With the amount of money and attention entering the burgeoning cryptocurrency market, it is no surprise that crypto wallets and exchanges run the risk of being hacked. In theory, the problem could be addressed by identifying vulnerabilities and bugs in the application's logic; however, I have yet to find a specific methodology that details exactly which factors a tester must pay attention to during testing. Having already tested a dozen exchanges and wallets, I decided to create just such a strategic workflow.
While testing exchanges and wallets, I paid particular attention to the way they function and ultimately compiled a standardized workflow that testers can utilize to remain accurate and efficient in their analyses.
First of all, it is important to understand why security and thorough code review are necessary for exchange operators and cryptocurrency developers: it is paramount that these systems remain uncompromised. Since most exchanges and wallets are browser-based, an exchange operator may want to simulate a hacking attempt, i.e. a Black Box test (see Table 1), but for a more comprehensive result many choose to conduct a Gray Box test (see Table 1).
To test the logic at work, you need a sample cryptocurrency. Since each exchange has its own restrictions and policies on the deposit and withdrawal of funds, the amount of cryptocurrency used in the test must be at least the minimum withdrawal allowance, and it is sufficient to conduct at least 5 transactions of purchase-sale and/or deposit-withdrawal.
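As an added example that is not part of the original article or Hacken's own tooling, the following Python harness drives the transaction cycle just described (a deposit at or above the minimum withdrawal, then five purchase-sale and withdraw-redeposit rounds) and checks that the balance reconciles with what the tester sent and received and that the stated minimum withdrawal is actually enforced. `MockExchange` is an assumption standing in for the exchange's real deposit/trade/withdraw API.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class MockExchange:
    """Stand-in for the exchange under test; a real run swaps in a client with these methods."""
    min_withdrawal: Decimal
    withdrawal_fee: Decimal
    price: Decimal                           # fiat per coin, fixed for the mock
    coin: Decimal = Decimal("0")
    fiat: Decimal = Decimal("0")

    def deposit(self, amount):
        self.coin += amount
    def sell(self, coins):                   # coin -> fiat
        if coins > self.coin:
            raise ValueError("insufficient coin")
        self.coin, self.fiat = self.coin - coins, self.fiat + coins * self.price
    def buy(self, coins):                    # fiat -> coin
        if coins * self.price > self.fiat:
            raise ValueError("insufficient fiat")
        self.coin, self.fiat = self.coin + coins, self.fiat - coins * self.price
    def withdraw(self, amount):
        if amount < self.min_withdrawal:
            raise ValueError("below minimum withdrawal")
        if amount + self.withdrawal_fee > self.coin:
            raise ValueError("insufficient coin")
        self.coin -= amount + self.withdrawal_fee
        return amount

def run_cycles(ex, stake, rounds=5):
    """Deposit `stake`, run `rounds` sell/buy and withdraw/re-deposit pairs, return findings."""
    if stake < ex.min_withdrawal + ex.withdrawal_fee:
        raise ValueError("test stake must cover the minimum withdrawal plus fee")
    ex.deposit(stake)
    sent, received, fees = stake, Decimal("0"), Decimal("0")   # tester-side bookkeeping
    for _ in range(rounds):
        ex.sell(stake / 2); ex.buy(stake / 2)            # purchase-sale round trip
        out = ex.withdraw(ex.min_withdrawal)             # smallest allowed withdrawal
        ex.deposit(out)                                  # send it straight back in
        sent, received, fees = sent + out, received + out, fees + ex.withdrawal_fee
        assert ex.coin >= 0 and ex.fiat >= 0, "negative balance"
    # Invariant: balance (fiat valued at the fixed price) + fees paid == sent in - received back.
    conserved = ex.coin + ex.fiat / ex.price + fees == sent - received
    try:                                                 # stated minimum must be enforced
        ex.withdraw(ex.min_withdrawal - Decimal("1E-8")); rejects_below_min = False
    except ValueError:
        rejects_below_min = True
    return {"rounds": rounds, "final_coin": ex.coin, "fees_paid": fees, "conserved": conserved, "rejects_below_min": rejects_below_min}
```

A `conserved` of `False` or `rejects_below_min` of `False` against a real exchange is a finding to investigate, not a harness bug.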
At Hacken, we perform pentests in the following order:
This section examines the testing of file uploads (photos or screenshots of documents that confirm a person's identity).
While testing, it is necessary to determine the technologies and frameworks on which the exchange was developed. Understanding the technology behind a wallet or exchange makes it far more likely that potential exploits and vulnerabilities will be found. It is also necessary to verify that no third-party libraries, frameworks, or software components have publicly known vulnerabilities at the time of release, and that they are fully protected by properly configured security systems (for example, CloudFlare).
The OWASP (Open Web Application Security Project) methodology consists of a checklist that distinctly addresses all known security risks for a conventional website. Even with such a workflow in place, successfully securing a high-value target against would-be attackers largely depends on the experience, skills, and thoroughness of the pentester. The following are some very important extra steps a tester ought to include in their checklist:
This article was written by one of Hacken's pentest experts. He attempted to formalize and structure a comprehensive workflow for testing exchanges, which we have applied in more than 10 cases. With the rapid development of decentralized computing, FAQs and methodologies become obsolete even faster than is typical under Moore's Law; therefore, this article does not pretend to be an exclusive manual for testing crypto exchanges; it only expresses the experience gained in the course of repeatedly applying this procedure.
At Hacken, we have integrated this methodology as our primary method of testing crypto exchanges and wallets.