當(dāng)我和世界其他人一起等待第一個(gè)比特幣ETF 獲得批準(zhǔn)時(shí)����,有一件事一直困擾著我:除了包括Fidelity 和VanEck 在內(nèi)的少數(shù)例外�,幾乎每個(gè)現(xiàn)貨比特幣ETF 的申請(qǐng)人都打算使用Coinbase 為其保管人。
David Schwed 是 Halborn 的營(yíng)運(yùn)長(zhǎng)����。
作為專注於區(qū)塊鏈的網(wǎng)路安全領(lǐng)導(dǎo)者���,這種風(fēng)險(xiǎn)的集中����、加密貨幣託管固有的高風(fēng)險(xiǎn)性質(zhì)以及安全最佳實(shí)踐仍在不斷發(fā)展的性質(zhì)讓我猶豫不決���。
讓我擔(dān)心的並不是 Coinbase 本身�。
該公司從未遭受已知的駭客攻擊,這解釋了為什麼如此多的傳統(tǒng)機(jī)構(gòu)信任其專業(yè)知識(shí)����。
然而���,不存在不可破解的目標(biāo)——只要有足夠的時(shí)間和資源�,任何人和任何人都可能受到損害���,這是我在網(wǎng)路安全和資產(chǎn)管理交叉領(lǐng)域的職業(yè)生涯中學(xué)到的教訓(xùn)����。
讓我擔(dān)心的是資產(chǎn)極端集中在單一託管人。
考慮到加密資產(chǎn)與現(xiàn)金類似的性質(zhì)���,這種情況本身就令人擔(dān)憂。
另請(qǐng)參閱:Gary Gensler 的比特幣 ETF 小丑秀
也許是時(shí)候重新考慮「合格託管人」的指定了���,這是一種監(jiān)管簽字����,其目前的形式不一定能確保基於區(qū)塊鏈的風(fēng)險(xiǎn)資產(chǎn)必然(或最好)受到保護(hù)�。
此外���,理想情況下�,數(shù)位資產(chǎn)託管人應(yīng)該受到比現(xiàn)在更嚴(yán)格的州和聯(lián)邦標(biāo)準(zhǔn)�、訓(xùn)練有素的監(jiān)管機(jī)構(gòu)更多的監(jiān)督。
如今�,大多數(shù)合格的託管人都保護(hù)股票���、債券或數(shù)位追蹤的法定餘額�,所有這些從根本上來(lái)說(shuō)都是合法協(xié)議�,不能簡(jiǎn)單地「竊取」。
但比特幣 [BTC] 與現(xiàn)金和黃金一樣,是所謂的不記名票據(jù)�。
一次成功的加密貨幣駭客攻擊就像狂野西部的銀行搶劫一樣�,一旦落入小偷手中,錢就消失了����。
因此����,對(duì)於加密貨幣託管人來(lái)說(shuō)����,只要犯一個(gè)錯(cuò)誤,資產(chǎn)就會(huì)完全消失�。
我們也知道����,全球加密貨幣犯罪的力量是強(qiáng)大且堅(jiān)定的����。
僅舉一個(gè)臭名昭著的例子�,北韓的 Lazarus Group 駭客團(tuán)隊(duì)據(jù)信在過(guò)去六年中竊取了價(jià)值 30 億美元的加密貨幣,而且沒(méi)有任何停止的跡象�。
預(yù)計(jì)第一個(gè)交易週流入比特幣 ETF 的資金將超過(guò) 60 億美元�,這使得這些基金成為主要目標(biāo)����。
如果 Coinbase 最終在其數(shù)位金庫(kù)中存有數(shù)百億比特幣,北韓可以輕鬆組織價(jià)值 5000 萬(wàn)美元的行動(dòng)來(lái)竊取這些資金,即使這需要多年時(shí)間。
像俄羅斯 Cozy Bear/APT29 組織這樣的威脅參與者也可能會(huì)發(fā)現(xiàn)���,隨著這些資金池變得越來(lái)越大(可能會(huì)更大),追捕機(jī)構(gòu)加密貨幣越來(lái)越有吸引力。
This is the level of threat that major banks prepare for. One widespread model of risk management for financial institutions utilizes three layers of oversight. First, the business management layer designs and implements security practices; second, the risk layer oversees and evaluates those practices; and third, the audit layer makes sure that risk mitigation practices are actually effective.
On top of that, a legacy financial institution will have external auditors and external IT oversight, as well as numerous state and federal regulators looking over their shoulders. Many, many eyes will examine every aspect of risk and security.
But these multiple levels of redundancy and nesting failsafes require one deceptively simple thing: headcount.
During my time as global head of digital assets technology at BNY Mellon, the investment bank had roughly 50,000 employees, of whom around 1,000 – or 2% – were in security roles. Coinbase, even after recent expansion, has fewer than 5,000 employees. BitGo, also a qualified custodian certified by the State of New York and other jurisdictions, has only a few hundred.
This is not to impugn the intentions or skill of any of these organizations or their employees. But real oversight requires redundancy that these new institutions may struggle to provide at a level appropriate for securing tens of billions of dollars in bearer instruments.
See also: Bitcoin ETFs: The Bull Case
Before those numbers get even bigger (and more enticing for the bad guys), it is well past time to refine the cybersecurity standards for qualified custodian designation. Right now, the designation accompanies trust or banking licensing, overseen by state and federal regulators. These are financial regulators largely focused on traditional banking, not cybersecurity experts, and certainly not crypto experts. They understandably focus on balance sheets, legal processes, and other financial operations.
But for crypto custodians, those aren’t the only kinds of oversight that matter, or even necessarily the most important. There are no industry-wide standards for cybersecurity and risk management practices by crypto custodians specifically, meaning that “qualified custodian” status isn’t quite as reassuring as it might sound. That exposes not just investors but an entire nascent sector to opaque risk with potentially dire consequences.
The approval of a cast of bitcoin ETFs is just the latest step in the continued integration of digital assets into the financial system. You don’t have to trust crypto partisans on that prediction – just ask Blackrock, a legacy giant that championed the ETF. As these developments continue, regulators truly interested in investor protection will focus on adapting to this new world: one in which rigorous cybersecurity standards are just as important to financial stability as honest disclosures and financial audits.
