Travel back to 2018: users of the crypto exchange QuadrigaCX are upset because they have been waiting for weeks to withdraw money from their customer accounts on the exchange. Then they receive the shocking news that Gerald Cotten, the founder of QuadrigaCX, has been found dead.
For their funds, this allegedly meant that they were locked in QuadrigaCX wallets that only Cotten could access with the private keys. It got even worse: in the following months, six crypto wallets were found that could be linked to QuadrigaCX, but a large part of the customer funds ($190 million) was missing from them.
It is clear that Cotten had embezzled these funds to finance his personal stock market speculation and his own lavish lifestyle. Between 2016 and 2018, Cotten lost $115 million speculating and $28 million trading on other exchanges, and squandered another $24 million on vacation homes, sports cars and luxury vacations.
“Not your keys, not your crypto” is one of the guiding principles of the crypto scene. If you are not the owner, or not the sole owner, of the private key, there is a risk that third parties can dispose of your funds and abuse them. This risk is not unique to exchanges: many client funds secured in smart contracts with protocols, decentralized applications or even in large blockchains are exposed to this so-called key man risk.
Key-Man has full access to the code and funds
A large majority of DeFi projects still have the ability to use a “God Mode” to make changes to key components of the project without community approval. These components reside in the projects’ smart contracts, which contain, for example, the funds and the code. This mode can be used to access the treasury, adjust smart contract parameters, or modify the code. A small handful of people, mostly the founders, have access to the keys that control this access via so-called multi-sigs: several digital signatures, e.g. 3 out of a total of 4, are necessary to exercise control.
The key man risk is the danger that the holders of the private keys to a smart contract will work together to embezzle the money or change significant parameters in the code.
This kind of centralized control by key holders, while increasing the risk to users and stakeholders, is also essential for many protocols in order to implement new functions. It allows those in charge to keep up with rapidly changing technology.
Polygon’s $2 billion is at the center of the debate
Polygon admin access is controlled by a five-out-of-eight quorum, i.e. in this case five of the eight administrators must agree to approve changes. Of the eight keys, four are controlled by the founders of the protocol and four are held by parties selected by the founders.
What potential risks does this pose?
It would take only one of the parties chosen by the founders conspiring with the founders to gain control of the smart contracts. This group would have control over all important functions of these smart contracts: they could change the rules, embezzle the entire Polygon contract ($2 billion TVL) or censor transactions.
A small intervention that can limit the risk would be to use larger multi-sigs. But larger multi-sigs are not automatically a better solution, despite the increased security. Large multi-sigs or fully decentralized governance increase the time needed to react to bugs, exploits and market developments. Above all, the team’s ability to implement new functionality in the code and to make quick product decisions decreases, because multiple participants must coordinate to respond quickly.
The question that arises is: which involves the bigger security risk, one-sided control over the keys or a slow response time to bugs or exploits?
In start-ups, but also in larger companies, the founders often have control over the company until they decide to resign. They unilaterally make key decisions about the company’s direction and product. Mark Zuckerberg, Facebook’s CEO, owns 55% of the company’s voting shares, giving him an absolute majority of the votes.
Protocols, DAOs, dApps are ultimately nothing more than companies offering a product or service to their customers. They can benefit from an enterprise-like approach that focuses on innovation, incrementally improving their products, and eliminating bugs and vulnerabilities in their code while keeping the end goal of decentralization in mind. As with classic companies, users and employees should trust that the founders intend the best for the company and its stakeholders.
However, since cryptocurrencies are about customer money, unlike traditional businesses, additional controls must exist that take into account the unique trade-off between innovation and security. The founders of a startup have the traditional controls, like boards of directors, and the traditional legal system to provide some security. The creators of a protocol or dApp must implement separate controls to enable risk reduction for users of the protocols.
Time locks and other interventions can reduce key man risk while enabling quick decisions
Keyman risk is a necessary evil for protocols to continue to improve and innovate, but should be mitigated with several interventions:
- time lock: A fixed delay for any change to the smart contract can be coded in advance in an auditable way. Once this delay is set, no one can change it. This gives customers a response window within which, in the event of an unexpected, non-agreed or malicious change, they can remove their money from the protocol in time.
- boards: A board-like structure can exercise some control over the founders. Currently, most multi-sigs are controlled by the founders and a self-selected group of others, with the founders only needing approval from a minority of the other group to gain full access to the smart contracts. Protocols can introduce a control function where a panel of external advisers can veto certain decisions, particularly those relating to key contracts and financial management.
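The five-of-eight quorum and the time lock described above can be modelled in a few lines. This is an added example, not code from the article or from any protocol: it is a Python model rather than contract code, and the signer names, the seven-day delay and the change label are constructed assumptions.

```python
from dataclasses import dataclass, field, FrozenInstanceError

DAY = 24 * 3600

class Rejected(Exception):
    """Stands in for a reverted transaction."""

@dataclass(frozen=True)              # frozen: no attribute, including delay, can be reassigned
class TimelockedAdmin:
    signers: frozenset               # all key holders
    threshold: int                   # approvals required (m of n)
    delay: int                       # seconds between queueing and execution
    queued: dict = field(default_factory=dict)   # change -> earliest execution time

    def queue(self, change, approvals, now):
        valid = set(approvals) & self.signers    # ignore non-signers and duplicates
        if len(valid) < self.threshold:
            raise Rejected(f"{len(valid)} of {self.threshold} required approvals")
        self.queued[change] = now + self.delay   # visible to every user from now on
        return self.queued[change]

    def execute(self, change, now):
        if change not in self.queued:
            raise Rejected("change was never queued")
        if now < self.queued[change]:
            raise Rejected("timelock has not expired")
        del self.queued[change]
        return change

def attempt(call, *args):
    """Return True if the call goes through, False if it is rejected."""
    try:
        call(*args)
        return True
    except (Rejected, FrozenInstanceError):
        return False

def run_scenario():
    founders = {f"founder{i}" for i in range(1, 5)}        # constructed names
    appointed = {f"appointed{i}" for i in range(1, 5)}
    admin = TimelockedAdmin(frozenset(founders | appointed), threshold=5, delay=7 * DAY)
    change = "unannounced contract upgrade"                # constructed label
    return {
        "founders_alone_can_queue": attempt(admin.queue, change, founders, 0),
        "founders_plus_one_can_queue": attempt(admin.queue, change, founders | {"appointed1"}, 0),
        "executes_after_1_day": attempt(admin.execute, change, 1 * DAY),
        "delay_can_be_shortened": attempt(setattr, admin, "delay", 0),
        "executes_after_7_days": attempt(admin.execute, change, 7 * DAY),
    }

if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The time lock does not stop the founders and one appointed key holder from queueing the change; it only guarantees that the queued change is public for the full delay before it can take effect.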
Gradual decentralization should remain a goal for the founders: they must eventually hand over the management key to a DAO (in the case of Polygon, to MATIC owners).
In summary: Key man risk is ignored by many users and investors, even though it can pose a significant threat to the money users invest. In today’s world, it is necessary to either remain in control of the keys that govern one’s money or to be aware of the risks in order to monitor the risk accordingly.
Action point: To monitor this risk, check for your protocols: (1) how the keys were generated, (2) who owns them, (3) whether they place some restriction on their users (e.g. timelocks), (4) how big the incentives for wrongdoing are.
Nicolay Gerold is an analyst and investment researcher at Rudy Capital, a German crypto consultancy that enables institutional clients to generate stable returns in falling, rising and flat markets.