min read

Crypto Security at Cabital: How We Keep Your Assets Safe

Our team is committed to constant security improvements. Read on to find out how we protect your assets at Cabital.

Further Readings

No items found.

In 2020, almost US$2 billion was stolen in crypto crime: mainly through fraud, followed by theft and ransomware. And in August 2021, the decentralised finance platform Poly Network lost more than $600 million worth of cryptocurrency because of an exploit by a hacker. While the saga ended happily, with the hacker returning most of the stolen assets, it serves as a reminder of the importance of cybersecurity in the crypto space.

At Cabital, we’re fully committed to keeping your assets safe and secure. Our team is constantly investing in security improvement: investigating upcoming insurance protocols and conducting tabletop exercises around the latest security threats facing the crypto industry. 

We’ve adopted a multipronged approach to protecting our customers’ assets, including: 

  • Our secure wallet solution that guards our digital assets
  • Our custodian has insurance on digital assets held by Cabital
  • Our internal security measures that limit the impact of attacks
cyber security crypto key points

Crypto Security: Cold Wallets vs Hot Wallets

Cryptocurrency is stored in a wallet, which holds and protects digital assets. At both a consumer and institutional level, wallets can either be ‘cold’ (offline) or ‘hot’ (online) based on their connectivity to the internet. 

The biggest difference between wallets held by consumers and institutions is that a company such as Cabital opts for a third-party custody solution that holds and manages digital assets for investments. In contrast, an individual usually opts for self-custody. 

Self-custody usually involves building their storage solution and managing their private keys—a random 256-bit long alphanumeric string of numbers and letters identifying the wallet owner. Should an individual lose their private key, they’ll lose access to their wallet and all the funds inside.

What is a Cold Wallet? 

A cold wallet is an offline solution that holds signing keys in hardware devices that are not connected to the internet and can’t be controlled remotely through software. Stealing funds held in a cold wallet usually requires physical possession or access to the cold wallet, on top of any PINs and passwords needed to unlock the funds. 

While cold wallets are essentially hack-proof, there are a couple of downsides to them. First, you’ll need to take precautions around storing your cold wallet, such as using personal safes. Another downside to using cold wallets is that you won’t earn interest on the cryptocurrency held within. After all, depositing crypto into a savings account (like Cabital) can earn you leading APY rates depending on cryptocurrency. 

What is a Hot Wallet?

One of the most common forms of hacking cryptocurrency exchanges involves infiltrating the private keys to the exchange’s hot wallet. Unlike a cold wallet, a hot wallet is connected to the internet, where the funds can then be used for transactions such as trades and transfers. Because it’s connected to the internet, hot wallets are more susceptible to hacks since the private keys are stored on the internet.

We ensure that our private key is never held in one place at any time. The technology from our security provider, Fireblocks, protects the key from being compromised as the private key is never concentrated on a single device while providing off-chain accountability through an audit log of all the keys used in each signing cycle. 

Choosing most secure wallet type
Table 1: Differences between Cold and Hot wallets

How We Keep Your Assets Safe with Fireblocks

As mentioned above, Fireblocks is our security provider, and they play a major role in guarding your assets. We’ve chosen Fireblocks because they’re one of the most secure crypto wallet solutions in the industry, securing more than US$1 Trillion in digital assets, with over 500 institutions relying on their infrastructure, including Revolut, eToro, and Crypto.com. 

Why is Fireblocks Secure?

Here’s how Fireblocks’ security works: 

First, there’s a private key protection layer that removes the single point of compromise by spreading the authentication process across multiple parties and multiple devices. Instead of a single private key, there’s an algorithm that calculates the key to unlock our wallet through the MPC (multi-party computation) solution.

Next, there’s a layer of hardware isolation, where keys stored cannot be extracted even if a hacker gets control over the server, as the memory and data are encrypted. For a hacker to move the asset to their address, they’ll need Cabital’s authorisation.

As a further layer of security, Fireblocks also has a policy and workflow engine that lets organisations configure the list of rules that decide how transactions are handled and approved.

What is Cabital’s Insurance Policy for Our Customers’ Assets?

Our custodian, Fireblocks, provides insurance that covers assets in storage, transfer and E&O (Errors and Omissions). To further protect our customers’ assets, we’ve also set aside a provision in case of unexpected events.

However, we generate our interest rates by investing our assets, and once these assets leave Cabital’s control, they are no longer covered by Fireblocks’ insurance. 

Our investment team has established a playbook of solid metrics and thresholds to select a diverse range of reliable investment projects to ensure our investments pay off. We only consider projects requiring over-collateralisation from the borrowers to ensure that our investment capital is always returned. We also conduct a comprehensive due diligence review on the project from a quantitative and qualitative perspective. On the quantitative side, that means reviewing project audit reports from a recognised audit firm and the total volume locked in the project. On the qualitative side, we look into the function of the protocol and incidents of negative coverage. 

Before investing in a specific project, it also requires approval from Cabital’s Risk Committee. The Risk Committee consists of experts in ALM (Asset and Liability Management), operations, legal, tech, finance, compliance, and more. The members have held leadership positions in banks like Citibank, and other financial institutions like Western Union, Nomura Securities and JP Morgan.

