Litecoin study
EXECUTIVE SUMMARY
This is the first study to systematically investigate key cryptocurrency industry sectors by collecting empirical, non-public data. The study gathered survey data from nearly 150 cryptocurrency companies and individuals, and it covers 38 countries from five world regions. The study details the key industry sectors that have emerged and the different entities that inhabit them.
KEY HIGHLIGHTS OF THE STUDY • The current number of unique active users of crypocurrency wallets is estimated to be between 2.9 million and 5.8 million.
• The lines between the different cryptocurrency industry sectors are increasingly blurred: 31% of cryptocurrency companies surveyed are operating across two cryptocurrency industry sectors or more, giving rise to an increasing number of universal cryptocurrency companies.
• At least 1,876 people are working full-time in the cryptocurrency industry, and the actual total figure is likely well above two thousend when large mining organisations and other organizations that did not provide headcount figures are added.
• Average security headcount and costs for payment companies and exchanges as a percentage of total headcount/operating expenses are similar, but significantly higher for wallets.
EXCHANGES • The exchanges sector has the highest number of operating entities and employs more people than any other industry sector covered in this study; a significant geographical dispersion of exchanges is observed.
• 52% of small exchanges hold a formal government license compared to only 35% of large exchanges.
• On average, security headcount corresponds to 13% of total employees and 17% of budget is spent on security.
WALLETS • Between 5.8 million and 11.5 million wallets are estimated to be currently ‘active’.
• The lines between wallets and exchanges are increasingly blurred: 52% of wallets surveyed provide an integrated currency exchange feature, of which 80% offer a national-to-cryptocurrency exchange service. In contrast with exchanges, the majority of wallets do not control access to user keys.
PAYMENTS • While 79% of payment companies have existing relationships with banking institutions and payment networks, the difficulty of obtaining and maintaining these relationships is cited as this sector's biggest challenge.
• On average, national-to-cryptocurrency payments constitute two-thirds of total payment company transaction volume, whereas national-to-national currency transfers and cryptocurrency-to-cryptocurrency payments account for 27% and 6%, respectively.
MINING • 70% of large miners rate their influence on protocol development as high or very high, compared to 51% of small miners.
• The cryptocurrency mining map shows that publicly known mining facilities are geographically dispersed, but a significant concentration can be observed in certain Chinese provinces.
Executive Summary
11
Global Cryptocurrency Benchmarking Study
METHODOLOGY The Cambridge Centre for Alternative Finance carried out four online surveys from September 2016 to January 2017 via secure web-based questionnaires. Each survey was directed at organizations and individuals operating in a specific sector of the cryptocurrency industry as defined by our taxonomy (specifically exchanges, wallets, payment service providers, and miners). All surveys were written and distributed in English, and the exchanges survey as well as the mining survey were translated and distributed in Chinese with the generous help of 8btc.com.
The research team collected data from cryptocurrency companies and organisations across 38 countries and five world regions. Over one hundred cryptocurrency companies and organisations as well as 30 individual miners participated in one or more of the four surveys. During the survey process, the research team communicated directly with individual organisations, explaining the study’s objectives. For cases in which currently active major companies did not contribute to our study, the dataset was supplemented with additional research and web scraping using commonly applied methodologies.
The collected data was encrypted and safely stored, accessible only to the authors of this study. All individual company-specific data was anonymised and analysed in aggregate by industry sector, type of activity, organisation size, region and country. We estimate that our benchmarking study captured more than 75% of the four cryptocurrency industry sectors covered in this report.
REPORT STRUCTURE The remainder of this report is structured as follows:
• The Exchanges section presents an overview of the cryptocurrency exchange sector and the different types of exchange activities, with a particular focus on security.
• The Wallets section explores the different types and formats of wallets, as well as widely offered features including currency exchange services.
• The Payments section features a taxonomy of the four major payment activity types, and compares national and cross-border payment channels and transaction sizes.
• The Mining section describes the mining value chain and features a map with publicly known mining facilities across the world; miners’ views on policy issues and operational challenges are also presented.
• Appendix A: Brief introduction to cryptocurrencies highlights the general concept of cryptocurrencies and presents their key properties and value propositions.
• Appendix B: The cryptocurrency industry offers a more detailed introduction to the emergence of the cryptocurrency industry.
• Appendix C: The geographical dispersion of cryptocurrency users discusses the geographical dispersion of cryptocurrency users and activity.
• References and Endnotes provide information on where outside information was gathered and further explanation of how some figures were calculated (e.g., employee figures by sector).
METHODOLOGY AND STUDY STRUCTURE
144 cryptocurrency organisations and individual miners are included in the research study sample
12
GLOSSARY EXCHANGES WALLETS
• Order-book exchange: platform that uses a trading engine to match buy and sell orders from users
• Brokerage service: service that lets users conveniently acquire and/or sell cryptocurrencies at a given price
• Trading platform: platform that provides a single interface for connecting to several other exchanges and/or offers leveraged trading and cryptocurrency derivatives
• Large exchange: exchange with more than 20 full-time employees and/or a non-negligible market share
• Custodial exchange/custodian: exchange that takes custody of users’ cryptocurrency funds
• Incorporated wallet: registered corporation that provides software and/or hardware wallets.
• Custodial wallet/custodian: wallet provider that takes custody of users’ cryptocurrency holdings by controlling the private key(s).
• Self-hosted wallet: wallet that lets users control private key(s), meaning that the wallet service does not have access to users’ cryptocurrency funds
• Large wallet: incorporated wallet that has more than 10 full-time employees
• Wallets with integrated currency exchange: wallets that provide currency exchange services within the wallet interface using one of three exchange models: • Centralised exchange/brokerage service model: wallet provider acts as central counterparty • Integrated third-party exchange model: wallet provider partners with a third-party exchange to provide exchange services • P2P exchange/marketplace model: wallet provider offers a built-in P2P exchange that lets users exchange currencies between themselves
Setting the Scene
GEOGRAPHY • Asia-Pacific: region that comprises East Asia, South Asia, South-East Asia and Oceania
• Africa and Middle East: region that comprises the African continent as well as the Middle East
• Europe: region that comprises Western Europe, Southern Europe and Eastern Europe including Russia
• Latin America: region that comprises South America and Central America including Mexico
• North America: region composed of Canada and the United States
13
Global Cryptocurrency Benchmarking Study
PAYMENTS
MINING
TECHNICAL
• National currency-focused: services that use cryptocurrency primarily as a ‘payment rail’ for fast and cost-efficient payments, which are generally denominated in national currencies • B2B payment services: platforms that provide payments for businesses, often times across borders • Money transfer services: services that provide primarily international money transfers for individuals (e.g., traditional remittances, bill payment services)
• Cryptocurrency-focused: services that facilitate the use of cryptocurrencies; generally payments are denominated in cryptocurrency, but can also be exchanged to national currencies • Merchant services: services that process payments for cryptocurrency-accepting merchants, and provide additional merchant services (e.g., shopping cart integrations, point-of-sale terminals) • General-purpose cryptocurrency platform: platforms that perform a variety of cryptocurrency transfer services (e.g., instant payments to other users of the same platform using cryptocurrency and/or national currencies, payroll, bill payment services)
• Mining value chain: the cryptocurrency mining sector is composed of the following principal activities: • Mining hardware manufacturing: design and building of specialised mining equipment • Self-mining: miners running their own equipment to find valid blocks • Cloud mining services: services that rent out hashing power to customers • Remote hosting services: services that host and maintain customer-owned mining equipment • Mining pool: structure that combines computational resources from multiple miners to increase the frequency and likelihood of finding a valid block; rewards are shared among participants
• Small miners: registered companies active in the mining industry, but operating with limited scale; individual miners operating as sole proprietors
• Large miners: mining organisations that engage in medium-to-large scale mining operations and occupy a significant position in the industry
• Blockchain: record of all validated transactions grouped into blocks, each cryptographically linked to predecessor transactions down to the genesis block, thereby creating a ‘chain of blocks’
• Keys: term used to describe a pair of cryptographic keys that consists of a private (secret) key and a corresponding public key: the private key can be compared to a password needed to ‘unlock’ cryptocurrency funds while the public key (if converted to an address) can be compared to a public email address or bank account number
• Multi-signature: mechanism to split control over an address among multiple private keys such that a specific threshold of keys are needed to unlock funds stored in that particular address
14
SETTING THE SCENE SETTING THE SCENE
15
Global Cryptocurrency Benchmarking Study
Figure 1: The world of cryptocurrencies beyond Bitcoin
CRYPTOCURRENCY OVERVIEW
BITCOIN, ALTCOINS, AND INNOVATION Bitcoin began operating in January 2009 and is the first decentralised cryptocurrency, with the second cryptocurrency, Namecoin, not emerging until more than two years later in April 2011. Today, there are hundreds of cryptocurrencies with market value that are being traded, and thousands of cryptocurrencies that have existed at some point.1
The common element of these different cryptocurrency systems is the public ledger (‘blockchain’) that is shared between network participants and the use of native tokens as a way to incentivise participants for running the network in the absence of a central authority. However, there are significant differences between some cryptocurrencies with regards to the level of innovation displayed (Figure 1).
The majority of cryptocurrencies are largely clones of bitcoin or other cryptocurrencies and simply feature different parameter values (e.g., different block time, currency supply, and issuance scheme). These cryptocurrencies show little to no innovation and are often referred to as ‘altcoins’. Examples include Dogecoin and Ethereum Classic.2
16
Setting the Scene
Figure 2: The total cryptocurrency market capitalisation has increased more than 3x since early 2016, reaching nearly $25 billion in March 2017
In contrast, a number of cryptocurrencies have emerged that, while borrowing some concepts from Bitcoin, provide novel and innovative features that offer substantive differences. These can include the introduction of new consensus mechanisms (e.g., proof-of-stake) as well as decentralised computing platforms with ‘smart contract’ capabilities that provide substantially different functionality and enable nonmonetary use cases. These ‘cryptocurrency and blockchain innovations’ can be grouped into two categories: new (public) blockchain systems that feature their own blockchain (e.g., Ethereum, Peercoin, Zcash), and dApps/Other that exist on additional layers built on top of existing blockchain systems (e.g., Counterparty, Augur).4
The combined market capitalisation (i.e., market price multiplied by the number of existing currency units) of all cryptocurrencies has increased more than threefold since early 2016 and has reached $27 billion in April 2017 (Figure 2). A relatively low, but not insignificant share of value is allocated to duplication (i.e., ‘altcoins’), while a growing share has been apportioned to innovative cryptocurrencies (‘cryptocurrency and blockchain innovations’).
Bitcoin Other cryptocurrencies
Data sourced from CoinDance3
17
Global Cryptocurrency Benchmarking Study
ETHEREUM (ETH) Decentralised computing platform which features its own Turing-complete programming language. The blockchain records scripts or contracts that are run and executed by every participating node, and are activated through payments with the native cryptocurrency ‘ether’. Officially launched in 2015, Ethereum has attracted significant interest from many developers and institutional actors.
As of April 2017, the following cryptocurrencies are the largest after bitcoin in terms of market capitalisation:
DASH Privacy-focused cryptocurrency launched in early 2014 that has recently experienced a significant increase in market value since the beginning of 2017. In contrast to most other cryptocurrencies, block rewards are being equally shared between miners and ‘masternodes’, with 10% of revenues going to the ‘treasury’ to fund development, community projects and marketing.
MONERO (XMR) Cryptocurrency system that aims to provide anonymous digital cash using ring signatures, confidential transactions and stealth addresses to obfuscate the origin, transaction amount and destination of transacted coins. Launched in 2014, it saw a substantial increase in market value in 2016.
RIPPLE (XRP) Only cryptocurrency in this list that does not have a blockchain but instead uses a ‘global consensus ledger’. The Ripple protocol is used by institutional actors such as large banks and money service businesses. A function of the native token XRP is to serve as a bridge currency between national currency pairs that are rarely traded, and to prevent spam attacks.
LITECOIN (LTC) Litecoin was launched in 2011 and is considered to be the ‘silver’ to bitcoin’s ‘gold’ due to its more plentiful total supply of 84 million LTC. It borrows the main concepts from bitcoin but has altered some key parameters (e.g., the mining algorithm is based on Scrypt instead of bitcoin’s SHA-265).
18
Figure 3: Bitcoin (BTC) has ceded significant ‘market cap share’ to other cryptocurrencies, most notably ether (ETH)
Although bitcoin remains the dominant cryptocurrency in terms of market capitalisation, other cryptocurrencies are increasingly cutting into bitcoin’s historically dominant market cap share: while bitcoin’s market capitalisation accounted for 86% of the total cryptocurrency market in March 2015, it has dropped to 72% as of March 2017 (Figure 3). Ether (ETH), the native cryptocurrency of the Ethereum network, has established itself as the second-largest cryptocurrency. The combined ‘other cryptocurrency’ category has doubled its share of the total market capitalisation from 3% in 2015 to 6% in 2017.
