Author: Kostiantyn Oleshko
With the growing popularity of decentralized exchanges in recent months, it has become necessary to clarify the factors behind that popularity and the methodology used to compile their rating. In the second half of October, CER will publish its rating of DEXs on the cer.live website, so the analysts present an overview of the ranking methodology here.
A decentralized exchange (DEX) is a cryptocurrency exchange that operates without a central authority.
The main difference between CEXs (centralized exchanges) and DEXs is that users do not need to transfer their cryptocurrencies to the exchange's wallets. Unlike on a centralized exchange, the user always controls their own funds. Hackers cannot withdraw user funds from the exchange's wallets, as happened in the recent KuCoin hack, because only the end user holds the private keys.
The other important attribute of a decentralized exchange is the absence of KYC requirements. A user does not leave any personal data while trading on a decentralized exchange. To start trading, a user only needs to connect a wallet to the DEX service.
“Security rankings are crucial for DEX evaluation. We do not recommend depositing and trading crypto at DEXs with a low CER.live score,” says Dyma Budorin, CEO of the Hacken Group.
A vulnerability in an exchange's smart contracts can halt the operation of the platform or cause the loss of locked user funds. To stay secure, decentralized exchanges need to undergo a security audit after each software update and also run a bug bounty program.
A recent example of such an attack is the Balancer incident, in which a hacker stole tokens worth $500,000 by exploiting a vulnerability in a smart contract. The Balancer case became possible because the technical team had not fixed a bug that third-party cybersecurity researchers had reported 2 months earlier.
Many decentralized exchanges neither undergo regular audits nor run bug bounty programs, which can lead to new successful attacks and, as a result, reduce community confidence in DeFi projects.
CER analysts have created a methodology for assessing decentralized exchanges in order to protect traders from exchanges that do not care about their own security or the safety of their users' funds.
Drawing on a substantial body of research, the CER team of qualified specialists developed a comprehensive assessment model for decentralized exchanges, which consists of several essential components.
A smart contract security audit is a thorough analysis of smart contracts aimed at correcting design issues, errors in the code, and security vulnerabilities. An audit is one of the most important indicators of DEX security. Nevertheless, the presence of an audit does not mean that the platform is 100% secure.
We check the security audit report as well as its relevance. Security audits should be carried out after new features are added to the exchange or existing features are updated; accordingly, penetration tests performed on previous software versions are no longer considered relevant.
An SSL/TLS certificate has to be present for the DEX, and it should follow all security best practices. We use the grading system from Qualys SSL Labs, which grades websites' SSL certificates.
A bug bounty program is an offer made by services and platforms under which individuals receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. It is a way to detect software and configuration errors that can slip past developers and security teams and later lead to big problems.
Bug bounties should preferably be hosted on one of the well-known bug bounty platforms so that the maximum number of ethical hackers notice them. If the exchange runs the bug bounty program itself, it limits the pool of potential researchers to its own client base.
One of the most secure ways to store cryptocurrencies is a cold wallet: a hardware device that stores Bitcoin, Ethereum, and other cryptocurrencies offline.
In general, working directly with a hardware wallet is a safer way to interact with the platform. A hardware wallet can be connected via Metamask, but not all browsers support Metamask.
One of the main indicators of any exchange is the liquidity locked in its trading pairs. The ability to buy or sell cryptocurrency quickly and with minimal loss on the spread is one of the most important requirements of any trader.
Our liquidity score is based on the average liquidity values across the entire DEX market.
Service users must be able to find statistics on the liquidity locked in a pair, as well as the history of executed transactions. Nevertheless, such a service is not mandatory for exchanges with a visible order book where the trade history is displayed in the trading interface.
The exchange must have tools to protect the user from fake cryptocurrencies that use the same ticker symbol as the original project.
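The ticker-collision protection described above, as an added Python example (not CER's or any exchange's code): a token is identified by its contract address against a verified token list, and a symbol that matches a listed token but arrives from an unlisted address is flagged as an impostor. The token list and all addresses are constructed placeholders, not real contracts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Token:
    symbol: str
    address: str  # hex contract address; compared case-insensitively
    name: str

def placeholder_address(tag: str) -> str:
    """Build a well-formed 20-byte hex address from a short tag (constructed, not a real contract)."""
    return "0x" + tag.rjust(40, "0")

# Constructed verified token list with placeholder addresses.
VERIFIED_TOKENS: List[Token] = [
    Token("USDC", placeholder_address("a1"), "Example USD Coin"),
    Token("LINK", placeholder_address("a2"), "Example Chainlink"),
]

# The contract address, not the symbol, is the identity of a token.
BY_ADDRESS: Dict[str, Token] = {t.address.lower(): t for t in VERIFIED_TOKENS}
BY_SYMBOL: Dict[str, Token] = {t.symbol.upper(): t for t in VERIFIED_TOKENS}

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def classify_token(symbol: str, address: str) -> str:
    """Classify a token the user is about to trade.

    Returns one of:
      'verified'        address is on the list and the symbol matches
      'symbol-mismatch' address is on the list but is displayed under another symbol
      'impostor'        symbol collides with a listed token but the address is not listed
      'unknown'         neither address nor symbol is on the list
      'invalid-address' the address is not a well-formed 20-byte hex string
    """
    if not ADDRESS_RE.match(address):
        return "invalid-address"
    listed = BY_ADDRESS.get(address.lower())
    if listed is not None:
        return "verified" if listed.symbol.upper() == symbol.upper() else "symbol-mismatch"
    if symbol.upper() in BY_SYMBOL:
        return "impostor"
    return "unknown"

def warnings_for_pair(pair: Tuple[Tuple[str, str], Tuple[str, str]]) -> List[str]:
    """Build the user-facing warnings a DEX front end should show before a swap."""
    warnings: List[str] = []
    for symbol, address in pair:
        status = classify_token(symbol, address)
        if status == "impostor":
            warnings.append(f"{symbol} at {address} is NOT the verified {symbol} "
                            f"({BY_SYMBOL[symbol.upper()].address})")
        elif status == "symbol-mismatch":
            warnings.append(f"{address} is listed as {BY_ADDRESS[address.lower()].symbol}, not {symbol}")
        elif status == "unknown":
            warnings.append(f"{symbol} at {address} is not on the verified token list")
        elif status == "invalid-address":
            warnings.append(f"{address!r} is not a valid contract address")
    return warnings

if __name__ == "__main__":
    # A fake "USDC" deployed at an unlisted address, paired with the real placeholder LINK
    suspicious_pair = (("USDC", placeholder_address("ff")), ("LINK", placeholder_address("a2")))
    for w in warnings_for_pair(suspicious_pair):
        print("WARNING:", w)
```

The point of keying on the address is that a ticker is free text anyone can reuse when deploying a token, while the contract address is unique; a front end that shows only the symbol gives the user nothing to distinguish the two.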
Users must be able to set a transaction deadline. If the deadline passes before the transaction is confirmed, the trade must not be executed.
This feature is very important because a transaction might be confirmed only hours later, when market conditions have already changed.
The user should know with what deviation from the quoted price the token will be bought. Slippage tolerance prevents trades in which the price deviation exceeds the value specified by the user.
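Both protections described above (the transaction deadline and the slippage tolerance) in one added Python example; this is not CER's or any DEX's code, and the amounts, basis-point convention and timestamps are constructed. The check mirrors what a swap router enforces on chain: the user signs a minimum acceptable output and a deadline, and the swap is refused if either bound is violated at the moment the transaction is finally confirmed.

```python
from dataclasses import dataclass

BPS = 10_000  # basis points: 1% = 100 bps, 0.5% = 50 bps

def min_amount_out(quoted_out: int, slippage_bps: int) -> int:
    """Lowest output the user accepts, in integer token units (floor division, as on chain)."""
    if not 0 <= slippage_bps < BPS:
        raise ValueError("slippage tolerance must be in [0, 10000) basis points")
    return quoted_out * (BPS - slippage_bps) // BPS

def realized_slippage_bps(quoted_out: int, actual_out: int) -> int:
    """How far below the quote the actual output landed, in bps (0 if at or above the quote)."""
    if actual_out >= quoted_out:
        return 0
    return (quoted_out - actual_out) * BPS // quoted_out

@dataclass(frozen=True)
class SwapOrder:
    quoted_out: int    # output quoted by the UI when the user signed
    slippage_bps: int  # user's slippage tolerance
    deadline: int      # unix timestamp after which the order is void

def check_swap(order: SwapOrder, actual_out: int, now: int) -> str:
    """Decide whether a swap may execute when it is finally confirmed.

    Returns 'executed', 'rejected: deadline passed' or 'rejected: slippage'.
    The deadline is checked first: a stale transaction must not execute even if
    the current price happens to satisfy the slippage bound.
    """
    if now > order.deadline:
        return "rejected: deadline passed"
    floor = min_amount_out(order.quoted_out, order.slippage_bps)
    if actual_out < floor:
        return "rejected: slippage"
    return "executed"

if __name__ == "__main__":
    signed_at = 1_600_000_000  # constructed timestamp
    order = SwapOrder(quoted_out=1_000_000, slippage_bps=50, deadline=signed_at + 20 * 60)
    # Confirmed quickly, price within the 0.5% tolerance
    print(check_swap(order, actual_out=996_000, now=signed_at + 60))
    # Confirmed three hours later: the deadline voids the stale order
    print(check_swap(order, actual_out=996_000, now=signed_at + 3 * 3600))
    # Confirmed in time, but price moved 1% against the user (> 0.5% tolerance)
    print(check_swap(order, actual_out=990_000, now=signed_at + 60),
          "-", realized_slippage_bps(order.quoted_out, 990_000), "bps realized")
```

Deadline and slippage guard against different failures: the slippage bound limits how bad a price the user will accept, while the deadline limits how long that bound stays valid, so a transaction stuck in the mempool cannot execute on a quote that is hours old.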
We encourage all DEX platforms to comply with best practices, perform security audits after each significant software update, and maintain a bug bounty program to receive reports from third-party security researchers.
Contact cer.live with up-to-date information to submit relevant data before the rating is released.
The DeFi industry is just starting on a long path toward maturity. In these early days, projects' safety and protection are paramount and will only grow in importance going forward.