$8 000 000 USD

OCTOBER 2018

SWITZERLAND

TRADE.IO

DESCRIPTION OF EVENTS

“The goal of the Zug-based company is to open a multi-asset decentralised exchange which handles cryptocurrency, fiat currency, and financial derivatives based on physical commodities.”

“Trade.io, a Swiss blockchain company that advertises itself as a “next-generation financial institution”, has been hacked. According to an announcement from the firm, 50 million Trade Tokens (TIO), which is the company’s own cryptocurrency, have been stolen. These are worth approximately $7.5 million at the current price, but closer to $11 million at the time of the hack a few hours ago.”

“The stolen tokens were intended to be used as a project’s liquidity pool. Therefore, the management performed a fork to get the funds back. Interestingly enough the team stored the wallet itself in a local bank’s deposit safe. And since it was reported that the safe wasn’t compromised the only explanation is that hackers somehow managed to access the wallet details for making the transfers, that normally indicates an “inside job”.”

“Trade.io states: “We use industry recommended cold storage which are maintained in safety deposit boxes in banks, along with all corresponding materials. We have confirmed that the safety deposit boxes were not compromised.””

 


Although the removed tokens in this case were created specifically for the company behind the exchange, and the situation was resolved through a hard fork, this hack could theoretically have happened to any other token. It seems fairly obvious that the cold wallet key was compromised during its generation, and since the wallet had only one key, this enabled access to spend the funds at a later date. It is therefore not enough to simply have a cold wallet and store funds securely offline: moving the funds must require multiple signatures. ERC20 does not presently offer a built-in multi-signature method, and therefore this is only possible with coins like bitcoin. Going with the theory that one of the team members went rogue and copied the private key during its generation, this would be solved by a proper multi-sig wallet where each team member independently and securely generates their own key, and the keys of multiple team members are required to move the funds.
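The multi-signature arrangement described above can be sketched for bitcoin as follows. This is an added example, not code from Trade.io or from this site; the function names, the 15-key cap and the three placeholder keys are assumptions made for illustration. Each member contributes only a public key, and the script that locks the funds requires signatures from m of the n members.

```python
import hashlib

OP_0, OP_CHECKMULTISIG = 0x00, 0xAE
MAX_KEYS = 15  # conservative cap chosen for this example


def op_n(n):
    """Opcode that pushes the small integer n (OP_1 is 0x51, OP_16 is 0x60)."""
    return 0x50 + n


def multisig_script(m, pubkeys):
    """Return OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG for compressed keys."""
    n = len(pubkeys)
    # m >= 2 is the point of the exercise: no single key holder can spend.
    if not 2 <= m <= n <= MAX_KEYS:
        raise ValueError("need 2 <= m <= n <= %d" % MAX_KEYS)
    for pk in pubkeys:
        if len(pk) != 33 or pk[0] not in (0x02, 0x03):
            raise ValueError("expected a 33-byte compressed public key")
    # A repeated key would let one person count twice toward the threshold.
    if len(set(pubkeys)) != n:
        raise ValueError("duplicate public key")
    script = bytes([op_n(m)])
    # Sort keys (as in BIP 67) so every member derives the identical script.
    for pk in sorted(pubkeys):
        script += bytes([len(pk)]) + pk
    return script + bytes([op_n(n), OP_CHECKMULTISIG])


def p2wsh_script_pubkey(script):
    """Output script that commits to `script`: OP_0 <SHA-256(script)>."""
    return bytes([OP_0, 32]) + hashlib.sha256(script).digest()


# Constructed placeholders with the right format only; they are not real keys.
# In practice each member generates a key pair on their own device and shares
# nothing but the public half.
ALICE = bytes([0x02]) + bytes([0x11]) * 32
BOB = bytes([0x03]) + bytes([0x22]) * 32
CAROL = bytes([0x02]) + bytes([0x33]) * 32

if __name__ == "__main__":
    script = multisig_script(2, [BOB, ALICE, CAROL])
    print("witness script:", script.hex())
    print("scriptPubKey  :", p2wsh_script_pubkey(script).hex())
```

Because no private key enters the construction, copying one member's key during generation is no longer enough to move the funds.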


© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.