The Mass Exodus to Self-Custody Wallets (Fallout of CEX Failures)

Since reaching its all-time high of $68,789.63, Bitcoin and other cryptocurrencies have experienced a downturn for more than a year. This could be due to the halving cycle, a possible global recession, or several exchange incidents that have occurred recently. In fact, since early 2022, there has been a mass exodus from centralized platforms.

While market prices may eventually recover, trust may be difficult to regain. From November 2021 to 2022, cryptocurrency losses have increased from $7.4 billion to over $12 billion. Many of these losses resulted from trusting centralized exchanges (CEXs), a mistake that has been costly for some investors. Nearly 500 BTC have left these platforms, representing a 15% drop from the average balance of around 2.7 million in 2021, and a 45% decrease since March 2020, according to Glassnode.

The phrase "not your keys, not your coins" has been around for years, emphasizing the importance of owning one's private keys to protect their cryptocurrency assets. Many people have lost money in the past due to hacks, scams, or exchanges that went bankrupt. Have these incidents finally taught people a valuable lesson?

Finally, the question remains: where have all these coins gone?

Quick Takes:

• More and more investors are leaving CEXs and transferring funds to non-custodial platforms.
• The bear market has exposed the many weaknesses of traditional exchanges, which led to several bankruptcies and eventually the CEX exodus.
• Self-custody, MPC, hardware, and multisig wallets are exploding in sales and user volume. This may trigger a second wave of DeFi adoption.

Top Centralized Exchange Failures (2022)

Some of the centralized exchange failures of 2022 are considered the worst we've seen so far. We're talking of nine-figure losses in the Top 10 most popular exchanges worldwide. While some of them didn't have any issues, who says something similar can't happen in the next few months?

From interest-bearing platforms to CEXs, here are the most worrying incidents in 2022 alone (from least to most catastrophic):

1. Crypto.com lost over $35M on a security breach on January 17th. The attacker overcame the login security and extracted BTC/ETH from user accounts. Over 70M people use Crypto.com for its debit cards, interest rewards, and exchange.
2. Binance lost $560M worth of BNB tokens in a cross-chain bridge hack on October 6th (about 1% of the circulating supply). While the actual exchange didn't lose anything (in fact, BNB price barely changed), Binance "asked validators to temporarily halt the BSC blockchain." While no one lost any wallet funds, it has shown how centralized the BNB Chain really is— and what could happen if the loss were billions larger. (e.g., Had it not resumed, all crypto deposited on the BNB chain would be gone)
3. Genesis Global Capital has a +$1B liquidity problem and high bankruptcy risk. Genesis is an institutional trading firm with billions in managed assets, and it already suspended withdrawals on November 16th. It has hundreds of millions stranded in the bankrupt FTX exchange and a $575M loan to its parent company (Digital Currency Group) due in May 2023. It also partners with Gemini Exchange, which is also suspending/delaying services.
4. Voyager Digital filed for bankruptcy protection by July 3rd and went out of business with over $1.4B in debt. It was a top-choice US exchange and interest platform used by millions of Americans. But because of the markets and token devaluation, clients couldn't redeem the funds.
5. The FTX Exchange goes bankrupt on November 11th with $1B-$2B missing in investor assets. If you include the sister company (Alameda Research) and balances since its inception, FTX was already $3.7B in debt before 2022. The founder Sam Bankman-Fried not only used FTX's liquidity for Alameda but also took a $1B personal loan.
6. Three Arrows Capital (3AC) was liquidated on June 27th and went bankrupt days later. This firm managed as much as $10B in assets and went out of business owing investors over $3B. It was enough to shatter all cryptocurrency prices and put big partners in trouble.
7. BlockFi has suspended all services since November 11th as a response to FTX. This lending company was managing $10B-$20B in 2021 and only $4B in 2022. Customers can't redeem the amount until BlockFi decides to resume business operations (earlier in 2022, the SEC imposed BlockFi a $100M penalty for "misleading risk disclosures"). They also lent $7.5B to other platforms, some of which are on this list. This November 30th, they went bankrupt.
8. Celsius Network went bankrupt on July 13th with over $4.7B in consumer debt. The platform promised clients high yields by using their deposits for high-leverage loans (leaving the company vulnerable to sharp market movements). Celsius had $5.5B in liabilities, $4.3B in assets, and a $1.2B hole in its balance sheet.

Note: These numbers are approximations showing that companies lost at least* that amount. Losses can be inaccurate because everything is interconnected (one company's losses affect another) and they're estimated in cryptocurrencies (which always change prices).

