decrypt.co
Fireblocks, founded in 2018, is a crypto custody company that lets institutional investors like banks shift money around cryptocurrency exchanges swiftly without, purportedly, sacrificing security.
Now, they’re being sued for failing to live up to this promise, as reported by Israeli newspaper Calcalist today.
Swiss-based staking platform StakeHound alleges that Fireblocks didn’t “back up the [StakeHound’s customer’s] private keys needed to open the relevant digital wallet, and for no apparent reason, the keys were deleted, preventing the plaintiff’s digital assets from being accessed.”
Founded in 2020, StakeHound lets users stake crypto—pledge crypto assets to the network and earn rewards in return—by wrapping assets into “staked tokens” which represent the underlying asset on a 1:1 basis. The pledged crypto assets are custodied by companies including Fireblocks, according to StakeHound.
Lior Lamesh, who closely follows the lawsuit, told Decrypt that the case involves a major mishap in Ethereum 2.0 staking service offered by StakeHound, for which Fireblocks acts as the custodian of private keys. Lamesh has previously worked as a cybersecurity expert in the Israeli prime minister’s office and is now the CEO of crypto custody company GK8.
Fireblocks custody goes wrong
Customers who stake in Ethereum 2.0—by locking up their ETH for rewards until the network transition to Ethereum 2.0—receive two private keys.
The first key is the validator, which allows staking ETH. The second key is withdrawal credentials, which lets holders withdraw staked ETH and trade it through the validator.
Presumably, said Lamesh, StakeHound manages the validator for its customers, while Fireblocks holds the withdrawal credentials of those customers in its multi-party computation (MPC), which is a technology that functions like a LastPass of crypto—it provides an encrypted but centralized custody of private keys. In April, Fireblocks surpassed $30 billion in transfers secured with this technology. Keys are safe once encrypted, but it takes a human to store the correct keys and not remove them.
It’s not yet clear whether the employee deleted the keys or they somehow disappeared due to a technical glitch, according to Calcalist.
To bolster the safety of private keys, Fireblocks works with Coinover, a company that keeps back-ups of keys in offline vaults. Complicating the matter further, Coinover allegedly received the wrong keys from Fireblocks. A confidentiality agreement prevents Coinover from verifying the keys it receives from Fireblocks, according to StakeHound. So the only chance for recovery went out of the window.
Lior Yaffe, a blockchain developer at the Israeli software company Jelurida familiar with MPC, told Decrypt, “I can only speculate that for this disaster to happen, the MPC creation process was not followed correctly, thus producing a faulty deposit address.”
Backing up the seed with Coincover wouldn't have helped in that case since the MPC process itself was faulty or incomplete, he explained. “What is more difficult to understand is why this recovery process was not practiced on a small amount first before locking such a huge amount of ETH, or if it was practiced [earlier], what caused it to fail later,” he said.
The Allegations surrounding Fireblocks come three months after the company raised $163 million in a Series C round from Coatue, Ribbit, Stripes, SVB Capital, and BNY Mellon.
The lawsuit was filed today at the Tel Aviv District Court. Fireblocks and StakeHound couldn’t be reached for comment by press time.