
KuCoin

Audit name: [PT] KuCoin / Web / Jan2025

Date: Jan 31, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the KuCoin team for the collaborative engagement that enabled the execution of this dApp Security Assessment.

KuCoin is a major global cryptocurrency exchange that was founded in 2017. Initially based in China, the company later moved its operations to Singapore and subsequently to Seychelles in response to evolving regulatory environments.

Document

Name: Pentest and Security Analysis Report for KuCoin
Audited By: Bogdan Bodisteanu
Approved By: Stephen Ajayi
Website: kucoin.com
Changelog: 29/01/2025 - Preliminary Report
Methodology: https://hackenio.cc/dApp_methodology


Audit Summary

Total Findings: 2
Resolved: 0
Accepted: 0
Mitigated: 0

System users should acknowledge all the risks summarised in the risks section of this report.

Threat Model

Broken Access Control

Lack of proper access control mechanisms and protections that could allow unauthorized users to perform restricted actions or access sensitive information.

Attack Scenario: An attacker manipulates URL parameters or API requests to gain unauthorized access to other users' accounts, modify their data, or perform restricted actions.

Potential Impact:

Unauthorized access to sensitive user data.

Unauthorized transactions or data modifications.

Authentication Issues

Weaknesses in authentication mechanisms that could lead to account compromises.

Attack Scenarios:

Weak password policies that allow brute-force or dictionary attacks.

Failure to enforce Multi-Factor Authentication (MFA).

Insufficient session management, leading to session hijacking.

Credential stuffing using leaked or reused passwords.

Potential Impact:

Account takeovers.

Unauthorized access leading to fraudulent activities.

Sensitive Information Disclosure

Improper handling of sensitive data in API responses, web pages, or logs.

Attack Scenario: Sensitive user information, such as API keys, credentials, or personal data, is exposed in API responses or error messages, allowing attackers to exploit this data.

Potential Impact:

Privacy violations and identity theft.

Data breaches leading to compliance violations.

Rate Limiting Issues

Lack of proper rate limiting mechanisms on critical endpoints.

Attack Scenario: An attacker sends automated API requests at a high frequency to brute-force credentials or overload the system.

Potential Impact:

Denial of Service (DoS) attacks affecting availability.

Increased chances of successful credential brute-forcing.

Security Misconfigurations

Incorrect system configurations exposing the platform to security risks.

Attack Scenarios:

Exposed admin panels or APIs without proper authentication.

Overly verbose error messages revealing system details.

Misconfigured CORS policies allowing unauthorized access.

Potential Impact:

Increased risk of targeted attacks.

Exposure of sensitive backend infrastructure.

Injection Attacks

Exploiting unsanitized inputs to manipulate backend queries or execute malicious code.

Attack Scenario: An attacker injects SQL, NoSQL, or command injection payloads into API parameters, leading to unauthorized data access or modification.

Potential Impact:

Unauthorized access or alteration of database records.

Execution of arbitrary commands on the server.

Cross-Site Scripting (XSS)

Allowing attackers to inject malicious scripts into web pages.

Attack Scenario: An attacker embeds JavaScript payloads into input fields (e.g., comment sections, chat windows), leading to session hijacking or credential theft.

Potential Impact:

Theft of user credentials or session cookies.

Unauthorized execution of actions on behalf of users.

Cross-Site Request Forgery (CSRF)

Exploiting trusted user sessions to perform unauthorized actions.

Attack Scenario: A logged-in user clicks on a malicious link, triggering unauthorized requests (e.g., fund transfers, account changes) without their consent.

Potential Impact:

Unauthorized transactions or account modifications.

Loss of user trust and potential legal consequences.

Race-Condition Exploits

Manipulating transaction timing to gain financial advantages.

Attack Scenario: An attacker submits concurrent API requests to withdraw more funds than their account balance permits.

Potential Impact:

Financial losses due to double-spending.

Integrity issues in transaction processing.

System Overview

KuCoin is a major global cryptocurrency exchange that was founded in 2017. Initially based in China, the company later moved its operations to Singapore and subsequently to Seychelles in response to evolving regulatory environments. Since its launch, KuCoin has grown significantly, serving over 30 million users in more than 200 countries. It is known for its user-friendly interface, extensive range of trading options, and diverse selection of digital assets. The platform supports spot trading, futures trading, margin trading, staking, and lending, making it a versatile choice for both novice and experienced traders.

In terms of investment and funding, KuCoin secured $20 million in a Series A funding round in 2018, led by IDG Capital and Matrix Partners. In May 2022, it raised an additional $150 million in a Series B round, led by Jump Crypto, pushing its valuation to $10 billion. These investments have enabled the company to expand its ecosystem, enhance security measures, and improve platform infrastructure.

KuCoin has also introduced innovative products to stay ahead in the cryptocurrency industry. In January 2025, the company launched “KuCoin Pay,” a point-of-sale system that allows users to make payments directly from their KuCoin exchange balances. This initiative aims to integrate cryptocurrency transactions into mainstream financial activities, making digital assets more accessible for everyday use.

Despite its success, KuCoin has faced significant challenges. In September 2020, it suffered a major security breach that resulted in the theft of approximately $281 million worth of cryptocurrencies. However, through partnerships with blockchain tracking firms and law enforcement, KuCoin managed to recover most of the stolen assets and reinforced its security protocols to prevent future incidents.

More recently, in January 2025, KuCoin pleaded guilty to operating an unlicensed money-transmitting business in the United States. As part of a settlement with U.S. authorities, the company agreed to pay nearly $300 million in fines and forfeitures. Additionally, it will exit the U.S. market for at least two years, and its co-founders, Chun Gan and Ke Tang, will step down from their management roles.

Despite regulatory challenges, KuCoin remains a dominant force in the global cryptocurrency market. It continues to provide a wide range of financial services, attracting millions of users who rely on its advanced trading tools and liquidity. As the cryptocurrency industry evolves, KuCoin is expected to adapt and expand its offerings to maintain its position as a leading digital asset exchange.

Findings

Code: F-2025-8262
Title: Insecure x-bullet-token Cookie Configuration
Status: unfixed
Severity: Observation

Code: F-2025-8261
Title: Use of Outdated Library (Moment.js)
Status: unfixed
Severity: Observation
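The first finding names the x-bullet-token cookie but the report does not say which attribute was missing. As an added example (not part of the Hacken report or KuCoin's code), the Python below audits constructed Set-Cookie headers for the Secure, HttpOnly and SameSite attributes and for correct use of the __Host- prefix; the token value and the attribute sets shown are assumptions.

```python
# Added example, not from the report: a defender-side check of the attributes
# a session-style cookie such as x-bullet-token should carry.


def parse_set_cookie(header_value: str) -> tuple[str, str, dict]:
    """Split one Set-Cookie header value into (name, value, {attr: val}).

    Attribute names are lowercased; flag attributes (Secure, HttpOnly) map
    to an empty string. Splitting on ';' keeps Expires dates with commas intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str) -> dict:
    """Report hardening attributes missing from a single Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header_value)
    missing = []
    if "secure" not in attrs:          # sent over plain HTTP otherwise
        missing.append("Secure")
    if "httponly" not in attrs:        # readable by script (XSS) otherwise
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        missing.append("SameSite=Strict|Lax")   # None/absent loses CSRF margin
    # __Host- binds the cookie to one origin: needs Secure, Path=/, no Domain.
    prefix_ok = True
    if name.startswith("__Host-"):
        prefix_ok = ("secure" in attrs and "domain" not in attrs
                     and attrs.get("path") == "/")
    elif name.startswith("__Secure-"):
        prefix_ok = "secure" in attrs
    return {"name": name, "missing": missing, "prefix_ok": prefix_ok}


# Constructed sample headers: a weak configuration of an assumed token cookie
# and a hardened form of it using the __Host- prefix (token value is made up).
SAMPLE_HEADERS = [
    "x-bullet-token=abc123; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT",
    "__Host-x-bullet-token=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def audit_headers(headers: list[str]) -> list[dict]:
    return [audit_set_cookie(h) for h in headers]
```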


Appendix 1. Severity Definitions

Severity

Description

Critical
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High
These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

Medium
These issues present a moderate risk to the system and do not greatly impact its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low
These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following Web & API endpoints:

Assets in Scope

kucoin.com

Disclaimer