Privacy-focused cryptocurrencies DASH and monero (XMR) have become increasingly popular and currently constitute a combined 4% of the total cryptocurrency market capitalisation.
Figure 4 shows that both DASH and monero have experienced the most significant growth in terms of price in recent months. While monero’s price already began skyrocketing in the summer of 2016, the price of DASH has increased exponentially since December 2016. The price of ether has also recovered since a series of attacks on the Ethereum ecosystem, starting with the DAO hack in June 2016, and increased 8x since its 2016 low of less than $7 in December. All listed cryptocurrencies have increased their market value in this time window.
Setting the Scene
Bitcoin (BTC)
% of total cryptocurrency market capitalisation
Ether (ETH)
Monero (XMR)DASH Ripple (XRP)
Litecoin (LTC) Other Data sourced from CoinMarketCap5
19
Global Cryptocurrency Benchmarking Study
Figure 5: Are ETH and DASH becoming the preferred ‘safe haven’ assets as Bitcoin’s scaling debate heats up or is their price rise a sign of growing interest in other cryptocurrencies?
Figure 4: Market prices of DASH, monero (XMR) and ether (ETH) have experienced the most significant growth since June 2016
Data sourced from CryptoCompare6 Note: the price multiplier variable shows the price evolution of each cryptocurrency since the beginning of June 2016. A value above 1 means that the price has increased by this factor, whereas a value below 1 indicates that the price has decreased during the specified time window.
Data sourced from CoinDance7 and CryptoCompare
DASH (right axis)
Ether (right axis)
Bitcoin (right axis)
Number of Bitcoin Unlimited Nodes (left axis)
Bitcoin (BTC)
Ether (ETH)
Monero (XMR)DASH Ripple (XRP)
Litecoin (LTC)
20
Figure 6: Bitcoin is the most widely supported cryptocurrency among participating exchanges, wallets and payment companies
When comparing the average number of daily transactions performed on each cryptocurrency’s payment network, Bitcoin is by far the most widely used, followed by considerably distant second-place Ethereum (Table 1). All other cryptocurrencies have rather low transaction volumes in comparison. However, a general trend towards rising transaction volumes can be observed for all analysed cryptocurrencies since Q4 2016 (except Litecoin, whose volumes are stagnant). Monero and DASH transaction volumes are growing the fastest.
If significant price movements and on-chain transaction volumes reflect the popularity of a cryptocurrency system, it can be established that DASH, Monero and Ethereum have
seen the greatest increase in popularity in recent months.
Nevertheless, Bitcoin remains the clear leader both in terms of market capitalisation and usage despite the rising interest in other cryptocurrencies. Bitcoin is also the cryptocurrency that is supported and used by the overwhelming majority of wallets, exchanges and payment service providers that participated in this study (Figure 6). As a result, the report will be mainly focused on bitcoin although we attempt to consider other cryptocurrencies whenever it is relevant to do so and sufficient data exists.
Table 1: Average daily number of transactions for largest cryptocurrencies
Bitcoin Ethereum DASH Ripple Monero Litecoin
Q1 2016 201,595 20,242 1,582 N/A 579 4,453
Q2 2016 221,018 40,895 1,184 N/A 435 5,520
Q3 2016 219,624 45,109 1,549 N/A 1,045 3,432
Q4 2016 261,710 42,908 1,238 N/A 1,598 3,455
January - February 2017 286,419 47,792 1,800 N/A 2,611 3,244
Setting the Scene
Bitcoin (BTC)
98%
Ether (ETH)
33%
Litecoin (LTC)
26%
Ripple (XRP)
13%
Dogecoin (DOGE)
11%
Ether Classic (ETC)
10%
DASH
9%
Monero (XMR)
8%
Other
16%
Data sourced from multiple block explorers8
21
Global Cryptocurrency Benchmarking Study
Table 2: The four key cryptocurrency industry sectors and their primary function
THE CRYPTOCURRENCY INDUSTRY
EMERGENCE OF A BUSINESS ECOSYSTEM A multitude of projects and companies have emerged to provide products and services that facilitate the use of cryptocurrency for mainstream users and build the infrastructure for applications running on top of public blockchains. A cryptocurrency ecosystem, composed of a diverse set of actors, builds interfaces between public blockchains, traditional finance and various economic sectors. The existence of these services adds significant value to cryptocurrencies as they provide the means for public blockchains and their native currencies to be used beyond in the broader economy.
CRYPTOCURRENCY INDUSTRY SECTORS While the cryptocurrency industry is composed of many important actors and groups, this study limits the analysis to what we believe are the four key cryptocurrency industry sectors today: exchanges, wallets, payments companies, and mining (Table 2).9
Industry sectors Primary function
Exchanges Purchase, sale and trading of cryptocurrency
Wallets Storage of cryptocurrency
Payments Facilitating payments using cryptocurrency
Mining
Securing the global ledger ('blockchain') generally by computing large amounts of hashes to find a valid block that gets added to the blockchain
22 23
Global Cryptocurrency Benchmarking StudySetting the Scene
Figure 7: The geographical distribution of study participants
> 20 3 – 5 1 – 2 6 – 20 Number of participants
Europe Total participants 29% Exchanges 37%
Wallets 42%
Payments 33%
Mining 13%
North America Total participants 27% Exchanges 18%
Wallets 39%
Payments 19%
Mining 33%
Latin America Total participants 6% Exchanges 14% Wallets 0% Payments 11% Mining 4%
Africa & Middle East Total participants 2% Exchanges 4% Wallets 0% Payments 4% Mining 0%
Asia-Pacific Total participants 36% Exchanges 27%
Wallets 19%
Payments 33%
Mining 50%
24
Exchanges can be used to buy, sell and trade cryptocurrencies for other cryptocurrencies and/or national currencies, thereby offering liquidity and setting a reference price. Wallets provide a means to securely store cryptocurrencies by handling key management. The payments sector is composed of companies that provide a wide range of services to facilitate cryptocurrency payments. Finally, the mining sector is responsible for confirming transactions and securing the global record of all transactions (the 'blockchain').
Each of these sectors has its own working taxonomy that subdivides actors and activities into more refined categories to account for the diversity of services within each industry sector. These taxonomies are presented at the beginning of each of the report sections.
While we have organised this report in a way that suggests distinct industry sectors, it should be noted that the lines between sectors are increasingly blurred. Some companies provide a platform featuring products and services across multiple industry sectors, whereas others are operating in multiple industry segments using different brands. In fact, 19% of cryptocurrency companies that participated in the study provide services that span two industry sectors, 11% are active in three industry sectors, and some entities operate across all four industry sectors. A growing number of companies in the industry can thus be considered universal cryptocurrency platforms given the diverse range of products and services they offer to their customers.
It can be observed that wallets are progressively integrating exchange services within the wallet interface as a means to load the wallet, while exchanges often also provide a means to securely store newly acquired cryptocurrency within their platform. Similarly, payment companies increasingly offer fullyfledged money transfer platforms that enable the storage and transfer of cryptocurrencies, and often include an integrated currency exchange service. As a result, putting cryptocurrency companies into fixed categories can represent a challenging task in some cases.
THE GEOGRAPHY OF THE CRYPTOCURRENCY INDUSTRY Our sample covers cryptocurrency companies, organisations and individuals across 38 countries. The United States leads with 32 study participants, closely followed by China where 29 participants are based (Figure 7). After a significant gap, the United Kingdom comes third with 16 participants, followed by Canada where 7 participants are based.
In terms of regional distribution, most study participants come from the Asia-Pacific region (36%). Europe and North America follow with 29% and 27%, respectively. Only a small proportion of study participants are based in Latin America (6%) as well as Africa and the Middle East (2%).
The lines between the different cryptocurrency industry sectors are increasingly blurred and a growing number of cryptocurrency companies can be characterised as ‘universal’ platforms
Setting the Scene
25
Global Cryptocurrency Benchmarking Study
At least 1,876 people work full-time in the cryptocurrency industry
Figure 9: North American cryptocurrency companies have the highest median number of employees
Figure 8: Cryptocurrency companies based in AsiaPacific and North America have the highest number of employees
EMPLOYEES Combining the participating entities of all industry sectors reviewed in this report (with the exception of miners, for which no employee data was collected), the lower bound of the total number of people employed in the cryptocurrency industry can be established at 1,876 employees.
Significant differences between regions can be observed (Figure 8). Most full-time employees of the cryptocurrency industry are employed by companies based in Asia-Pacific, followed closely by North America (and more specifically the US). With a considerable gap follows Europe, while the total number of people working for cryptocurrency firms based in Latin America and especially Africa and the Middle East are comparatively low. However, it should be noted that many companies have offices in several regions and not all employees work in the region where the employer is based.
Companies surveyed have 21 full-time employees on average, but the existence of several large companies with considerable headcount makes it useful to also examine the median number of employees, which is nine. Figure 9 shows that study participants based in North America have the highest median number of employees (12), whereas participants from Africa and the Middle East as well as from Europe have the lowest (seven).
720
346
105
29
676
12
10
9
7 7
North AmericaAsia-Pacific
EuropeLatin America
Asia-PacificNorth America
Latin America Europe Africa and Middle East
Africa and Middle East
Total Number of Employees Median Number of Employees by Company
26
USE CASES AND ACTIVITY
USE CASES As discussed in more detail in appendix A, the use cases for cryptocurrencies can be grouped into four major categories:
* Speculative digital asset/investment * Medium of exchange * Payment rail * Non-monetary use cases
Some evidence exists that as of today the main use case for cryptocurrencies is speculation. A 2016 joint report from Coinbase and ARK Invest estimates that 54% of Coinbase users use bitcoin strictly as an investment.10 Global bitcoin trading volumes have been significantly higher than network transaction volumes, a figure that is even higher for most other cryptocurrencies. However, it must also be noted that a rising number of cryptocurrency transactions are not performed ‘on-chain’ (i.e., directly on the blockchain network), but ‘offchain’ via internal accounting systems operated by centralised exchanges, wallets and payment companies. These off-chain transactions do not appear on a public ledger.
Estimates of the use of cryptocurrency for payments has varied significantly across different sources. For example, a 2016 report from the Boston Federal Reserve has estimated that 75% of US consumer who own cryptocurrencies have used them for payments within a 12 month period, while the Coinbase/ARK Invest report indicates that 46% of Coinbase users use bitcoin as a ‘transactional medium’ (defined as making at least one payment per year).11 While a growing number of merchants worldwide are accepting cryptocurrency as a payment method, it appears that cryptocurrencies are not primarily being used as a medium of exchange for daily purchases.12 This is due to several factors, including price volatility and the lack of a ‘closed loop’ cryptocurrency economy, in which people or businesses would get paid in cryptocurrency and then use cryptocurrency as a primary payment method for everyday expenses.
As will be discussed in more detail in the Payments section, a considerable number of companies have emerged that use cryptocurrency networks primarily as a ‘payment rail’ to make fast and cheap cross-border payments. However, following the recent surge in bitcoin transaction fees, some are reconsidering this strategy and shifting transactions towards private blockchain-based solutions. Ripple’s payment network is being used by large financial institutions, with 15 of the world’s largest banks working with Ripple’s global consensus ledger.
Finally, Ethereum has established itself as a major blockchain system for non-monetary applications, with nearly 400
Setting the Scene
27
Global Cryptocurrency Benchmarking Study
projects building on its decentralised computing platform.13 Ethereum is also increasingly being used as a platform for launching new cryptocurrencies that are powering applications built on Ethereum (dApp tokens). Non-monetary use of Bitcoin has also increased. For example, the use of the OP_RETURN feature in the bitcoin scripting language (frequently used for embedding metadata in bitcoin transactions, for enabling e.g., time-stamping services and overlay networks) has increased roughly 100x since January 2015.14
USERS Estimating both the number of cryptocurrency holders and users is a difficult endeavour as individuals can use multiple wallets from several providers at the same time. Moreover, one single user can have multiple wallets and exchange accounts for different cryptocurrencies and thus be counted multiple times. In addition, many individuals are using centralised wallet, exchange or payment platforms that pool funds together into
a limited number of large wallets or addresses, which further complicates the picture.
According to the earlier referenced 2016 report from the Boston Federal Reserve, 0.87% of US consumers are estimated to have owned cryptocurrency in 2015, which amounts to around 2.8 million people in the US alone. Based on calculations using their own user data, Coinbase and ARK Research estimate that in 2016 around 10 million people around the world have owned bitcoin.
Using data obtained from study participants and assuming that an individual holds on average two wallets, we estimate that currently there are between 2.9 million and 5.8 million unique users actively using a cryptocurrency wallet.15 This figure has significantly increased since 2013 (Figure 10). It is important to note that our estimate of the total number of active wallets does not include users whose exchange accounts serve as their de facto wallet to store cryptocurrency, nor users from payment service providers or other platforms that enable the storage of cryptocurrency. In other words, the total number of active cryptocurrency users is likely considerably higher than our estimate of unique active wallet users.
For a variety of reasons, determining the geographical distribution of cryptocurrency users is challening. Appendix C contains a discussion of the geographical dispersion of users based on data we collected and public data sources.
