars or more trust that vs storing it in their own hardware wallet... where they always need to make sure their seed phrase is protected? I mean... I can't imagine someone like Elon Musk or Max Keiser or people with tons of crypto have their own seed to protect? I heard it's under custodial accounts... which is what Coinbase and Coinbase vault is right? The idea of not having to protect your seed seems really appealing.

Does Gemini offer something like this as well? I heard someone mentioned some sites offer services like this but they charge a lot for it?

I mean not having to have your seed protected... seems much better.
full member
Activity: 1708
Merit: 185
So I created a few threads about where to store your seed for your wallet whether it's a hardware wallet like Nano Ledger/Trezor or software wallet like Electrum. Of course with every option, there are pros and cons of each.

Now the more I think about it... if you keep it in an exchange but very reputable... think Coinbase/Gemini or maybe Kraken/Binance... isn't that pretty damn safe? But when I checked Coinbase, they also have this thing called Coinbase vault which apparently makes it even safer? I see that it seems to insure up to 250,000 USD? Or is that just Coinbase in general?

The thing is what does that protect you against? I mean if someone hacks your account somehow because you didn't have two factor authorization, then you are screwed right? But what if you have two factor authorization and someone does that SIM swap I heard of? What happens then? Now what if you use Google Authenticator or Authy as your two factor authorization? Does that protect you or not? I also heard cases of two factor authorization getting hacked which I thought was not possible.

I do know if you use your phone as your two factor authorization and you lose it or it broke, it's a huge hassle contacting Coinbase as I recall this a while back. You had to reverify your documents if for example you lost your Coinbase secret key right? Because a while back my phone which was my two factor authorization... I forgot if I used Authy or Google Authenticator but I know I didn't have my secret key. Is that the Coinbase key? But after a while, they were able to confirm my account.