Date: 2017-08-17

Investor trust in the Xapo Vault and deep cold storage is required to "sleep well at night" about the Bitcoin underlying GBTC.

Xapo is the Bitcoin custodian of the Grayscale Bitcoin Investment Trust, which matters due to the protection and security Xapo provides.

Grayscale Bitcoin Investment Trust Bitcoins are not covered by insurance, and the current insurance situation is explained.

Wesley Eddy's article about the Grayscale Bitcoin Investment Trust (OTCQX:GBTC), "Divergence Between Bitcoin And GBTC: An Arbitrage Opportunity," caught my attention because of this:

"The latest quarterly report discusses a risk that Xapo has not been able to insure its Bitcoin holdings. Since the monetary value of holdings is substantial, and Xapo serves other customers in addition to the trust, Xapo may be targeted by sophisticated cybercriminals, insiders, or other threats. Without insurance, this could wipe out the value of GBTC shares."

Before I talk about the risk, let me quickly introduce Xapo. The public view goes like this:

With Xapo, you can buy, transact, store, manage and spend your bitcoins. Keep the bitcoins you want to use for daily spending in your Xapo Wallet, and the bitcoins you want to store in your secure Xapo Vault.



The Xapo Wallet has no delays nor geographical limitations. There is a fee for receiving an external transaction less than this specific limit and the Xapo Wallet is also linked directly to the Xapo Debit Card - the world's first bitcoin debit card! If the Xapo Debit Card is available in your country then you can spend your bitcoins at any online or offline establishment that accepts Visa.

While that doesn't tell us much about Xapo's relationship with GBTC, it does give us a view into some of the things that Xapo provides. It's pretty plain vanilla Bitcoin stuff and doesn't explain why GBTC is cozy with it.

Instead, we need to look at the Xapo Vault:

The Vault is Xapo's core product. The Vault has become the preferred storage solution of many of the largest institutions and individuals in the world and it holds one of the largest stores of bitcoins in existence. The Vault caters to large and small holders of bitcoin who need highly secure and diversified measures to protect their holdings. The Vault is based in three different continents: America, Europe, and Oceania. Additional locations are being evaluated to diversify any geographic risk. A team with two decades of experience each in international financial and transactional security developed our proprietary storage product, the Xapo Vault. The Vault offers advanced encryption and key management, multisignature bitcoin addresses, military grade physical security (like faraday cages and former military bases) and highly secure processes to keep bitcoins offline and geographically dispersed across three continents.

I've highlighted the important parts for quick reference. Xapo provides Bitcoin security, and that's what we care about here.

Grayscale doesn't hide this on its site:

What matters right now is that Wesley Eddy has told us that Xapo isn't able to insure its Bitcoin holdings. And since GBTC uses Xapo, that means the Bitcoins inside GBTC are not insured. Is that really true?

Let's look at what the GBTC quarterly report ending June 30th, 2017 has to say:

"We have been advised that our Custodian did not renew its insurance coverage."

That is to say, Xapo did not renew insurance coverage for its Bitcoins. That is the truth per the quarterly report. Wesley Eddy is correct.

In fact, this is further explained under Risks and Uncertainties in that same report:

There is a risk that some or all of the Trust’s bitcoins could be lost or stolen. The Trust does not have insurance protection on its bitcoins which exposes the Trust and its shareholders to the risk of loss of the Trust’s bitcoins. Further, bitcoin transactions are irrevocable. Stolen or incorrectly transferred bitcoin may be irretrievable. As a result, any incorrectly executed bitcoin transactions could adversely affect an investment in the Trust.

We need to assume that the Bitcoins that Xapo holds are at risk. To make matters worse, if there is hacking and the Bitcoins "move," it's pretty much impossible to get them back because those transactions are irrevocable.

Being digital, Bitcoins are significantly easier to "move" and "hide," so that's a bigger risk than, let's say, some kind of gold or silver backing a trust.

It's confusing that Grayscale indicates in its FAQ section that Xapo provides insurance:

In any event, I think it's best for us to just assume per the GBTC quarterly report ending June 30th, 2017, that there's a lack of insurance.

Now, how about hacking? Is it easy to steal Bitcoins from Xapo?

Xapo has an excellent article on this exact topic on its blog:

If Xapo’s hot wallet were hacked, Xapo would cover the loss from its own reserve of bitcoins. Less than 3% of bitcoins are kept in our hot wallet, so our bitcoin reserve would cover the full loss. Over 97% of the bitcoins we hold for our customers are held in deep cold storage in multiple locations. “Deep cold storage” means that the private keys necessary to move those bitcoins are in servers that have never been online and will never be online; they are “air-gapped” and stored inside bunkered vaults with multiple access controls, mantraps, guards and surveillance systems.

For reference regarding deep cold storage:

Cold storage refers to the process of storing bitcoins offline, but the private keys associated with this process may be online and/or exposed to the internet at some time during the generation or signing process. Deep cold storage, however, is a type of cold storage where not only are bitcoins stored offline, but also the system that holds the bitcoins was never online or connected to any kind of network. The private keys associated with that system were generated in offline systems, and the signing process of the transactions is also made in offline systems. The systems used in this type of storage never touch the Internet; they are created offline, they are stored offline, and they are offline when signing transactions.

Regular cold storage may have had some online exposure while keys were generated or transactions were signed, but deep cold storage is "extremely" offline, so to speak: the machines that hold the keys were never online.

And here's more about what Xapo is doing to get around the insurance issue that spills over to GBTC.

"Until recently, Xapo maintained third-party crime insurance on bitcoin stored in the Vault. The insurance policies kept getting narrower and narrower, covering less and less risk. We eventually decided that the insurance policies were not covering any significant risk and we decided not to renew the insurance. Instead, we implemented the Xapo Bitcoin Reserve. The Xapo Bitcoin Reserve is an amount of bitcoins that Xapo owns and keeps in deep cold storage; the Reserve encompasses an amount of bitcoins that is bigger than the funds kept in our hot wallet at any given time. As such, we are essentially self insuring against a hack of our hot wallet. If our hot wallet got hacked Xapo would cover the loss for its customers in full."

In any case, the security of Bitcoins backing GBTC has been offloaded to Xapo. We know that Xapo has no insurance. In this sense, GBTC Bitcoins are naked.

We also know that security is all about Xapo deep cold storage. This method of security is generally robust and fairly redundant. The only immediate and direct risk to deep cold-stored Bitcoins would be employees of Xapo, or others who might otherwise have direct physical access.
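To make the quoted tier definitions and the reserve statement concrete, here is an added example (not code from Xapo, Grayscale or the original article) that classifies a key inventory as hot, cold or deep cold and checks what the reserve does and does not cover. The record fields, key names and balances are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class KeyRecord:               # hypothetical audit record, not a Xapo format
    key_id: str
    balance_btc: float
    stored_offline: bool       # key material is kept off any network today
    generated_offline: bool    # key was created on a never-networked machine
    signs_offline: bool        # signing happens on a never-networked machine
    host_ever_networked: bool  # the holding system was connected at any time

def classify(rec: KeyRecord) -> str:
    """Map a record onto the tiers defined in the quoted text."""
    if not rec.stored_offline:
        return "hot"
    deep = (rec.generated_offline and rec.signs_offline
            and not rec.host_ever_networked)
    return "deep_cold" if deep else "cold"

def custody_report(records, reserve_btc: float) -> dict:
    totals = {"hot": 0.0, "cold": 0.0, "deep_cold": 0.0}
    for rec in records:
        totals[classify(rec)] += rec.balance_btc
    held = sum(totals.values())
    return {
        "totals": totals,
        "hot_share": totals["hot"] / held if held else 0.0,
        # The reserve is described as larger than the hot wallet balance.
        "reserve_covers_hot": reserve_btc > totals["hot"],
        # Assumption: nothing outside the hot wallet has a stated backstop.
        "no_backstop_btc": totals["cold"] + totals["deep_cold"],
        # Keys claimed as offline that fail the stricter deep-cold test.
        "only_cold": [r.key_id for r in records if classify(r) == "cold"],
    }

# Constructed sample inventory (illustrative numbers only).
SAMPLE = [
    KeyRecord("hot-1", 25.0, False, False, False, True),
    KeyRecord("vault-a", 600.0, True, True, True, False),
    KeyRecord("vault-b", 300.0, True, True, True, False),
    KeyRecord("vault-c", 75.0, True, False, True, False),  # key born online
]

if __name__ == "__main__":
    print(custody_report(SAMPLE, reserve_btc=30.0))
```

On the sample, the reserve covers the 2.5% held hot, while the remaining 975 BTC depends entirely on the offline controls, and `vault-c` is flagged because its key was generated online.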

Ultimately, confidence in the Bitcoin in GBTC is directly tied to the trust you have in the security of the Xapo Vault and its deep cold storage. Insurance won't save you, and trust in Xapo Vault is required to sleep well at night.

