If a user's digital assets are stolen, should the cold wallet company be held legally responsible? - ODAILY

ODAILY
01-16

For the entire crypto industry, the long and worrying year of 2022 is coming to an end, but the story of stolen user digital assets is far from over.

According to monitoring by the blockchain security audit company Beosin, in November 2022 alone there were more than 17 typical cases. Among them, the hot wallet of the centralized trading platform Deribit was stolen from, with a loss of 28 million US dollars; a wallet suspected of having leaked its private key was also stolen from, resulting in a loss of about $42 million.

As the last line of defense for users' digital assets, is the cold wallet safe? Is it worthy of our trust? If your digital assets are lost, will the cold wallet service provider be held responsible? This article discusses these questions.

1. What does a digital wallet mean to users?

In essence, the crypto assets we hold are just a string of data on the blockchain, and the digital wallet serves as the carrier that connects to the blockchain and lets that data circulate. Therefore, for each wallet user, what really needs to be stored in a cold or hot wallet is the entry key: the private key, as well as the account number, password, and mnemonic that are roughly equivalent to the private key.

Because of the anonymity and high cognitive threshold of the blockchain itself, what most hot and cold wallet service providers do is try their best to shorten the distance between ordinary users and this threshold.

The crypto world is like a dark forest. Digital wallets give users a torch, but this torch cannot do the user's thinking about how to move forward in the dark and how to avoid its risks. In the final analysis, to protect the security of your own assets, you must develop an awareness of wallet security.

2. Several common ways assets are stolen from a cold wallet

In fact, users' insufficient knowledge of wallets may directly lead to asset theft. In reality, many coin theft cases are the result of careless user operations, such as using email to store or transmit private keys, or letting acquaintances access private keys or mnemonic words...

Generally speaking, the theft of user assets under the cold wallet can be mainly attributed to the following three reasons:

The first category: improper storage by users. Cold wallet products are anonymous wallets, and whoever holds the wallet owns the assets in it. As the buyer of the cold wallet, the user should be its only user, so the user's custody behavior is particularly critical. On the one hand, objectively, poor storage by users, such as losing a mobile device or losing the media used to back up important wallet information (private keys, security passwords, mnemonics), gives thieves an opportunity. On the other hand, subjectively, the user may not be cautious enough in keeping the wallet. For example, the user lends, transfers, or authorizes others to use their wallet service, or allows other people to directly or indirectly come into contact with and learn the private key, thereby indirectly disclosing it. In reality, some cold wallet thefts are committed by acquaintances close to the user.

The second category: the risk from cold wallet service providers. Cold wallet services and hot wallet services are essentially technical services. Compared with hot wallets, cold wallet service providers should ensure the absolute security of the private key throughout the process of offline generation and offline storage. Cold wallet service providers pose a risk of theft in two special situations. The first situation: there may be exploitable loopholes in the specific cold wallet service technology, so that objectively there is a risk of private key leakage at an intermediate stage, leaving an opportunity for hackers or other organizations. The second situation: with more and more cold wallet products on the market, some informal cold wallet service providers may have a "back door", secretly copying and retaining the customer's private key. Of course, retaining the private key does not necessarily result in the theft of user assets; that depends on whether the retained private key is used by insiders to steal user assets.

The third category: the risk of introducing third-party services. Usually, cold wallet service providers cooperate with external service providers to provide specific service support. For example, the "purchase, sale and cryptocurrency exchange service" embedded in Ledger Live is a typical third-party service. Users can easily reach the related services by following a link to a web page or from within the wallet page. In terms of the source of risk and the way theft occurs, third-party services are similar to service providers: there may be risks of theft such as technical loopholes and retention of customer private keys.

However, the introduction of third-party services often requires the signing of additional agreements, mainly by directly incorporating the third-party user agreement or by listing it in the terms of the cold wallet service provider itself. Therefore, once a user's assets are stolen because of an introduced third party, the terms between the third party and the user need to be considered when assigning responsibility. In circumstances that are not listed, the cold wallet service provider still needs to bear certain joint and several liability for the third-party service risk.

