Cybersecurity of cryptocurrency exchanges is paramount in today’s increasingly digital world. These platforms hold large amounts of tokens, often worth tens of millions of dollars, belonging to thousands of unique users. Cryptocurrency exchanges are also exposed to multiple major threats: they face the same attack vectors as traditional banking systems as well as weaknesses introduced by inadequate blockchain implementation. As a result, cryptocurrency exchanges are among the most profitable targets for black hat hackers.
For this reason, raising awareness about the levels of cybersecurity deployed by exchanges is extremely important for helping users make better decisions about where to trade and store their tokens.
As the established cybersecurity leader in the cryptocurrency industry, we have the responsibility to the entire blockchain community to ensure that the blockchain industry remains safe and secure for all users.
In order to communicate the security posture of a cryptocurrency exchange to end users more effectively, we felt the need for a recognized certification system for the industry. This certification can mirror other mainstream industries, such as the way assurance companies like DNV-GL issue ISO certifications to companies that adhere to proper operating procedures.
Since 2017, we have performed dozens of security assessments of well-reputed exchanges, including Gate.io, FTX, Binance, and many more. We know good and bad practices, and we understand why hacking incidents happen.
CER is already recognized and in use by top cryptocurrency exchanges in the industry.
In December 2019, we released the industry’s first cryptocurrency exchange cybersecurity assessment methodology and we encourage external audit firms to use our practices in their independent cryptocurrency exchange cybersecurity review.
What is CER.live?
To date, more than 50 industry-related research reports were performed and produced by independent CER researchers.
We are proud that our consistent approach to educating the crypto community has had an impact on the maturity of our industry.
CERtified – Cryptocurrency Exchange Cybersecurity and Solvency External Verification
The main objective of the CERtified initiative is to educate users and discourage them from trading at cryptocurrency exchanges that do not invest enough in the security of their traders’ funds.
Certification is the formal attestation of certain cybersecurity and solvency characteristics of a cryptocurrency exchange.
We actively perform security reviews according to our internal methodology for 250+ crypto exchanges. The main components of CERtification are third-party reports on the external cybersecurity assessment procedures of crypto exchanges and validation of the exchanges’ crypto balances.
Today not all exchanges publicly disclose the existence of external cybersecurity assessments, which limits the data that CER experts can gather. We encourage crypto exchanges to publicly report all security improvements that they perform. This has to become an industry standard, just like annual financial audits for public companies.
CERtification Qualification – Our Methodology
Our certification has 4 separate levels, ranging from an uncertified exchange to a 3-star certified exchange that meets our strictest cybersecurity criteria.
| Level | Certification | Cybersecurity score (CSS) | Penetration test (<1 year) | Proof of funds | Bug Bounty |
|---|---|---|---|---|---|
| 2 | 1 star | CSS > 5 | v(x) | v(x) | x |
| 3 | 2 stars | CSS > 6 | v | v | x |
| 4 | 3 stars | CSS > 7 | v | v | v |

Legend: v = required, x = not required, v(x) = at least one of the two criteria marked v(x) is required. Level 1 is an uncertified exchange.

Note: in order to get a 1-star CERtificate, an exchange has to have either proof of reserves or a penetration test for the live version of the exchange.
Criteria 1: CyberSecurity Score (CSS)
The CyberSecurity Score is a combination of server security, user security, crowdsourced security, and the number of historical cybersecurity incidents.
Key attributes we investigate include:
- SSL. An SSL/TLS certificate should be present for the exchange, and its configuration should follow all security best practices.
- Security headers. All authorized requests should include the following headers:
- Cookie security. The HttpOnly, Secure and SameSite flags should be set for session cookies.
- DNSSEC. A DNSSEC record must be published for the domain.
- SPF. SPF record should be published and follow security best practices.
- WAF. The exchange should use a WAF and a CDN as a layer of security defense.
- SpamDB. The domain’s IP address must not be listed in spam databases.
- Open Ports. Only application ports should be open to the public.
- 2FA. 2-factor authentication should be available for end-users.
- Strong Password Policy. Users should be required to follow best-practice password requirements.
- Captcha. A CAPTCHA must be present on the “Sign in” and “Sign up” forms.
- Anti-phishing Protection. The exchange should offer an anti-phishing code (message) feature to protect users from phishing attacks.
- Withdrawal whitelist / password. If an attacker somehow gains access to a user’s session, they must not be able to withdraw funds to their own wallet.
- Device management. Users should be able to see the list of their sessions and close any of them.
- Bug Bounty. The exchange should have an ongoing bug bounty program.
- Previous Hack Cases. Historical hack cases indicate a higher risk of the next incident.
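To make three of the server- and user-side attributes above concrete, here is an added Python example (not CER’s own tooling, which the page does not publish) that scores a constructed HTTP response and SPF TXT record against the security-header, cookie-flag and SPF checks. The set of expected security headers is an assumption, since the page does not name them.

```python
"""Added checker for three CER CSS attributes: security headers, cookie flags
and the SPF record. Input is constructed; the header list is an assumption."""
from http.cookies import SimpleCookie

# Assumed header set: the page does not name the headers it expects.
EXPECTED_HEADERS = {"strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options"}
SESSION_COOKIE_FLAGS = ("httponly", "secure", "samesite")

def missing_security_headers(headers):
    """Expected headers absent from the response (names are case-insensitive)."""
    return EXPECTED_HEADERS - {k.lower() for k in headers}

def insecure_session_cookies(set_cookie_lines):
    """Map each cookie lacking HttpOnly, Secure or SameSite to its missing flags."""
    problems = {}
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)  # stdlib parser; flags without a value become True
        for name, morsel in jar.items():
            missing = [f for f in SESSION_COOKIE_FLAGS if not morsel[f]]
            if missing:
                problems[name] = missing
    return problems

def spf_issues(txt_record):
    """Flag an SPF record that is missing, malformed, or ends with a permissive +all."""
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["no 'all' mechanism: record does not constrain senders"]
    if all_terms[-1].lower() in ("all", "+all"):
        return ["permissive '+all': anyone may send mail as this domain"]
    return []

# Constructed sample: missing HSTS and CSP, an unprotected cookie, permissive SPF.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_COOKIES = ["sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
                  "csrf=xyz; Path=/"]
SAMPLE_SPF = "v=spf1 include:_spf.example.com +all"

if __name__ == "__main__":
    print("missing headers:", sorted(missing_security_headers(SAMPLE_HEADERS)))
    print("cookie problems:", insecure_session_cookies(SAMPLE_COOKIES))
    print("SPF issues:", spf_issues(SAMPLE_SPF))
```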
Criteria 2: Penetration Test
Penetration testing is an emulated cyber attack aimed at identifying flaws and vulnerabilities that could be exploited by cybercriminals. A cryptocurrency exchange must pass penetration test procedures to ensure the security of user funds and sensitive data.
Penetration tests should be repeated at a regular interval and/or after adding new features to an exchange. In this regard, penetration tests passed more than a year ago are no longer considered valid or relevant.
In order for a cryptocurrency exchange to be eligible under the penetration test CERtified criterion, it must announce the results of its external penetration testing report publicly or submit them privately to the CER team.
Criteria 3: Proof of Funds
Another important criterion for certification is proof of the funds claimed by cryptocurrency exchanges. Insolvent exchanges can cause massive damage to users, especially when withdrawal requests exceed the funds available on the exchange. To combat this, CER requires exchanges to meet the following conditions:
- Identifiable Wallets: All wallet addresses owned by the cryptocurrency exchange must be publicly disclosed and provable on blockchain explorers.
- Minimum Funding Limit: Certification of cryptocurrency exchanges will only be conducted for exchanges with a wallet balance of more than $1 million USD (in ETH and BTC terms).
The CER team, in close cooperation with Crystal Blockchain and Etherscan, has performed initial research on identifying BTC and ETH wallets related to cryptocurrency exchanges. Crypto exchanges are encouraged to contact the CER team and submit all the crypto wallets they own for our independent review through our contact form.
Criteria 4: Bug Bounty
The fourth criterion in our certification process requires cryptocurrency exchanges to have a bug bounty program run by an external crowdsourced security provider. A bug bounty is a way to detect software and configuration errors that slip past developers and security teams and could later lead to serious problems.
The bug bounty should preferably be hosted on one of the well-known bug bounty platforms so that the maximum number of white hat hackers pay attention to it. If the exchange runs the bug bounty program itself, it limits the pool of potential researchers to its own client base.
What Does This Mean For The Blockchain and Crypto Community?
As part of Hacken’s responsibilities to the cryptocurrency community, the CER initiative publicly releases the outcomes of its analyses, providing data on exchanges that do not comply with the above criteria. CER.live’s mission is to make information about the cybersecurity status of cryptocurrency exchanges publicly available.
This means that users can easily choose a reputable and highly rated cryptocurrency exchange and have peace of mind when trading their digital assets. For example, a 3-star CERtified exchange meets the highest standards of cybersecurity in comparison with all lower-level CERtified and non-CERtified exchanges.
Moving Forward To a CERtified Future
We encourage all exchanges to comply with best practices and to report any cybersecurity upgrades they perform.
Please contact us via this form with up-to-date information or to request a breakdown of your cybersecurity score.
The cryptocurrency industry is just starting out on a long path toward maturity. In these early days, user safety and protection are paramount and will only grow in importance in the years ahead. Our next major milestone will be digital asset financial audits and internal controls reviews, in order to prevent exit scams such as QuadrigaCX and to prevent fraudulent order-book submissions to cryptocurrency aggregators.
Dyma Budorin, CEO of Hacken Group:
“Hacken and our CER.live initiatives are here to help educate and protect the community against malicious actors and hackers. We are strictly impartial and independent in our assessments, and we are confident that CER will be more and more important moving forward.”
Please stay tuned for more industry-wide news regarding our CER initiative!