Figure 10: The estimated number of unique active users of cryptocurrency wallets has grown significantly since 2013 to between 2.9 million and 5.8 million today
Estimated Number of Unique Active Users of Cryptocurrency Wallets
0m
1m
0.5m
1.5m
2.5m
3.5m
4.5m
2m
3m
4m
5m
5.5m
6m
2013
0.3m 0.8m
1.3m
2014
0.5m
1.3m
2m
2015
0.7m
1.4m
2.9m
2016
2.1m
3.5m
4.8m
2017 YTD
2.9m
4.3m
5.8m
Lower Bound Mid-Point Upper Bound
It is impossible to know precisely how many people use cryptocurrency
28
Wallets
EXCHANGES
Exchanges provide on-off ramps for users wishing to buy or sell cryptocurrency. The exchange sector is the first to have emerged in the cryptocurrency industry and remains the largest sector both in terms of the number of companies and employees.
29
Global Cryptocurrency Benchmarking Study
KEY FINDINGS
Services/Operations Security
• Of all industry sectors covered in this study, the exchange sector has the highest number of operating entities and employs the most people
• 52% of small exchanges hold a formal government license compared to only 35% of large exchanges
• 73% of small exchanges have one or two cryptocurrencies listed, while 72% of large exchanges provide trading support for two or more cryptocurrencies: bitcoin is supported by all exchanges, followed by ether (43%) and litecoin (35%)
• A handful of large exchanges and four national currencies (USD, EUR, JPY and CNY) dominate global cryptocurrency trading volumes
• Study participants reported cryptocurrency trading in 42 different national currencies
• 53% of exchanges support national currencies other than the five global reserve currencies (USD, CNY, EUR, GBP, JPY)
• Exchange services/activities fall into three categories - order-book exchanges, brokerage services and trading platforms: 72% of small exchanges specialise in one type of exchange activity (brokerage services being the most widely offered), while the same percentage of large exchanges are providing multiple exchange activities
• 73% of exchanges take custody of user funds, 23% let users control keys
• On average, security headcount corresponds to 13% of total employees, and 17% of budget is spent on security; small exchanges have slightly higher figures than large exchanges
• 80% of large exchanges and 69% of small exchanges use external security providers; large exchanges use a larger number of external security providers than small exchanges
• Optional two-factor authentication (2FA) is offered for customers by a majority of exchanges and required for employees for most operations; small exchanges tend to use 2FA less than large exchanges
• Exchanges use a variety of internal security measures; differences in approaches are observed between small and large exchanges
• Only 53% of small custodial exchanges have a written policy outlining what happens to customer funds in the event of a security breach resulting in the loss of customer funds, compared to 78% of large custodial exchanges
• 79% of exchanges provide regular security training programs to their staff
• 92% of exchanges use cold-storage systems; on average 87% of funds are kept in cold storage
• Multi-signature architecture is supported by 86% of large exchanges and 76% of small exchanges
• Frequency of formal security audits varies considerably between exchanges; large exchanges tend to perform them on a more regular basis
• 60% of large exchanges have external parties performing their formal security audits, while 65% of small exchanges perform them internally.
• 33% of custodial exchanges have a proof-of-reserve component as part of their formal security audit
30
Table 3: Taxonomy of exchange services
INTRODUCTION AND LANDSCAPE
INTRODUCTION Exchanges provide services to buy and sell cryptocurrencies and other digital assets for national currencies and other cryptocurrencies. Exchanges play an essential role in the cryptocurrency economy by offering a marketplace for trading, liquidity, and price discovery.
Throughout this section, we define a cryptocurrency exchange as any entity that allows customers to exchange (buy/sell) cryptocurrencies for other forms of money or assets. We use the taxonomy in Table 3 for categorising the three main types of activities provided by cryptocurrency exchanges.
LANDSCAPE Exchanges were one of the first services to emerge in the cryptocurrency industry: the first exchange was founded in early 2010 as a project to enable early users to trade bitcoin and thereby establish a market price. The exchange sector remains the most populated in terms of the number of active entities. One data services website alone lists daily trading volumes for 138 different cryptocurrency exchanges, which suggests that the total number of operating exchanges is likely considerably higher.1
We collected data from 51 exchanges based in 27 countries and representing all five world regions (Figure 11). Our sample contains more exchanges from Europe than any other region, followed by Asia-Pacific. With regards to individual countries, the United Kingdom and the United States are leading with 18% and 12%, respectively, of all cryptocurrency exchanges.
However, the market share in terms of bitcoin trading volume is substantially different: although there are a hundreds of companies providing cryptocurrency exchange services, fewer than a dozen order-book exchanges dominate bitcoin trading (Figure 12).2
Type of activity Description
Order-book exchange Platform that uses a trading engine to match buy and sell orders from users
Brokerage service Service that lets users conveniently acquire and/or sell cryptocurrencies at a given price
Trading platform Platform that provides a single interface for connecting to several other exchanges and/or offers leveraged trading and cryptocurrency derivatives
Exchanges
31
Global Cryptocurrency Benchmarking Study
Figure 11: Europe has the most number of exchanges in our study sample, followed by Asia-Pacific
Europe
Asia-Pacific
US
Canada
China
Japan
Other
UKLatin America
North America
Africa and Middle East
Figure 12: Trading volumes across the top exchanges are more evenly distributed following increased regulation of Chinese exchanges in early 2017
Data sourced from Bitcoinity3
Bitcoin trading volume market share of major exchanges Average market share (February-March 2017)
32
In terms of trading volumes by national currencies, there are major differences as well between the top-traded currencies and the most widely supported currencies. The US dollar (USD) is the most widely supported national currency, followed by the Euro (EUR) and the British Pound (GBP) (Figure 13). While reported trading in the Chinese Renminbi (CNY) appeared to represent an often significant majority of global bitcoin trading volumes from 2014 to 2016 (ranging from 50% to 90%)4, bitcoin trading denominated in CNY has plumetted in early 2017 after the tightening of regulation by the People's Bank of China (Figure 14).
The data demonstrate that the exchange market is dominated by a handful of exchanges that are responsible for the majority of global bitcoin trading volumes, of which the lion share is
denominated in a small number of international currencies. In contrast, the majority of exchanges (mostly small) specialise in local markets by supporting local currencies: 53% of all exchanges support national currencies other than the five reserve currencies. Trading volumes at most small exchanges are insignificant compared to the market leaders, but these exchanges service local markets and make cryptocurrencies more available in many countries.
TYPES Using the taxonomy of the three types of exchange activities introduced above, findings show that there are major differences between the services that small and large exchanges provide.5 While 72% of small exchanges specialise in one type of activity, the same percentage of large exchanges are providing multiple types of exchange activities (Figure 15). The most popular combination of two activities are order-book exchanges that also offer a trading platform.
22% of large exchanges and only 4% of small exchanges offer a platform that includes an order-book exchange, trading
While global cryptocurrency trading volume is dominated by four reserve currencies, trading in at least 40 other national currencies is supported
Figure 13: USD is the most widely supported national currency on exchanges; many specialise in local currencies
% of Exchanges Supporting National Currencies
USD
65%
EUR
49%
GBP
39%
JPY
18%
CNY
14%
Other
53%
Exchanges
33
Global Cryptocurrency Benchmarking Study
Figure 14: Trading in renminbi has plumetted since Chinese authorities tightened regulation
Figure 15: The majority of small exchanges specialise in a single type of exchange activity while large exchanges are generally engaged in more than one activity
Order-book exchange
Brokerage services
Trading platform
Two activities
All three combined
Order-book exchange
Brokerage services
Two activities
All three combined
Small Exchanges Large Exchanges
BTC Exchange Trading Volume Share by National Currency
Data sourced from Bitcoinity
34
platform and brokerage services. Over 40% of small exchanges specialise in the provision of brokerage services, compared to only 17% of large exchanges. 15% of small exchanges provide a stand-alone trading platform, while large exchanges generally combine this activity with an order-book exchange.
Despite many cases of internal fraud and bankruptcies of centralised exchanges, P2P exchanges have yet to gain more popularity: of the 51 exchanges represented in this study, only 2 provide a decentralised marketplace for exchanging cryptocurrencies.
SUPPORTED CRYPTOCURRENCIES All exchanges support bitcoin, while ether and litecoin are listed on 43% and 35% of exchanges, respectively (Figure 16). Only a minority of exchanges make markets for the exchange of cryptocurrencies other than the above three.
While 39% of exchanges solely support bitcoin, 25% have two listed cryptocurrencies, and 36% of all entities enable trading three or more cryptocurrencies. We observe that 72% of large exchanges provide trading support for two or more cryptocurrencies, while 73% of small exchanges have only one or two cryptocurrencies listed. 6% of survey participants also provide cryptocurrency-based derivatives, and 16% are offering margin trading.
EMPLOYEES There are 1,157 total employees at participating exchanges, making exchanges the largest employer in the cryptocurrency industry.6 Even though 37% of all exchanges are based in Europe, the total number of employees at European exchanges is considerably less than the total headcount at companies based in Asia-Pacific, where almost 60% of large exchanges are based (Figure 17).
On average, cryptocurrency exchanges employ 24 people. However, the distribution reveals that nearly half of exchanges have less than 11 employees (Figure 18), indicating that the majority of exchanges are small companies. Indeed, 20% of all exchanges have less than 5 employees. However, 9% of exchanges have more than 50 employees, with the largest employing around 150 people.
Figure 16: Bitcoin is listed on all surveyed exchanges; ether and litecoin are also widely supported
% of Exchanges Supporting the Listed Cryptocurrencies
The exchange industry sector employs more people than any other cryptocurrency sector
Exchanges
35
Global Cryptocurrency Benchmarking Study
Figure 18: Nearly half of exchanges have less than 11 employees
Figure 17: Asian-Pacific exchanges have the highest number of employees
Number of Employees per Exchange
Note: these figures include employees from universal cryptocurrency companies that are also active in industry sectors other than exchanges.
1-10 11-20 21-50 >50
Average number of employees by exchange
Total number of employees by region
36
Figure 19: More than half of small exchanges hold a government license compared to only 35% of large exchanges
LICENSE One notable observation is the difference between the share of small and large exchanges that hold a government license of some kind: 52% of small exchanges have a formal government license or authorisation compared to only 35% of large exchanges (Figure 19).
85% of all exchanges based in Asia-Pacific do not have a license, whereas 78% of North American-based exchanges hold a formal government license or authorisation. 47% and 43% of European and Latin American-based exchanges, respectively, hold a license as well. However, not having a formal license does not necessarily mean that the exchanges are not regulated, as appears to be the case now with many of the China-based exchanges.
OPERATIONAL CHALLENGES AND RISK FACTORS We presented a list of operational challenges to participating exchanges and asked them to rate these factors according to the level of risk that they currently pose to operations. Findings show that while small and large exchanges rate certain factors approximately similarly, there are substantial differences with regards to other factors (Table 4). Generally, small exchangs have a tendency to rate risks higher than large exchanges.
The highest risk factor for small exchanges and second highest risk factor for large exchanges are security breaches that could result in a loss of funds.
One finding that stands out is that large exchanges rate challenges posed by regulation in general as posing the highest risk to their operations – a factor that is rated lower by small exchanges.
52%
48%
35%
65%
License No License License No License
Small Exchanges Large Exchanges
Exchanges
37
Global Cryptocurrency Benchmarking Study
Small exchanges seem to have considerable difficulties with either obtaining or maintaining banking relationships, while large exchanges appear to have this risk factor under control. Small exchanges are also substantially more concerned about fraud than large exchanges, which suggests that they are either targeted more often than large exchanges or simply that fraud has more a more severe financial impact due to the limited scale of their operations and budget.
Respondents Scored these Categories on a 1 - 5 Scale Table 4: Operational risk factors rated by exchanges
Weighted average Small exchanges Large exchanges
IT security/hacking 3.70 3.93 3.17
Deteriorating banking relationships 3.45 3.79 2.67
Fraud 3.08 3.50 2.08
Regulation (in general) 3.08 2.89 3.50
Competitors/business model risk 2.88 3.00 2.58
Reputation risk 2.88 2.93 2.75
AML/KYC enforcement 2.68 2.64 2.75
Insufficient demand for services 2.58 2.82 2.00
Lack of talent 2.46 2.52 2.33
1: Very low risk 3: Medium risk 4: High risk 2: Low risk 5: Very high risk
Lowest average score Highest average score
38
Figure 20: 73% of exchanges take custody of users’ cryptocurrency funds by controlling the private keys
SECURITY EXCHANGES CONTINUE TO BE POPULAR TARGETS FOR CRIMINALS Cryptocurrencies are digital bearer assets that once transferred cannot easily be recovered (i.e., the payment cannot be reversed unless the recipient decides to do so). The surge in market prices of cryptocurrencies in recent years has made exchanges a popular target for criminals as they handle and store large amounts of cryptocurrencies. Numerous events have led to the loss of exchange customer funds, and a wide variety of schemes have been employed ranging from outside server breaches to insider theft. In many cases, exchanges where losses occurred were forced to close and customer funds were never recovered. One 2013 study analysing the survival rate of 40 bitcoin exchanges found that over 22% of exchanges had experienced security breaches, forcing 56% of affected exchanges to go out of business.7
73%
23%
4%
Exchange controls keys
User controls keys
Customers have the option
Exchanges
Figure 21: Order-book-only exchanges spend 2x more on security as a share of total budget than ‘pure’ brokerage services and trading platforms
Trading plaormsBrokerage servicesOrder-book exchanges
17%
28%
13%
14%
15%
14%
Exchanges Engaged in a Single Type of Activity
Average Security Headcount Average Security Cost
39
Global Cryptocurrency Benchmarking Study
73% of exchanges control customers’ private keys, making them a potentially attractive ‘honeypot’ for hackers as these exchanges have possession of user funds denominated in cryptocurrency (Figure 20). 23% of exchanges do not control customers’ private keys, thereby preventing exchanges from accessing customer holdings or not being able to return funds to users in the event the exchange ceases to function.8 Large exchanges act more often as custodians than small exchanges: only 11% of large exchanges let users control keys compared to 30% of small exchanges.
