How Liquid’s Security & Wallet Team Protects our Clients

Our CISO and I were inspired to write this article following the recent crypto-news reporting on domain takeovers and the theft of clients’ personal data at two exchanges based in Japan (details can be found here & here). Like many others in the exchange space, our team was concerned to see this happen, so we want to reassure and inform our users about the procedures we have in place to prevent this ever happening at Liquid. 

DNS Security

Message from Liquid CISO team

As part of our implementation of security controls such as least privilege and role-based access, Liquid implemented DNS Security (DNSSEC) in 2018. One of the most common problems Internet users face is being exposed to potential DNS attacks that allow attackers to redirect traffic to their own servers instead of displaying a website’s original content. This is known as hijacking or “spoofing” customer communications. By implementing DNSSEC, we further secured the traffic from our servers to the customers' browser and email inbox.

The DNSSEC protocol was established in 2005, but because of its complexity, adoption of this security control has been slow. Currently only 11.7% of the websites in Japan have implemented this complex security control. This has increased by 5% from when Liquid first implemented this security feature.

Liquid takes security of customer communications very seriously and implements controls that provide assurance to our customers.  Liquid remains unaffected by the recent hacks and data breaches.

Given all our safety measures already in place, and based on our knowledge of events, Liquid is not susceptible to the recent attacks at other exchanges.

A few safety measures, as part of our in-depth strategy, include:

  • Mandatory multi-factor authentication
  • DNSSEC to prevent domain takeovers and email hijacking
  • Three-factor authentication imposed for high-risk operations

MPC Wallet Migration

Message from Liquid COO, Seth Melamed

After implementing MPC technology for managing our withdrawal wallets beginning in 2019, we saw the next logical step in leveraging this robust technology: to strengthen our security & improve service levels at the same time. Beginning in May 2020, Liquid began to migrate our user deposit wallets to addresses in which the Master Private Key (MPK) essentially does not exist. This is because it’s created and managed in a distributed manner, using Multi Party Computation (MPC) technology. As of mid-June we have completed roughly half the migration of users’ assets and expect to implement full custody crypto deposits made to Liquid using MPC technology in the coming weeks.

How is this of value to you?

The MPC infrastructure we are building at Liquid gives our users maximum protection and superior service. Using MPC to protect wallets, it is extremely difficult (practically impossible) to break into a wallet. Additionally, using the MPC technology we implemented a distributed approval process.

How has the embrace of MPC technology impacted Liquid’s service levels?

As of June 2020, Liquid is processing 94.7% of all BTC withdrawal requests in 5 minutes or less. Liquid is rapidly headed towards reaching our Target Operating Model (TOM) of servicing 99% of all crypto withdrawal requests in 1 minute.

Today there are no people, servers, cloud services, devices or any group of such entities at Liquid that have access to the keys that control our clients’ assets. Using MPC, the private keys do not exist in their full format. They are created in a distributed manner and shared between various people and machines, assuring that no one has the full key during the complete lifecycle of keys and transactions.

The segregation wallet for Quoine Corp users’ crypto assets is still managed with Private Keys stored in an offline device, using a fully cold wallet infrastructure. Liquid is engaging with the JFSA and industry working groups to achieve acceptance of MPC technology as the equivalent to “cold” wallets, where the private keys are stored in an offline device.

Liquid sees greater acceptance of MPC technology as a virtuous circle: dramatically improved service levels will lead to greater adoption of cryptographic assets as a means of storing value and as a viable peer-to-peer payment system.  

Looking to Liquid’s future pipeline & continual platform improvements:

  • For hedge funds and traders, Liquid is enabling efficient use of their balance sheets 
  • For wallets and point of sale providers, Liquid is helping to turn the promise of crypto as a payment solution into a reality 

Liquid is proud to be the first large-scale exchange to adopt MPC technology, thus helping cryptocurrency to reach its next phase of development: mainstream adoption.


Security team and Seth Melamed

Liquid's Security team and COO of Liquid.