We’re aware that there are some DeFi projects that offer insurance on cryptocurrency that’s invested in projects. We acknowledge that this field is still a rising industry, and there is plenty of room for it to improve and develop further, and in time we look forward to leveraging advancements in DeFi insurance to provide us with further protection on our investments. 

How Cabital Protects Your Assets

We have multiple tiers of defence to protect your assets. This includes establishing measures that protect your assets and your private information, such as 

  • Limiting exposure of non-public information provided by our clients
  • Firewalls to protect your assets and information
  • Encryption to prevent information theft
  • Multiple factors authentication
  • Access control mechanisms to control access to systems and data, where only restricted users can access critical customer data
  • Tabletop exercises, in which team members run through a cybersecurity crisis simulation, testing their processes and proficiency in overcoming cyber attacks from a strategic and technical perspective

Policy and Controls in Daily Operations

Besides the above systems and measures, we implement policy and controls in our daily operations. We practice duty segregation across the organisation and individual teams’ setups and their roles and responsibilities to avoid the case of an individual (or team) playing the role of an athlete and a referee at the same time. Team members who handle sensitive information must undergo strict background checks, regular security awareness and skill training, and pass internal security tests to ensure that our customers’ data and assets are safe.

For critical activities (especially the ones related to our funds), we’ve set up dual control, where it requires two gatekeepers to approve an action before proceeding. 

What Happens in an Emergency?

In the event of a cyberattack, we will immediately take action to limit the impact of these attacks. We’ve set up different zones within our infrastructure to protect our customers’ information and assets. This lets us disable certain features and shut down some entries to remove entry into the system from outside threats. 

Finally, we’ve also established a business recovery plan in case of emergencies, and we constantly revisit and revise it based on the latest developments in the cryptocurrency and cybersecurity industries. 

What Happens if a Customer’s Account is Hacked?

Sometimes unfortunate circumstances happen, like a stolen device or a well-crafted phishing scam, and a customer’s account is compromised. Once we receive the report that a customer’s account is hacked, our team’s priority is to protect the customer’s funds

  1. We’ll suspend the account for a period of time to protect the funds as we investigate
  2. The Operations team will reach out and verify the customer’s identification to confirm the report
  3. Meanwhile, the tech and security teams will examine the account’s behaviour as they identify the breach
  4. Once the investigation is done and the breach is sealed, we will reset the customer’s sign-in credentials and send them over in a safe way

The Future of Cryptocurrency Cybersecurity with Cabital

At Cabital, we know the cybersecurity field is constantly evolving. We’ll keep on working to build a crypto security program that combines a seamless user experience with industry best practices so that you can sit back and watch your money grow without worrying about the security of your assets and information.

As we move forward, you can rest assured that we’ll always maintain an open communication channel to address any security concerns you may have while constantly updating you about how we’re staying prepared. 

On our side, we’ll always be taking proactive measures to protect our customers and their assets through tabletop exercises and drills based on the latest cryptocurrency and cybersecurity updates. 

We understand that investing a significant portion of your holdings at once can be daunting. Test out our platform’s security with a small deposit of USDT for a 30-Day Fixed Savings subscription. With no minimum sum required or any other preconditions like the need to hold platform tokens, you’ll be able to earn the industry-leading interest rate right away. 

Get started with Cabital today

This article has been prepared by Cabital Fintech (LT) UAB  (the “Company”) and is general background information about some of the Company’s activities at the date of this presentation.

This article does not contain all the information that is or may be material to you and should not be considered as advice or a recommendation to you in respect of the holding, purchasing or selling of digital assets and does not take into account your particular objectives, financial situation or needs. This article has been made to you solely for information purposes. This presentation may be amended and supplemented as the Company sees fit, may not be relied upon for the purpose of entering into any transaction and should not be construed as, nor be relied on in connection with, any offer or invitation to purchase or subscribe for, underwrite or otherwise acquire, hold or dispose of any digital assets, and shall not be regarded as a recommendation in relation to any such transaction whatsoever. The contents of this presentation should not be considered to be legal, tax, investment or other advice, and you  should consult with your own counsel and advisers as to all legal, tax, regulatory, financial and related matters concerning an investment in or a disposal of such digital assets and as to their suitability for you.

This presentation and its contents are proprietary to the Company, and no part of it or its subject matter may be reproduced, redistributed, passed on, or the contents otherwise divulged, directly or indirectly, to any other person (excluding the relevant person’s professional advisers) or published in whole or in part for any purpose without the prior written consent of the Company.

This article contains forward‐looking statements. Such forward‐looking statements involve known and unknown risks, uncertainties and other important factors. Certain forward‐looking statements are based on assumptions or future events which may not prove to be accurate, and no reliance whatsoever should be placed on any forward-looking statements in this article.

The information in this article has not been independently verified. No representation or warranty, express or implied, is made as to the fairness, accuracy or completeness of the presentation and the information contained herein and no reliance should be placed on it. Information in this article (including market data and statistical information) has been obtained from various sources (including third party sources) and the Company does not guarantee the accuracy or completeness of such information.