Cryptocurrency exchanges are major touchpoints for users to store or trade their crypto. Research confirms that exchanges currently hold over $40 billion worth of crypto in 2023.
Hackers also target exchanges because of the huge volume of funds they hold. The Mt. Gox hack of over $460 million in 2014 remains among the first and most notable exchange hacks. Attackers stole $415 million from FTX and $35 million from Crypto.com in 2022.
Security audits are the only viable protective measure for exchanges to stay safe. Read this short blog post to discover the security issues that exchanges face, how to tackle them, and how to rate your exchange security accurately.
Hackers can break into crypto exchanges from a lot of angles.
Smart contracts are at the core of any crypto exchange; they dictate how the transactions on the exchange should run. Just like other programs, smart contracts can have loopholes that threat actors can exploit.
There have been a few cases of smart contract hacks among centralized exchanges. But it has been rampant among DeFi protocols and bridges. Some hackers exploited a vulnerability in the BNB Chain, the blockchain behind Binance, and took away around $100 million.
Weak private keys are a bigger risk for centralized exchanges because they keep their customers’ private keys. When keys are generated weakly, threat actors who obtain two or more of them can predict others. Hence, exchanges must protect the private keys in a tamper-proof management system.
The weak private key vulnerability led to the Bitfinex hack of 2016, where the exchange lost over $60 million. The attacker breached the individual multisig wallets of approved transactions and redirected the funds to themselves.
Hackers also breached Deribit, a popular crypto exchange, in 2022 and exploited its wallet server. They compromised the private key and drained $28 million from the exchange’s wallet.
Every crypto transaction is approved through a digital signature. However, these signatures can be manipulated. Mt. Gox, then the world’s largest exchange, fell to this vulnerability: the hacker altered transaction hashes and walked away with $500 million in 2014.
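To show why an altered transaction hash matters for an exchange's books, here is an added Python example (not from the original post or from Hacken): a withdrawal ledger keyed by txid loses track of a transaction whose signature was re-encoded, while a ledger keyed by the inputs and outputs still recognizes it and pays only once. The transaction layout, ids and amounts are constructed stand-ins, not real Bitcoin serialization.

```python
import hashlib
import json

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def txid(tx: dict) -> str:
    # Legacy-style id: the hash covers the whole transaction, signature included, so a
    # re-encoded but still valid signature changes the id without changing the spend.
    return sha256d(json.dumps(tx, sort_keys=True).encode()).hex()

def spend_key(tx: dict) -> tuple:
    # Signature-independent identity: which coins are spent and where they go.
    ins = tuple(i["prev"] for i in tx["inputs"])
    outs = tuple((o["addr"], o["amount"]) for o in tx["outputs"])
    return (ins, outs)

def confirm_by_txid(pending: dict, confirmed_tx: dict):
    # Fragile ledger keyed by txid: a malleated copy looks like an unknown transaction, so
    # the withdrawal stays "pending" and an automated retry would pay the customer twice.
    return pending.pop(txid(confirmed_tx), None)

class WithdrawalLedger:
    """Robust ledger keyed by what the transaction spends and pays, not by its id."""
    def __init__(self):
        self.pending = {}

    def record_broadcast(self, withdrawal_id: str, tx: dict) -> None:
        self.pending[spend_key(tx)] = withdrawal_id

    def confirm(self, confirmed_tx: dict):
        return self.pending.pop(spend_key(confirmed_tx), None)

# Constructed sample (not real Bitcoin serialization): the withdrawal as broadcast ...
ORIGINAL = {
    "inputs": [{"prev": "prevtx_aaaa:0", "sig": "sig_encoding_A"}],
    "outputs": [{"addr": "customer_addr", "amount": 150000},
                {"addr": "exchange_change_addr", "amount": 49000}],
}
# ... and the copy that confirmed on-chain: same spend, signature bytes re-encoded.
MALLEATED = {**ORIGINAL, "inputs": [{"prev": "prevtx_aaaa:0", "sig": "sig_encoding_B"}]}

if __name__ == "__main__":
    print("by txid :", confirm_by_txid({txid(ORIGINAL): "w-1"}, MALLEATED))  # None
    ledger = WithdrawalLedger()
    ledger.record_broadcast("w-1", ORIGINAL)
    print("by spend:", ledger.confirm(MALLEATED))  # w-1, paid exactly once
```

Bitcoin's SegWit upgrade later moved signature data out of the txid, but keying withdrawals on the spend rather than the id remains the safe reconciliation rule for any chain.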
Attackers are not limited to smart contract vulnerabilities alone. They can also come in through the websites. An exchange faces various website-based cyber threats, including JavaScript injection, XSS, and cross-site request forgery attacks.
A typical exchange relies on various infrastructure providers for its services. Flaws in the software or server of their vendors can be a single point of failure. For example, Bitfinex once partnered with BitGo for multisig management. Attackers found a loophole in the BitGo code and stole around $72 million.
Crypto platforms are susceptible to a myriad of cyberattacks. Thus, knowing how to surf the waters without drowning is crucial.
The crypto industry has several recognized security standards, including the popular CryptoCurrency Security Standard (CCSS), ISO 27001, and the EEA EthTrust Security Levels Specification. These standards outline requirements for information security controls and security best practices. Their requirements often cut across every aspect of digital asset and data management security. Exchanges that pass these and other relevant security certifications demonstrate higher levels of security.
Although crypto is all about decentralization, a fair degree of centralized regulation is practically unavoidable. Governments want to ensure that crypto platforms neither defraud nor illegally use their citizens’ data. Therefore, getting the necessary operating licenses in any country is a great way to build trust with the government and the citizens there. All the biggest exchanges have KYC policies and follow anti-money laundering laws.
Hackers have exploited some exchanges due to their weak digital asset management systems. Keep more funds in a multisig wallet; several signatories are required before funds can move out. At the same time, ensure the signatories are trustworthy to avoid insider attacks.
It is risky to keep the digital assets of an exchange in a hot wallet as it can be targeted in phishing and other forms of online attacks.
The crypto industry is risky and has matured to a stage where users want to verify every important piece of information and be assured of the underlying assets. A proof-of-reserves audit is a credible way to show users that the exchange is secure and solvent.
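As an added illustration that is not part of the original post, here is a minimal Merkle-sum tree of the kind used for proof of reserves: the exchange publishes the root (a hash plus the total liabilities), and each user checks that their own balance is included, with every node on the path recomputed and rejected if a sibling carries a negative sum. User ids, balances and salts are constructed sample values.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(user_id: str, balance: int, salt: bytes) -> tuple:
    # A node is (hash, sum). The user id is committed under a per-user salt, so the
    # published tree reveals nothing about other customers; the user needs the salt to verify.
    return (h(salt, user_id.encode(), balance.to_bytes(8, "big")), balance)

def parent(left: tuple, right: tuple) -> tuple:
    # The verifier recomputes every parent on its path, so a negative sibling balance
    # (the classic trick for hiding liabilities) is rejected here rather than trusted.
    if left[1] < 0 or right[1] < 0:
        raise ValueError("negative balance in tree")
    total = left[1] + right[1]
    return (h(left[0], right[0], total.to_bytes(8, "big")), total)

def build_tree(leaves: list) -> list:
    # Returns all levels, bottom up; levels[-1][0] is the root (hash, total liabilities).
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        row = levels[-1]
        if len(row) % 2:
            row.append((h(b"empty"), 0))  # pad odd rows with a zero-balance leaf
        levels.append([parent(row[i], row[i + 1]) for i in range(0, len(row), 2)])
    return levels

def proof_for(levels: list, index: int) -> list:
    # Inclusion proof: the sibling node at each level and whether our node is the left child.
    path = []
    for row in levels[:-1]:
        path.append((row[index ^ 1], index % 2 == 0))
        index //= 2
    return path

def verify(user_id: str, balance: int, salt: bytes, path: list, root: tuple) -> bool:
    node = leaf(user_id, balance, salt)
    for sibling, is_left in path:
        node = parent(node, sibling) if is_left else parent(sibling, node)
    return node == root

# Constructed sample customers: (user id, balance in satoshi, per-user salt).
USERS = [("alice", 500, b"salt-a"), ("bob", 1200, b"salt-b"), ("carol", 0, b"salt-c")]
if __name__ == "__main__":
    levels = build_tree([leaf(*u) for u in USERS])
    root = levels[-1][0]
    print("published root:", root[0].hex(), "total liabilities:", root[1])  # 1700
    print("bob included:", verify("bob", 1200, b"salt-b", proof_for(levels, 1), root))  # True
```

An auditor then compares the published total against the exchange's provable on-chain holdings; the tree alone only shows liabilities, not that reserves cover them.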
Penetration testing is a cybersecurity practice where ethical hackers try to test every part of a software or management system for potential vulnerabilities.
The main output of pen testing is the report and its recommendations: the pen testing team should report their findings and recommend how the exchange can improve.
The idea behind pen testing is to assess the level of the exchange’s security. Often, the pen testing team is drawn from the in-house cybersecurity team members.
Blackhats often cause terrible havoc when they breach an exchange’s security; they can take away all the funds. Bug bounty programs are a better way to ameliorate this.
These programs encourage whitehats to demonstrate an exploit and win a bounty, rather than letting a blackhat leave the exchange in debt.
Kucoin is a commendable example. They set up a $1 million bounty on HackenProof as a reward for whitehats.
Every exchange has two major sides: the on-chain and the off-chain component. Threat actors often come in from both angles. Security audits are effective measures for experts to assess your platform and discover vulnerabilities in time.
A comprehensive security audit by a trusted third party can help crypto trading platforms fix bugs and be more secure, as in the recent case of WhiteBIT. Audits must accompany every major update to effectively cover a large share of the codebase.
Code scanning is essential to detect code vulnerabilities before mainnet deployment. The scanning tools analyze the codebase with different assessment methods, including static analysis, interactive analysis, dynamic analysis, and software composition analysis.
Red teaming is a more proactive and adversarial approach where a team does all within its power to break an organization’s security to steal funds or gain access to sensitive data. Think of it as the most extreme version of pentesting, where the red team may even utilize physical attack vectors to achieve their aim. This can include attempting to steal the cold wallets of the exchange. If the red team eventually wins, they must provide feedback on improvement. Albeit rigorous, we recommend the red team approach to exchanges that want to take their security to the next level.
Some key metrics can be used to track the security of a crypto exchange; they form the rating methodology. Most of the rating mechanisms are adaptations of the OWASP testing guide.
The scores for these metrics differ between assessing platforms. See a list of rated crypto exchanges here.
Crypto exchanges must prioritize security to safeguard users’ funds and data. Judging by the recent cases of hacks over the years, exchanges have to move beyond basic security measures. This article discussed various vulnerabilities and actionable ways crypto companies can be more secure.
One of our foremost goals at Hacken is to ensure crypto has tamper-proof security. We audited Gate.io and pentested Kucoin. These exchanges have tight and unbreachable security to date. Take the security of your crypto exchange to the next level. Reach out to book a full crypto exchange security audit today!