PAYFAIR P2P EXCHANGE
DESCRIPTION OF EVENTS
“On October 2, PayFair—a decentralized escrow and P2P exchange—closed its website because one of its main cold wallets was emptied, leading many to speculate about a possible exit scam. On September 29, PayFair disclosed on its Telegram channel that the private key to one of its cold wallets was compromised, which led to a hack. Their team says it is still unsure of how the private key was compromised but is conducting an internal investigation into the matter. While user funds have since been transferred to backup wallets, part of the ETH that was stolen has not been recovered. Despite announcing that the platform would only be down ‘until the end of the week,’ the PayFair.io website still appears to be down and they have not updated their social media since July 29.”
Ethereum has no protocol-level multi-signature transaction type, so a proper multi-signature wallet has to be implemented as a smart contract that checks for the required number of distinct owner approvals before it releases funds. That contract is itself code, and contract wallets have had their own exploitable bugs, so a multisig on Ethereum is one more component that needs auditing. More importantly, it does not make sense to trust an unknown team in an unidentified jurisdiction with your funds, regardless of whether the service calls itself "P2P": an escrow service that holds the keys is a custodian, and every risk that applies to a centralized exchange applies to it as well.
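The difference between the single-key cold wallet described above and an m-of-n multisig is easiest to see in the approval logic itself. The following is an added example, not PayFair's code and not a real Ethereum contract: it is a Python model of the approval rules a multisig contract enforces, with owner labels standing in for ECDSA key holders (no signature verification) and a transfer reduced to a recipient and an amount. The attacker scenario assumes exactly one owner key was stolen, which is the failure the report describes.

```python
"""Toy m-of-n multisig wallet modelling the approval logic of an Ethereum
multisig contract. Added illustration, not PayFair's code and not a real
contract: "keys" are plain owner labels standing in for ECDSA key holders,
and a transaction is a (recipient, amount) pair."""
from dataclasses import dataclass, field


@dataclass
class Proposal:
    to: str
    amount: int
    confirmations: set = field(default_factory=set)
    executed: bool = False


class MultisigWallet:
    def __init__(self, owners, threshold, balance):
        owners = set(owners)
        if not 1 <= threshold <= len(owners):
            raise ValueError("threshold must lie between 1 and the owner count")
        self.owners = owners
        self.threshold = threshold
        self.balance = balance
        self.proposals = []

    def _require_owner(self, signer):
        if signer not in self.owners:
            raise PermissionError(f"{signer!r} is not an owner")

    def propose(self, signer, to, amount):
        """An owner proposes a transfer; proposing counts as that owner's confirmation."""
        self._require_owner(signer)
        self.proposals.append(Proposal(to, amount))
        pid = len(self.proposals) - 1
        self.confirm(signer, pid)
        return pid

    def confirm(self, signer, pid):
        """Record one owner's approval. Confirmations are a set, so the same
        key confirming twice still counts once."""
        self._require_owner(signer)
        p = self.proposals[pid]
        if p.executed:
            raise PermissionError("proposal already executed")
        p.confirmations.add(signer)

    def execute(self, signer, pid):
        """Move funds only once the threshold of distinct owner keys has approved."""
        self._require_owner(signer)
        p = self.proposals[pid]
        if p.executed:
            raise PermissionError("proposal already executed")
        if len(p.confirmations & self.owners) < self.threshold:
            raise PermissionError(
                f"{len(p.confirmations)} of {self.threshold} required confirmations")
        if p.amount > self.balance:
            raise ValueError("insufficient balance")
        p.executed = True
        self.balance -= p.amount
        return p.amount


def attacker_drain(owners, threshold, stolen_key, balance):
    """Amount an attacker holding exactly one owner key can move out (assumed scenario)."""
    wallet = MultisigWallet(owners, threshold, balance)
    pid = wallet.propose(stolen_key, "attacker", balance)
    wallet.confirm(stolen_key, pid)  # re-confirming with the same key adds nothing
    try:
        return wallet.execute(stolen_key, pid)
    except PermissionError:
        return 0


def legitimate_payout(owners, threshold, balance, signers, to, amount):
    """(amount released, remaining balance) when `signers` approve a transfer."""
    wallet = MultisigWallet(owners, threshold, balance)
    pid = wallet.propose(signers[0], to, amount)
    for s in signers[1:]:
        wallet.confirm(s, pid)
    return wallet.execute(signers[0], pid), wallet.balance


if __name__ == "__main__":
    # Single-key cold wallet (1-of-1): one stolen key empties it.
    print(attacker_drain(["ops"], 1, "ops", 1_000))                              # 1000
    # 2-of-3 with keys held by separate people: the same stolen key moves nothing.
    print(attacker_drain(["a", "b", "c"], 2, "a", 1_000))                        # 0
    # ...while two honest signers still release funds normally.
    print(legitimate_payout(["a", "b", "c"], 2, 1_000, ["a", "b"], "user", 400))  # (400, 600)
```

The point of the model is the `confirmations & self.owners` check: approvals are counted per distinct owner key, so a stolen key can be used to propose and to confirm, but never to reach a threshold of two on its own. In a real deployment the owners must be independent people on separate devices; three keys on one machine are operationally a single key.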
HOW COULD THIS HAVE BEEN PREVENTED?
Let this be a reminder that calling a service "decentralized" does not mean it holds no customer funds: PayFair held the keys to its cold wallets, and the compromise of a single private key was enough to empty one of them. The proper storage of funds offline in a multi-signature wallet, with the keys held by multiple reputable and independent people, has never been breached.