SECURITY HEADCOUNT AND COST On average, exchanges have 13% of their employees working full-time on security and spend 17% of their total budget on security. Order-book-only exchanges (i.e., entities not engaged in brokerage services and trading platforms) spend two times more of their budget on security than companies providing solely brokerage services or pure trading platforms (Figure 21).
Findings show that on average, small exchanges have slightly higher headcount (+5%) associated with security than large exchanges. The distribution indicates that the security headcount ranges for both small and large exchanges from 0% to 50% of their total employees (Figure 22). 55% of small exchanges and 74% of large exchanges have between 0% and 10% of employees working full-time on security. In fact, more than half of large exchanges have less than 6% of headcount associated with security.
Similar to security headcount, we observe that small exchanges have on average a slightly higher cost (+7%) as a percentage of their budget associated with security than large exchanges. 72% of large exchanges spend less than 11%, while 61% of small exchanges spend more than 10% (Figure 23). The upper limit that both small and large exchanges spend on security cost is 50% of their total budget.
Figure 23: Large exchanges are realising economies of scale as they spend less of their total budget on security than small exchanges
Figure 22: Small exchanges have a higher percentage of employees working full-time on security than large exchanges
55%
17% 74%
13%
13%28%
Small exchanges Large exchanges
% of Exchanges
Small exchanges Large exchanges
29%
32%
39%
14%
14%
72%
% of Exchanges
0 -10% 21 -50% 11-20%
% of Employees Working Full-Time on Security % of Total Budget Spent on Security
0 -10% 11 - 20% 21 -50%
40
Figure 24: Large exchanges use a greater number of external security providers than small exchanges
3 or more21
29%
25%
23%
50%
48%
25%
Number of External Security Providers
Small exchanges Large exchanges
EXTERNAL SECURITY PROVIDERS Over 70% of exchanges secure their systems with the help of external security providers, including external code reviewers, multi-signature wallet service providers and two-factor authentication (2FA) service providers. However, there are differences between small and large exchanges: 80% of large exchanges use external security providers as opposed to 69% of small exchanges.
While the majority of small exchanges that use external security providers place trust in one to two providers, half of large exchanges make use of three or more external security providers (Figure 24). More than half of exchanges indicate that they have not come to rely more on external security providers over time.
USE OF TWO-FACTOR AUTHENTICATION (2FA) Multi-factor authentication is an access control method that grants access to a computer system only if the requester can supply multiple ‘factors’ (e.g., password and a unique one-time generated token).9 The most widely used form in everyday
life is two-factor authentication (2FA) which requires the user to provide two factors in order to identify himself. 75% of exchanges offer customers the option to enable 2FA for logging into their exchange account, and 77% offer users 2FA for withdrawing funds (Figure 25). Only 51% of exchanges provide optional 2FA for trading.
40% of exchanges that control users’ private keys do not offer 2FA for trading, as they suppose enabling 2FA for login is enough to prevent an unauthorised person from gaining access to the exchange account features. It is important to note that 2FA is an optional security feature that most exchanges offer to their customers and encourage use, but that users are not required to activate 2FA. 48% of exchanges enable 2FA for all listed actions, but there are notable differences between small and large exchanges: 80% of large exchanges have 2FA enabled for all listed actions compared to 32% of small exchanges (Figure 26).
Percentage of Exchanges That Use External Security Providers
Exchanges
41
Global Cryptocurrency Benchmarking Study
Figure 26: Large exchanges enable optional 2FA for nearly all customer actions
Figure 25: Majority of exchanges enable optional 2FA for customers for logging in and withdrawing funds
Login
Withdrawal
Trading
14%
2% 75%
51%
77% 11%
35%
23%
12%
Small exchanges
% of Exchanges
Large exchanges
7% 13% 80%
14% 32% 22% 32%
Not Applicable Enabled Not Enabled
Customers - Optional 2FA
Note: the ‘not applicable’ option has been chosen for a variety of reasons, that include exchanges that do not offer accounts and do not hold customer funds
Number of 2FA-Enabled Actions for Users
0 enabled 1 enabled 2 enabled All 3 enabled
Note: these refer to the customer actions listed in Figure 25
42
Figure 27: The majority of exchanges require employees to use 2FA for sensitive operations
While the use of 2FA is mostly an optional feature offered to security-conscious customers, it is often required by exchanges for internal operations (Figure 27). In fact, 85% of exchanges have mandatory 2FA for at least one internal operation action: 80% require 2FA for administrator login, and 74% have mandatory use of 2FA for production access. 73% require 2FA for accessing private keys, which roughly matches the percentage of exchanges that do hold customer keys.
Some exchanges also indicate that they are using three-factor authentication (3FA) internally for access to all systems and require hardware devices such as YubiKeys or even hardware wallets as one factor. 82% of large exchanges and over 60% of small exchanges require the use of 2FA for all of the listed operational actions (Figure 28).
SECURITY MEASURES Exchanges use a variety of internal security measures to monitor production access and restrict access to sensitive information. However, large exchanges use them considerably more often than small exchanges (Figure 29).
91% of large exchanges and 83% of small exchanges use software to create a complete record of all internal processes and actions which allows them to quickly discover potential inconsistencies. The largest difference between small and large exchanges is observed regarding the use of special hardware dedicated to a single purpose (e.g., air-gapped device for cold storage of cryptocurrency funds), which are used by 91% of large exchanges compared to only 59% of small exchanges.
82% of large exchanges and 62% of small exchanges also use physical site location security systems or devices to monitor access to facilities. 73% of large exchanges use various types of ‘consensus mechanisms’ that require several employees to authorise a specific action (e.g., access to customer funds), as opposed to 55% of small exchanges. 64% of large exchanges and 38% of small exchanges use all four security measures.
85% of exchanges require that employees must be over a certain threshold of seniority within the company to get access to the production environment (Figure 30). Fingerprinting is only used by 15% of exchanges. Some exchanges also
8%
13% 74% 13%
80% 12%
23% 73% 4%
Administrator login
Production access
Accessing private keys
Employees – 2FA Required
Note: some exchanges have chosen the ‘not applicable’ option for various reasons, including security for employees being classified, and private keys not being accessible to staff
Not applicable Required Not required
Exchanges
43
Global Cryptocurrency Benchmarking Study
Small exchanges
Large exchanges
% of Exchanges
63% 15% 15% 7%
82% 18%
Figure 28: 82% of large exchanges require 2FA for employees for all listed actions; differences between small exchanges can be observed
Figure 29: Large exchanges use more internal security measures than small exchanges
Single-purpose dedicated hardware
Physical site location security systems
"Consensus mechanisms"
Audit trail
83%
91%
59%
91%
62%
82%
55%
73%
Number of actions where 2FA is required for employees
Small exchanges Large exchanges
All 3 required 2 required 1 required 0 required
Figure 30: Measures used by exchanges to vet staff for production access
Exceed specific treshold of seniority
Criminal record checks
Reference checks
Fingerprinting
15%
30%
60%
70%
85%
Credit history checks
% of Exchanges Using Security Measure % of Exchanges Using Security Measure
Note: these refer to the employee actions listed in Figure 27
44
Exchanges
commented that full credit history checks might constitute a breach of employee privacy and be difficult to defend before a tribunal, and also questioned whether such checks are e a good measure for deciding whether employees should be trusted with production access. Other exchanges indicated that personal relationships would play an important role as well. As for the internal security measures discussed above, large exchanges do make considerably more use of the referenced actions than small exchanges: 73% of large exchanges use three or more compared to 48% of small exchanges.
Only 53% of small exchanges that act as a custodian by controlling customer keys have a written policy that outlines what happens to customer funds in the event of a security breach that could lead to the loss of customer funds (Figure 31). In contrast, 78% of large custodial exchanges have such a written policy.
82% of large exchanges and 64% of small exchanges have a written policy on which employees and parties have access to sensitive information, such as private keys and user data (Figure 32). A major difference between small and large
exchanges can be observed with regards to production access: only 63% of small exchanges have a written policy on who has access to the production environment compared to 92% of large exchanges.
Having the most sophisticated security measures in place does not necessarily prevent malicious actors from successfully breaking into the exchange, as the human element is often the weakest link in any security system. It is essential that staff are well trained and familiar with popular social engineering attacks. 79% of exchanges do provide security training programs to their staff to educate them on security issues (Figure 33). Some exchanges provide ongoing education and training (e.g., daily or weekly case studies about possible attack vectors) while others offer periodic training sessions and best security practices reminders. We do not observe a substantial difference between small and large exchanges with regards to staff training programs.
KEY STORAGE This section refers to the key management systems that exchanges use to secure both customer and exchange keys.
Figure 31: Nearly half of small exchanges acting as custodians do not have a written policy that outlines what happens to customer funds in the event of a security breach
Measures Taken with Regards to Customer Funds in the Event of a Security Breach
Written policy No written policy
53% 47%
78%
Small custodial exchanges
Large custodial exchanges
22%
45
Global Cryptocurrency Benchmarking Study
Figure 32: Do you have a written policy on the following actions?
Figure 33: 21% of exchanges do not provide security training programs to their staff
Written policy No written policy
Staff training programs No staff training programs
Production Access
37%
63%
8%
92%
Access to Sensitive Information
Small exchanges Large exchanges Small exchanges Large exchanges
36%
64%
18%
82%
79%
21%
46
Exchanges
COLD STORAGE 92% of exchanges indicate that they are using some type of cold storage system (i.e., generating and keeping keys offline) to secure a portion of both customer and their own funds. Only 8% are not using any type of cold storage system and instead keep funds in hot wallets that are online. These figures are approximately the same for both small and large exchanges.
On average, exchanges keep 87% of total funds in cold storage (median corresponds to 95% of total funds). There is no significant difference between small and large exchanges with regards to the proportion of funds held in cold storage.
All large exchanges and 95% of small exchanges that use a cold storage system have their cold storage funds ‘air-gapped’, meaning that they reside on storage devices that are physically
isolated from a network connection. All large exchanges have multiple cold storage locations, as opposed to 68% of small exchanges. 78% of large exchanges also use external parties as part of their cold storage system, compared to only 53% of small exchanges.
MULTI-SIGNATURE AND PRIVATE KEY STORAGE Multi-signature is supported by 86% of production systems from large exchanges, but only by 76% of small exchanges. All exchanges that do not use cold storage systems have multisignature support. 85% of large exchanges and 75% of small exchanges that have cold storage systems in place also have multi-signature support. Large exchanges that support multisignature architectures also more often use external thirdparty multi-signature platforms than small exchanges (60% compared to 44%). While all large exchanges distribute keys of multi-signature wallets among multiple holders, 19% of small exchanges do not.
All large exchanges encrypt private keys when they are not in use, but 9% of small exchanges do not. 100% of large
92% of exchanges use some type of cold storage system
Average % of Funds Held in Cold Storage
Median % of Funds Held in Cold Storage
47
Global Cryptocurrency Benchmarking Study
Figure 34: Large exchanges appear to perform more frequent formal security audits than small exchanges
Figure 35: Large exchanges have more often external parties perform their formal security audits
exchanges and 91% of small exchanges store key back-ups in distinct geographical locations.
FORMAL SECURITY AUDITS AND PROOF OF RESERVES We observe that the frequency of formal security audits conducted at exchanges surveyed varies considerably for both small and large exchanges (Figure 34). It appears that large exchanges perform formal security audits on a more regular basis than small exchanges. However, it is not always clear what exchanges define as ‘formal’ security audits, as many exchanges also reported that they would perform standard security checks and audits on an ongoing basis.
