
Open-Sourcing Subzero: Square’s Bitcoin Cold Storage Solution - mcpherrinm
https://medium.com/square-corner-blog/open-sourcing-subzero-ee9e3e071827
======
aeternus
>One specific customization we implemented is the ability to enforce that cold
wallets can only send funds to a Square-owned hot wallet.

This actually seems like a significant risk. Cold storage is based on the idea
that hot wallets are more easily compromised.

If someone does manage to compromise Square's hot wallet private keys, they
can basically hold all cold storage funds hostage. Perhaps Square has some way
to modify the allowed addresses, but that somewhat defeats the purpose of the
restriction.

~~~
mcpherrinm
The code which implements the restrictions on destination is just code. We can
add new destinations if needed, but that requires a quorum of codesigners and
a more arduous process than simply withdrawing funds.

The goal here is the normal operation, cold withdrawal, is very low risk.

If we ever did suspect our hot wallet keys were breached, we'd have to do that
or else we would be stuck as you suggested.

~~~
jstanley
So what's the material difference between the cold wallet and the hot wallet
if funds from the cold wallet can be moved into the hot wallet freely?

~~~
sneak
Moving funds from multisig cold storage is not “freely” when it at the minimum
requires two people to travel to two different key storage/signing locations.
You’re generally looking at a 12-48h process at a minimum.

“Cold” refers to it being entirely offline.

~~~
londons_explore
In this case, the people are really just part of the system.

If an attacker can fool the people into getting funds out of the cold wallet,
then they are available for an attacker to steal.

The only way to avoid the people being fooled is to have full auditing of
every customer account balance. One needs to ensure that hot wallet + cold
wallet >= all customers' account balances.

Doing that auditing in a secure way is really hard.

~~~
qmarchi
Square tried to minimize the impact that a human can have on the system:

* Several people would have to be compromised
* The people are geographically diverse
* Subzero will refuse to redirect funds to anything but a Square hotwallet.
* And, they specifically built the Beancounter system for auditing of these accounts.

------
Uptrenda
I'm glad that exchanges are starting to take security more seriously. But the
security of cold wallet funds is much easier to maintain. The issue here with
centralization and hot wallets is that funds have to sit on publicly
accessible servers. So really, any improvements made to cold wallet storage
are nothing more than a red herring that distracts from the real issue that
centralized exchanges were never designed to handle cryptocurrencies.

There are far more problems to this approach than just wallet security too.
With an inherent lack of transparency that comes from centralized exchanges
how is the user to know that trades are being executed fairly? The exchange
still has an edge over every trader in that market and can skim profits off of
anyone. If we observe Mtgox it was the result of what can happen when
everything goes wrong (hot and cold wallets mismanaged and order books
manipulated.)

So call me a skeptic but I don't see how this solves anything. I did enjoy the
hand waving though. Very cool, and I'm sure Square's customers will be happy
with it when their convoluted security protocols are inevitably broken by a
rubber mallet.

~~~
pat2man
You can always trade on a decentralized exchange like
[https://www.radarrelay.com](https://www.radarrelay.com)

~~~
snissn
anyone who works at radar relay - could we chat about listing 0xBitcoin?
thanks!

------
haneefmubarak
This is neat, but I think it'd be interesting to see a writeup that talked
more about why they needed a new solution and what they did differently that
solved their particular problem.

In particular, they mention an onion model - what does that look like for
them? Hot/warm/cold can take a variety of forms...

~~~
amenghra
The main motivation to build vs use an existing solution was a solid backup/DR
story and the desire to be able to write custom business logic which is
enforced inside the HSM.

It’s things like controlling where funds can go, or requiring specific
authorization based on the amount being moved around, etc.

Being able to leverage hardware we are already familiar with or which has
various certifications (such as FIPS) is a neat bonus.

If you look at the code, you’ll see that the funds flow from “anywhere -> hot
-> cold -> warm -> anywhere”. This is the minimal setup and you can add more
layers if needed.

~~~
tudorconstantin
With HD wallets you can generate receiving addresses based on the master
public key of a wallet, without needing any private key.

Is there a reason for not receiving funds straight into the cold wallet?

Edit: in the docs it seems that you indeed receive funds directly in the cold
wallet

~~~
amenghra
You are right. You can go from external entity to cold wallet directly. The
important piece is how the funds leave the cold wallet.

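As an added example (not code from the original post or from Subzero) of what tudorconstantin describes above, the following pure-Python BIP32 derivation shows the watch-only side computing a child public key from only the parent public key and chain code, while the offline side computes the matching private key from the parent private key; the two results must agree. The seed and child index are constructed, and the secp256k1 arithmetic is the textbook affine form written for clarity, not a constant-time implementation.

```python
import hashlib
import hmac

# secp256k1 domain parameters.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def inv(x):
    """Modular inverse mod P via Fermat (P is prime)."""
    return pow(x, P - 2, P)


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * inv(2 * y1) % P          # doubling
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P            # addition
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def ser_p(pt):
    """33-byte compressed SEC1 encoding (BIP32's ser_P)."""
    x, y = pt
    return bytes([2 | (y & 1)]) + x.to_bytes(32, "big")


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def master_from_seed(seed):
    """BIP32 master key: HMAC-SHA512 keyed with 'Bitcoin seed'."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    assert 0 < k < N
    return k, i[32:]                                  # (private key, chain code)


def ckd_priv(k_par, c_par, index):
    """CKDpriv: needs the parent private key, so this runs on the offline side."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = ser_p(point_mul(k_par, G))
    i = hmac.new(c_par, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    assert il < N
    return (il + k_par) % N, i[32:]


def ckd_pub(K_par, c_par, index):
    """CKDpub: needs only the parent public key and chain code (watch-only side)."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    i = hmac.new(c_par, ser_p(K_par) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    assert il < N
    return point_add(point_mul(il, G), K_par), i[32:]


def derive_child_both_ways(seed, index):
    """Online side uses (K, c) only; offline side uses (k, c). Returns both results."""
    k, c = master_from_seed(seed)
    K = point_mul(k, G)
    K_child, c_pub = ckd_pub(K, c, index)          # what a watch-only server can compute
    k_child, c_priv = ckd_priv(k, c, index)        # what the offline signer computes
    return K_child, c_pub, k_child, c_priv


if __name__ == "__main__":
    K_child, _, k_child, _ = derive_child_both_ways(bytes(range(16)), 7)  # constructed seed/index
    print(ser_p(K_child).hex() == ser_p(point_mul(k_child, G)).hex())
```

The hardened branch in ckd_pub is the security-relevant caveat: a leaked xpub plus any one non-hardened child private key recovers the parent private key, so the account level is normally derived hardened and only the address level is derived from the public key.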
------
dannyw
Speaking of hardware security modules, are there any that can be easily and
cheaply acquired by hobbyists?

~~~
franciscrick1
Pieces of paper work pretty well.

Edit: literally any text data storage medium that can be powered down and
locked in a safe will work perfectly well for any of this. It doesn't matter
if it's a flash drive, floppy disk, CD ROM, piece of paper, or sheet of gold
with characters scratched into it. Literally anything will work. You do not
have to buy these $50 glorified flash drives to store your bitcoin.

~~~
nybble41
That takes care of offline key storage, but you'll need a lot more than just a
piece of paper (and a safe) to actually _use_ the key securely: a secure
offline computer, for a start, and a process for transferring the key and
transaction data into that computer, signing the transaction, and getting the
signed transaction back to a connected system for upload. At which point
you've basically re-invented an ad-hoc, inefficient, and quite likely insecure
hardware wallet / HSM.

Or were you just planning to scan the private key QR code with your
(compromised) smartphone?

HSMs are a lot more than "glorified flash drives". The most important
difference is that they keep the key data securely stored on the HSM and only
allow it to be used in specific ways, such as signing individual transactions.
Depending on the HSM you may even be able to program it to only sign
transactions which meet specific requirements, such as transfers from cold
storage to known hot wallet addresses.

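As an added example (not Subzero's code, which enforces its rules inside the HSM against the actual transaction), here is the shape of the destination and amount policy that mcpherrinm, amenghra and nybble41 describe above: the signer refuses any output that is not a known hot-wallet address or change back to cold storage, and it demands more approvals once the amount leaving cold storage exceeds a threshold. The addresses, the threshold and the approval counts are assumptions for illustration.

```python
from dataclasses import dataclass

# Hypothetical addresses (constructed; not Square's). In Subzero these live in
# signed HSM code, so changing them needs a code-signing quorum, not a withdrawal.
ALLOWED_HOT_WALLETS = frozenset({
    "bc1qhot0000000000000000000000000000000000",
    "bc1qhot1111111111111111111111111111111111",
})
COLD_WALLET_ADDRESSES = frozenset({"bc1qcold000000000000000000000000000000000"})

# Assumed amount rule: above 1 BTC, require a larger human quorum.
LARGE_WITHDRAWAL_SATS = 100_000_000
APPROVALS_FOR_LARGE = 3
APPROVALS_FOR_SMALL = 2


@dataclass(frozen=True)
class Output:
    address: str
    sats: int


@dataclass(frozen=True)
class WithdrawalRequest:
    outputs: tuple          # tuple[Output, ...]
    approvals: frozenset    # identities of approvers, assumed verified upstream


def evaluate_policy(req):
    """Return (ok, reason). ok=True means the signer may sign this transaction."""
    if not req.outputs:
        return False, "no outputs"
    sent_to_hot = 0
    for out in req.outputs:
        if out.sats <= 0:
            return False, f"non-positive amount to {out.address}"
        if out.address in COLD_WALLET_ADDRESSES:
            continue                                   # change returning to cold storage
        if out.address not in ALLOWED_HOT_WALLETS:
            return False, f"destination {out.address} is not an approved hot wallet"
        sent_to_hot += out.sats
    if sent_to_hot == 0:
        return False, "transaction moves nothing to a hot wallet"
    needed = APPROVALS_FOR_LARGE if sent_to_hot > LARGE_WITHDRAWAL_SATS else APPROVALS_FOR_SMALL
    if len(req.approvals) < needed:
        return False, f"{len(req.approvals)} approvals, {needed} required for {sent_to_hot} sats"
    return True, "ok"


HOT0 = "bc1qhot0000000000000000000000000000000000"
COLD0 = "bc1qcold000000000000000000000000000000000"
ATTACKER = "bc1qattacker00000000000000000000000000000"   # constructed, not an approved destination

# Constructed requests exercising each branch of the policy.
SMALL_OK = WithdrawalRequest((Output(HOT0, 50_000_000), Output(COLD0, 10_000)), frozenset({"a", "b"}))
LARGE_UNDER_QUORUM = WithdrawalRequest((Output(HOT0, 200_000_000),), frozenset({"a", "b"}))
LARGE_OK = WithdrawalRequest((Output(HOT0, 200_000_000),), frozenset({"a", "b", "c"}))
REDIRECTED = WithdrawalRequest((Output(ATTACKER, 1_000),), frozenset({"a", "b", "c"}))
ONLY_CHANGE = WithdrawalRequest((Output(COLD0, 1_000),), frozenset({"a", "b"}))

if __name__ == "__main__":
    for name, req in [("small", SMALL_OK), ("large/2 approvals", LARGE_UNDER_QUORUM),
                      ("large/3 approvals", LARGE_OK), ("redirected", REDIRECTED),
                      ("only change", ONLY_CHANGE)]:
        print(name, evaluate_policy(req))
```

Note what this does not protect against, which is the thread's point: a request that passes every rule still moves funds into the hot wallet, so the policy bounds the blast radius of a fooled operator to one approved hop rather than removing the human from the loop.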
------
SEJeff
This project looks pretty interesting:

[https://github.com/square/beancounter/](https://github.com/square/beancounter/)

Allows mapping a date to blocks or see what the wallet balance was at any
given time.

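As an added example that is neither part of the original post nor Beancounter's code, the following models the audit londons_explore describes earlier in the thread (hot + cold >= customer balances) together with the two operations SEJeff mentions for Beancounter: mapping a timestamp to a block height and computing a wallet's balance at that height from its transaction history. All transactions, block times and customer balances are constructed, and the wallet labels stand in for real addresses.

```python
import bisect
from collections import namedtuple

# A transaction: inputs are (txid, vout) pairs it spends, outputs are (address, sats).
Tx = namedtuple("Tx", "txid height inputs outputs")

HOT, COLD = "hot-wallet", "cold-wallet"   # placeholder address labels (constructed)

# Constructed on-chain history, not real Bitcoin data.
HISTORY = (
    Tx("t1", 100, (), ((COLD, 500_000_000),)),                              # deposit lands in cold
    Tx("t2", 120, (), ((COLD, 300_000_000),)),                              # second deposit
    Tx("t3", 150, (("t1", 0),), ((HOT, 100_000_000), (COLD, 400_000_000))),  # cold -> hot, change to cold
    Tx("t4", 170, (("t3", 0),), (("customer-payout", 60_000_000), (HOT, 40_000_000))),  # hot pays out
)

# (height, unix timestamp) for the blocks above, constructed.
BLOCK_TIMES = ((100, 1_000), (120, 2_000), (150, 3_000), (170, 4_000))

# Constructed customer ledger (the liability side), in sats.
LEDGER = {"alice": 500_000_000, "bob": 240_000_000}


def height_at_time(block_times, ts):
    """Last block height whose timestamp is <= ts, or None if ts predates the first block."""
    times = [t for _, t in block_times]
    i = bisect.bisect_right(times, ts)
    return None if i == 0 else block_times[i - 1][0]


def balance_at(history, addresses, height):
    """Sum of unspent outputs paying `addresses` as of `height` (inclusive)."""
    utxos = {}
    for tx in sorted(history, key=lambda t: t.height):
        if tx.height > height:
            break
        for spent in tx.inputs:
            utxos.pop(spent, None)             # spends of outputs we track; others are ignored
        for vout, (addr, sats) in enumerate(tx.outputs):
            if addr in addresses:
                utxos[(tx.txid, vout)] = sats
    return sum(utxos.values())


def solvency_check(history, liabilities, height):
    """Return (solvent, hot, cold, owed): solvent iff hot + cold >= total customer balances."""
    hot = balance_at(history, {HOT}, height)
    cold = balance_at(history, {COLD}, height)
    owed = sum(liabilities.values())
    return hot + cold >= owed, hot, cold, owed


if __name__ == "__main__":
    h = height_at_time(BLOCK_TIMES, 3_500)
    print("height at t=3500:", h)
    print("at height 170:", solvency_check(HISTORY, LEDGER, 170))
```

The arithmetic is the easy part; the hard part londons_explore points at is where the inputs come from. The chain history has to be read from a node the auditor trusts (or verified against headers), and the ledger has to come from a system the attacker who is fooling the operators cannot also edit, otherwise the check only confirms that two compromised sources agree.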
------
o_nate
If it's taught us nothing else, I'm grateful for the whole bitcoin mania for
teaching us some humility about computer security. It seems the consensus is
forming that a computer that's connected to the network is pretty much
insecure by definition.

------
tommoor
I'd love to see a writeup on why they even went with the central storage model
at all – I'm sure there were many considerations but it seems as though
CashApp was perfectly positioned to become a mainstream Bitcoin wallet with
the private keys in the hands of the users.

~~~
pat2man
Users lose their keys all the time. The cost of support calls alone would
probably be higher than the cost of developing a cold wallet solution,
especially since it sounds like they already had HSMs and the expertise to use
them.

