According to the Ciphertrace report, a whopping $516 mln in crypto was stolen from centralized exchanges and DeFi services in 2020 alone. Although most of these hacks were focused on DeFi services, the total value of stolen funds from centralized exchanges was much higher.
The largest hack in 2020 was the Kucoin hack when attackers stole more than a quarter-billion dollars in various cryptocurrencies. The cryptocurrencies were withdrawn from the exchange’s hot wallet. It is important to note that more than 25% of all Kucoin’s crypto was stored on the exchange’s hot wallet, which is considered a bad practice.
This hack, namely the causes behind it, inspired us to improve our methodology. We have included ISO 27001 and exchange Funds Insurance into our methodology. In the current analysis, CER has reviewed the list of 289 crypto exchanges. Compared to the previous reviews, we have listed derivatives exchanges on the top.
The primary goal of this report is not to promote or degrade any exchanges, but rather to provide an expert view of the state of cybersecurity in the crypto exchange industry.
For a more multifaceted and balanced evaluation, we have decided to add ISO 27001 compliance and funds insurance to our metrics. These features indicate that the clients’ funds are insured and demonstrate that their security meets international standards.
We have to clarify that the insurance fund must cover potential losses in case of hacks. Also, an exchange will be eligible for getting points for ISO 27001 only if the audit has been performed by a certified company authorized to perform such audits.
The New CSS results show that only 14 crypto exchanges (4,8%) out of 289 have gained a “good” cybersecurity score of over 8 points (see fig 1).
Fig. 1. Distribution of CSS results by total score
Compared to the previous top 100 research, the number of exchanges performing bug bounty programs to improve their security has increased from 48 to 77 (+60%!). Under the cer.live methodology, we rate self-hosted bug bounty programs two times less than those managed by third-parties. The reason for this is that only neutral third-party platforms can ensure the fair performance of the bug bounty program and there is a guarantee that the hacker will be rewarded for every identified vulnerability. Also, third-party platforms engage more hackers in the bug bounty program that leads to superior cybersecurity outcomes.
Fig. 2. Bug Bounty
The share of bug bounty programs managed by third-party platforms has increased significantly since the beginning of 2020. Most of the bug bounty programs are hosted on the following platforms:
According to our data, 42 (14,5% out of total) exchanges perform regular pentests with different cybersecurity firms. By the end of 2020, the number of received pentest reports increased significantly.
This shows us that not only have crypto exchanges have become more concerned and vocal about security they are beginning to finally put their money where their mouth is.
According to the gathered data, 8 crypto exchanges have been certified as those that meet the ISO 27001 standards, and just 6 exchanges have an insurance fund for the hack cases. And only the following 5 exchanges have both:
We have to notice that the ETH and BTC balances of each of these exchanges are more than $1 billion.
Below is a table with the final results. It contains the current score positions, position change, and the exchange’s cybersecurity score (CSS) calculated by CER according to the updated methodology.
|#||Exchange||Cybersecurity score||Position change|
|1||Binance US||9,75||+ 5|
|7||Bithumb Global||8,36||+ 5|
|73||Huobi Korea||3,86||+ 1|
|100||FTX US||2,98||+ 5|
Research results have shown that security becomes an increasing trend among cryptocurrency exchanges. Nevertheless, the overall safety assessment remains low. Less than 10% of the exchanges investigated have a good (8 or higher) level of security.
After the methodology update, except for 6 platforms, the score of most exchanges has decreased. Thus, a very small number of exchanges with large client bases got points for the features added to cer.live methodology. Ethereum and Bitcoin balances of these exchanges are well over $1 billion.
CER ranking will be updated in a week after the article publication. Exchange representatives can contact us through cer.live contact form to get a cybersecurity score review and submit certification data.
Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email.