60% of large exchanges have their formal security audit performed by external parties, while 65% of small exchanges perform the audit internally (Figure 35). Findings also show that custodial exchanges are more likely to use external parties for their formal security audit. Two-thirds of large exchanges and over 90% of small exchanges do not publicly share information about their for
This is the first study to systematically investigate key cryptocurrency industry sectors by collecting empirical, non-public data. The study gathered survey data from nearly 150 cryptocurrency companies and individuals, and it covers 38 countries from five world regions. The study details the key industry sectors that have emerged and the different entities that inhabit them.
KEY HIGHLIGHTS OF THE STUDY • The current number of unique active users of crypocurrency wallets is estimated to be between 2.9 million and 5.8 million.
• The lines between the different cryptocurrency industry sectors are increasingly blurred: 31% of cryptocurrency companies surveyed are operating across two cryptocurrency industry sectors or more, giving rise to an increasing number of universal cryptocurrency companies.
• At least 1,876 people are working full-time in the cryptocurrency industry, and the actual total figure is likely well above two thousend when large mining organisations and other organizations that did not provide headcount figures are added.
• Average security headcount and costs for payment companies and exchanges as a percentage of total headcount/operating expenses are similar, but significantly higher for wallets.
EXCHANGES • The exchanges sector has the highest number of operating entities and employs more people than any other industry sector covered in this study; a significant geographical dispersion of exchanges is observed.
• 52% of small exchanges hold a formal government license compared to only 35% of large exchanges.
• On average, security headcount corresponds to 13% of total employees and 17% of budget is spent on security.
WALLETS • Between 5.8 million and 11.5 million wallets are estimated to be currently ‘active’.
• The lines between wallets and exchanges are increasingly blurred: 52% of wallets surveyed provide an integrated currency exchange feature, of which 80% offer a national-to-cryptocurrency exchange service. In contrast with exchanges, the majority of wallets do not control access to user keys.
PAYMENTS • While 79% of payment companies have existing relationships with banking institutions and payment networks, the difficulty of obtaining and maintaining these relationships is cited as this sector's biggest challenge.
• On average, national-to-cryptocurrency payments constitute two-thirds of total payment company transaction volume, whereas national-to-national currency transfers and cryptocurrency-to-cryptocurrency payments account for 27% and 6%, respectively.
MINING • 70% of large miners rate their influence on protocol development as high or very high, compared to 51% of small miners.
• The cryptocurrency mining map shows that publicly known mining facilities are geographically dispersed, but a significant concentration can be observed in certain Chinese provinces.
Executive Summary
11
Global Cryptocurrency Benchmarking Study
METHODOLOGY The Cambridge Centre for Alternative Finance carried out four online surveys from September 2016 to January 2017 via secure web-based questionnaires. Each survey was directed at organizations and individuals operating in a specific sector of the cryptocurrency industry as defined by our taxonomy (specifically exchanges, wallets, payment service providers, and miners). All surveys were written and distributed in English, and the exchanges survey as well as the mining survey were translated and distributed in Chinese with the generous help of 8btc.com.
The research team collected data from cryptocurrency companies and organisations across 38 countries and five world regions. Over one hundred cryptocurrency companies and organisations as well as 30 individual miners participated in one or more of the four surveys. During the survey process, the research team communicated directly with individual organisations, explaining the study’s objectives. For cases in which currently active major companies did not contribute to our study, the dataset was supplemented with additional research and web scraping using commonly applied methodologies.
The collected data was encrypted and safely stored, accessible only to the authors of this study. All individual company-specific data was anonymised and analysed in aggregate by industry sector, type of activity, organisation size, region and country. We estimate that our benchmarking study captured more than 75% of the four cryptocurrency industry sectors covered in this report.
REPORT STRUCTURE The remainder of this report is structured as follows:
• The Exchanges section presents an overview of the cryptocurrency exchange sector and the different types of exchange activities, with a particular focus on security.
• The Wallets section explores the different types and formats of wallets, as well as widely offered features including currency exchange services.
• The Payments section features a taxonomy of the four major payment activity types, and compares national and cross-border payment channels and transaction sizes.
• The Mining section describes the mining value chain and features a map with publicly known mining facilities across the world; miners’ views on policy issues and operational challenges are also presented.
• Appendix A: Brief introduction to cryptocurrencies highlights the general concept of cryptocurrencies and presents their key properties and value propositions.
• Appendix B: The cryptocurrency industry offers a more detailed introduction to the emergence of the cryptocurrency industry.
• Appendix C: The geographical dispersion of cryptocurrency users discusses the geographical dispersion of cryptocurrency users and activity.
• References and Endnotes provide information on where outside information was gathered and further explanation of how some figures were calculated (e.g., employee figures by sector).
METHODOLOGY AND STUDY STRUCTURE
144 cryptocurrency organisations and individual miners are included in the research study sample
12
GLOSSARY EXCHANGES WALLETS
• Order-book exchange: platform that uses a trading engine to match buy and sell orders from users
• Brokerage service: service that lets users conveniently acquire and/or sell cryptocurrencies at a given price
• Trading platform: platform that provides a single interface for connecting to several other exchanges and/or offers leveraged trading and cryptocurrency derivatives
• Large exchange: exchange with more than 20 full-time employees and/or a non-negligible market share
• Custodial exchange/custodian: exchange that takes custody of users’ cryptocurrency funds
• Incorporated wallet: registered corporation that provides software and/or hardware wallets.
• Custodial wallet/custodian: wallet provider that takes custody of users’ cryptocurrency holdings by controlling the private key(s).
• Self-hosted wallet: wallet that lets users control private key(s), meaning that the wallet service does not have access to users’ cryptocurrency funds
• Large wallet: incorporated wallet that has more than 10 full-time employees
• Wallets with integrated currency exchange: wallets that provide currency exchange services within the wallet interface using one of three exchange models: • Centralised exchange/brokerage service model: wallet provider acts as central counterparty • Integrated third-party exchange model: wallet provider partners with a third-party exchange to provide exchange services • P2P exchange/marketplace model: wallet provider offers a built-in P2P exchange that lets users exchange currencies between themselves
Setting the Scene
GEOGRAPHY • Asia-Pacific: region that comprises East Asia, South Asia, South-East Asia and Oceania
• Africa and Middle East: region that comprises the African continent as well as the Middle East
• Europe: region that comprises Western Europe, Southern Europe and Eastern Europe including Russia
• Latin America: region that comprises South America and Central America including Mexico
• North America: region composed of Canada and the United States
13
Global Cryptocurrency Benchmarking Study
PAYMENTS
MINING
TECHNICAL
• National currency-focused: services that use cryptocurrency primarily as a ‘payment rail’ for fast and cost-efficient payments, which are generally denominated in national currencies • B2B payment services: platforms that provide payments for businesses, often times across borders • Money transfer services: services that provide primarily international money transfers for individuals (e.g., traditional remittances, bill payment services)
• Cryptocurrency-focused: services that facilitate the use of cryptocurrencies; generally payments are denominated in cryptocurrency, but can also be exchanged to national currencies • Merchant services: services that process payments for cryptocurrency-accepting merchants, and provide additional merchant services (e.g., shopping cart integrations, point-of-sale terminals) • General-purpose cryptocurrency platform: platforms that perform a variety of cryptocurrency transfer services (e.g., instant payments to other users of the same platform using cryptocurrency and/or national currencies, payroll, bill payment services)
• Mining value chain: the cryptocurrency mining sector is composed of the following principal activities: • Mining hardware manufacturing: design and building of specialised mining equipment • Self-mining: miners running their own equipment to find valid blocks • Cloud mining services: services that rent out hashing power to customers • Remote hosting services: services that host and maintain customer-owned mining equipment • Mining pool: structure that combines computational resources from multiple miners to increase the frequency and likelihood of finding a valid block; rewards are shared among participants
• Small miners: registered companies active in the mining industry, but operating with limited scale; individual miners operating as sole proprietors
• Large miners: mining organisations that engage in medium-to-large scale mining operations and occupy a significant position in the industry
• Blockchain: record of all validated transactions grouped into blocks, each cryptographically linked to predecessor transactions down to the genesis block, thereby creating a ‘chain of blocks’
• Keys: term used to describe a pair of cryptographic keys that consists of a private (secret) key and a corresponding public key: the private key can be compared to a password needed to ‘unlock’ cryptocurrency funds while the public key (if converted to an address) can be compared to a public email address or bank account number
• Multi-signature: mechanism to split control over an address among multiple private keys such that a specific threshold of keys are needed to unlock funds stored in that particular address
14
SETTING THE SCENE SETTING THE SCENE
15
Global Cryptocurrency Benchmarking Study
Figure 1: The world of cryptocurrencies beyond Bitcoin
CRYPTOCURRENCY OVERVIEW
BITCOIN, ALTCOINS, AND INNOVATION Bitcoin began operating in January 2009 and is the first decentralised cryptocurrency, with the second cryptocurrency, Namecoin, not emerging until more than two years later in April 2011. Today, there are hundreds of cryptocurrencies with market value that are being traded, and thousands of cryptocurrencies that have existed at some point.1
The common element of these different cryptocurrency systems is the public ledger (‘blockchain’) that is shared between network participants and the use of native tokens as a way to incentivise participants for running the network in the absence of a central authority. However, there are significant differences between some cryptocurrencies with regards to the level of innovation displayed (Figure 1).
The majority of cryptocurrencies are largely clones of bitcoin or other cryptocurrencies and simply feature different parameter values (e.g., different block time, currency supply, and issuance scheme). These cryptocurrencies show little to no innovation and are often referred to as ‘altcoins’. Examples include Dogecoin and Ethereum Classic.2
16
Setting the Scene
Figure 2: The total cryptocurrency market capitalisation has increased more than 3x since early 2016, reaching nearly $25 billion in March 2017
In contrast, a number of cryptocurrencies have emerged that, while borrowing some concepts from Bitcoin, provide novel and innovative features that offer substantive differences. These can include the introduction of new consensus mechanisms (e.g., proof-of-stake) as well as decentralised computing platforms with ‘smart contract’ capabilities that provide substantially different functionality and enable nonmonetary use cases. These ‘cryptocurrency and blockchain innovations’ can be grouped into two categories: new (public) blockchain systems that feature their own blockchain (e.g., Ethereum, Peercoin, Zcash), and dApps/Other that exist on additional layers built on top of existing blockchain systems (e.g., Counterparty, Augur).4
The combined market capitalisation (i.e., market price multiplied by the number of existing currency units) of all cryptocurrencies has increased more than threefold since early 2016 and has reached $27 billion in April 2017 (Figure 2). A relatively low, but not insignificant share of value is allocated to duplication (i.e., ‘altcoins’), while a growing share has been apportioned to innovative cryptocurrencies (‘cryptocurrency and blockchain innovations’).
Bitcoin Other cryptocurrencies
Data sourced from CoinDance3
17
Global Cryptocurrency Benchmarking Study
ETHEREUM (ETH) Decentralised computing platform which features its own Turing-complete programming language. The blockchain records scripts or contracts that are run and executed by every participating node, and are activated through payments with the native cryptocurrency ‘ether’. Officially launched in 2015, Ethereum has attracted significant interest from many developers and institutional actors.
As of April 2017, the following cryptocurrencies are the largest after bitcoin in terms of market capitalisation:
DASH Privacy-focused cryptocurrency launched in early 2014 that has recently experienced a significant increase in market value since the beginning of 2017. In contrast to most other cryptocurrencies, block rewards are being equally shared between miners and ‘masternodes’, with 10% of revenues going to the ‘treasury’ to fund development, community projects and marketing.
MONERO (XMR) Cryptocurrency system that aims to provide anonymous digital cash using ring signatures, confidential transactions and stealth addresses to obfuscate the origin, transaction amount and destination of transacted coins. Launched in 2014, it saw a substantial increase in market value in 2016.
RIPPLE (XRP) Only cryptocurrency in this list that does not have a blockchain but instead uses a ‘global consensus ledger’. The Ripple protocol is used by institutional actors such as large banks and money service businesses. A function of the native token XRP is to serve as a bridge currency between national currency pairs that are rarely traded, and to prevent spam attacks.
LITECOIN (LTC) Litecoin was launched in 2011 and is considered to be the ‘silver’ to bitcoin’s ‘gold’ due to its more plentiful total supply of 84 million LTC. It borrows the main concepts from bitcoin but has altered some key parameters (e.g., the mining algorithm is based on Scrypt instead of bitcoin’s SHA-265).
18
Figure 3: Bitcoin (BTC) has ceded significant ‘market cap share’ to other cryptocurrencies, most notably ether (ETH)
Although bitcoin remains the dominant cryptocurrency in terms of market capitalisation, other cryptocurrencies are increasingly cutting into bitcoin’s historically dominant market cap share: while bitcoin’s market capitalisation accounted for 86% of the total cryptocurrency market in March 2015, it has dropped to 72% as of March 2017 (Figure 3). Ether (ETH), the native cryptocurrency of the Ethereum network, has established itself as the second-largest cryptocurrency. The combined ‘other cryptocurrency’ category has doubled its share of the total market capitalisation from 3% in 2015 to 6% in 2017.