Before jumping to conclusions, there's another list you should watch. The worst DeFi incidents in 2022.

Top Decentralized App Failures (2022)

1. Axie Ronin Bridge lost $625M on a (Ronin) bridge exploit on March 29th. Axie was the most successful play-to-earn project, with ~1M monthly users and +$100 per AXS token at one point. The company is still recovering from the loss of 25.5M USDC and 173,600 ETH.
2. Wormhole Bridge was hacked on February 2nd, costing it +$320M. The attacker found a smart contract vulnerability on Solana and generated 120k wETH tokens.
3. Beanstalk lost +$180M on April 18th in a flash loan attack. It's a protocol that uses credit instead of collateral to issue fiat stablecoins. After the governance proposal hack, Beanstalk went from $35M total-value locked (TVL) to zero (and unlisted token).
4. Wintermute is a market maker and high-frequency trading (HTF) firm that lost $160M on smart contract exploits. What's worrying is that Wintermute insiders might have been behind the "attack." So while the team has corrected the code vulnerabilities, there might be others we don't know about that could be exploited later on.
5. Elrond suffered a security breach, resulting in $1.65M of free EGLD generated. This is a major smart-contract blockchain that hosts several decentralized applications (dApps). Attackers later sold all EGLD on Maiar (Elrond DEX), causing its price to drop by 95% in this dApp. By the time developers halted Maiar, the $1.95M hack turned into $113M.
6. Harmony One is another smart-contract competitor with cross-chain functionality. The Harmony bridge Horizon lost $100M in June 2022 after hackers discovered the exploit. Around the 22nd, the Harmony TVL dropped By 40% from 3.7B in ONE tokens (and is much lower now).

As you can see, 2022 hasn't been a good year for either DeFi or CeFi. However:

• Dapps have lost far less than centralized platforms
• The top 3 2022 dApp failures are the worst ones in DeFi history (since 2018). But the history of centralized exchanges goes as far as 2011. There have been many worse events before 2022 (and probably more in the future). Thus, CEXs are riskier.
• Many CEX failures happened because of asset mismanagement and fraud. When dApps fail, it's almost exclusively due to code vulnerabilities.
• In CEXs, hackers steal tokens. In DEXs, hackers mint tokens (generate).

That means that you only lose on the price of the particular project that was attacked. If you also hold other assets in your non-custodial wallet, they're safe, unaffected, and available. On the other hand, if the exchange that holds your coins collapses, you will lose your entire portfolio.

Giving up your keys is the opposite of why crypto was invented. And the way CEXs "manage" your assets isn't nearly as safe as the marketing suggests. Here's why.

How Do Centralized Exchanges Hold Your Crypto?

Centralized exchanges are custodial platforms, meaning that the company owns your account (If you don't believe it, try finding the private keys of your exchange's wallet.) That includes your legal information, account features, and cryptocurrencies. In exchange, you can trade hundreds of coins at low cost and high speed, along with extras such as debit cards and lending services.

How exactly exchanges hold your crypto is different for every company. Typically:

• Your funds go to one of the many collective wallets they own (similar to liquidity pools). You can see this when sending crypto anywhere from the exchange. After making the transaction, you view it on the block explorer, and one of the addresses will be one of those wallets (e.g., YourExchange: Hot Wallet 6).

• Exchanges use both hot and cold wallets (on and offline). Exchanges prioritizing the former have more liquidity and security risks while the latter is the opposite case (low liquidity makes them more prone to suspend withdrawals or even go bankrupt). You should find the allocation on the exchange website, although in practice these are variable.

As for for-profit businesses, CEXs want to make their services available for as many trading clients as possible. This comes down to liquidity management, which is challenging due to market crashes, cyberattacks, and other unpredictable events. Whenever these threaten liquidity, exchanges tend to suspend their services and financial promises until they restore liquidity. In this case, the secured creditors typically get made whole before the unsecured creditors. 

Not only do they hold your crypto, but you have no control over how long they hold it. Hence the mass exodus to self-custody exchanges.

The Exodus to Self-Custody Wallets

It's not that investors "panic sold" on a bear market. Because if people did sell, exchanges should have more Bitcoin, not less. Those coins didn't "vanish."

They were sent to non-custodial wallets, also called self-custody wallets.

How are they different from exchange wallets? Software-wise they're almost the same. It's about who controls the keys.

