![](http://i.imgur.com/Unj0IWF.jpg)

## Issue
3rd party, centralized exchanges like Poloniex and Bittrex might be vulnerable to a similar attack vector that yielded a $75,000,000 loss in the Bitfinex Heist. 

A malicious actor could empty the exchange wallets and take off with all STEEM/SBD deposited on the exchange, if he acquired the private key that is used to sign the transactions. 

> The withdrawals on Poloniex and Bittrex are instant, and thus it is safe to assume that all the transfers are signed via automated software, on a more-or-less hot (online) system. Both exchanges appear to have 1 hot wallet each, an no wallets dedicated to cold-storage.


## Proposal
A good way to mitigate risks is to make heists less profitable for thieves. Steem already does this, by having most of its value (97%+ at this time) secured in non-transferrable VESTS. Owners of compromised accounts are only vulnerable to a 1% max loss. 

Could we limit the exposure on STEEM and SBD assets as well?

**Example Implementation:**
Owners should have the ability to set an `active_limit` on their active keys (from `cli_wallet`).

If active_limit is set, transactions signed with the Active key cannot exceed a set amount of funds in a given time period.

If a transaction is signed with the Owner key, limits are ignored.
Furthermore, only the Owner key can be used to set/remove the limit.

The RPC call could be as simple as:
```
====> set_active_limit
{
    "STEEM": 0,  // no limit
    "SBD": 1000  // limit to 1,000 SBD in a 24hr period
}
```

This would essentially enable the exchange owners, as well as large stakeholders, to proactively limit their risks in an event of a hack.

**Exchange Owners:**
For example, if a major exchange holds $2,000,000 worth of STEEM and SBD, and their average daily STEEM/SBD withdrawals are $100,000 a day, they could set the limit to $200,000 a day. The automated withdrawal systems would be unaffected, and rarely - if ever - require human intervention.

In the above example, **only 10% of holdings are at risk**.

Exchange operators should store their Owner Key and Master password in a secure *(multi-sig encrypted)* cold *(offline)* storage, which can be accessed by the top executives only.

If the exchange is hacked, or if a rogue employee decides to rob his employer, the exchange and its users will suffer only a limited loss.

**Large Stakeholders**
This implementation also applies to savvy users, whom have larger amounts of STEEM and SBD on their accounts for market-making or investment purposes. These activities require access to unlocked wallet or in-memory storage of the active key - both being vulnerable to hacker/malware attacks.

----------

We will never be able to achieve bulletproof security, however, that doesn't mean we should wait until bad things happen. We need to be proactive and try and learn from others mistakes.