Exchange security comprises more than just securing the tokens being traded. Exchanges have two main assets to protect: user funds and user data. Both can be compromised in many ways: hacking the exchange's wallets, the absence of fallback mechanisms or thorough security measures, phishing or, as the following case study shows, third-party APIs.
Case Study: Binance 3rd Party API Hack
“On Mar 7, UTC 14:58–14:59, within this 2 minute period, the VIA/BTC market experienced abnormal trading activity. Our automatic risk management system was triggered, and all withdrawals were halted immediately.”
This message was sent out due to a large-scale phishing and theft attempt. The Binance API itself was not compromised, but a 3rd party trading bot was. This trading bot holds Binance API keys so that it can place buy and sell orders on the user's behalf. However, due to a security issue with this 3rd party bot, hackers were able to get access to multiple accounts.
The reason I've picked this case is to show that an exchange also has to think beyond its internal systems.
In this case, the hackers knew in advance that they could not withdraw through the trading bot, so before the hack they bought large amounts of VIA coin, used the hijacked bot accounts to pump it, and sold at a higher price.
Luckily, Binance has detection algorithms in place that were able to detect this suspicious behavior change for VIA coin and halted trading for the coin.
Besides the detection algorithms, they have a fallback mechanism in place to renew all API keys so further damage could be prevented.
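What the "abnormal trading activity" detection and the two fallbacks can look like in code, as an added example written for this post (it is not Binance's system; the thresholds, the VIA/BTC tape and the key ids are constructed): a per-market detector compares the last two minutes of volume and price movement against the preceding 28-minute baseline, and when it fires the exchange halts withdrawals and the affected market and invalidates every API key, which is what cuts a hijacked third-party bot off.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Trade is one fill on a market. Every trade used below is constructed.
type Trade struct {
	Market string
	Price  float64
	Volume float64 // base-asset amount
	At     time.Time
}

// Detector keeps a rolling history per market and compares the last Short
// minutes against the Long baseline before it. Thresholds are assumed values.
type Detector struct {
	Short, Long    time.Duration
	VolumeFactor   float64 // alarm when the short-window volume rate exceeds the baseline by this factor...
	PriceMoveLimit float64 // ...and the price moved by more than this fraction inside the short window
	MinBaseline    float64 // floor for the baseline rate (volume/minute) so a quiet market has a reference
	history        map[string][]Trade
}

func NewDetector() *Detector {
	return &Detector{Short: 2 * time.Minute, Long: 30 * time.Minute,
		VolumeFactor: 10, PriceMoveLimit: 0.25, MinBaseline: 1, history: map[string][]Trade{}}
}

// Observe records a trade (trades arrive in time order) and reports whether the market now looks pumped.
func (d *Detector) Observe(t Trade) bool {
	h := append(d.history[t.Market], t)
	for cut := t.At.Add(-d.Long); len(h) > 0 && h[0].At.Before(cut); { // drop trades older than the baseline
		h = h[1:]
	}
	d.history[t.Market] = h
	shortStart := t.At.Add(-d.Short)
	var shortVol, longVol float64
	firstShortPrice, seen := t.Price, false
	for _, x := range h {
		if x.At.Before(shortStart) {
			longVol += x.Volume
		} else {
			if !seen {
				firstShortPrice, seen = x.Price, true
			}
			shortVol += x.Volume
		}
	}
	baselineRate := math.Max(longVol/(d.Long-d.Short).Minutes(), d.MinBaseline)
	priceMove := math.Abs(t.Price-firstShortPrice) / firstShortPrice
	return shortVol/d.Short.Minutes() > d.VolumeFactor*baselineRate && priceMove > d.PriceMoveLimit
}

// Exchange models the two fallbacks the post describes: halting withdrawals (and the
// affected market) and invalidating every API key so hijacked integrations lose access.
type Exchange struct {
	WithdrawalsHalted bool
	HaltedMarkets     map[string]bool
	APIKeys           map[string]bool // key id -> still valid
}

func (e *Exchange) OnAnomaly(market string) {
	e.WithdrawalsHalted = true
	e.HaltedMarkets[market] = true
	for id := range e.APIKeys {
		e.APIKeys[id] = false // every integration, third-party bots included, must re-enrol
	}
}

// Simulate replays a constructed VIA/BTC tape: 28 minutes of steady 10-unit fills every
// 10 s, then 1000-unit fills every 5 s with the price stepping up 4% per fill. It returns
// the index of the trade that raised the alarm (-1 if none) and the exchange state.
func Simulate() (int, *Exchange) {
	ex := &Exchange{HaltedMarkets: map[string]bool{}, APIKeys: map[string]bool{"bot-key-1": true, "user-key-2": true}}
	d := NewDetector()
	start := time.Date(2018, 3, 7, 14, 30, 0, 0, time.UTC) // constructed timestamps
	var tape []Trade
	for i := 0; i < 28*6; i++ {
		tape = append(tape, Trade{"VIA/BTC", 0.000120, 10, start.Add(time.Duration(i) * 10 * time.Second)})
	}
	pumpStart := start.Add(28 * time.Minute)
	for i := 0; i < 24; i++ {
		p := 0.000120 * (1 + 0.04*float64(i))
		tape = append(tape, Trade{"VIA/BTC", p, 1000, pumpStart.Add(time.Duration(i) * 5 * time.Second)})
	}
	for i, t := range tape {
		if d.Observe(t) {
			ex.OnAnomaly(t.Market)
			return i, ex
		}
	}
	return -1, ex
}

func main() {
	i, ex := Simulate()
	fmt.Printf("alarm at trade %d, withdrawals halted: %v, bot key still valid: %v\n", i, ex.WithdrawalsHalted, ex.APIKeys["bot-key-1"])
}
```

Requiring both a volume spike and a price move keeps a single large but orderly fill from tripping the alarm, while the baseline floor makes sure a thinly traded coin like VIA cannot hide a pump behind a near-zero reference rate. The eighth pump fill, which is the first to move the price by more than 25%, is what raises the alarm in the replay.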
The Binance API hack is not the only recent example. In January this year, the Cryptopia exchange was hacked for $16 million worth of Ether and ERC-20 tokens. Cryptopia lost access to its wallets and regained control only two weeks after the initial breach. Cryptopia had no fallback mechanisms in place to ensure continued access to its wallets.
Bitstamp, meanwhile, was hacked for over $15 million worth of coins for the 3rd time in two years, and I'm quite sure most of you heard about the Canadian QuadrigaCX scandal, in which the founder lost the private keys holding over $130 million.
As we can see, some exchanges perform well, but many don’t. There is definitely a need for improved crypto exchange security with better fallback mechanisms and faster response/detection systems to protect investors but also exchanges.
Best Practices: CODEX Exchange Demonstrates How It’s Done
CODEX takes security very seriously: they use EdDSA cryptography and do not store any API secrets, to minimize the risk of being compromised via their API. Like Binance, they run an internal anti-fraud system that detects unusual behavior such as sudden large withdrawals.
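The "EdDSA, no stored API secrets" design can be shown with Go's standard-library Ed25519. This is an added illustration, not CODEX's code or API: the request envelope, the path names and the key ids are assumptions. The client keeps the private key and signs a canonical string over key id, timestamp, nonce, method, path and body; the exchange stores only the public key per key id and checks the signature, the timestamp window and nonce reuse, so a dump of its key table gives an attacker nothing to sign with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Request is the signed envelope a client sends. The signature covers every
// field, so none of them can be altered in transit.
type Request struct {
	KeyID              string
	Timestamp          int64 // unix seconds; bounds how long a captured envelope stays valid
	Nonce              string
	Method, Path, Body string
	Signature          []byte
}

func canonical(r *Request) []byte {
	return []byte(fmt.Sprintf("%s\n%d\n%s\n%s\n%s\n%s", r.KeyID, r.Timestamp, r.Nonce, r.Method, r.Path, r.Body))
}

// Client keeps the Ed25519 private key; it never leaves the client.
type Client struct {
	KeyID string
	priv  ed25519.PrivateKey
}

// NewClient generates a key pair and returns the public half for enrolment at the exchange.
func NewClient(keyID string) (*Client, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Client{KeyID: keyID, priv: priv}, pub
}

func (c *Client) Sign(method, path, body string, now time.Time) *Request {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	r := &Request{KeyID: c.KeyID, Timestamp: now.Unix(), Nonce: fmt.Sprintf("%x", nonce),
		Method: method, Path: path, Body: body}
	r.Signature = ed25519.Sign(c.priv, canonical(r))
	return r
}

// keyRecord is all the exchange stores per API key: the public key and its
// owner. A dump of this table yields nothing that can sign a request.
type keyRecord struct {
	UserID string
	Public ed25519.PublicKey
}

type Exchange struct {
	MaxSkew time.Duration
	keys    map[string]keyRecord
	seen    map[string]bool // keyID:nonce already accepted; prune entries older than MaxSkew in production
}

func NewExchange() *Exchange {
	return &Exchange{MaxSkew: 30 * time.Second, keys: map[string]keyRecord{}, seen: map[string]bool{}}
}

func (e *Exchange) Register(keyID, userID string, pub ed25519.PublicKey) {
	e.keys[keyID] = keyRecord{UserID: userID, Public: pub}
}

// Verify authenticates a request and returns its owner, or an error naming the failed check.
func (e *Exchange) Verify(r *Request, now time.Time) (string, error) {
	rec, ok := e.keys[r.KeyID]
	if !ok {
		return "", errors.New("unknown key id")
	}
	ts := time.Unix(r.Timestamp, 0)
	if now.Sub(ts) > e.MaxSkew || ts.Sub(now) > e.MaxSkew {
		return "", errors.New("timestamp outside the accepted window")
	}
	replay := r.KeyID + ":" + r.Nonce
	if e.seen[replay] {
		return "", errors.New("nonce already used")
	}
	if !ed25519.Verify(rec.Public, canonical(r), r.Signature) {
		return "", errors.New("bad signature")
	}
	e.seen[replay] = true
	return rec.UserID, nil
}

func main() {
	ex, now := NewExchange(), time.Now()
	c, pub := NewClient("key-1")
	ex.Register("key-1", "alice", pub) // only the public key is stored
	req := c.Sign("POST", "/v1/order", `{"market":"VIA/BTC","side":"buy","qty":"10"}`, now)
	fmt.Println(ex.Verify(req, now)) // first use is accepted
	fmt.Println(ex.Verify(req, now)) // second use of the same envelope is refused
}
```

Contrast this with the HMAC scheme most exchange APIs use, where the server must hold the same secret the client signs with: there a leaked database or a compromised third-party bot that stored the secret lets anyone forge requests, whereas here the exchange side holds nothing worth stealing and a stolen private key is still confined to the one client that leaked it and can be revoked by deleting its key record.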
Furthermore, CODEX conducted an interesting multi-stage security audit. While the first stage is an internal security audit and the third stage is a bug bounty program which is standard, it is the 2nd stage, an external audit performed by Hacken, that interests me most.
Hacken Security Audit
Hacken tackles the process of performing a security audit for an exchange by taking 3 steps:
The first step consists of testing the overall security of the systems against the best practices published by the Open Web Application Security Project (OWASP).
The second step consists of gathering intelligence about the target, trying to detect and identify possible threats that can be exploited.
The last step is to test possible exploits and to convert the findings into recommendations to address weak security measures.
Hacken found only a couple of medium-to-low risk issues in CODEX's website and web application, and no major design flaws. This result led Hacken to award CODEX Exchange a 10/10 rating.
How Else Can You Protect Your Exchange?
While CODEX’s security practices are to be learned from, other exchanges in the cryptocurrency space are demonstrating important security practices, such as the following:
Two Factor Authentication with Cookies
Of course, it makes sense to implement Two Factor Authentication. However, it can be strengthened with cookies. Cookies are used to track the IP addresses that are whitelisted for logging in, and they also reveal whenever a new device or IP is used to log in via Two Factor Authentication.
Whenever a new device is detected, it needs to be whitelisted via email or SMS verification, proving that this is actually your device. If you are not able to prove you own this device, it needs to be blocked.
Implemented by: Many exchanges like Binance, Bitstamp.
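A device-cookie layer on top of TOTP, as an added example and not any exchange's implementation (the three-strike block, the cookie format, the hex device code and the in-memory "outbox" standing in for e-mail or SMS are all assumptions): a login needs a valid TOTP code and a cookie that was confirmed from the current IP; an unknown cookie or a known cookie seen from a new IP opens a challenge, and a device that cannot be confirmed gets its IP blocked.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTP implements RFC 6238 (HMAC-SHA1, 30 s step, 6 digits), the codes authenticator apps produce.
func TOTP(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

type device struct {
	user string
	ips  map[string]bool // IPs this cookie has been confirmed from
}

type challenge struct {
	user, ip, code string
	attempts       int
}

type Service struct {
	totpSecrets map[string][]byte
	devices     map[string]device     // keyed by sha256(cookie); the raw cookie is never stored
	challenges  map[string]*challenge // pending device confirmations by id
	blockedIPs  map[string]bool
	Outbox      []string // the e-mails/SMS "sent"; a real service hands these to a gateway
}

func NewService() *Service {
	return &Service{totpSecrets: map[string][]byte{}, devices: map[string]device{},
		challenges: map[string]*challenge{}, blockedIPs: map[string]bool{}}
}

func (s *Service) Enroll(user string, totpSecret []byte) { s.totpSecrets[user] = totpSecret }

func randHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

func hashCookie(c string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(c))) }

// Login assumes the password was already checked. It returns "allowed", "denied", or
// "verify-device" together with the id of the challenge it opened for the new device/IP.
func (s *Service) Login(user, code, cookie, ip string, now time.Time) (string, string) {
	secret, ok := s.totpSecrets[user]
	if s.blockedIPs[ip] || !ok || subtle.ConstantTimeCompare([]byte(TOTP(secret, now)), []byte(code)) != 1 {
		return "denied", ""
	}
	if d, ok := s.devices[hashCookie(cookie)]; ok && d.user == user && d.ips[ip] {
		return "allowed", ""
	}
	id, c := randHex(8), &challenge{user: user, ip: ip, code: randHex(3)}
	s.challenges[id] = c
	s.Outbox = append(s.Outbox, fmt.Sprintf("to %s: confirm new device at %s with code %s", user, ip, c.code))
	return "verify-device", id
}

// ConfirmDevice checks the mailed code. Three wrong answers drop the challenge and block the IP,
// as the post demands for an unproven device; success returns the cookie value to set on it.
func (s *Service) ConfirmDevice(id, code string) (string, bool) {
	c, ok := s.challenges[id]
	if !ok {
		return "", false
	}
	if subtle.ConstantTimeCompare([]byte(c.code), []byte(code)) != 1 {
		if c.attempts++; c.attempts >= 3 {
			delete(s.challenges, id)
			s.blockedIPs[c.ip] = true
		}
		return "", false
	}
	delete(s.challenges, id)
	cookie := randHex(32)
	s.devices[hashCookie(cookie)] = device{user: c.user, ips: map[string]bool{c.ip: true}}
	return cookie, true
}

func main() {
	s, now := NewService(), time.Now()
	s.Enroll("alice", []byte("12345678901234567890")) // RFC 6238 test secret; constructed enrolment
	r, id := s.Login("alice", TOTP([]byte("12345678901234567890"), now), "", "203.0.113.5", now)
	fmt.Println(r, id, s.Outbox)
}
```

The cookie is a 256-bit random value and the server keeps only its SHA-256, so a leaked device table cannot be replayed as cookies; binding each cookie to the IPs it was confirmed from is what lets the same cookie presented from an unfamiliar network trigger a fresh verification instead of a silent login.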
The most secure exchanges combat the threat of hacks by storing the vast majority of their digital assets in secure, offline storage. For example, Coinbase stores 98 percent of its customers' holdings in offline storage using FIPS-140 drives and paper backups.
There is also a new trend toward trading directly from hardware wallets, which is supposed to be much safer. The Trezor wallet has supported this since September 2018, and new protocols are being developed to use it on a wider scale, such as at the exchange level.
Implemented by: Coinbase, …
Crypto Address Whitelisting
An alternative to an address book is a list of whitelisted crypto addresses you trust, with transactions allowed only to and from these addresses. Currently, Coinbase offers this as a Pro feature which you can enable. However, I believe this should be a security measure every exchange offers by default.
Implemented by: Coinbase Pro
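Address whitelisting as a withdrawal gate, as an added example rather than Coinbase Pro's feature. The hold-off period before a newly added address may be used and the rolling 24-hour limit that holds sudden large withdrawals for review (the anti-fraud check from the CODEX paragraph) are assumed policies, and the addresses are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var (
	ErrNotWhitelisted = errors.New("destination address is not on the whitelist")
	ErrAddressPending = errors.New("destination address is still in its hold-off period")
	ErrOverDailyLimit = errors.New("withdrawal exceeds the rolling 24-hour limit; held for review")
)

type withdrawal struct {
	amount float64
	at     time.Time
}

// WithdrawalPolicy gates withdrawals on a per-user address whitelist plus two assumed
// controls: a hold-off before a newly added address may be used, and a rolling 24-hour
// limit that holds sudden large withdrawals for review. One asset is assumed for brevity.
type WithdrawalPolicy struct {
	HoldOff    time.Duration
	DailyLimit float64
	whitelist  map[string]map[string]time.Time // user -> address -> time it becomes usable
	history    map[string][]withdrawal         // user -> withdrawals approved in the last 24 h
}

func NewWithdrawalPolicy(holdOff time.Duration, dailyLimit float64) *WithdrawalPolicy {
	return &WithdrawalPolicy{HoldOff: holdOff, DailyLimit: dailyLimit,
		whitelist: map[string]map[string]time.Time{}, history: map[string][]withdrawal{}}
}

// AddAddress whitelists addr for user. It becomes usable only after HoldOff, so whoever
// adds an address also has to keep control of the account for that long.
func (p *WithdrawalPolicy) AddAddress(user, addr string, now time.Time) {
	if p.whitelist[user] == nil {
		p.whitelist[user] = map[string]time.Time{}
	}
	p.whitelist[user][addr] = now.Add(p.HoldOff)
}

func (p *WithdrawalPolicy) RemoveAddress(user, addr string) { delete(p.whitelist[user], addr) }

// Authorize returns nil and records the withdrawal when every check passes.
func (p *WithdrawalPolicy) Authorize(user, addr string, amount float64, now time.Time) error {
	usableAt, ok := p.whitelist[user][addr]
	if !ok {
		return ErrNotWhitelisted
	}
	if now.Before(usableAt) {
		return ErrAddressPending
	}
	var recent []withdrawal // keep only the last 24 h of history
	total := amount
	for _, w := range p.history[user] {
		if !w.at.Before(now.Add(-24 * time.Hour)) {
			recent = append(recent, w)
			total += w.amount
		}
	}
	p.history[user] = recent
	if total > p.DailyLimit {
		return ErrOverDailyLimit
	}
	p.history[user] = append(recent, withdrawal{amount: amount, at: now})
	return nil
}

func main() {
	p := NewWithdrawalPolicy(24*time.Hour, 5)
	now := time.Now()
	p.AddAddress("alice", "addr-constructed-1", now)
	fmt.Println(p.Authorize("alice", "addr-constructed-1", 1, now))                  // still in hold-off
	fmt.Println(p.Authorize("alice", "addr-constructed-1", 1, now.Add(25*time.Hour))) // passes
}
```

The hold-off is what turns the whitelist from a convenience into a control: an attacker holding a session can add their own address, but cannot drain the account before the owner has a full day of e-mail and login notifications in which to notice and remove it.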
Keeping an exchange secure requires much more than just verifying the internal systems’ security. If we consider what happened via the Binance API, an exchange should be aware of the potential risks of every service it offers or exposes.
Exchange security is a rigorous process that includes code assessments, integration testing, penetration testing, but also UI testing. CODEX Exchange clearly understood this need for exchange security and implemented it successfully.
It’s great to see that some exchanges do invest time into exchange security like CODEX Exchange that got a 10/10 rating on hacken.io.