When you create a non-custodial wallet (or cold wallet), typically you first see a list of 12-24 words called "seed phrase." This list is an alternative code to your private key, which is an alphanumeric code that's hidden in the settings and is meant to be secret. The public key is the address you share with others when sending cryptocurrency.

(If you want to know why public keys are safe to share and private ones aren't, check our article on common encryption methods.)

Let's say you lose your device. You can use another one, download the app, and enter the private key (or seed phrase) to recover your account balance. Because no one knows your secret key, nobody can access your wallet. How does that compare to exchanges?

Let's say you let another person use this wallet, but you keep your private key secret. That means the other person can use the wallet like it's theirs: deposit, send, receive crypto. But you can still access it because of the private keys, meaning that you could use the person's balance however you want.

That's what CEX custodial wallets are. Except it's also like using the same device. You can't access the wallet if the exchange website is down.

According to Glassnode, exchanges have consistently lost their BTC balance since January 2020. In spite of recent events, the drop is as steep as 45% below March 2020.

And here's where most of it has gone:

Trezor

Celsius, 3AC, and FTX may be bad news for other exchanges, but definitely not for non-custodial providers. One of them, Trezor, has reported a 300%+ sales revenue increase since FTX failed. The rate is still increasing, and as other CEXs become more restrictive, Trezor will make even more revenue.

For someone who never heard about them, it might sound opportunistic. But Trezor has been around for years as a trusted hardware (wallet) provider. Your private keys aren't kept by the company, but rather on the device that you buy (Trezor One for ~$72 and Trezor T for $255).

One difference from its direct competitor is that you won't need a phone to access the wallet (although you can connect it). Trezor devices have a screen where you can set your address and start receiving payments.

Ledger

The incidents of November 2022 have also benefited Ledger with an all-time high in sales. That's about 7x more sales than the average week since the fall of FTX (with +5M in total). Already before the "exodus" started, Ledger was as, if not more, popular than Trezor.

Some reasons for this are that:

• Ledger products have a wider price range
• There are at least 5,500 tradeable tokens, as it includes all from ERC-20 and BEP-20.
• Thanks to their partners, Ledger wallets can hold NFTs, swap tokens, and connect to dApps.
• You can connect it to your computer or phone with the Ledger Live app, and also other wallets like Metamask.

On one occasion, cyberattackers breached Ledger's client's records. But all they found were postal codes, names, email addresses, and phone numbers. There were no funds to steal because Ledger doesn't keep custody of your coins.

Even if they did, they would probably use a multi-sig like Gnosis Safe.

Gnosis Safe

Multi-signature wallets are multi-user wallets with decentralized asset management. That means that if five people are members of a multi-sig wallet, you can't spend those funds unless a majority of people authorize it.

Here's how a Gnosis "Safe" works:

• Get a wallet like Metamask and pay a one-time fee to create the Safe
• Set up management conditions. e.g., At least three member confirmations to send crypto, two to sign smart contracts, four to add new members, and so on.
• You can then transfer funds from other wallets to Gnosis Safe and invite other users.
• Other users connect with their own wallets and can also add funds to your balance. Those users might be your secondary accounts.
• The Gnosis Wallet doesn't have any less functionality than a Metamask wallet.

Let's say a thief gets access to the Gnosis Safe wallet. Maybe they stole your phone or discovered your seed phrase. The thief still can't do anything if any action needs approval from other members. You know everyone's wallet activity because you immediately get a notification to confirm.

While there's no physical device, it might be safer than hardware wallets. It's why there's over 1.6M ETH stored on Gnosis Safe contracts. Depending on market prices and including ERC-20 tokens, that's 30M to 100M USD.

Gnosis Safe also leverages the dApp ecosystem of its own EVM blockchain, Gnosis Chain.

What The Exodus Means To Crypto Finance

"If we can have a way to allow people to hold their own assets in their own custody securely and easily, that 99% of the general population can do it, centralized exchanges will not exist or probably don't need to exist, which is great.” - Changpeng Zhao

The last person you would expect to think such a thing is the owner of the largest, most successful CEX. But the Binance CEO knows that traditional exchanges won't be necessary as self-custody wallets popularize. So far, their biggest selling point is the on and off-ramps that allow crypto-fiat conversions.

While decentralized exchanges don't have those yet, it's quickly becoming irrelevant for two reasons. More and more businesses accept crypto for goods and services, and there's a digital economy in DeFi that's independent of traditional finance. And self-custody wallets are closely tied to DeFi apps.

Just like there's a sales boom on non-custodial wallets, DeFi may see huge increases in traffic and TVL. Potentially, the return of 2020's DeFi summer.