Privacy-focused cryptocurrencies DASH and monero (XMR) have become increasingly popular and currently constitute a combined 4% of the total cryptocurrency market capitalisation.
Figure 4 shows that both DASH and monero have experienced the most significant growth in terms of price in recent months. While monero’s price already began skyrocketing in the summer of 2016, the price of DASH has increased exponentially since December 2016. The price of ether has also recovered since a series of attacks on the Ethereum ecosystem, starting with the DAO hack in June 2016, and increased 8x since its 2016 low of less than $7 in December. All listed cryptocurrencies have increased their market value in this time window.
Setting the Scene
Bitcoin (BTC)
% of total cryptocurrency market capitalisation
Ether (ETH)
Monero (XMR)DASH Ripple (XRP)
Litecoin (LTC) Other Data sourced from CoinMarketCap5
19
Global Cryptocurrency Benchmarking Study
Figure 5: Are ETH and DASH becoming the preferred ‘safe haven’ assets as Bitcoin’s scaling debate heats up or is their price rise a sign of growing interest in other cryptocurrencies?
Figure 4: Market prices of DASH, monero (XMR) and ether (ETH) have experienced the most significant growth since June 2016
Data sourced from CryptoCompare6 Note: the price multiplier variable shows the price evolution of each cryptocurrency since the beginning of June 2016. A value above 1 means that the price has increased by this factor, whereas a value below 1 indicates that the price has decreased during the specified time window.
Data sourced from CoinDance7 and CryptoCompare
DASH (right axis)
Ether (right axis)
Bitcoin (right axis)
Number of Bitcoin Unlimited Nodes (left axis)
Bitcoin (BTC)
Ether (ETH)
Monero (XMR)DASH Ripple (XRP)
Litecoin (LTC)
20
Figure 6: Bitcoin is the most widely supported cryptocurrency among participating exchanges, wallets and payment companies
When comparing the average number of daily transactions performed on each cryptocurrency’s payment network, Bitcoin is by far the most widely used, followed by considerably distant second-place Ethereum (Table 1). All other cryptocurrencies have rather low transaction volumes in comparison. However, a general trend towards rising transaction volumes can be observed for all analysed cryptocurrencies since Q4 2016 (except Litecoin, whose volumes are stagnant). Monero and DASH transaction volumes are growing the fastest.
If significant price movements and on-chain transaction volumes reflect the popularity of a cryptocurrency system, it can be established that DASH, Monero and Ethereum have
seen the greatest increase in popularity in recent months.
Nevertheless, Bitcoin remains the clear leader both in terms of market capitalisation and usage despite the rising interest in other cryptocurrencies. Bitcoin is also the cryptocurrency that is supported and used by the overwhelming majority of wallets, exchanges and payment service providers that participated in this study (Figure 6). As a result, the report will be mainly focused on bitcoin although we attempt to consider other cryptocurrencies whenever it is relevant to do so and sufficient data exists.
Table 1: Average daily number of transactions for largest cryptocurrencies
Bitcoin Ethereum DASH Ripple Monero Litecoin
Q1 2016 201,595 20,242 1,582 N/A 579 4,453
Q2 2016 221,018 40,895 1,184 N/A 435 5,520
Q3 2016 219,624 45,109 1,549 N/A 1,045 3,432
Q4 2016 261,710 42,908 1,238 N/A 1,598 3,455
January - February 2017 286,419 47,792 1,800 N/A 2,611 3,244
Setting the Scene
Bitcoin (BTC)
98%
Ether (ETH)
33%
Litecoin (LTC)
26%
Ripple (XRP)
13%
Dogecoin (DOGE)
11%
Ether Classic (ETC)
10%
DASH
9%
Monero (XMR)
8%
Other
16%
Data sourced from multiple block explorers8
21
Global Cryptocurrency Benchmarking Study
Table 2: The four key cryptocurrency industry sectors and their primary function
THE CRYPTOCURRENCY INDUSTRY
EMERGENCE OF A BUSINESS ECOSYSTEM A multitude of projects and companies have emerged to provide products and services that facilitate the use of cryptocurrency for mainstream users and build the infrastructure for applications running on top of public blockchains. A cryptocurrency ecosystem, composed of a diverse set of actors, builds interfaces between public blockchains, traditional finance and various economic sectors. The existence of these services adds significant value to cryptocurrencies as they provide the means for public blockchains and their native currencies to be used beyond in the broader economy.
CRYPTOCURRENCY INDUSTRY SECTORS While the cryptocurrency industry is composed of many important actors and groups, this study limits the analysis to what we believe are the four key cryptocurrency industry sectors today: exchanges, wallets, payments companies, and mining (Table 2).9
Industry sectors Primary function
Exchanges Purchase, sale and trading of cryptocurrency
Wallets Storage of cryptocurrency
Payments Facilitating payments using cryptocurrency
Mining
Securing the global ledger ('blockchain') generally by computing large amounts of hashes to find a valid block that gets added to the blockchain
22 23
Global Cryptocurrency Benchmarking StudySetting the Scene
Figure 7: The geographical distribution of study participants
> 20 3 – 5 1 – 2 6 – 20 Number of participants
Europe Total participants 29% Exchanges 37%
Wallets 42%
Payments 33%
Mining 13%
North America Total participants 27% Exchanges 18%
Wallets 39%
Payments 19%
Mining 33%
Latin America Total participants 6% Exchanges 14% Wallets 0% Payments 11% Mining 4%
Africa & Middle East Total participants 2% Exchanges 4% Wallets 0% Payments 4% Mining 0%
Asia-Pacific Total participants 36% Exchanges 27%
Wallets 19%
Payments 33%
Mining 50%
24
Exchanges can be used to buy, sell and trade cryptocurrencies for other cryptocurrencies and/or national currencies, thereby offering liquidity and setting a reference price. Wallets provide a means to securely store cryptocurrencies by handling key management. The payments sector is composed of companies that provide a wide range of services to facilitate cryptocurrency payments. Finally, the mining sector is responsible for confirming transactions and securing the global record of all transactions (the 'blockchain').
Each of these sectors has its own working taxonomy that subdivides actors and activities into more refined categories to account for the diversity of services within each industry sector. These taxonomies are presented at the beginning of each of the report sections.
While we have organised this report in a way that suggests distinct industry sectors, it should be noted that the lines between sectors are increasingly blurred. Some companies provide a platform featuring products and services across multiple industry sectors, whereas others are operating in multiple industry segments using different brands. In fact, 19% of cryptocurrency companies that participated in the study provide services that span two industry sectors, 11% are active in three industry sectors, and some entities operate across all four industry sectors. A growing number of companies in the industry can thus be considered universal cryptocurrency platforms given the diverse range of products and services they offer to their customers.
It can be observed that wallets are progressively integrating exchange services within the wallet interface as a means to load the wallet, while exchanges often also provide a means to securely store newly acquired cryptocurrency within their platform. Similarly, payment companies increasingly offer fullyfledged money transfer platforms that enable the storage and transfer of cryptocurrencies, and often include an integrated currency exchange service. As a result, putting cryptocurrency companies into fixed categories can represent a challenging task in some cases.
THE GEOGRAPHY OF THE CRYPTOCURRENCY INDUSTRY Our sample covers cryptocurrency companies, organisations and individuals across 38 countries. The United States leads with 32 study participants, closely followed by China where 29 participants are based (Figure 7). After a significant gap, the United Kingdom comes third with 16 participants, followed by Canada where 7 participants are based.
In terms of regional distribution, most study participants come from the Asia-Pacific region (36%). Europe and North America follow with 29% and 27%, respectively. Only a small proportion of study participants are based in Latin America (6%) as well as Africa and the Middle East (2%).
The lines between the different cryptocurrency industry sectors are increasingly blurred and a growing number of cryptocurrency companies can be characterised as ‘universal’ platforms
Setting the Scene
25
Global Cryptocurrency Benchmarking Study
At least 1,876 people work full-time in the cryptocurrency industry
Figure 9: North American cryptocurrency companies have the highest median number of employees
Figure 8: Cryptocurrency companies based in AsiaPacific and North America have the highest number of employees
EMPLOYEES Combining the participating entities of all industry sectors reviewed in this report (with the exception of miners, for which no employee data was collected), the lower bound of the total number of people employed in the cryptocurrency industry can be established at 1,876 employees.
Significant differences between regions can be observed (Figure 8). Most full-time employees of the cryptocurrency industry are employed by companies based in Asia-Pacific, followed closely by North America (and more specifically the US). With a considerable gap follows Europe, while the total number of people working for cryptocurrency firms based in Latin America and especially Africa and the Middle East are comparatively low. However, it should be noted that many companies have offices in several regions and not all employees work in the region where the employer is based.
Companies surveyed have 21 full-time employees on average, but the existence of several large companies with considerable headcount makes it useful to also examine the median number of employees, which is nine. Figure 9 shows that study participants based in North America have the highest median number of employees (12), whereas participants from Africa and the Middle East as well as from Europe have the lowest (seven).
720
346
105
29
676
12
10
9
7 7
North AmericaAsia-Pacific
EuropeLatin America
Asia-PacificNorth America
Latin America Europe Africa and Middle East
Africa and Middle East
Total Number of Employees Median Number of Employees by Company
26
USE CASES AND ACTIVITY
USE CASES As discussed in more detail in appendix A, the use cases for cryptocurrencies can be grouped into four major categories:
* Speculative digital asset/investment * Medium of exchange * Payment rail * Non-monetary use cases
Some evidence exists that as of today the main use case for cryptocurrencies is speculation. A 2016 joint report from Coinbase and ARK Invest estimates that 54% of Coinbase users use bitcoin strictly as an investment.10 Global bitcoin trading volumes have been significantly higher than network transaction volumes, a figure that is even higher for most other cryptocurrencies. However, it must also be noted that a rising number of cryptocurrency transactions are not performed ‘on-chain’ (i.e., directly on the blockchain network), but ‘offchain’ via internal accounting systems operated by centralised exchanges, wallets and payment companies. These off-chain transactions do not appear on a public ledger.
Estimates of the use of cryptocurrency for payments has varied significantly across different sources. For example, a 2016 report from the Boston Federal Reserve has estimated that 75% of US consumer who own cryptocurrencies have used them for payments within a 12 month period, while the Coinbase/ARK Invest report indicates that 46% of Coinbase users use bitcoin as a ‘transactional medium’ (defined as making at least one payment per year).11 While a growing number of merchants worldwide are accepting cryptocurrency as a payment method, it appears that cryptocurrencies are not primarily being used as a medium of exchange for daily purchases.12 This is due to several factors, including price volatility and the lack of a ‘closed loop’ cryptocurrency economy, in which people or businesses would get paid in cryptocurrency and then use cryptocurrency as a primary payment method for everyday expenses.
As will be discussed in more detail in the Payments section, a considerable number of companies have emerged that use cryptocurrency networks primarily as a ‘payment rail’ to make fast and cheap cross-border payments. However, following the recent surge in bitcoin transaction fees, some are reconsidering this strategy and shifting transactions towards private blockchain-based solutions. Ripple’s payment network is being used by large financial institutions, with 15 of the world’s largest banks working with Ripple’s global consensus ledger.
Finally, Ethereum has established itself as a major blockchain system for non-monetary applications, with nearly 400
Setting the Scene
27
Global Cryptocurrency Benchmarking Study
projects building on its decentralised computing platform.13 Ethereum is also increasingly being used as a platform for launching new cryptocurrencies that are powering applications built on Ethereum (dApp tokens). Non-monetary use of Bitcoin has also increased. For example, the use of the OP_RETURN feature in the bitcoin scripting language (frequently used for embedding metadata in bitcoin transactions, for enabling e.g., time-stamping services and overlay networks) has increased roughly 100x since January 2015.14
USERS Estimating both the number of cryptocurrency holders and users is a difficult endeavour as individuals can use multiple wallets from several providers at the same time. Moreover, one single user can have multiple wallets and exchange accounts for different cryptocurrencies and thus be counted multiple times. In addition, many individuals are using centralised wallet, exchange or payment platforms that pool funds together into
a limited number of large wallets or addresses, which further complicates the picture.
According to the earlier referenced 2016 report from the Boston Federal Reserve, 0.87% of US consumers are estimated to have owned cryptocurrency in 2015, which amounts to around 2.8 million people in the US alone. Based on calculations using their own user data, Coinbase and ARK Research estimate that in 2016 around 10 million people around the world have owned bitcoin.
Using data obtained from study participants and assuming that an individual holds on average two wallets, we estimate that currently there are between 2.9 million and 5.8 million unique users actively using a cryptocurrency wallet.15 This figure has significantly increased since 2013 (Figure 10). It is important to note that our estimate of the total number of active wallets does not include users whose exchange accounts serve as their de facto wallet to store cryptocurrency, nor users from payment service providers or other platforms that enable the storage of cryptocurrency. In other words, the total number of active cryptocurrency users is likely considerably higher than our estimate of unique active wallet users.
For a variety of reasons, determining the geographical distribution of cryptocurrency users is challening. Appendix C contains a discussion of the geographical dispersion of users based on data we collected and public data sources.
