- Crypto custody company Fireblocks allegedly lost 38,178 ETH as a result of employee negligence.
- StakeHound brought a lawsuit against Fireblocks in Israeli courts.
Editor's note: An earlier version of this story incorrectly reported the way in which Fireblocks and StakeHound work together. The story has been updated for clarity, to provide comments from Fireblocks CEO Michael Shaulov, and to correct the value of the company's Series C raise.
Fireblocks, founded in 2018, is a crypto custody company that lets institutional customers shift money around cryptocurrency exchanges swiftly without sacrificing security.
Now, it's being sued in a Tel Aviv District Court for allegedly failing to live up to this promise.
Swiss-based staking platform StakeHound alleges that Fireblocks didn’t “back up the [StakeHound’s customer’s] private keys needed to open the relevant digital wallet, and for no apparent reason, the keys were deleted, preventing the plaintiff’s digital assets from being accessed.”
Digital wallets are software programs that help store cryptocurrencies. Private keys, like passwords, are a string of characters and numbers that allow the owner of a wallet to access it.
According to StakeHound’s allegations, Fireblocks acted negligently by losing the private keys it received from StakeHound, which irrecoverably cut off access to the relevant wallets of StakeHound customers. Fireblocks should have arranged a secure backup of private keys too, StakeHound claims.
Michael Shaulov, CEO of Fireblocks, told Decrypt that the allegations of failure to back up the keys are baseless because the company wasn’t contractually obligated to back up them.
“There was no contractual obligation for us to provide [StakeHound] any service with regard to that, and in our understanding, the only reason why we provided this service is that there was some pressure from some of [its] customers not to hold 100% of the key themselves,” Shaulov told Decrypt.
Founded in 2020, StakeHound lets users “stake” crypto assets—that is to say, pledge crypto assets to the network and earn rewards in return—by wrapping assets into “staked tokens” which represent the underlying asset on a 1:1 basis. The pledged crypto assets are custodied by companies including Fireblocks, according to StakeHound.
Shaulov explained that the keys in questions were generated by StakeHound for its customers staking in Ethereum 2.0, which lets customers lock up their ETH for rewards until the Ethereum network transition to Ethereum 2.0.
But Ethereum 2.0 staking relies on a system called Boneh-Lynn-Shacham (BLS) signature scheme, which Fireblocks’ infrastructure doesn’t support. BLS generates multiple keys, which are all required to unlock the wallet.
Fireblocks stored those keys on a local server, a computer, not in its multi-party computation, which is a technology that functions like a LastPass of crypto—it provides an encrypted but centralized custody of private keys. In April, Fireblocks surpassed $30 billion in transfers secured with this technology.
When StakeHound sent some of those keys to Fireblocks, Shaulov said that it was meant to be a temporary measure. StakeHound would create a backup in 14 days as per their agreement.
But in a recent disaster recovery drill, Fireblocks discovered that the computer which held the keys no longer holds them. It alerted StakeHound, and both parties realized nobody had a backup.
Shaulov declined to disclose the post-mortem report detailing what happened to the computer that held the keys. As for why Fireblocks accepted the keys to begin with, even though it couldn’t hold them in its multi-party computation system, Shaulov said: “That's something we are looking into.”
To bolster the safety of private keys, Fireblocks and other custodians work with companies like Coinover, which keeps back-ups of keys in offline vaults. Complicating the matter further, StakeHound claims that Fireblocks sent keys to Coinover, but it received the wrong keys from them.
A confidentiality agreement prevents Coinover from verifying the keys it receives from Fireblocks, according to StakeHound. So the only chance for recovery went out of the window. However, Shaulov denies the company has ever sent keys to Coinover. Legally, it can’t, said the CEO, since the keys belong to StakeHound customers, not its direct clients.
The allegations surrounding Fireblocks come three months after the company raised $133 million in a Series C round from Coatue, Ribbit, Stripes, SVB Capital, and BNY Mellon.
StakeHound did not immediately respond to Decrypt’s request for comment.