Topic: Why are exchanges still not using multi-sigs for their major wallets? (Read 1086 times)

hero member
Activity: 574
Merit: 500
This BTC exchange supports multisig (from 3 servers) >>> http://multigateway.org/

Quote
The coin assets are backed up by the coins deposited in MGW[Multigateway], stored by the three MGW servers in multiple multisignature accounts for every supported coin.

In a multisignature account, the same address has several associated private keys or signatures. This means the servers have to agree, each of them providing their signature, in order to process the coin transactions – similar way to a joint bank account. The use of multisignature accounts and independent servers is what makes MGW more secure than any traditional centralized exchange account.

Bitcoin, Litecoin, BitcoinDark, Doge, Blackcoin, Viacoin and Nxt are currently supported. There are plans to offer asset to asset trading in the future (i.e. BTC to LTC).

Support can be found here, if required >>> https://nxtforum.org/nxtservices-releases/multigateway-user-support-thread/
legendary
Activity: 3976
Merit: 1421
Life, Love and Laughter...
full member
Activity: 182
Merit: 100
So, seems stamp is having some issues and thought I'd revisit the idea..


Multisig wallets will never be used by exchanges until customers demand it.

How much does a 10%, 30%, 70%, gain matter when your balance could be wiped out at a whim?

Why is it in a decentralized world we choose to leave money with the exchanges and trust one guy to keep it safe?
hero member
Activity: 574
Merit: 523
Could you elaborate please how an exchange should use multisig addresses. This is not completely clear from the OP.

Even if an exchange does prove that it uses multisig addresses, how it could prove in the decentralized environment that the corresponding keys are not in possession of a single person?
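
What an exchange can and cannot prove about a multisig wallet, as an added example that is not part of any post in this thread: the sketch builds an m-of-n CHECKMULTISIG script and audits a disclosed script against the on-chain output. It assumes the SegWit P2WSH form (SHA-256 of the script) rather than the P2SH form current when the thread was written, and the keys are constructed placeholders.

```python
import hashlib

OP_0, OP_CHECKMULTISIG = 0x00, 0xAE

def op_n(n):
    # OP_1..OP_16 are opcodes 0x51..0x60; larger key counts are out of scope here
    if not 1 <= n <= 16:
        raise ValueError("m and n must be in 1..16")
    return 0x50 + n

def multisig_script(m, pubkeys):
    """Build OP_m <pk_1> ... <pk_n> OP_n OP_CHECKMULTISIG."""
    if not 1 <= m <= len(pubkeys):
        raise ValueError("need 1 <= m <= n")
    out = bytes([op_n(m)])
    for pk in pubkeys:
        if len(pk) != 33 or pk[0] not in (2, 3):
            raise ValueError("expected a 33-byte compressed public key")
        out += bytes([33]) + pk  # 0x21 = push the next 33 bytes
    return out + bytes([op_n(len(pubkeys)), OP_CHECKMULTISIG])

def p2wsh_script_pubkey(script):
    # The output the blockchain shows: OP_0 <32-byte SHA-256 of the script>
    return bytes([OP_0, 32]) + hashlib.sha256(script).digest()

def audit(script_pubkey, disclosed):
    """Return (m, n, pubkeys) if `disclosed` is the m-of-n script behind the output."""
    if p2wsh_script_pubkey(disclosed) != script_pubkey:
        raise ValueError("disclosed script does not hash to this output")
    if len(disclosed) < 3 or disclosed[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a bare CHECKMULTISIG script")
    m, n, body = disclosed[0] - 0x50, disclosed[-2] - 0x50, disclosed[1:-2]
    if not 1 <= m <= n <= 16 or len(body) != 34 * n:
        raise ValueError("malformed threshold or key list")
    if any(body[i] != 33 for i in range(0, len(body), 34)):
        raise ValueError("unexpected push length")
    keys = [body[i + 1:i + 34] for i in range(0, len(body), 34)]
    if len(set(keys)) != n:
        raise ValueError("duplicate key: fewer independent signers than claimed")
    return m, n, keys

def demo_keys(n=3):
    # Constructed placeholder bytes shaped like compressed keys, not real curve points
    return [b"\x02" + hashlib.sha256(b"server-%d" % i).digest() for i in range(n)]

if __name__ == "__main__":
    keys = demo_keys()
    spk = p2wsh_script_pubkey(multisig_script(2, keys))
    m, n, found = audit(spk, multisig_script(2, keys))
    print(f"{m}-of-{n}, keys match: {found == keys}")
```

A passing audit pins the threshold and the key set to the output; it gives no evidence that the n private keys are held by n different people, which is the gap the question above points at.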
sr. member
Activity: 280
Merit: 250
scams hunter!
yes make them do so :P
legendary
Activity: 1256
Merit: 1009
Quote
That is why I am proposing all exchanges to do multi-sigs on their wallets.

you'd fucking think ...
hero member
Activity: 658
Merit: 500
Their software is not valid for that, then they need new software ;D
full member
Activity: 182
Merit: 100
After the MtGox tragedy, we saw exchanges stepping up to do audits to ensure their customers. At least those who wanted to prove their legitimacy, although this is a small step, audits show that something is there until it's not.

I'm not gonna go into depth about MtGox much since other brighter minds have done so already but bottom line what we learned (or did not learn) from MtGox is that the human element, the same system bitcoin was built to erase the need of trust in money, is still in play when coming to exchanges. Exchanges are too damn easy for a single person to corrupt. Whether or not these persons are responsible I will not speak on, because nobody knows, but highly likely;

Exchanges are poorly built, ridiculously centralized, and a vast majority of them are the prime target for hackers. This happens today, tomorrow, the next week. Those saying "it is people's fault for leaving coins on exchanges" I resent this, because in no way is it okay to bail with customers' money whether in form of BTC or gold. People leaving coins on exchanges simply want to trade. Exchanges offer this service. The only people I can truly say they are to blame themselves are those who never want to trade but only hold this coin, then of course a wallet eliminates the need of trust for exchange owners, and there is no need to hold coins on exchanges.



That being said it is not the first time it is one point of error that ruins the life of many. Gox, Mintpal, let's say even services like that wallet in 2012.
And every time, all the employers are "baffled" by this fact, I can't but help to chuckle when I read this sorta stuff, as in MP the employers were employed at a registered company but had no papers on it.... Ok, let's not get sidetracked but still, employers of a company in bitcoin holds some sort of responsibility to speak up when they feel something is not right instead of shrugging it off because they are making bread and butter off it. I don't blame any employee as CEOs in "real" companies can prove to be dishonest without employers knowledge.

But since this is the cryptography era, and we have technology at our hands made and further developed every day as, escrow system, multisigs, and more layers of security, to eliminate the need to trust the guy sitting on the other side of the globe whether he is anonymous or not I can't help but wonder why in this exact same sense people treat this industry like fiat money industries.



That is why I am proposing all exchanges to do multi-sigs on their wallets.

I am tired of "one guy" running off with money, leaving all the other employers baffled as to what happened, when they unknowingly aided him in a crime.
Whilst this extra layer would not eliminate conspiracies as such as more guys are in on the whole shebang, it would add an extra layer of security.

Proof of Identity does not matter

Take the real world for an example, where people rob the elder, or rob a supermarket for cigarettes. Some people have no shame.
As such, identity of owners of anything does not matter. People will steal your stuff with their real name, even let you see their face and remember it too.
I recall an incident where I was robbed by someone in my school when I was young, and I could not do anything about it, him being 3 years older than me.
To some, their real name is no leverage against them because they simply place no dignity in it. Why this is such a big sense of security in crypto markets, I am not sure, but I can believe it being that many here are either techgeeks, drug users, doing something in which govt dislikes or they straight up would not take the chance whatever reason else there is, as soon as someone give up their real name he is suddenly Messiahs.

I don't even in the first place get why a majority wants to put their real name on anything brand new, as they have no idea what regulations they walk into, or if they are being made example of first when they do something successful, also Bitcoin in ground was made so that we wouldn't have to trust who we deal with.
The system would eliminate that.
Also by the way giving up your name may result in: extortion, harassment. Look around in BCT and you'll find people are calling people's parents, relatives, siblings, employers trying to get them fired. Sometimes the person being harassed have done something, other times it is done to them out of pure jealousy or just for the "lulz" of trying to ruin someone else's life, over disagreeing with them on forums.

Needless to say, btc-e has remained anonymous, had they been public they probably would be out of business soon, based on if they are russians.

My point in the end is just that identification does not matter, take a second to think that instead of storing $2500 on an exchange, how many people you've met through the years in real life would you let hold $2500 just because you know their name?


The time for false sense of security and centralization should be over when we have the right technology at our disposal

#1 My proposal is that I am calling for exchanges and services to start using multi-sig wallets and prove that they do.
#2 Audits were fine until it's not.
#3 1 person responsible for an entire exchange's wallets is not secure enough, from hackers or the person himself.
#4 Employees need to speak up more often instead of shrugging off if they feel something is not right.
#5 If owners of smaller exchanges are not willing to do this it will sooner or later cause their demise. Own stupidity or victim of other.
#6 If owners of exchanges/services do not agree to multi-sigs in my opinion it is alarming. Most owners need protecting from themselves.


If it is something we have seen time and time again from exchanges/services at their point of errors is that it comes down to ONE person "screwing up" or "getting hacked".
I think it's time that customers demand better from their services of use instead of whining every time we go down this road.

Discussion:
What other security systems can exchanges/services implement to eliminate the need to trust one person?
What exchanges/services are using this? Anyone care to make a list?
Other suggestions?
Pros and cons to using multi-sigs, solutions?