Figure 10: The estimated number of unique active users of cryptocurrency wallets has grown significantly since 2013 to between 2.9 million and 5.8 million today
Estimated Number of Unique Active Users of Cryptocurrency Wallets
0m
1m
0.5m
1.5m
2.5m
3.5m
4.5m
2m
3m
4m
5m
5.5m
6m
2013
0.3m 0.8m
1.3m
2014
0.5m
1.3m
2m
2015
0.7m
1.4m
2.9m
2016
2.1m
3.5m
4.8m
2017 YTD
2.9m
4.3m
5.8m
Lower Bound Mid-Point Upper Bound
It is impossible to know precisely how many people use cryptocurrency
28
Wallets
EXCHANGES
Exchanges provide on-off ramps for users wishing to buy or sell cryptocurrency. The exchange sector is the first to have emerged in the cryptocurrency industry and remains the largest sector both in terms of the number of companies and employees.
29
Global Cryptocurrency Benchmarking Study
KEY FINDINGS
Services/Operations Security
• Of all industry sectors covered in this study, the exchange sector has the highest number of operating entities and employs the most people
• 52% of small exchanges hold a formal government license compared to only 35% of large exchanges
• 73% of small exchanges have one or two cryptocurrencies listed, while 72% of large exchanges provide trading support for two or more cryptocurrencies: bitcoin is supported by all exchanges, followed by ether (43%) and litecoin (35%)
• A handful of large exchanges and four national currencies (USD, EUR, JPY and CNY) dominate global cryptocurrency trading volumes
• Study participants reported cryptocurrency trading in 42 different national currencies
• 53% of exchanges support national currencies other than the five global reserve currencies (USD, CNY, EUR, GBP, JPY)
• Exchange services/activities fall into three categories - order-book exchanges, brokerage services and trading platforms: 72% of small exchanges specialise in one type of exchange activity (brokerage services being the most widely offered), while the same percentage of large exchanges are providing multiple exchange activities
• 73% of exchanges take custody of user funds, 23% let users control keys
• On average, security headcount corresponds to 13% of total employees, and 17% of budget is spent on security; small exchanges have slightly higher figures than large exchanges
• 80% of large exchanges and 69% of small exchanges use external security providers; large exchanges use a larger number of external security providers than small exchanges
• Optional two-factor authentication (2FA) is offered for customers by a majority of exchanges and required for employees for most operations; small exchanges tend to use 2FA less than large exchanges
• Exchanges use a variety of internal security measures; differences in approaches are observed between small and large exchanges
• Only 53% of small custodial exchanges have a written policy outlining what happens to customer funds in the event of a security breach resulting in the loss of customer funds, compared to 78% of large custodial exchanges
• 79% of exchanges provide regular security training programs to their staff
• 92% of exchanges use cold-storage systems; on average 87% of funds are kept in cold storage
• Multi-signature architecture is supported by 86% of large exchanges and 76% of small exchanges
• Frequency of formal security audits varies considerably between exchanges; large exchanges tend to perform them on a more regular basis
• 60% of large exchanges have external parties performing their formal security audits, while 65% of small exchanges perform them internally.
• 33% of custodial exchanges have a proof-of-reserve component as part of their formal security audit
30
Table 3: Taxonomy of exchange services
INTRODUCTION AND LANDSCAPE
INTRODUCTION Exchanges provide services to buy and sell cryptocurrencies and other digital assets for national currencies and other cryptocurrencies. Exchanges play an essential role in the cryptocurrency economy by offering a marketplace for trading, liquidity, and price discovery.
Throughout this section, we define a cryptocurrency exchange as any entity that allows customers to exchange (buy/sell) cryptocurrencies for other forms of money or assets. We use the taxonomy in Table 3 for categorising the three main types of activities provided by cryptocurrency exchanges.
LANDSCAPE Exchanges were one of the first services to emerge in the cryptocurrency industry: the first exchange was founded in early 2010 as a project to enable early users to trade bitcoin and thereby establish a market price. The exchange sector remains the most populated in terms of the number of active entities. One data services website alone lists daily trading volumes for 138 different cryptocurrency exchanges, which suggests that the total number of operating exchanges is likely considerably higher.1
We collected data from 51 exchanges based in 27 countries and representing all five world regions (Figure 11). Our sample contains more exchanges from Europe than any other region, followed by Asia-Pacific. With regards to individual countries, the United Kingdom and the United States are leading with 18% and 12%, respectively, of all cryptocurrency exchanges.
However, the market share in terms of bitcoin trading volume is substantially different: although there are a hundreds of companies providing cryptocurrency exchange services, fewer than a dozen order-book exchanges dominate bitcoin trading (Figure 12).2
Type of activity Description
Order-book exchange Platform that uses a trading engine to match buy and sell orders from users
Brokerage service Service that lets users conveniently acquire and/or sell cryptocurrencies at a given price
Trading platform Platform that provides a single interface for connecting to several other exchanges and/or offers leveraged trading and cryptocurrency derivatives
Exchanges
31
Global Cryptocurrency Benchmarking Study
Figure 11: Europe has the most number of exchanges in our study sample, followed by Asia-Pacific
Europe
Asia-Pacific
US
Canada
China
Japan
Other
UKLatin America
North America
Africa and Middle East
Figure 12: Trading volumes across the top exchanges are more evenly distributed following increased regulation of Chinese exchanges in early 2017
Data sourced from Bitcoinity3
Bitcoin trading volume market share of major exchanges Average market share (February-March 2017)
32
In terms of trading volumes by national currencies, there are major differences as well between the top-traded currencies and the most widely supported currencies. The US dollar (USD) is the most widely supported national currency, followed by the Euro (EUR) and the British Pound (GBP) (Figure 13). While reported trading in the Chinese Renminbi (CNY) appeared to represent an often significant majority of global bitcoin trading volumes from 2014 to 2016 (ranging from 50% to 90%)4, bitcoin trading denominated in CNY has plumetted in early 2017 after the tightening of regulation by the People's Bank of China (Figure 14).
The data demonstrate that the exchange market is dominated by a handful of exchanges that are responsible for the majority of global bitcoin trading volumes, of which the lion share is
denominated in a small number of international currencies. In contrast, the majority of exchanges (mostly small) specialise in local markets by supporting local currencies: 53% of all exchanges support national currencies other than the five reserve currencies. Trading volumes at most small exchanges are insignificant compared to the market leaders, but these exchanges service local markets and make cryptocurrencies more available in many countries.
TYPES Using the taxonomy of the three types of exchange activities introduced above, findings show that there are major differences between the services that small and large exchanges provide.5 While 72% of small exchanges specialise in one type of activity, the same percentage of large exchanges are providing multiple types of exchange activities (Figure 15). The most popular combination of two activities are order-book exchanges that also offer a trading platform.
22% of large exchanges and only 4% of small exchanges offer a platform that includes an order-book exchange, trading
While global cryptocurrency trading volume is dominated by four reserve currencies, trading in at least 40 other national currencies is supported
Figure 13: USD is the most widely supported national currency on exchanges; many specialise in local currencies
% of Exchanges Supporting National Currencies
USD
65%
EUR
49%
GBP
39%
JPY
18%
CNY
14%
Other
53%
Exchanges
33
Global Cryptocurrency Benchmarking Study
Figure 14: Trading in renminbi has plumetted since Chinese authorities tightened regulation
Figure 15: The majority of small exchanges specialise in a single type of exchange activity while large exchanges are generally engaged in more than one activity
Order-book exchange
Brokerage services
Trading platform
Two activities
All three combined
Order-book exchange
Brokerage services
Two activities
All three combined
Small Exchanges Large Exchanges
BTC Exchange Trading Volume Share by National Currency
Data sourced from Bitcoinity
34
platform and brokerage services. Over 40% of small exchanges specialise in the provision of brokerage services, compared to only 17% of large exchanges. 15% of small exchanges provide a stand-alone trading platform, while large exchanges generally combine this activity with an order-book exchange.
Despite many cases of internal fraud and bankruptcies of centralised exchanges, P2P exchanges have yet to gain more popularity: of the 51 exchanges represented in this study, only 2 provide a decentralised marketplace for exchanging cryptocurrencies.
SUPPORTED CRYPTOCURRENCIES All exchanges support bitcoin, while ether and litecoin are listed on 43% and 35% of exchanges, respectively (Figure 16). Only a minority of exchanges make markets for the exchange of cryptocurrencies other than the above three.
While 39% of exchanges solely support bitcoin, 25% have two listed cryptocurrencies, and 36% of all entities enable trading three or more cryptocurrencies. We observe that 72% of large exchanges provide trading support for two or more cryptocurrencies, while 73% of small exchanges have only one or two cryptocurrencies listed. 6% of survey participants also provide cryptocurrency-based derivatives, and 16% are offering margin trading.
EMPLOYEES There are 1,157 total employees at participating exchanges, making exchanges the largest employer in the cryptocurrency industry.6 Even though 37% of all exchanges are based in Europe, the total number of employees at European exchanges is considerably less than the total headcount at companies based in Asia-Pacific, where almost 60% of large exchanges are based (Figure 17).
On average, cryptocurrency exchanges employ 24 people. However, the distribution reveals that nearly half of exchanges have less than 11 employees (Figure 18), indicating that the majority of exchanges are small companies. Indeed, 20% of all exchanges have less than 5 employees. However, 9% of exchanges have more than 50 employees, with the largest employing around 150 people.
Figure 16: Bitcoin is listed on all surveyed exchanges; ether and litecoin are also widely supported
% of Exchanges Supporting the Listed Cryptocurrencies
The exchange industry sector employs more people than any other cryptocurrency sector
Exchanges
35
Global Cryptocurrency Benchmarking Study
Figure 18: Nearly half of exchanges have less than 11 employees
Figure 17: Asian-Pacific exchanges have the highest number of employees
Number of Employees per Exchange
Note: these figures include employees from universal cryptocurrency companies that are also active in industry sectors other than exchanges.
1-10 11-20 21-50 >50
Average number of employees by exchange
Total number of employees by region
36
Figure 19: More than half of small exchanges hold a government license compared to only 35% of large exchanges
LICENSE One notable observation is the difference between the share of small and large exchanges that hold a government license of some kind: 52% of small exchanges have a formal government license or authorisation compared to only 35% of large exchanges (Figure 19).
85% of all exchanges based in Asia-Pacific do not have a license, whereas 78% of North American-based exchanges hold a formal government license or authorisation. 47% and 43% of European and Latin American-based exchanges, respectively, hold a license as well. However, not having a formal license does not necessarily mean that the exchanges are not regulated, as appears to be the case now with many of the China-based exchanges.
OPERATIONAL CHALLENGES AND RISK FACTORS We presented a list of operational challenges to participating exchanges and asked them to rate these factors according to the level of risk that they currently pose to operations. Findings show that while small and large exchanges rate certain factors approximately similarly, there are substantial differences with regards to other factors (Table 4). Generally, small exchangs have a tendency to rate risks higher than large exchanges.
The highest risk factor for small exchanges and second highest risk factor for large exchanges are security breaches that could result in a loss of funds.
One finding that stands out is that large exchanges rate challenges posed by regulation in general as posing the highest risk to their operations – a factor that is rated lower by small exchanges.
52%
48%
35%
65%
License No License License No License
Small Exchanges Large Exchanges
Exchanges
37
Global Cryptocurrency Benchmarking Study
Small exchanges seem to have considerable difficulties with either obtaining or maintaining banking relationships, while large exchanges appear to have this risk factor under control. Small exchanges are also substantially more concerned about fraud than large exchanges, which suggests that they are either targeted more often than large exchanges or simply that fraud has more a more severe financial impact due to the limited scale of their operations and budget.
Respondents Scored these Categories on a 1 - 5 Scale Table 4: Operational risk factors rated by exchanges
Weighted average Small exchanges Large exchanges
IT security/hacking 3.70 3.93 3.17
Deteriorating banking relationships 3.45 3.79 2.67
Fraud 3.08 3.50 2.08
Regulation (in general) 3.08 2.89 3.50
Competitors/business model risk 2.88 3.00 2.58
Reputation risk 2.88 2.93 2.75
AML/KYC enforcement 2.68 2.64 2.75
Insufficient demand for services 2.58 2.82 2.00
Lack of talent 2.46 2.52 2.33
1: Very low risk 3: Medium risk 4: High risk 2: Low risk 5: Very high risk
Lowest average score Highest average score
38
Figure 20: 73% of exchanges take custody of users’ cryptocurrency funds by controlling the private keys
SECURITY EXCHANGES CONTINUE TO BE POPULAR TARGETS FOR CRIMINALS Cryptocurrencies are digital bearer assets that once transferred cannot easily be recovered (i.e., the payment cannot be reversed unless the recipient decides to do so). The surge in market prices of cryptocurrencies in recent years has made exchanges a popular target for criminals as they handle and store large amounts of cryptocurrencies. Numerous events have led to the loss of exchange customer funds, and a wide variety of schemes have been employed ranging from outside server breaches to insider theft. In many cases, exchanges where losses occurred were forced to close and customer funds were never recovered. One 2013 study analysing the survival rate of 40 bitcoin exchanges found that over 22% of exchanges had experienced security breaches, forcing 56% of affected exchanges to go out of business.7
73%
23%
4%
Exchange controls keys
User controls keys
Customers have the option
Exchanges
Figure 21: Order-book-only exchanges spend 2x more on security as a share of total budget than ‘pure’ brokerage services and trading platforms
Trading plaormsBrokerage servicesOrder-book exchanges
17%
28%
13%
14%
15%
14%
Exchanges Engaged in a Single Type of Activity
Average Security Headcount Average Security Cost
39
Global Cryptocurrency Benchmarking Study
73% of exchanges control customers’ private keys, making them a potentially attractive ‘honeypot’ for hackers as these exchanges have possession of user funds denominated in cryptocurrency (Figure 20). 23% of exchanges do not control customers’ private keys, thereby preventing exchanges from accessing customer holdings or not being able to return funds to users in the event the exchange ceases to function.8 Large exchanges act more often as custodians than small exchanges: only 11% of large exchanges let users control keys compared to 30% of small exchanges.
