{"id":9949,"date":"2024-01-19T13:08:00","date_gmt":"2024-01-19T11:08:00","guid":{"rendered":"https:\/\/forklog.com\/en\/security-through-clarity-how-okx-safeguards-customers-bitcoin\/"},"modified":"2024-01-19T13:08:00","modified_gmt":"2024-01-19T11:08:00","slug":"security-through-clarity-how-okx-safeguards-customers-bitcoin","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/security-through-clarity-how-okx-safeguards-customers-bitcoin\/","title":{"rendered":"Security through clarity: how OKX safeguards customers\u2019 bitcoin"},"content":{"rendered":"<p>Centralised exchanges prefer to conceal how they secure customer funds, following the principle of <span data-descr=\"security through obscurity\" class=\"old_tooltip\">security through obscurity<\/span>. The less an attacker knows about a platform\u2019s inner workings, the harder it is to exploit potential weaknesses.<\/p>\n<p>However, the <a class=\"tracking_link\" href=\"https:\/\/www.okx.com\/ru?channelId=ACE520184\" target=\"_blank\" rel=\"noopener\">OKX<\/a> team believes clients have a right to know how the platform holds their assets. Transparency is one of bitcoin\u2019s core tenets and a hallmark that sets crypto apart from <span data-descr=\"traditional finance\" class=\"old_tooltip\">TradFi<\/span>.<\/p>\n<p>This article outlines OKX\u2019s hot- and cold\u2011wallet system and the exchange\u2019s Proof\u2011of\u2011Reserves audits.<\/p>\n<h2 class=\"wp-block-heading\">Hot wallet<\/h2>\n<p>Like many crypto exchanges, OKX uses two kinds of wallets: cold (offline) and hot (online). Hot wallets are connected to the internet and therefore vulnerable to hacking, but they allow faster processing of withdrawal requests.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cOur hot wallets hold only 5% of total assets, but they still demand close attention to security because most hacker attacks target them. 
When a <span data-descr=\"centralised cryptocurrency exchange\" class=\"old_tooltip\">CEX<\/span> is hacked, funds are usually stolen from hot wallets,\u201d the exchange\u2019s representatives note.<\/em><\/p>\n<\/blockquote>\n<p>The private keys to OKX\u2019s hot wallets are generated and encrypted on semi\u2011autonomous signing devices held by three employees in different countries.<\/p>\n<p>The keys have backups stored in bank safe\u2011deposit boxes in three jurisdictions. If a key holder becomes unavailable (including through death or amnesia), the exchange uses a backup within 48 hours. To defend against offline attacks, private keys are kept in device RAM rather than persistent storage.<\/p>\n<p>After key generation, the holders set up a semi\u2011autonomous 2\u2011of\u20113 multisignature scheme.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cThe hot wallet monitors all user deposits on\u2011chain. A transaction to an OKX address is routed to storage, its details are recorded in a dedicated database and then into the risk\u2011management system. The latter checks the origin of funds, the amount and the transaction\u2019s blockchain confirmations,\u201d OKX comments.<\/em><\/p>\n<\/blockquote>\n<p>According to the exchange, the risk\u2011management system also reviews outgoing transactions and watches for anomalous client behaviour:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cWithdrawal requests that pass checks are moved to storage. The system automatically creates an unsigned transaction, which is then sent for semi\u2011autonomous multisignature via a special network protocol. 
This approach effectively makes it impossible for a third party or hacker to obtain the private key.\u201d<\/em><\/p>\n<\/blockquote>\n<p>Unsigned outgoing transactions are checked for anomalies by a separate semi\u2011autonomous risk\u2011management system, which serves as a second layer of defence for the hot wallet.<\/p>\n<p>A transaction is signed and broadcast to the blockchain only after both systems approve it. If a withdrawal request fails a check, <a class=\"tracking_link\" href=\"https:\/\/www.okx.com\/ru?channelId=ACE520184\" target=\"_blank\" rel=\"noopener\">OKX<\/a> delays or cancels the signature.<\/p>\n<h2 class=\"wp-block-heading\">Cold wallet<\/h2>\n<p>Cold wallets are not connected to the internet. That protects them from hacks but slows withdrawals from the exchange.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cAny online equipment is vulnerable by its nature. Although we devote substantial resources to maintaining the semi\u2011autonomous multisignature system, it cannot be deemed safe because it is connected to the internet, so we store 95% of funds in cold wallets,\u201d OKX notes.<\/em><\/p>\n<\/blockquote>\n<p>Private keys are created as follows:<\/p>\n<ul class=\"wp-block-list\">\n<li>Bitcoin software generates 10,000 private keys and corresponding addresses on a computer that is disconnected from the internet;<\/li>\n<li>OKX specialists encrypt them using <a class=\"tracking_link\" href=\"https:\/\/ru.wikipedia.org\/wiki\/AES_(%D1%81%D1%82%D0%B0%D0%BD%D0%B4%D0%B0%D1%80%D1%82_%D1%88%D0%B8%D1%84%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F)\" target=\"_blank\" rel=\"noopener\">AES<\/a> on another offline computer and set a master password, which is held by two employees in different countries;<\/li>\n<li>all 10,000 original keys are deleted;<\/li>\n<li>the address and the encrypted private key are displayed as a QR code on the offline computer;<\/li>\n<li>that QR code is scanned from 
