1 November just before midnight our hot wallet was compromised and a total value of USD 28m spread over BTC, ETH and USDC (quickly converted into ETH afterwards) were stolen. The compromised assets did not move until 5 November when the funds started moving to cryptocurrency mixer, Tornado Cash.
Platform trading, client assets, the Insurance Fund, Fireblocks, Copper Clearloop, Cobo Loop or any of our cold storage addresses were not affected. It’s company procedure to keep 99% of our user funds in cold storage to limit the impact of these types of events. Deribit has immediately confirmed the loss is covered by company reserves.
After the security incident was noticed Deribit initiated emergency security protocols which included, as a precaution, quickly locked all withdrawals including connections to third-party integrations like Copper Clearloop, Cobo Loop and Banxa and even new client verification via external applications.
- 2 November 3:30 PM Deribit had re-enabled Copper Clearloop and Cobo Loop withdrawals.
- 2 November 11 PM Deribit re-enabled regular on-chain withdrawals.
There are no indications of client or account information being compromised, zero unauthorised client withdrawals have taken place. We do not store passwords nor their hashes in our database as we are using SRP protocol for password authentication. Passports and other KYC information are stored by our third-party partner and hence not stored on Deribit servers.
The solution implemented by Deribit
In order to ensure that similar instances will not happen again, we have on 2 November transitioned the entirety of our hot wallet setup to Fireblocks to include BTC, ETH, and USDC in addition to SOL, which was already on Fireblocks. Consequently, no single aspect of our legacy technology or hardware was reused for the new setup. Moving forward, all withdrawals need a manual (read: human) confirmation by a Deribit administrator. After the manual confirmation, withdrawals will be processed. This means that withdrawals are not instant, but we aim to process most withdrawals within 60 minutes.
The user impact of this change was minimal. However, please do not send funds to your previous BTC, ETH, and USDC deposit addresses any longer. We require our users to create new Fireblocks deposit addresses for BTC, ETH and USDC from the Deribit front end and use those moving forward. SOL addresses do not need to be updated as they’re already on Fireblocks.
As of now, it is impossible for any hacker to initiate withdrawals from our hot wallets since 100% of hot wallet activity requires additional human confirmation. We believe this is the best approach going forward as we ensure that this will not happen on our platform again.
Forensics
Deribit has appointed three specialist firms to assist in analysing the security breach. For the moment we cannot disclose initial findings.
Next steps
Besides manual approval for all withdrawals, we will want to emphasize the importance of setting up Two Factor Authentication for account access. We furthermore want to stress that we allow for split key management (Click here for more info about using security keys). For example, we offer the ability to use a different 2FA for login, account management and withdrawals to further reduce risk. Also, we recommend all clients to set a withdrawal timer to at least multiple days, meaning any newly added withdrawal addresses cannot be used until this minimum period has passed.
Finally, we are working towards offering Fireblocks exchange integration as a third integrated custody solution for clients besides Copper Clearloop and Cobo loop.
Once again, thank you for your patience, support and understanding. We realise trust is of the utmost importance in our industry and for that reason we have tried to remain as transparent as possible.
AUTHOR(S)
We are the best resource for Crypto Derivatives trading. Deribit is not available in the United States or other restricted countries.