SECURITY HEADCOUNT AND COST On average, exchanges have 13% of their employees working full-time on security and spend 17% of their total budget on security. Order-book-only exchanges (i.e., entities not engaged in brokerage services and trading platforms) spend two times more of their budget on security than companies providing solely brokerage services or pure trading platforms (Figure 21).
Findings show that on average, small exchanges have slightly higher headcount (+5%) associated with security than large exchanges. The distribution indicates that the security headcount ranges for both small and large exchanges from 0% to 50% of their total employees (Figure 22). 55% of small exchanges and 74% of large exchanges have between 0% and 10% of employees working full-time on security. In fact, more than half of large exchanges have less than 6% of headcount associated with security.
Similar to security headcount, we observe that small exchanges have on average a slightly higher cost (+7%) as a percentage of their budget associated with security than large exchanges. 72% of large exchanges spend less than 11%, while 61% of small exchanges spend more than 10% (Figure 23). The upper limit that both small and large exchanges spend on security cost is 50% of their total budget.
Figure 23: Large exchanges are realising economies of scale as they spend less of their total budget on security than small exchanges
Figure 22: Small exchanges have a higher percentage of employees working full-time on security than large exchanges
55%
17% 74%
13%
13%28%
Small exchanges Large exchanges
% of Exchanges
Small exchanges Large exchanges
29%
32%
39%
14%
14%
72%
% of Exchanges
0 -10% 21 -50% 11-20%
% of Employees Working Full-Time on Security % of Total Budget Spent on Security
0 -10% 11 - 20% 21 -50%
40
Figure 24: Large exchanges use a greater number of external security providers than small exchanges
3 or more21
29%
25%
23%
50%
48%
25%
Number of External Security Providers
Small exchanges Large exchanges
EXTERNAL SECURITY PROVIDERS Over 70% of exchanges secure their systems with the help of external security providers, including external code reviewers, multi-signature wallet service providers and two-factor authentication (2FA) service providers. However, there are differences between small and large exchanges: 80% of large exchanges use external security providers as opposed to 69% of small exchanges.
While the majority of small exchanges that use external security providers place trust in one to two providers, half of large exchanges make use of three or more external security providers (Figure 24). More than half of exchanges indicate that they have not come to rely more on external security providers over time.
USE OF TWO-FACTOR AUTHENTICATION (2FA) Multi-factor authentication is an access control method that grants access to a computer system only if the requester can supply multiple ‘factors’ (e.g., password and a unique one-time generated token).9 The most widely used form in everyday
life is two-factor authentication (2FA) which requires the user to provide two factors in order to identify himself. 75% of exchanges offer customers the option to enable 2FA for logging into their exchange account, and 77% offer users 2FA for withdrawing funds (Figure 25). Only 51% of exchanges provide optional 2FA for trading.
40% of exchanges that control users’ private keys do not offer 2FA for trading, as they suppose enabling 2FA for login is enough to prevent an unauthorised person from gaining access to the exchange account features. It is important to note that 2FA is an optional security feature that most exchanges offer to their customers and encourage use, but that users are not required to activate 2FA. 48% of exchanges enable 2FA for all listed actions, but there are notable differences between small and large exchanges: 80% of large exchanges have 2FA enabled for all listed actions compared to 32% of small exchanges (Figure 26).
Percentage of Exchanges That Use External Security Providers
Exchanges
41
Global Cryptocurrency Benchmarking Study
Figure 26: Large exchanges enable optional 2FA for nearly all customer actions
Figure 25: Majority of exchanges enable optional 2FA for customers for logging in and withdrawing funds
Login
Withdrawal
Trading
14%
2% 75%
51%
77% 11%
35%
23%
12%
Small exchanges
% of Exchanges
Large exchanges
7% 13% 80%
14% 32% 22% 32%
Not Applicable Enabled Not Enabled
Customers - Optional 2FA
Note: the ‘not applicable’ option has been chosen for a variety of reasons, that include exchanges that do not offer accounts and do not hold customer funds
Number of 2FA-Enabled Actions for Users
0 enabled 1 enabled 2 enabled All 3 enabled
Note: these refer to the customer actions listed in Figure 25
42
Figure 27: The majority of exchanges require employees to use 2FA for sensitive operations
While the use of 2FA is mostly an optional feature offered to security-conscious customers, it is often required by exchanges for internal operations (Figure 27). In fact, 85% of exchanges have mandatory 2FA for at least one internal operation action: 80% require 2FA for administrator login, and 74% have mandatory use of 2FA for production access. 73% require 2FA for accessing private keys, which roughly matches the percentage of exchanges that do hold customer keys.
Some exchanges also indicate that they are using three-factor authentication (3FA) internally for access to all systems and require hardware devices such as YubiKeys or even hardware wallets as one factor. 82% of large exchanges and over 60% of small exchanges require the use of 2FA for all of the listed operational actions (Figure 28).
SECURITY MEASURES Exchanges use a variety of internal security measures to monitor production access and restrict access to sensitive information. However, large exchanges use them considerably more often than small exchanges (Figure 29).
91% of large exchanges and 83% of small exchanges use software to create a complete record of all internal processes and actions which allows them to quickly discover potential inconsistencies. The largest difference between small and large exchanges is observed regarding the use of special hardware dedicated to a single purpose (e.g., air-gapped device for cold storage of cryptocurrency funds), which are used by 91% of large exchanges compared to only 59% of small exchanges.
82% of large exchanges and 62% of small exchanges also use physical site location security systems or devices to monitor access to facilities. 73% of large exchanges use various types of ‘consensus mechanisms’ that require several employees to authorise a specific action (e.g., access to customer funds), as opposed to 55% of small exchanges. 64% of large exchanges and 38% of small exchanges use all four security measures.
85% of exchanges require that employees must be over a certain threshold of seniority within the company to get access to the production environment (Figure 30). Fingerprinting is only used by 15% of exchanges. Some exchanges also
8%
13% 74% 13%
80% 12%
23% 73% 4%
Administrator login
Production access
Accessing private keys
Employees – 2FA Required
Note: some exchanges have chosen the ‘not applicable’ option for various reasons, including security for employees being classified, and private keys not being accessible to staff
Not applicable Required Not required
Exchanges
43
Global Cryptocurrency Benchmarking Study
Small exchanges
Large exchanges
% of Exchanges
63% 15% 15% 7%
82% 18%
Figure 28: 82% of large exchanges require 2FA for employees for all listed actions; differences between small exchanges can be observed
Figure 29: Large exchanges use more internal security measures than small exchanges
Single-purpose dedicated hardware
Physical site location security systems
"Consensus mechanisms"
Audit trail
83%
91%
59%
91%
62%
82%
55%
73%
Number of actions where 2FA is required for employees
Small exchanges Large exchanges
All 3 required 2 required 1 required 0 required
Figure 30: Measures used by exchanges to vet staff for production access
Exceed specific treshold of seniority
Criminal record checks
Reference checks
Fingerprinting
15%
30%
60%
70%
85%
Credit history checks
% of Exchanges Using Security Measure % of Exchanges Using Security Measure
Note: these refer to the employee actions listed in Figure 27
44
Exchanges
commented that full credit history checks might constitute a breach of employee privacy and be difficult to defend before a tribunal, and also questioned whether such checks are e a good measure for deciding whether employees should be trusted with production access. Other exchanges indicated that personal relationships would play an important role as well. As for the internal security measures discussed above, large exchanges do make considerably more use of the referenced actions than small exchanges: 73% of large exchanges use three or more compared to 48% of small exchanges.
Only 53% of small exchanges that act as a custodian by controlling customer keys have a written policy that outlines what happens to customer funds in the event of a security breach that could lead to the loss of customer funds (Figure 31). In contrast, 78% of large custodial exchanges have such a written policy.
82% of large exchanges and 64% of small exchanges have a written policy on which employees and parties have access to sensitive information, such as private keys and user data (Figure 32). A major difference between small and large
exchanges can be observed with regards to production access: only 63% of small exchanges have a written policy on who has access to the production environment compared to 92% of large exchanges.
Having the most sophisticated security measures in place does not necessarily prevent malicious actors from successfully breaking into the exchange, as the human element is often the weakest link in any security system. It is essential that staff are well trained and familiar with popular social engineering attacks. 79% of exchanges do provide security training programs to their staff to educate them on security issues (Figure 33). Some exchanges provide ongoing education and training (e.g., daily or weekly case studies about possible attack vectors) while others offer periodic training sessions and best security practices reminders. We do not observe a substantial difference between small and large exchanges with regards to staff training programs.
KEY STORAGE This section refers to the key management systems that exchanges use to secure both customer and exchange keys.
Figure 31: Nearly half of small exchanges acting as custodians do not have a written policy that outlines what happens to customer funds in the event of a security breach
Measures Taken with Regards to Customer Funds in the Event of a Security Breach
Written policy No written policy
53% 47%
78%
Small custodial exchanges
Large custodial exchanges
22%
45
Global Cryptocurrency Benchmarking Study
Figure 32: Do you have a written policy on the following actions?
Figure 33: 21% of exchanges do not provide security training programs to their staff
Written policy No written policy
Staff training programs No staff training programs
Production Access
37%
63%
8%
92%
Access to Sensitive Information
Small exchanges Large exchanges Small exchanges Large exchanges
36%
64%
18%
82%
79%
21%
46
Exchanges
COLD STORAGE 92% of exchanges indicate that they are using some type of cold storage system (i.e., generating and keeping keys offline) to secure a portion of both customer and their own funds. Only 8% are not using any type of cold storage system and instead keep funds in hot wallets that are online. These figures are approximately the same for both small and large exchanges.
On average, exchanges keep 87% of total funds in cold storage (median corresponds to 95% of total funds). There is no significant difference between small and large exchanges with regards to the proportion of funds held in cold storage.
All large exchanges and 95% of small exchanges that use a cold storage system have their cold storage funds ‘air-gapped’, meaning that they reside on storage devices that are physically
isolated from a network connection. All large exchanges have multiple cold storage locations, as opposed to 68% of small exchanges. 78% of large exchanges also use external parties as part of their cold storage system, compared to only 53% of small exchanges.
MULTI-SIGNATURE AND PRIVATE KEY STORAGE Multi-signature is supported by 86% of production systems from large exchanges, but only by 76% of small exchanges. All exchanges that do not use cold storage systems have multisignature support. 85% of large exchanges and 75% of small exchanges that have cold storage systems in place also have multi-signature support. Large exchanges that support multisignature architectures also more often use external thirdparty multi-signature platforms than small exchanges (60% compared to 44%). While all large exchanges distribute keys of multi-signature wallets among multiple holders, 19% of small exchanges do not.
All large exchanges encrypt private keys when they are not in use, but 9% of small exchanges do not. 100% of large
92% of exchanges use some type of cold storage system
Average % of Funds Held in Cold Storage
Median % of Funds Held in Cold Storage
47
Global Cryptocurrency Benchmarking Study
Figure 34: Large exchanges appear to perform more frequent formal security audits than small exchanges
Figure 35: Large exchanges have more often external parties perform their formal security audits
exchanges and 91% of small exchanges store key back-ups in distinct geographical locations.
FORMAL SECURITY AUDITS AND PROOF OF RESERVES We observe that the frequency of formal security audits conducted at exchanges surveyed varies considerably for both small and large exchanges (Figure 34). It appears that large exchanges perform formal security audits on a more regular basis than small exchanges. However, it is not always clear what exchanges define as ‘formal’ security audits, as many exchanges also reported that they would perform standard security checks and audits on an ongoing basis.
60% of large exchanges have their formal security audit performed by external parties, while 65% of small exchanges perform the audit internally (Figure 35). Findings also show that custodial exchanges are more likely to use external parties for their formal security audit. Two-thirds of large exchanges and over 90% of small exchanges do not publicly share information about their for