Crypto Exchanges Are Idiots

A Common Misconception

A friend of mine received this news flash…

… and said,

“These crypto exchanges are idiots and do not understand how the world should work.”

My Response

It’s the customers that are idiots.

In this particular case, the story is inconsistent. It says that Mr. Cotten’s holdings were in cold storage, which indicates that he used a hardware wallet. But then the article went on to say that his wife could not decrypt the files on his computer, which indicates he used a software wallet. In either case, Mr. Cotten had no plans in place to reveal his private key to anyone in case he became incapacitated.

Most people (customers) do not understand the basics behind public/private key cryptography. In crypto, you are the bank. If you lose your private key you lose your money and nobody can retrieve it by any technical or legal means.

Crypto Exchange Accounts

The person holding your private key in public key cryptography is like the person holding your wallet.

Would you leave your wallet in the hands of a bank teller and drive away from your bank?

That’s essentially what people are doing when they use the web wallet provided by a crypto exchange. When people transfer USD from their bank account, their money is converted into cryptocurrency, which is then stored in their crypto exchange account. This is another point of confusion: with cryptocurrencies like Bitcoin, money is not in an account; rather, it is associated with a public cryptocurrency address. When people leave their money in the crypto exchange, their money is associated with a public key for which only the crypto exchange holds the private key.

Would you give your debit card and your secret PIN code to a bank teller and drive off? That’s what it’s like when you store your money in a cryptocurrency exchange. You’re trusting that the exchange won’t ever leave your card and PIN code lying around for someone else to pick up (hack) and use.

Consider sending your cryptocurrency, e.g., BTC, to a Coinbase Pro (previously “gdax”) account for free, then to your hardware wallet. This will save a little money on a transfer fee. The catch there is that you must let your money sit on their books for a while before the transfer is completed.

People should use a hardware wallet to hold their cryptocurrency — not a software wallet, and especially not a web wallet provided by a crypto exchange. (Mr. Cotten got this part right, assuming he used cold storage.)

However, there are times when you simply cannot store cryptocurrency in a hardware wallet, for example when you hold a less common cryptocurrency that your hardware wallet does not support. In that case, you might consider another form of physical wallet to hold your funds until you find a hardware wallet that supports your cryptocurrency.

Cryptocurrency Wallets

There are three primary types of cryptocurrency wallets:

1. Physical wallet

2. Software wallet

3. Web wallet

Wallet Subtypes

Physical wallets can be a “hardware wallet” that looks like a USB flash drive, or a piece of paper or sheet of fire-proof titanium with your private key printed/etched on it. These external physical wallets are called “cold storage” because they can be stored separate from any connection to a live, i.e., “hot,” computer.

Software wallets can run on your desktop or on your smart phone.

Web wallets can be browser-based, like MetaMask, or hosted on a crypto exchange like Coinbase.

Wallet Descriptions

The hardware wallet is the most secure. You must have physical possession of the device and you usually need to enter a secret code to execute a money transfer.

The software wallet, while in your possession, i.e., running on your computer, is still vulnerable to attacks. What if a keystroke logger were running and had the capability to manipulate your software wallet?

The web wallet is the least secure. With hosted web wallets, you don’t even have the wallet under your control. You are trusting that some crypto exchange will always have your best interest at heart and will never get hacked. If you leave your money there, don’t complain when your money disappears.

There is no Central Bank

Cryptocurrency is stored securely on a distributed network. There is no customer service to call when you forget your online banking password. You cannot request a new debit card in case you lose your card or forget your PIN code. Securing your money is your responsibility.

The owner of your private keys owns your money. Lose your private key and you lose your money. You have nobody to call and nobody to blame except yourself.

That’s why it is so important to secure your private key. Keep it out of sight of others and protect it from theft and forces of nature.

Since you are the bank, you must think like a bank. That includes the full life cycle of money: acquiring, saving, accessing, securing and transferring your money.

Recovery Seed

Thankfully, crypto wallets typically provide a recovery seed to make it easier to store your private key. It works like this: 1) Your crypto wallet will generate a random set of words. 2) You record those words and store them safely. 3) If you forget your private key, you can enter those random words, i.e., the recovery seed, into your wallet to recover your private key.
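What step 3 does inside a wallet, as an added example that is not from the original post. It assumes the wallet follows the BIP-39 and BIP-32 standards (the post does not name one); the function names are illustrative and the sample words are the public BIP-39 test mnemonic.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test mnemonic (a published test vector, not a real wallet).
TEST_WORDS = " ".join(["abandon"] * 11 + ["about"])


def seed_from_words(words, passphrase=""):
    """BIP-39: stretch the recovery words into a 64-byte seed."""
    sentence = unicodedata.normalize("NFKD", words)
    sentence = " ".join(sentence.split())  # tolerate stray whitespace from hand typing
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", sentence.encode("utf-8"), salt.encode("utf-8"), 2048, 64
    )


def master_key(seed):
    """BIP-32: derive the master private key and chain code from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def recover(words, passphrase=""):
    """Return the master private key (hex) that a set of words leads to."""
    private_key, _chain_code = master_key(seed_from_words(words, passphrase))
    return private_key.hex()


if __name__ == "__main__":
    # Same words on any device give the same key: that is the whole recovery.
    print("original :", recover(TEST_WORDS))
    print("restored :", recover(TEST_WORDS))
    # One wrong word leads to a different, empty wallet. A real wallet would
    # usually reject it first, because the last word carries a checksum;
    # checking that needs the 2048-word list, which is omitted here.
    print("one typo :", recover(TEST_WORDS.replace("about", "above")))
    # An optional passphrase acts as an extra word that is never written down.
    print("with pass:", recover(TEST_WORDS, "correct horse"))
```

Nothing in the derivation depends on the device, so anyone who holds the words holds the keys, and if the words and any passphrase are lost there is nothing else to derive them from.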

Ledger Nano S

The Ledger Nano S comes with paper cards where you write the 24 words that the device displays:

Metal is Better

Paper is not as durable as metal. So if you’re concerned about protecting your recovery seed words from a fire you should consider purchasing something like this:

You can think of your private key or recovery seed as if it’s your bank account number, your secret PIN code and your signature all-in-one. So, secure it properly.

Risk of Storing Private Keys Offline

Another thing to keep in mind is, “What happens if you’re the only one who knows what your private key or recovery seed is?”

That’s what happened to the $190M in client holdings that flowed through the QuadrigaCX exchange last Friday. The only person that had access to the $190M unexpectedly died. Without the private key or recovery seed it is not possible to access the $190M.

If Gerald Cotten had stored the $190M at the exchange, the exchange would have been able to access the money now. Mr. Cotten did the recommended thing and kept the $190M in cold storage. The mistake he made was not implementing a plan for someone else to access the money in case he died.

The news article said, “In a sworn affidavit with the Nova Scotia Supreme Court, widow Jennifer Robertson said that QuadrigaCX owes its customers some $190 million in both cryptocurrency and fiat money.” and that the funds were stored in “cold storage”.

Sounds like the attorney that filed this affidavit is clueless about how cryptocurrency works (and should take PART1 of my class).


The issue we see played out again and again is that there is a fundamental misunderstanding about how cryptocurrency works.

The sooner people understand the concept, crypto != central bank, the sooner we’ll stop hearing news like, “Another $___ Million Dollars Lost Forever!… Avoid Cryptocurrency”

Would you hide your bank account number, your secret PIN code and your signature from everyone?

Maybe. Even if you did, your money is still controlled by the bank and there are legal means for your heirs, in case you die, to access your money. That is not the way cryptocurrency works out of the box, but with some extra effort you can make it work that way.

It’s not a flaw in cryptocurrency; it’s a misunderstanding of how cryptocurrency works. Most crypto exchanges don’t fully educate their customers about the risks of cryptocurrency. They “assume” that people with cryptocurrency know how to handle their money.

Unless you have no relatives and/or do not care what happens to your estate if you die, you should consider using a smart contract to manage who owns your assets. (Instead of having the “If I die, then transfer my money to my kids.” on paper, smart contracts implement that same logic in the blockchain.)

Other options include making copies of your private keys/recovery seeds and storing them in escrow with your attorney.

What’s the right thing to do? “It depends.”

But at the end of the day the buck stops with you. So, educate yourself.


Want to learn how cryptocurrency and blockchain technology work? Take my class.

Want to get a sneak preview of my Gossip Protocol Lab? Go to TABConf on 8 Feb 2019.

Lastly, this common misconception is a clear indication that what the world needs is a better way to perform monetary transactions using cryptocurrencies; one that makes it easy to use crypto without having to worry about doing something stupid or getting hacked and losing everything. Until then, the best way users can reduce their risk is to increase their knowledge.

B.S. in Computer Science (minor: Business) from Auburn University