3. Under what circumstances should the cold wallet service provider bear legal responsibility?

For the theft of user assets, the responsibility of the cold wallet service provider is limited. Theft caused by the user's own actions falls within the cold wallet provider's exemption from liability. In other cases, the cold wallet service provider needs to bear certain responsibilities.

(1) There are technical loopholes in cold wallet products

Cold wallets are usually sold as physical products, and cold wallet service providers, as product manufacturers and sellers, should assume the relevant responsibilities of business operators. If a cold wallet product has technical loopholes, these may be identified as a quality defect in the product, one that may easily cause unreasonable risks to the safety of consumers' property.

According to Article 1206 of the Tort Liability Part of the Civil Code, "if a product is found to be defective after it is put into circulation, the producer and seller shall promptly take remedial measures such as warnings and recalls." For cold wallets with technical loopholes, the safety of the user's property in the cold wallet is hard to guarantee, and losses can even be huge.

According to Article 4 of the "Interim Provisions on the Administration of Recall of Consumer Products", "producers shall be responsible for the safety of the consumer products they produce. If the consumer products are defective, the producer shall implement a recall." Specifically, cold wallet service providers should eliminate cold wallet defects or apply patches to reduce security risks, through remedial measures such as supplementing or amending warning signs, repairing, replacing, and accepting returns.

It is worth noting that some cold wallet products stipulate a "technical loophole" exemption clause in the user agreement, so that users cannot claim compensation for losses on the basis of breach of contract. However, cold wallet service providers should establish a system for collecting, verifying, analyzing and processing consumer product defect information, so as to find technical loopholes in time and remedy them.

(2) Fraud exists in cold wallet business activities

There is a certain probability that some cold wallet service providers will have a "back door" and use it to copy and retain the user's private key. This runs contrary to cold wallet technology itself and is an act of deceiving consumers.

When operators engage in fraudulent behavior, they should first bear administrative responsibilities, which may involve fines, confiscation of illegal gains, and revocation of business licenses. Operators who commit fraudulent acts in providing commodities or services shall also bear civil liability for compensation. According to Article 55 of the Law of the People's Republic of China on the Protection of Consumers' Rights and Interests, "If a business operator commits fraudulent acts in providing commodities or services, it shall increase the compensation for the losses suffered by the consumer at the request of the consumer; the amount of additional compensation shall be three times the price or the service fee; if the amount of additional compensation is less than 500 yuan, it shall be 500 yuan. If the law provides otherwise, follow its provisions."

In addition, if the cold wallet service provider holds the user's private key and there is internal embezzlement of the customer's funds, criminal responsibility may also be involved. Specifically, the blockchain account established by the customer through the cold wallet service is independent not only of the cold wallet service provider but also of other customers, and is completely owned and used by the customer, so taking from it does not constitute misappropriation of "funds or property of the unit". Under this premise, the cold wallet service provider's misappropriation of customer funds may be deemed theft.

(3) Responsibilities for introducing third-party service providers

In several recent cases of theft of user assets, many users mistakenly authorized their wallets by entering private keys or clicking phishing links on third-party platforms, resulting in asset theft. For this reason, whether the cold wallet service provider should bear the risks that arise on a third-party platform depends on the terms between the service provider and the user regarding the third party.

Taking the Ledger Live User Agreement as an example, Ledger expressly states that "it is not responsible for the content, accuracy, security, availability, any performance or failure to perform of third-party services or any problems related to the use of third-party services. ... You agree to use third-party services at your own risk. Before using third-party services, you are responsible for reviewing the third-party terms and policies." Most cold wallet service providers use various third-party terms and directly remind users to pay attention to the third party's relevant agreements in order to exempt themselves from liability, and the cold wallet service provider does not bear the corresponding responsibility for users downloading or obtaining any information through the use of third-party platform services. Of course, in circumstances not listed, the cold wallet service provider still needs to bear certain joint and several liability for the third-party service risk.

4. Some thoughts

As an entry-level solution for Web3.0, cold wallets require entrepreneurs not only to make great efforts on product usability and security, but also to pay more attention to legal aspects.

The blockchain has no national borders, but users have their own countries. In the course of business, entrepreneurs must clearly understand the local laws and regulations to avoid unnecessary risks and legal liability.
