introducing the next-generation vault for cryptocurrencies wallet info.pdf · 2019. 6. 13. ·...


Post on 01-Jan-2021


Introducing the next-generation vault for cryptocurrencies

The problem

When it comes to cryptocurrency storage solutions, people usually want two features that are inherently incompatible:

1. Convenience: Deposit and withdraw crypto funds from any device and at any time

2. Security: Provide iron wall security

Convenience decreases security while security suffers from convenience.

The solution

You need a security system that offers maximum security and sufficient flexibility to deposit and send crypto funds at any time and from any device. Our Software team has developed a patent-pending system that does just that.

Back to the basics

To comprehend how our solution works, one first needs to understand a few basics. Cryptocurrencies utilize so-called wallets which can be compared to PayPal user accounts.

What is a Wallet?

Cryptocurrency wallets do not store any assets inside them. All assets exist on the blockchain, and it’s impossible to take a token itself offline. There is no such thing as a Bitcoin, neither physically, nor as a computer file.

Instead, cryptocurrencies use unspent transaction outputs (UTXOs) on the blockchain to represent value. When you receive a Bitcoin, your wallet is really just reading a receipt on the Bitcoin transaction ledger that says someone else sent a Bitcoin to your address. So, if there’s no such thing as a physical Bitcoin, what is in your wallet?

In order to spend the coins sent to a public address, you’ll need that address’s corresponding private key. Wallets store public-private key pairs for accessing and transferring assets that exist on the blockchain.

WALLET

What is a hot and cold wallet?

HOT wallet

A hot wallet refers to a crypto wallet that is online and connected in some way to the internet. In other words, the hot wallet keeps the public-private key pair online, making it very flexible when it comes to executing transactions, but naturally vulnerable to cyberattacks.

COLD wallet

In contrast, a cold wallet keeps key pairs completely offline, e.g. on a piece of paper or on a USB stick, making them impenetrable to cyber criminals. It makes sense to have both a hot and a cold wallet, one for convenience and one for security reasons.

IW World Exchange’s hybrid wallet

IW World Exchange's wallet structure comes with a dual wallet solution standard that includes both a hot and cold wallet. What sets our wallet apart from our competition is our hot wallet. To offer convenience without compromising security, we have developed a hot wallet that is 100% unassailable and yet offers all the amenities you need to make payments.

ARCHITECTURE

Our general wallet architecture

IW World Exchange’s hot wallet contains 3 components:

1. a frontend user interface for the end user

2. a database cluster that stores essential information such as withdrawal requests and user info

3. the actual wallet which is permanently synced to the blockchain

The frontend and wallet component each have their own server. Separate servers increase security because they spread the risk.

If someone hacks into the frontend, for instance, the funds in the wallet still remain inaccessible because they are located elsewhere.

Synchronization with the blockchain enables the hot wallet to send cryptocurrency funds to other wallet addresses and to cold storage.

[Figure: architecture diagram showing components 1 to 3, labelled public key, private key, Hot Wallet, Blockchain and Cold Storage]

Our Security System

Our security system builds on the existing wallet architecture by implementing additional measures of protection to cover every possible point of attack. These layers are composed of multiple encryption mechanisms, database grant statements and a wallet firewall.

SECURITY

Multiple encryption mechanisms

To ensure secure communication between the frontend and the wallet server, we add several intermediate layers that center around a randomly generated string which we call the secret.

Layer 1: We never store any user passwords. Instead, we store secrets and encrypt them with user passwords. If hackers manage to somehow hack into a user account, they still cannot withdraw any funds because withdrawing funds requires entering that user’s password which only the user knows.

Layer 2: We use secrets to encrypt withdrawal requests. Our hot wallet component only accepts encrypted withdrawal requests. In other words, if a hacker writes code to issue a withdrawal request, the wallet will not react as the request is not encrypted.

Layer 3: Depending on the purpose, we encrypt and decrypt our secrets in different ways. During the registration procedure, we use so-called asymmetric key pairs to safely pass along decrypted secrets to the wallet server, while during the withdrawal procedure we use a symmetric key match in conjunction with our secret encryption/decryption method to ensure secure processing of withdrawal requests.

Secured database and frontend communication

Our database features specific grant statements that prohibit any write access from the frontend server side. This prevents any database manipulation from the frontend side.

Wallet firewall

Our wallet server is protected by a firewall that prevents unauthorized wallet server access from unknown IPs.

Altogether, these components form an impenetrable wallet system that ensures maximum security from multiple angles.

Application Scenarios

The following scenarios provide a deeper understanding of the registration and withdrawal procedures.

USER SCENARIOS

User registers to create an account

1. A user registers. Upon registration each user is asked to create a password.

2. Next, a random string called ‘secret’ is generated for the user. Each secret is linked to a user account.

3. The secret is encrypted by the user password. The encrypted secret is stored in the database cluster. The user password itself is never stored!

4. Each hot wallet setup is always equipped with two keys: a public key on the frontend server side and a private key on the wallet server side. Similar to step 3, the public key is used to encrypt the secret. Hence the secret is always encrypted twice, once by the user password and once by the public key. The secret encrypted by the public key is also stored in the database cluster. Finally, the secret encrypted by the public key is sent to the wallet server via the database cluster.

5. The private key on the wallet server is used to decrypt the secret. The decrypted secret is stored on the file system of the wallet server.

[Figure: registration flow, steps 1 to 5, labelled password, secret, public key, private key and Hot Wallet]

User withdraws cryptocurrency funds

1. A user wants to make a withdrawal. The user is asked to enter his user password.

2. The entered user password is subsequently used to decrypt the secret stored in the database.

3. Our database contains a so-called action list. An action can be either a withdrawal request or the sending of an encrypted secret to the wallet. The previously decrypted secret is used to encrypt the withdrawal request and the encrypted withdrawal request is then stored in the action list.

4. The wallet server receives the encrypted withdrawal request from the action list of the database. Next, the wallet decrypts that encrypted request with the decrypted secret from its file system (see step 5 of the registration scenario). The decrypted withdrawal request can then be executed.
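The registration and withdrawal steps above, sketched end to end as an added example (not IW World Exchange's code). The page names no algorithms, so scrypt, AES-256-GCM and RSA-OAEP, along with every function name and the sample password and addresses, are assumptions.

```javascript
// Added illustration of the page's registration and withdrawal flow (not the vendor's code).
// Assumed primitives, none named on the page: scrypt, AES-256-GCM, RSA-OAEP.
const nodeCrypto = require('node:crypto');

// AES-256-GCM; blob layout is iv(12) | tag(16) | ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a bad tag
}
const kdf = (password, salt) => nodeCrypto.scryptSync(password, salt, 32);

// Registration steps 2-4: the secret is wrapped once by the password, once by the public key.
function register(password, walletPublicKey) {
  const secret = nodeCrypto.randomBytes(32);
  const salt = nodeCrypto.randomBytes(16);
  const dbRow = { salt, secretByPassword: seal(kdf(password, salt), secret) };
  return { dbRow, forWallet: nodeCrypto.publicEncrypt(walletPublicKey, secret) };
}

// Withdrawal steps 1-3 (frontend): unwrap the secret, then seal the request with it.
function requestWithdrawal(password, dbRow, request) {
  const secret = unseal(kdf(password, dbRow.salt), dbRow.secretByPassword);
  return seal(secret, Buffer.from(JSON.stringify(request)));
}

// Withdrawal step 4 (wallet server): accept only actions that open under the stored secret.
function walletAccept(walletSecret, action) {
  try { return JSON.parse(unseal(walletSecret, action).toString()); }
  catch { return null; }
}

// Constructed demo: sample password, addresses and amounts are made up.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const { dbRow, forWallet } = register('correct horse', publicKey);
  const walletSecret = nodeCrypto.privateDecrypt(privateKey, forWallet); // registration step 5
  const sealed = requestWithdrawal('correct horse', dbRow, { to: 'addr-example', amount: 1 });
  const plain = Buffer.from(JSON.stringify({ to: 'other-addr-example', amount: 9 }));
  let wrongPassword = 'accepted';
  try { requestWithdrawal('guess', dbRow, {}); } catch { wrongPassword = 'rejected'; }
  return { ok: walletAccept(walletSecret, sealed), forged: walletAccept(walletSecret, plain), wrongPassword };
}
```

The wallet can only refuse the unencrypted action because the assumed mode is authenticated; a cipher without an integrity tag would decrypt arbitrary bytes into garbage instead of failing.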

[Figure: withdrawal flow, steps 1 to 4, labelled password, public key, private key and Hot Wallet]

ATTACK SCENARIOS

To demonstrate how IW World Exchange's hot wallet fends off cyberattacks, three possible hacker scenarios are examined.

Indirect Attack

1. Scenario: A hacker uses a loophole on the frontend side and hacks into a user’s account. Then he tries to withdraw cryptocurrency funds from the hacked account.

Our Security Solution: The withdrawal request needs to be encrypted with the user’s password in order to be accepted by the wallet server. However, the hacker has no access to the user's password as it’s generally not stored in the system.

2. Scenario: A hacker registers as a regular user and tries to manipulate the database through the frontend side by changing the account balance.

Our Security Solution: Account balances generally can’t be changed from the frontend side because of our detailed database grants.

[Figure: indirect attack scenarios 1 and 2 and the Hot Wallet]

Direct Attack

3. Scenario: A hacker directly attacks the wallet server to access the cryptocurrency funds.

Our Security Solution: The hacker is not able to intrude into the server as the wallet server’s firewall allows no access from unknown IP addresses.

[Figure: Hot Wallet and Unknown IP]

Blockchain is our Passion