- OKEx suspended withdrawals October 16 after its founder was taken away by police.
- Rumors circulated that it uses a single signature Bitcoin cold wallet.
- OKEx denies the rumors, pointing to its security policy.
OKEx, the cryptocurrency exchange that has paused cryptocurrency withdrawals since October 16, told Decrypt that the source for a story purporting to be from Chinese blockchain news site Jinse Caijing is not accurate.
That story, originally spotted by Sino Global Capital CEO Matthew Graham, and reported on by Decrypt, claimed that OKEx relied on a single-signature Bitcoin wallet. That would be an important development, given that the exchange has paused withdrawals after founder Xu Mingxing, who is a private key holder, was taken away by Chinese police earlier this month.
But while it remains unclear what must happen for withdrawals to resume—a spokesperson told Decrypt on October 16 that it could not "reveal any information that may put our users' funds at risk"—it is likely that the Jinse Caijing story is not a story after all, but an internet fabrication.
Graham, a China resident, deleted his original post, believing that it might have been photoshopped:
I’m deleting this tweet because it may be photoshopped, I’m sorry about the FUD https://t.co/Szs4luBUgM
— Matthew Graham (@mattysino) October 29, 2020
There is currently no record of the story on Jinse Caijing's website.
When asked whether OKEx uses a single-signature Bitcoin wallet, an OKEx spokesperson pointed Decrypt to an incident report on August's 51% attacks on Ethereum Classic, which also describes the withdrawal process, including its "semi-offline multisig" for hot wallets.
According to the report, however, 95% of funds are stored in cold wallets. A page detailing cold wallet security states that, when generating private keys, the Advanced Encryption Standard (AES) password is "controlled by two OKEx company personnel in separate locations—one in OKEx's Beijing office, one in a city on the West Coast of the United States."
To withdraw funds, the following happens:
A staff member goes to "the bank safe near the office and retrieve[s] the appropriate number of unused encrypted private keys." They then scan the keys' QR code into two separate offline computers. Then "the holder of the AES master password decrypts the encrypted private key on a completely offline computer" before scanning the QR code into another offline computer.
The final, albeit confusing, step is "signing trading on another computer completely offline, and after the transaction signature synchronized to a computer with internet broadcast transaction through USB drive."
Regardless of the procedures, and whether they've been adhered to, OKEx users are undoubtedly getting restless. Though the exchange maintains that funds remain "safe," they remain inaccessible for withdrawals.