QuadrigaCX and Hanlon’s razor for cryptocurrency custodians


Another one bites the dust

Just in time for a series of posts on proof-of-funds for cryptocurrency custodians, news has emerged that the Canadian exchange QuadrigaCX has gone out of business and customers are unable to get their funds on deposit. The plot thickened after Coindesk started investigating and discovered a filing attributing the problems to the passing away of the exchange founder while traveling. According to the affidavit, customer funds were stored on a single laptop—thankfully still in the possession of the Quadriga team— but the password required to access that device and unlock the cryptocurrency storage was known only to the founder.

Suspicious circumstances surround the incident. To pick three examples:

  1. Quadriga previously claimed to use a multi-signature design for cold storage. Instead of using a single cryptographic key, multisig distributes control of funds across N secret keys such that access to any quorum of M ≤ N keys is sufficient to authorize a transaction. As the moniker “multi” implies N is greater than 1, it is difficult to see how the loss of just one laptop could result in complete loss of access to funds. (Unless, that is, all keys were stored on the same device; technically this qualifies as “multisig” in letter but not in spirit. The whole point of multiple keys is risk diversification: force attackers to perform additional work to get more than one key while also building resilience against failure/loss of individual keys. Keeping all keys on the same hardware achieves neither.)
  2. Even if Quadriga used this degenerate design that achieves “multisig” in name only, the idea of storing over $100M USD on a system accessible to only one person defies the imagination. Well-run companies strive for redundancy in operation, seeking to avoid key-person risks where one person has an outsized level of influence on the success of the enterprise. If employee Bob is the only person in the entire organization who can perform a vital business function, the company is going to have a bad-hair day when Bob goes on vacation, quits to join a competitor, retires— or gets hit by a bus. In fact, that last morbid scenario has inspired the concept of “bus factor” for projects, quantifying the level of dependence on specific individuals with irreplaceable capabilities. Surely Quadriga management would have recognized the massive risk posed by their cold storage having exactly 1 authorized user and no redundancy beyond a single laptop? Putting aside personnel issues, what happens if that laptop experiences a hardware failure? Some commentators have also pointed out that the founder had a chronic medical condition that has also been listed as the cause of death. This is irrelevant: the bus-factor captures chance events not dependent on individual behavior. Careening buses do not discriminate based on prior conditions.
  3. Quadriga is also having difficulties accessing its fiat currency accounts, due to ongoing legal disputes. This is completely orthogonal to the problem of accessing cryptocurrency storage: even if the deceased founder had been the only authorized signatory for those accounts, the laws of mathematics do not prevent transferring ownership of funds to the executor. Experiencing problems with cryptocurrency for technical reasons at the same time as problems with fiat due to litigation is an unlikely coincidence.
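The “multisig in name only” point from the first item can be made concrete. The following is an added example, not code from the original post or from Quadriga: given a quorum M and the device on which each of the N keys is stored (the device labels are constructed for illustration), it computes how many devices an attacker must compromise to reach quorum and how many device losses make the funds inaccessible.

```python
from collections import Counter

def resilience(m, key_locations):
    """key_locations holds one device label per key, so N = len(key_locations).

    Returns (devices an attacker must compromise to collect M keys,
             device losses after which fewer than M keys remain).
    """
    n = len(key_locations)
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    # Keys per device, largest first. The worst case for both questions is
    # that the devices holding the most keys are the ones affected.
    per_device = sorted(Counter(key_locations).values(), reverse=True)

    def devices_to_cover(target):
        total = 0
        for count, keys in enumerate(per_device, start=1):
            total += keys
            if total >= target:
                return count
        raise AssertionError("unreachable: target never exceeds N")

    to_steal = devices_to_cover(m)          # attacker needs M keys
    to_lock = devices_to_cover(n - m + 1)   # losing N-M+1 keys breaks quorum
    return to_steal, to_lock

if __name__ == "__main__":
    # 2-of-3 with every key on one laptop: one device is a single point of
    # both theft and loss.
    print(resilience(2, ["laptop", "laptop", "laptop"]))
    # 2-of-3 with keys on three separate devices.
    print(resilience(2, ["laptop", "vault", "bank"]))
```

A result of (1, 1) means the arrangement offers no more protection than a single key, whatever M and N are on paper.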

The burden of proof

“Never attribute to malice that which can be explained by incompetence” (Hanlon’s razor)

Looking past the present uncertainty, we can ask how Quadriga will substantiate its claim that funds have become inaccessible. In other words, what type of evidence is required to prove beyond reasonable doubt that the current dilemma is the result of an honest mistake around key-person risk (in both senses of “key”) and not outright fraud? There are at least four pieces of evidence required:

  • List of wallet addresses. While the cryptographic keys controlling these addresses may be locked away in a laptop with unknown password, the addresses themselves are not secret information. For each cryptocurrency (bitcoin, litecoin, ethereum, …) Quadriga should be able to produce an inventory of all hot & cold addresses currently used to custody customer funds.
  • Sufficient funds to account for all customer deposits. While some addresses are no longer under Quadriga control due to inaccessible keys, blockchain balances must show that in principle all depositors could get paid in full if those addresses were accessible.
  • An argument for the correctness of the address list. This is the trickiest part, required to compensate for the missing proof that specified addresses are still under Quadriga control. Without that constraint, Quadriga can simply point to a random pile of funds on the blockchain— consider that there exist individual addresses storing more funds than all of Quadriga’s liabilities— and claim those as part of their own wallet. (Given privacy considerations, one cannot rely on the legitimate owners to step forward and challenge bogus assertions.) This argument is bound to be imprecise, relying on heuristics and to some extent information volunteered by customers about their own deposits. Hot and cold wallets for a custodian are likely to exhibit a high degree of clustering. Hot wallet addresses send excess funds to the cold wallet, and cold addresses replenish the hot wallet when liquidity is running low. Starting with a self-identified customer deposit, we can trace funds on the blockchain. For example, suppose a Quadriga customer publicly volunteers the information that they deposited funds from origin address O123. The expected pattern on the blockchain would be O123 → Habc moving funds to a hot wallet, followed by a sweep transaction Habc → Cxyz securing the excess in a cold wallet address, and perhaps eventually followed by Cxyz → H456 replenishing a different hot-wallet address when liquidity runs low. Every occurrence of an address in these patterns will lend additional credibility to Quadriga claiming that address as part of its wallet.
  • Permanent inactivity. This is a part of the demonstration that remains open-ended. If cryptographic keys controlling addresses are irretrievably lost, the expectation is those addresses never appear as the source for any future transaction on the blockchain. Any movement of money originating out of those supposedly frozen addresses would give the lie to the assertion that corresponding keys are missing. On the one hand, showing that the funds are indeed “stuck” is an easy way to refute the exit scam accusations. It is not exactly a very successful scam if the perpetrator goes out of business without getting to keep any customer funds. On the other hand, it means Quadriga will never have any finality or closure in its defense: years from today, the eventual movement of those funds could reveal that it was an exit scam after all, albeit one orchestrated by extraordinarily patient crooks, waiting years for their payoff.
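The last three checks can be run mechanically once the address list and a transaction history are in hand. The following is an added example, not code from the original post: it uses a constructed ledger built around the O123, Habc, Cxyz and H456 addresses from the text, and the other addresses, amounts, block heights and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample ledger: (block_height, source, destination, amount).
# Account-style transfers are a simplification of bitcoin's UTXO model.
TXS = [
    (100, "O123", "Habc", 5),    # customer deposit into a hot wallet
    (101, "Habc", "Cxyz", 4),    # sweep of the excess to cold storage
    (150, "Cxyz", "H456", 1),    # cold wallet replenishes another hot wallet
    (160, "W999", "Zbig", 900),  # unrelated large holder
    (300, "Cxyz", "X777", 2),    # spend after the claimed key loss
]

def supported(txs, deposit_origins, claimed):
    """Claimed addresses reachable from self-identified customer deposits
    by following transfers that stay inside the claimed set."""
    seen, frontier = set(), set(deposit_origins)
    while frontier:
        nxt = {dst for _, src, dst, _ in txs
               if src in frontier and dst in claimed and dst not in seen}
        seen |= nxt
        frontier = nxt
    return seen

def balances(txs, up_to_height):
    """Net balance per address, counting blocks up to up_to_height."""
    bal = defaultdict(int)
    for height, src, dst, amount in txs:
        if height <= up_to_height:
            bal[src] -= amount
            bal[dst] += amount
    return bal

def audit(txs, claimed, frozen, deposit_origins, liabilities, loss_height):
    backed = supported(txs, deposit_origins, claimed)
    bal = balances(txs, loss_height)
    return {
        # Claimed addresses with no link to any known customer deposit.
        "unsupported": sorted(claimed - backed),
        # Only addresses with supporting evidence count toward solvency.
        "covered": sum(bal[a] for a in backed) >= liabilities,
        # Any spend from a "lost key" address after the loss date.
        "violations": [t for t in txs if t[1] in frozen and t[0] > loss_height],
    }
```

On the sample ledger, a claim that includes Zbig is flagged as unsupported, and the block-300 spend from Cxyz contradicts the assertion that its key was lost.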

Can Quadriga build a convincing argument? Time will tell. It is very likely that parts of the raw data will be reconstructed independently by outside individuals, without any participation from the company itself. Not surprisingly, the suspicious circumstances have already inspired armchair forensic accountants to conduct their own blockchain research to locate customer funds. One such examination has tentatively concluded that statements made by Quadriga management are not consistent with blockchain activity, to put it mildly. Time is running out for Quadriga to furnish its own evidence to refute these allegations, as the public narrative is shifting from an astonishment at incompetence to outrage fueled by increasing suspicion of malice.

CP

 
