Binance’s Proof of Reserves gets a security boost thanks to Hacken’s discovery
Hacken researchers identified and helped fix a bug in Binance’s zkSNARK-based Proof of Reserves system related to BasePrice overflow.
🇺🇦 Hacken stands with Ukraine!Learn more
According to the Crystal blockchain report, $400M were stolen from centralized exchanges and $1,8B from DeFi services in 2021.
The largest hack in 2021 was the Bitmart incident when attackers stole $200M in various cryptocurrencies. The stolen virtual assets were withdrawn from the exchange’s hot wallet. The hack became possible due to the private key leakage.
At the end of 2021, CER included ISO 27001 and Exchange Funds Insurance in our methodology. Without these metrics, an exchange cannot get the maximum score.
ISO 27001 is a fundamental standard for crypto exchanges to follow. It covers important dimensions of securing information including confidentiality, integrity, and availability. ISO 27001 key areas are the development and maintenance of an ISMS (information security management system), which constitutes an overarching method of managing data protection practices.
To become compliant a project needs to perform a risk assessment, determine and implement security controls, and conduct their review regularly. The accredited bodies perform the audit of crypto exchanges to determine whether they are ISO 27001 compliant. For example, in 2019, one of the biggest crypto exchanges Binance was examined on 114 criteria across 14 categories. ISO compliant exchanges apply a structured approach to managing sensitive data and assets. ISO 27001 also covers internal control over private keys. Thus, if Bitmart had followed ISO 27001, very likely, it would not have suffered from the private key leakage.
The CER team also recommends crypto exchanges to become SOC 2 compliant. SOC 2 is a voluntary security standard developed by the American Institute of CPAs. The key characteristic of SOC 2 is flexibility. It covers 5 Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy, but only the first principle is mandatory. Both ISO 27001 and SOC 2 are globally recognized, but if you operate in North America, it is strongly recommended to be SOC 2 compliant. SOC 2 attestation is conducted by a licensed certified public accountant. SOC 2 compliance proves that an exchange has an effective process in place to monitor unusual system activity, authorized and unauthorized changes in system configurations, and access control. SOC 2 also focuses on whether an exchange has security alerting practices in place to immediately react to a security incident. SOC 2 compliance ensures the long-term efficiency of the exchange’s internal security practices.
In the current analysis, CER has reviewed 301 crypto exchanges.
The primary goal of this report is to provide an expert view of the state of cybersecurity in the crypto exchanges industry.
In November 2021, we updated the score: now there are letters instead of figures, it resembles traditional ratings such as S&P.
|Rating||Number of Exchanges|
Table 1. Scoring stats
The New CSS results show that 32 crypto exchanges (10.66%) out of 301 have received a “good” cybersecurity score (BBB and higher, see Table 1). X2 increase vs. 2021!
Fig. 1. Distribution of CSS results by rating
During 2021, we received >100 certification requests. Ratings have changed significantly based on the revelations of our latest research.
Compared to the previous top 100 research, the number of exchanges running bug bounty programs has increased from 77 to 98 (+27%). Under the Cer.live methodology, the weight of self-hosted bug bounty programs is two times smaller than those managed by independent third-party platforms with large communities of ethical hackers. Only independent platforms can ensure the fairness of the program and guarantee that the hacker will be rewarded for every identified vulnerability.
Fig. 2. Bug Bounty Programs
The share of bug bounty programs managed by third-party platforms has increased by 50% since the beginning of 2021. The majority of bug bounty programs are hosted on the following platforms:
According to our data, 51 (17% from all) exchanges regularly apply for pentests conducted by different cybersecurity firms.
Thus, the crypto exchanges market becomes more mature year by year.
6 crypto exchanges have the highest rating AAA. They have almost all required cyber security components in place according to Cer.live methodology.
Below is the table with the cybersecurity rating (both in letters and figures) of each exchange calculated by CER according to the updated methodology.
|#||Exchange||Cybersecurity rating||Rating in figures|
Research results show that crypto exchanges are paying greater attention to security since their security level increases every year.
More than 10% of all reviewed exchanges have a good security level. However, there are still issues mostly related to private keys management. At least 3 exchanges were hacked due to private key leakage. Exchanges have to perform ISO 27001 and SOC 2 audits to prevent hacks.
We are going to release a big crypto tokens rating in February 2022. Stay updated!
CER.live is a cybersecurity ranking and certification platform that performs security assessments of digital asset platforms based on 18+ indicators. The platform has already evaluated the security of 300+ leading crypto exchanges. Since 2020, the platform has been a trusted partner of CoinGecko and the data provided by CER.live is a part of CoinGecko’s trust score given to exchanges.