

Cryptocurrency Exchange Security Assessment Methodology


1 Nov 2019


With the amount of money and attention entering the burgeoning cryptocurrency market, it is no surprise that crypto exchanges run a high risk of being hacked, especially since many cryptocurrency transactions are irreversible, which raises the stakes further.
Based on our experience of testing dozens of crypto exchanges, we have developed a methodology built on the OWASP Testing Guide and extended with customized checks for the business logic of cryptocurrency exchanges. It takes into account the typical assets, functions and common vulnerabilities of this type of product.

1. Scope

Usually, the scope of work for a crypto exchange includes:

  • Grey-box web application security assessment
  • API security assessment
  • Mobile security assessment (optional)

2. Objectives

The objectives of the web assessment are:

  • Perform application threat modeling
  • Circumvent authentication and authorization mechanisms
  • Escalate user privileges
  • Hijack accounts belonging to other users
  • Violate access controls placed by the administrator
  • Alter data or data presentation
  • Corrupt application and data integrity, functionality and performance 
  • Circumvent application business logic
  • Circumvent application session management
  • Break or analyze the use of cryptography within user-accessible components
  • Check blockchain implementation vulnerabilities

3. Deliverables

A consultant will provide: 

  • a proof of vulnerability (PoV) and remediation recommendations 
  • a detailed gap report indicating business risks

4. Limitations

This project is limited by the scope of this document. The following security tests shall be considered Out of Scope for this assessment:

  • Internal networks assessment
  • Application-level Denial of Service testing
  • Physical penetration testing
  • Social engineering testing

5. Methodology

The following section describes the suggested approach, which is based on the latest version of the OWASP Testing Guide, complemented by our own proprietary security testing process and internal experience.

Areas of assessment:

  • Authentication: Consultant will evaluate the adequacy of the application’s authentication control mechanism as it processes the identity of individuals or entities.
  • Authorization: Consultant will evaluate the efficacy of the application’s authorization control mechanism as it enforces which users may undertake which actions on which data through the application’s workflow. 
  • Session Management: Consultant will evaluate the adequacy of the application’s session management control mechanism as it traces the activities performed by authenticated application users. 
  • Data Validation: Consultant will evaluate the adequacy of the application’s input controls as the application processes inputs received from its different interfaces and entry points, including resistance to the various injection attacks.
  • Business Logic Bypass: Consultant will determine whether it is possible to manipulate balances, trading actions, deposit and withdrawal functions, transactions, exchange-specific business logic, and KYC/AML processes.
  • Other Tests: Consultant will assess the application based on other attacks, tampering methods, and manipulations commonly used by hackers. 

5.1 Pre-Requirements

Usually, the Consultant is provided with 3 test accounts on a testing or production environment: 1 unverified user and 2 KYC-verified users with test balances.

If the exchange uses its own set of roles, the customer must describe the access rights of each role and provide 2 test accounts per role.

Additionally, the admin panel can be placed in scope on request; otherwise, the goal is only to attempt to gain unauthorized access to it.

5.2 Typical Functions

  1. Authentication
    1. Registration
    2. Login
    3. Password recovery
    4. Session management
  2. Verification
    1. Upload documents
    2. Pass verification
  3. Account 
    1. Registration
    2. Edit
    3. Change password
    4. Delete
  4. Security Settings
    1. Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA)
    2. Withdrawal policy
  5. Wallet
    1. Deposit
    2. Withdraw
    3. Transfer
  6. Trading
    1. Place an order
    2. Cancel order
    3. Market overview
  7. API
    1. Create API key
    2. Edit API key
    3. Authenticated interaction with API
  8. Other
    1. Non-exchange applications
    2. Third-party applications

5.3 Testing Workflow

5.3.1 Reconnaissance

  1. Conduct Search Engine Discovery and Reconnaissance for Information Leakage
  2. Fingerprint Web Server
  3. Review Webserver Metafiles for Information Leakage
  4. Enumerate Applications on Webserver
  5. Review Webpage Comments and Metadata for Information Leakage
  6. Identify application entry points
  7. Map execution paths through the application
  8. Fingerprint Web Application Framework
  9. Fingerprint Web Application
  10. Fingerprint Blockchain Applications
    1. Blockchain Nodes
    2. Smart Contracts
    3. dApps
  11. Map Application Architecture

5.3.2 Testing Checklist

  1. Configuration and Deploy Management Testing
    1. Test Network/Infrastructure Configuration
    2. Test Application Platform Configuration
    3. Test File Extensions Handling for Sensitive Information
    4. Review Old, Backup and Unreferenced Files for Sensitive Information
    5. Enumerate Infrastructure and Application Admin Interfaces
    6. Test HTTP Methods
    7. Test HTTP Strict Transport Security
    8. Test HTTP Verb Tampering
    9. Test RIA cross-domain policy
    10. Test File Permission
    11. Test SSL/TLS 
  2. Identity Management Testing
    1. Test Role Definitions
    2. Test User Registration Process
    3. Test Account Provisioning Process
    4. Test Account Suspension/Resumption Process
    5. Test Password Reset Process
  3. Authentication Testing
    1. Testing for default credentials
    2. Testing for bypassing authentication schema
    3. Testing for Weak password policy
    4. Testing for Weak password change or reset functionalities
    5. Testing for Weaker authentication in alternative channel
    6. Testing Multi-Factor Authentication
  4. Authorization Testing 
    1. Testing Directory traversal/file include
    2. Testing for Bypassing authorization schema
    3. Testing for Privilege Escalation
    4. Testing for Insecure Direct Object References
  5. Session Management Testing
    1. Testing for Bypassing Session Management Schema
    2. Testing for Cross-Site Request Forgery
    3. Testing for Session Fixation and Rotation
  6. Data Validation Testing
    1. Testing for Reflected Cross-Site Scripting
    2. Testing for Stored Cross-Site Scripting
    3. Testing for HTTP Parameter pollution
    4. Testing for SQL Injection
    5. Testing for XML Injection
    6. Testing for SSI Injection
    7. Testing for XPath Injection
    8. IMAP/SMTP Injection
    9. Testing for Code Injection
    10. Testing for Command Injection
    11. Testing for incubated vulnerabilities
    12. Testing for HTTP Splitting/Smuggling
    13. Test Upload of Unexpected File Types
    14. Test Upload of Malicious Files
    15. Test for Sensitive Data Exposed in Query Parameters
  7. Client-Side Testing
    1. Testing for DOM-based Cross-Site Scripting
    2. Test Cross-Origin Resource Sharing
    3. Testing for Cross-Site Flashing
    4. Testing for Clickjacking
    5. Testing WebSockets
    6. Test Web Messaging
    7. Test Local Storage
  8. Error Handling
    1. Analysis of Error Codes
    2. Analysis of Stack Traces
    3. Analysis of Logs
  9. Business Logic Testing
    1. Test Business Logic Data Validation
    2. Test Ability to Forge Requests
    3. Test Integrity Checks
    4. Test for Process Timing
    5. Test Number of Times a Function Can be Used Limits
    6. Testing for the Circumvention of Work Flows
    7. Test Defenses Against Application Mis-use
  10. Exchange-Specific Functionality Testing
    1. Test User Input for XSS and Template Injection

This check is exchange-specific because most exchanges implement admin panel functionality for managing client accounts (including verification); account verification fields and all other user-supplied parameters should therefore be tested for blind XSS.

    2. Test transfer of funds between internal accounts for Race Conditions and Rounding Errors
    3. Test the deposit function for blockchain implementation vulnerabilities (where applicable)
      1. Race attack and other Time of Check versus Time of Use specific attacks
      2. BTC
        1. Alternative history attack
        2. Finney attack
        3. Vector76
      3. ETH
        1. ERC20 short address attack
        2. ERC20 approve front-running attack
        3. Smart Contracts Known Attacks
      4. Omni protocol validity attack (USDT)
      5. Partial Payments (XRP)
      6. False Top-Up Attack (EOS)
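The internal transfer check above (race conditions and rounding errors) as an added example that is not part of the original post: a weak ledger that keeps float balances and checks the balance outside the atomic update, beside a hardened one that stores integer minor units and performs check and debit in one critical section. Account names, balances and the Barrier used to force the interleaving are constructed for the demonstration.

```python
import threading

SATOSHI = 10 ** 8  # one BTC in integer minor units

class FloatLedger:
    # Weak pattern: float balances, and the balance check runs outside the atomic update.
    def __init__(self, balances):
        self.balances = dict(balances)
        self._db = threading.Lock()  # stands in for the database's per-statement atomicity

    def transfer(self, src, dst, amount, barrier=None):
        if self.balances[src] < amount:  # time of check
            return False
        if barrier is not None:
            barrier.wait()  # lets every concurrent request pass the check before any debit
        with self._db:  # time of use: the balance is not re-checked here
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True

class IntegerLedger:
    # Hardened: integer minor units, strict amount validation, check and debit in one critical section.
    def __init__(self, balances):
        self.balances = dict(balances)
        self._db = threading.Lock()

    def transfer(self, src, dst, amount_minor, barrier=None):
        if type(amount_minor) is not int or amount_minor <= 0 or src == dst:
            return False  # rejects negative, fractional, bool and self transfers
        if barrier is not None:
            barrier.wait()
        with self._db:
            if self.balances[src] < amount_minor:
                return False
            self.balances[src] -= amount_minor
            self.balances[dst] += amount_minor
            return True

def run_concurrent_transfers(ledger, amount, n=2):
    # n identical transfers that all reach the balance check before any of them debits.
    barrier = threading.Barrier(n)
    threads = [threading.Thread(target=ledger.transfer, args=("alice", "bob", amount, barrier)) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return dict(ledger.balances)

def rounding_demo():
    # Three 0.1 BTC transfers out of 0.3 BTC: all succeed with integers, the third fails with floats.
    weak = FloatLedger({"alice": 0.3, "bob": 0.0})
    strong = IntegerLedger({"alice": 3 * SATOSHI // 10, "bob": 0})
    return ([weak.transfer("alice", "bob", 0.1) for _ in range(3)],
            [strong.transfer("alice", "bob", SATOSHI // 10) for _ in range(3)])
```

With two simultaneous 10 BTC transfers from a 10 BTC balance, the float ledger ends at -10 for the sender and 20 for the receiver, while the integer ledger accepts exactly one of them.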

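The deposit checks listed above (time-of-check/time-of-use races on fresh transactions and XRP partial payments) as an added example, not code from the original post: deposit-crediting rules for an exchange wallet service. The XRP field names follow the rippled transaction format (Amount, Flags, validated, meta.delivered_amount); the confirmation thresholds, hot-wallet address and sample transaction are assumed or constructed.

```python
TF_PARTIAL_PAYMENT = 0x00020000  # XRP Ledger tfPartialPayment flag
MIN_CONFIRMATIONS = {"BTC": 6, "ETH": 12}  # assumed policy values, not from the page

class DepositRejected(Exception):
    pass

def credit_confirmed_deposit(chain, tx, tip_height):
    # Chain-style deposit (BTC/ETH): credit only after enough confirmations, so a payment that
    # is still in the mempool or only just mined cannot be turned into a balance and then replaced.
    if tx.get("block_height") is None:
        raise DepositRejected("unconfirmed: transaction is still in the mempool")
    confirmations = tip_height - tx["block_height"] + 1
    if confirmations < MIN_CONFIRMATIONS[chain]:
        raise DepositRejected(f"only {confirmations} confirmations")
    return tx["amount_minor"]

def credit_xrp_deposit(tx, hot_wallet, expected_tag):
    # XRP deposit: credit meta.delivered_amount, never the Amount field, because a
    # tfPartialPayment transaction can deliver far less than Amount claims.
    if not tx.get("validated"):
        raise DepositRejected("not in a validated ledger")
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != hot_wallet:
        raise DepositRejected("not a payment to our address")
    if tx.get("DestinationTag") != expected_tag:
        raise DepositRejected("destination tag does not match the user")
    meta = tx["meta"]
    if meta.get("TransactionResult") != "tesSUCCESS":
        raise DepositRejected(meta.get("TransactionResult", "no result"))
    delivered = meta.get("delivered_amount")
    if not isinstance(delivered, str) or not delivered.isdigit():
        raise DepositRejected("delivered_amount missing or not XRP drops")
    return int(delivered)  # drops actually received, whether or not tfPartialPayment is set

def rejection_reason(fn, *args):
    # Returns the rejection reason as a string, or None when the deposit is creditable.
    try:
        fn(*args)
        return None
    except DepositRejected as exc:
        return str(exc)

HOT_WALLET = "rEXAMPLEhotWalletAddress"  # constructed placeholder, not a real address
PARTIAL_PAYMENT_TX = {  # constructed: claims 1,000 XRP but only 1 XRP (1,000,000 drops) arrived
    "TransactionType": "Payment", "Destination": HOT_WALLET, "DestinationTag": 4242,
    "Amount": "1000000000", "Flags": TF_PARTIAL_PAYMENT, "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000000"},
}
```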
5.4 Test Mapping

All typical functions should be tested by the following methods:

Typical functions:

  • Authentication
  • Verification
  • Account
  • Security Settings
  • Wallet
  • Trading
  • API
  • Other

Testing methods applied to each of them:

  • Configuration and Deploy Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Data Validation Testing
  • Client-Side Testing
  • Error Handling
  • Business Logic Testing
  • Exchange-Specific Functionality Testing


The suggested methodology is a condensed version of the OWASP Testing Guide’s most valuable checks, the ones that can lead to high-risk issues at crypto exchanges. It is complemented by our proprietary security testing processes, our experience of performing penetration tests, and our participation in bug bounty programs for crypto exchanges.

This version, which is the first draft, will undergo peer review by security auditors and cryptocurrency exchange developers. Once reviewed, this document will become a public methodology.
