Hacken & KuCoin: pentests and bug bounties as CEXs’ keys to users’ trust

After a breach in 2020, KuCoin exchange announced plans to increase cybersecurity spending, restructured its security team, and, generally, upgraded its entire security system. In May 2021, the KuCoin team reached Hacken to order a pentest.

Hacken’s first cybersecurity assessment for KuCoin

The first complex cybersecurity assessment of KuCoin performed by Hacken was completed in July 2021. Our specialists detected 34 security flaws: 12 medium-severity vulnerabilities, 14 low-severity bugs, and 8 informational issues. The majority of issues (12) were related to API. Based on the results of this assessment, the exchange was estimated as medium secure. 

Table 1. Distribution of vulnerabilities found in KuCoin during security assessment

	High	Medium	Low	Informational
Web	0	2	3	6
Android	0	5	3	1
iOS	0	5	4	1
API	0	0	4	0
Overall	0	12	14	8

KuCoin’s team introduced some fixes recommended by Hacken and during the first remediation check, our specialists detected 24 security flaws including 8 medium-severity bugs, 11 low-severity issues, and 5 informational flaws. As a result of the first complex security assessment, the exchange got 6 out of 10 security score.

Table 2. Distribution of vulnerabilities found in KuCoin after the first remediation check

	High	Medium	Low	Informational
Web	0	0	0	4
Android	0	3	3	0
iOS	0	5	4	1
API	0	0	4	0
Overall	0	8	11	5

By introducing some fixes, the exchange improved its security score to 7 out of 10. 

Two weeks later Hacken specialists performed the third remediation check for KuCoin. The exchange’s security team managed to address all medium-severity issues and, thus, there remained only 11 low-severity and 5 informational security flaws. Thus, throughout the whole security assessment, the client improved its security score by 50% to 9 out of 10. 

Table 3. Distribution of vulnerabilities found in KuCoin after the third remediation check

	High	Medium	Low	Informational
Web	0	0	0	4
Android	0	0	4	1
iOS	0	0	3	0
API	0	0	4	0
Overall	0	0	11	5

When performing this security assessment, Hacken specialists applied test cases, manual methods, and exploitation and automated tools. 

Why Hacken?

Although KuCoin’s internal security team unites around 30 highly-skilled specialists, the exchange has realized that for such a big and influential market player cooperation with reputable security vendors is a must-have. The key factor determining KuCoin’s decision to choose Hacken among all major Web 3.0 auditors was our comprehensive approach to security. Also, the other strong side of Hacken admitted by KuCoin is the successful cooperation with a number of leading crypto exchanges such as OKX, Gate.io, and Huobi, to name a few.

Further cooperation 

In April 2022, Jeff, the head of KuCoin Wallet, reached our team to apply for security testing of the new wallet app which was announced to be launched very soon. During this testing, Hacken specialists did not detect any high-severity security flaws but found 8 medium- and 5 low-severity bugs. Our team provided the client with detailed recommendations on how to effectively address all these flaws. 

The decision of KuCoin to complete a complex security testing of its wallet app prior to its official release was the demonstration of the right approach to security whereby users’ personal security is a number 1 priority. Namely, the Hacken audit was finished on 21 June 2022 while the app went live 1 week later. 

Generally, performing the wallet security audit was obligatory for the exchange that had been previously involved in the private key leakage. Thereby KuCoin strived to show its broad audience that its wallet would be 100% safe for the end users. 

KuCoin wallet app corresponded to all essential wallet security standards. The exchange’s team has been instructed on how to eliminate meaningful security flaws such as local storage containing sensitive data and possible running of the application on jailbroken devices. 

For users’ confidence in KuCoin’s security, you can find below the most effective wallet app security parameters and recommendations and check whether they are followed by KuCoin.

Wallet app main security parameters

1. Confidentiality: only authorized users have access to data;
2. Integrity: prevention of non-authorized modifications;
3. Availability: ensuring users have access to data when required.

Other important security tips

1. ensure API and web server security;
2. integrate education materials and tips for users about the secure use of the wallet app;
3. embed device verification feature;
4. implement reverse engineering and tampering protection;
5. encrypt wallet data before putting it to Keychain/Keystore;
6. limit the lifecycle of sensitive data;
7. perform regular audits of all dependencies.

KuCoin security in 2022

In June 2022, KuCoin launched a brand new educational series called “ThinkBeforeYouInvest” aimed at teaching users basic safety tips, techniques to be followed to identify common scams, and effective crypto investment strategies. In the first article of this series, KuCoin shared with the audience recommendations on how to secure their KuCoin accounts. 

KuCoin has been following the “security first” philosophy since its first contact with Hacken. In July 2022, KuCoin launched the bug bounty program on the HackenProof platform with the highest reward of $5K per reported bug. Researchers have already submitted 13 reports on security issues found in KuCoin.

In terms of security results, the efforts taken by KuCoin towards making its product a secure choice for users have allowed the exchange to get the security status of A by Cer.live thereby becoming one of the top-50 crypto exchanges by security. It’s worth pointing out that the exchange’s server security is estimated at the level of 98.2%, almost the highest possible level. The only flaw outlined by CER.live is the lack of ISO 27001 compliance. 

Final thoughts

KuCoin exchange has undergone a fundamental security transformation. Now it is fairly treated by the crypto community as one of the most reputable and secure crypto trading platforms worldwide. The risk of any serious security breach of its products today is many times lower than it used to be in 2020 if the same attack vectors applied. The main lessons to be learned from this case are that security is the main building element of the modern Web 3.0 infrastructure and the best hack recovery strategy is recognizing own mistakes and investing in security.