Crypto Exchange and Crypto Wallet Pentest Methodology

The necessity for a universal manual for testing crypto exchanges and crypto wallets

With the amount of money and attention entering the burgeoning cryptocurrency market, it’s no surprise that crypto wallets and exchanges run the risk of being hacked. Theoretically, the problem could be resolved by identifying vulnerabilities and bugs in the application’s logic; however, I still have yet to find a specific methodology that details exactly what factors one must be paying attention to during testing. Having already tested a dozen exchanges and wallets, I decided to create just such a strategic workflow.

While testing exchanges and wallets, I paid particular attention to the way they function and ultimately compiled a standardized workflow that testers can utilize to remain accurate and efficient in their analyses.

First of all, it is important to understand the necessity of security and thorough code review for exchange operators and cryptocurrency developers. It is paramount that systems remain uncompromised. Since, in fact, most exchanges and wallets are browser-based, an exchange operator may want to simulate a hacking attempt, i.e. Black Box test (see Table 1), but for a more comprehensible result, many choose to conduct a Gray Box test (see Table 1).

To test the logic at work, you need a sample cryptocurrency. Since each exchange has its own restrictions and policies on the input/output of funds, the amount of the cryptocurrency used in the test must be at least the minimum withdrawal allowance, and it would be sufficient to conduct at least 5 transactions of purchase-sale and/or input-output.

At Hacken, we perform pentests in the following order:

1. Study of publicly available information.
2. Testing by automated tools.
3. Manual verification.
4. Production of a conclusive report.

Peculiarities of testing crypto exchanges and wallets

1. KYC Verification testing is a must for most crypto-exchanges and ICOs.

This section examines the testing of file downloads (photos or screenshots of documents that confirm the identity of a person).

• Check for the ability to download executable files to the system server

• Check for the possibility of stealing scanned documents – brute-force the names of files and directories.
• Check for unauthorized access to the server file system

2. Input/Output Testing Tools

• Check the correctness of rounding of numbers when inputting/outputting funds.
• Check the wallet address at the input/output of funds (A very common yet critical mistake is not checking the wallet of the sender and receiver).
• Check the logic of the input-output of funds
• Attempt to bypass purchase-sale confirmation systems (two-factor authentication code, OTP, special password).
• Check Race Condition vulnerabilities in the withdrawal of funds.
• Check the possibility of going beyond the limits of the input/output of funds.

3. Testing of the purchase and sale of cryptocurrency (concerns only exchanges)

• Check the correctness of rounding numbers when buying and selling funds.
• Attempt to spoof addresses when buying-selling.
• Checking the logical workflow of trading funds.
• Analyzation of the possibility to substitute or modify a sell order.
• Attempt to bypass purchase-sale confirmation systems (two-factor authentication code, OTP, special password).
• Checking the possibility of a Race condition when buying/selling.
• Check for a possibility to change the receiving address of the wallet.

4. Testing the registration process

• Check the filtering of incoming parameters during registration.
• Verification of user confirmation functionality.
• Check the ability to search through usernames, e-mail addresses, and phone numbers.
• Check the possibility of circumventing the captcha check during registration.
• Check for vulnerabilities when resetting passwords and changing other user data.

5. Testing the Authentication Process

• Verification of filtering parameters during authentication.
• Verification of the possibility of producing a username and password based on dictionary phrases (protection against brute force).
• Check for CAPTCHA circumvention.
• Attempt to bypass two-factor authentication.
• Attempt to disable two-factor authentication.
• Check for data leakage during authentication.

6. Testing of frameworks and technologies used in the development of the exchange

While testing, it is necessary to determine the technologies and techniques (frameworks) on which the exchanges were developed. Thus, understanding the technology by which a wallet or an exchange was developed, it is far more likely to find potential exploits and vulnerabilities. It is also necessary to verify that no third-party libraries, frameworks, and software have publicly available vulnerabilities at the time of release, and are fully protected with properly configured security systems (for example, CloudFlare).

7. OWASP Testing

The OWASP (Open Web Application Security Project) methodology consists of a checklist that distinctly addresses all known security risks for a conventional website. While such a workflow exists, successfully securing potential high-value targets against would-be hackers largely depends on the experience, skills, and thoroughness of a pentester. The following are some very important extra steps a tester ought to include in their checklist:

• Check the filtering of parameters on the back end, often they are checked only on the front-end
• The absence of HTTP request flags, which are extremely critical, but may lead to password caching or the ability to perform a Clickjacking attack
• Check for session management faults: if an attacker steals a cookie or directly accesses a computer or phone, the hacker can perform operations as a “valid user”
• Check for vulnerable versions of open services
• Check for weak encryption algorithms in JSON Web Tokens (JWT)

8. API testing

• Test API for vulnerabilities by writing a program module to interact with the API and check for logical vulnerabilities on the client side, as well as the API.
• Use Swagger to view the structure of the request; this is necessary to determine exactly what to send to the server.

9. Testing WebSockets Software typically used for testing:

• BurpSuite
• Acunetix
• Zenmap
• Owasp ZAP
• SQLmap

Summing up

This article is written by one of the Hacken’s pentest experts. He attempted to formalize and structure a comprehensive workflow for testing exchanges, which we applied in more than 10 cases. With the rapid development of decentralized computing, the FAQs and methodologies become obsolete even faster than is typical under Moore’s Law; therefore, the article does not pretend to be an exclusive manual for testing crypto exchanges; it only expresses the experience gained in the course of repeated application of this procedure.

At Hacken, we have integrated this methodology as our primary method of testing crypto exchanges and wallets.
Contact a Specialist

Read also:

Hacken performed penetration testing of the Kuna crypto exchange