another computer to publish the cold\u2011wallet address and receive top\u2011ups from hot wallets. Each address is used only once;<\/li>\n<li>the QR code of the encrypted key is printed and stored at a bank. Even if the key holder is abducted, the document itself remains safe because retrieval requires an in\u2011person visit;<\/li>\n<li>OKX employees create additional backup copies of the QR codes, kept in different bank vaults. There are currently two backups, each accessible by a different person. The employees with access to the safe\u2011deposit boxes and those with the AES passwords are four different people.<\/li>\n<\/ul>\n<p>A cold wallet can hold up to 1,000 BTC. No address is reused after its first outgoing transaction.<\/p>\n<p>Withdrawals involve the following steps:<\/p>\n<ul class=\"wp-block-list\">\n<li>an OKX employee retrieves the encrypted private keys by scanning a QR code on a computer that is disconnected from the internet;<\/li>\n<li>the AES master password decrypts the keys on the offline computer;<\/li>\n<li>the employee scans the QR code, imports it to another computer and signs the transaction.<\/li>\n<\/ul>\n<p>After signing, the transaction is broadcast to the network via a USB device.<\/p>\n<h2 class=\"wp-block-heading\">OKX Risk Shield and Proof\u2011of\u2011Reserves<\/h2>\n<p>To cover a potential breach, OKX has created the Risk Shield reserve fund. It is regularly topped up with a share of trading fees.<\/p>\n<p>In addition, the exchange publishes monthly <a class=\"tracking_link\" href=\"https:\/\/www.okx.com\/ru\/proof-of-reserves?channelId=ACE520184\" target=\"_blank\" rel=\"noopener\">Proof\u2011of\u2011Reserves<\/a> (PoR) audits. 
According to the latest <a class=\"tracking_link\" href=\"https:\/\/www.okx.com\/ru\/learn\/okx-14th-proof-of-reserves?channelId=ACE520184\" target=\"_blank\" rel=\"noopener\">report<\/a> for December, the platform holds $14.9bn in assets.<\/p>\n<p>The backing comprises <a class=\"tracking_link\" href=\"https:\/\/www.okx.com\/ru\/proof-of-reserves\/detail?channelId=ACE520184\" target=\"_blank\" rel=\"noopener\">22 assets<\/a>, including bitcoin, Ethereum, Tether (USDT) and USD Coin (USDC). According to <a class=\"tracking_link\" href=\"https:\/\/defillama.com\/cexs\" target=\"_blank\" rel=\"noopener\">DeFi Llama<\/a>, as of January 2024 the reserves\u2019 <span data-descr=\"excluding the exchange token OKB\" class=\"old_tooltip\">\u201cpurity\u201d<\/span> stands at 97.9%.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cAs far as we know, OKX is the only exchange that has provided reports for more than 14 consecutive months. Throughout this period, the reserve ratio has remained at 100% or higher.\u00a0<\/em><\/p>\n<p><em>Coin Metrics co\u2011founder Nic Carter <a class=\"tracking_link\" href=\"https:\/\/niccarter.info\/proof-of-reserves\/\" target=\"_blank\" rel=\"noopener\">called<\/a> OKX\u2019s proof of reserves one of the best among major centralised exchanges. He cited OKX\u2019s reliability, the professionalism of its management, its commitment to transparency and the overall quality of the PoR as reasons for such a high assessment,\u201d the exchange\u2019s representatives comment.<\/em><\/p>\n<\/blockquote>\n<p>In April 2023, OKX implemented zk\u2011STARK zero\u2011knowledge proofs in its Proof\u2011of\u2011Reserves mechanism, enabling users to verify the exchange\u2019s solvency independently.<\/p>\n<h2 class=\"wp-block-heading\">Takeaways<\/h2>\n<p>Since Mt Gox, reports of hacks at centralised exchanges have been a regular occurrence. 
In 2023 alone, hackers breached the hot wallets of CoinEx, Poloniex and HTX.\u00a0<\/p>\n<p>Such cases are a reminder that CEXs are ill\u2011suited to long\u2011term storage of substantial sums of crypto. Hardware wallets or non\u2011custodial options such as OKX Wallet are better choices.\u00a0<\/p>\n<p>Even for short\u2011term trading, it pays to choose a reliable platform that invests heavily in security. OKX does not hide how it stores funds, allowing users to make an informed decision about whether to entrust the exchange with their money.<\/p>\n","protected":false},"author":1,"featured_media":9948,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[1144],"tags":[1166,1291],"class_list":["post-9949","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-longreads","tag-centralized-exchanges-cex","tag-okx"],"aioseo_notices":[],"amp_enabled":true,"views":"78","promo_type":"","layout_type":"","short_excerpt":"","is_update":""}