Unlike physical goods, digital assets such as cryptocurrencies pose new challenges – especially regarding their safekeeping. With crypto exchanges in particular hitting the headlines increasingly often due to hacking and other attacks, a distorted perception of digital assets persists in the media. But based on a differentiated understanding of what digital assets are, it becomes quite easy to test the once popular Wild West image – so what do the stats tell us?
Historically, custody of valuable assets has been a question of high walls, deep ditches and fortified vault buildings such as the fabled Fort Knox.
In the digital domain, especially with the emergence of densely networked computers, humanity is for the first time being confronted with digital objects that are difficult to confine. A digital object is composed of a structured sequence of bits, and the bit sequence realising the object can be identified and accessed by a unique and persistent identifier or by use of referencing attributes describing its properties.
Since 2009, the ever-growing Internet has been extended with persistent data structures such as blockchains that enfranchise digital objects into powerful independent digital assets (IDAs) such as Bitcoin. IDAs stand in contrast to dependent digital assets (DDAs) such as Tether or the recently announced Libra coin.
While humanity has learned over centuries how to protect analogue assets and assess corresponding risks, purely digital assets are creating entirely new challenges.
Bitcoin most famously displays this dynamism. Its independence makes it both desirable as a valuable asset and challenging to keep safe.
Recent headlines are evidence of a global learning curve on coping with this dichotomy. Proclamations such as “2018: A Record-Breaking Year for Crypto Exchange Hacks” suggest that these unwieldy IDAs cannot be kept secure.
As secure storage is at the heart of what we do, the perception that digital assets could just be lost or stolen is concerning. Therefore, in developing our state-of-the-art offline custody system, we asked: Just how bad is it?
To answer this question, we collected publicly available data from the Internet covering the period from 2011 to 2018. This data is necessarily incomplete, since it is unlikely that all incidents are made public. In the context of this article, an incident is defined as an event that caused the loss of funds, such as a hack, human error or a software bug. However, the available data does show trends that seem robust and support our hypothesis that the headlines in question lack merit.
The overall number of incidents has increased steadily, loosely following the price increase of digital assets.
Figure 1: Incidents per year
Clusters of incidents appear whenever the price increases (Figure 2).
Figure 2: Timing and amounts lost relative to BTC market cap
In accordance with popular opinion, the losses measured in fiat currency grow over time, with a coefficient of 0.43, as shown in Figure 3. This coefficient indicates a moderate relationship between two variables, in this case time and lost funds.
Figure 3: Amount lost across time
The first three graphs seem to confirm the current narrative of a worsening situation with increasing losses. But how does this hold up when we remove the distortion that comes from the increased value of IDAs?
First, is there a “dollar blindness”? Is the nominal exchange rate, as derived from the market cap, misleading? A bitcoin lost in 2011 could register at USD 1.00, but a bitcoin lost in 2018 would be USD 10,000.00 – an increase of 1 million per cent for essentially the same loss.
Second, how does this look when compared to the ever-growing number of participants in the space (a phenomenon known as “increased surface area”)?
Looking at losses in terms of bitcoin instead of fiat currency to account for the rapidly increasing value presents a different picture. When using bitcoin as a proxy, we actually find that fewer bitcoins are lost over time, as shown by Figure 4.
Figure 4: Amount lost across time in BTC
This trend holds true even when we remove outliers such as the infamous Mt. Gox hack (Figure 5).
Figure 5: Amount lost across time BTC without outliers
Increased surface area
While our list of participants is likely incomplete, we do know that the majority of affected entities are exchanges, as depicted in the chart below.
Figure 6: Affected organization
If we use these exchanges as a proxy for the number of entities that operate in the space, a different picture emerges. First, the number of exchanges, based on the venues featured on coinmarketcap.com, increases rapidly.
Figure 7: Active exchanges
Ultimately, in relation to the incidents, we can clearly see an opposing development.
While in 2011, one in four exchanges was affected by an adverse incident, the ratio is down to just 2 per cent in 2018.
Figure 8: Incidents / Exchanges
The decline in affected venues is quite remarkable, leading us to conclude that the turbulent times are over – not since watchdogs started paying attention, but since 2015. One interpretation of this is that the early hacks served as a warning sign, causing the industry to place greater focus on security.
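The two normalisations used above (losses denominated in BTC instead of fiat, and incidents divided by the number of active exchanges) can be reproduced on any incident list. The following is an added example, not the authors' code or dataset: every record, price and exchange count is constructed for illustration, and Pearson's r is an assumption, since the article does not name the coefficient it uses.

```python
import math
from collections import defaultdict

# Constructed sample data, NOT the article's dataset.
# Each incident: (year, loss in USD, assumed BTC price in USD at that time)
INCIDENTS = [
    (2011, 50_000, 5),
    (2012, 120_000, 10), (2012, 60_000, 12),
    (2014, 3_000_000, 500), (2014, 500_000, 400),
    (2016, 3_000_000, 600), (2016, 600_000, 600), (2016, 300_000, 500),
    (2018, 15_000_000, 7_500), (2018, 8_000_000, 8_000),
    (2018, 3_500_000, 7_000), (2018, 6_000_000, 6_000),
]
# Constructed number of active exchanges per year.
EXCHANGES = {2011: 4, 2012: 10, 2014: 25, 2016: 60, 2018: 200}

def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(var_x * var_y)

def yearly_summary(incidents, exchanges):
    """Per year: incident count, USD loss, BTC loss, incidents per exchange."""
    agg = defaultdict(lambda: {"incidents": 0, "usd": 0.0, "btc": 0.0})
    for year, usd, btc_price in incidents:
        row = agg[year]
        row["incidents"] += 1
        row["usd"] += usd
        row["btc"] += usd / btc_price  # the same loss, denominated in the asset
    for year, row in agg.items():
        row["rate"] = row["incidents"] / exchanges[year]  # exposure-adjusted
    return dict(sorted(agg.items()))

def trends(summary):
    """Correlation of each metric with time; the sign gives the direction."""
    years = list(summary)
    metrics = ("incidents", "usd", "btc", "rate")
    return {m: pearson(years, [summary[y][m] for y in years]) for m in metrics}

if __name__ == "__main__":
    summary = yearly_summary(INCIDENTS, EXCHANGES)
    for year, row in summary.items():
        print(year, row)
    print(trends(summary))
```

On this constructed data the raw incident count and the USD losses correlate positively with time, while the BTC-denominated losses and the incidents-per-exchange ratio correlate negatively, which is the pattern the article reports for its own data.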
The Wild West is wild no more
In summary, our findings confirm the hypothesis of dollar blindness. Headlines focus on fiat currency amounts that become more sensational the larger the market cap grows; however, the actual proportion of lost assets is declining, indicating a professionalisation in terms of custody.
Furthermore, the increased surface area of more participants would have led to an increased number of incidents had the security situation not improved. Instead, the number of incidents is declining, which points to increased sophistication, especially with regard to exchanges.
Overall, the first four years under review (2011 to 2014) were more turbulent than the last four years (2015 to 2018), which is why the Wild West image no longer fits. The expectation from an institutional perspective is that more and more IDAs will be held in professional and potentially insured custody arrangements.
Notably, no bank has been compromised to date and offline storage systems are rarely affected. In fact, we found only two incidents where an offline system or “cold storage” was affected. Moreover, the available data points to a few clandestine exchanges as the main source of losses.
With many new dedicated companies that address the challenge of institutional custody having sprung up in recent years, security concerns look set to ease further.