ForkLog

Cold, but Secure: How Phemex Stores User Funds

Hot wallets remain one of the most vulnerable points for crypto exchanges. According to Atlas VPN, from 2012 to 2020, 87 platforms lost $4.8 billion to hacking attacks.

To protect users’ assets, some exchanges keep them offline only. One such platform is Phemex. We look at the security system and cold wallets of this trading platform.

About Phemex

Phemex is a Singapore-based crypto exchange founded by eight former Morgan Stanley bankers. In March 2020, Phemex raised $3.5 million in a Series A round valuing the company at $50 million.

The platform has been operating since 2019 and supports 37 crypto assets. Users have access to futures contracts with leverage up to 100x. At the time of publication, the exchange had 2 million registered users.

The Phemex trading engine can process up to 300,000 transactions per second. It consists of two modules: CrossEngine and TradingEngine. The first sorts orders by time and price priority, and the second handles requests to place user orders.

The crypto exchange operates in accordance with the information security standard ISO/IEC 17799 and partners with the auditing company SlowMist. To defend against external attacks, the exchange uses Amazon Web Services Cloud Security.

The Difference Between Hot and Cold Wallets

Most crypto exchanges use two types of wallets: hot (online) and cold (offline).

Hot wallets are constantly connected to the internet and are therefore vulnerable to hacking. However, they allow exchanges to process withdrawal requests faster.

Cold wallets have no internet access. This protects them from hacks, but at the same time slows withdrawals from the exchange.

Large exchanges move most digital assets to cold wallets. For example, Bitstamp stores 98% of client funds offline, and Kraken stores 95%.

Phemex has developed its own hierarchical deterministic (HD) cold wallet system that allows 100% of user funds to be stored offline.

How Phemex’s Cold Wallets Work

Each exchange user receives a separate deposit address. Periodically, Phemex consolidates separate deposits into a single cold wallet.

Platform staff confirm internal transfers and withdrawals from the exchange with offline signatures. Such operations require two computers: one offline and one online.

Phemex staff sign transactions on the offline computer and then transfer them to the online computer via a USB drive. The online computer then broadcasts the transactions to the blockchain.

The exchange processes withdrawal requests three times a day. Exchange staff review the requests and confirm them with offline signatures.

Conclusions

In March 2012, hackers stole 18,500 BTC from the Bitcoinica hot wallet. Since then, not much has changed: attackers hacked Binance and Upbit in 2019, KuCoin and EXMO in 2020, and Liquid and Bilaxy in 2021.

Phemex ensures the safety of user assets: the exchange stores all funds in cold wallets.

The drawback of this approach is that clients have to wait for the platform to process withdrawal requests offline. However, this is a small price to pay for the assurance that hackers will not gain access to the exchange’s digital assets.
