Cryptocurrency exchanges are becoming an increasingly attractive business for investors. However, as the ICO Rating report shows, only 46% of cryptocurrency exchanges meet the required security parameters. This is a threat to users' funds as well as to the creators of the exchanges, who bear the most responsibility. In this article we will look at the main security issues of crypto exchanges and identify the best crypto exchange security features.
Table of contents:
- Crypto exchanges market overview
- The main security issues in crypto exchanges
- What makes a crypto exchange secure
- IdeaSoft experience
Crypto exchanges market overview
The large sums of money traded on cryptocurrency exchanges have made exchange platforms prime targets for attackers. According to statistics, nearly 54% of cryptocurrency exchanges have security holes, and more than $1.7 billion worth of cryptocurrencies has been stolen by hackers.
Any hack of a cryptocurrency exchange negatively affects the value of cryptocurrencies and the reputation of the exchange. Hackers don't attack only to steal money; many hacks are carried out to lower the value of a cryptocurrency. A Wired study also found that 45% of crypto exchanges eventually shut down. The most famous thefts of crypto happened at:
- MtGox - 850,000 BTC - the biggest hack in the history of cryptocurrencies happened to Bitcoin when it was gaining popularity. MtGox employees failed to protect the secret keys of the wallets where they stored all customer deposits.
- Cryptsy - 13,000 BTC and 300,000 LTC - a cybercriminal known as Lucky7Coin injected Trojan malware into the Cryptsy code, then accessed the exchange wallet and transferred money out of it.
- Coincheck - 523,000,000 NEM - the exchange kept its Bitcoin in cold wallets but neglected to do the same for altcoins. All NEM deposits on the exchange were held in one wallet.
- Zaif - 5,966 BTC - access to one of the exchange's hot wallets was compromised, which let attackers withdraw $60 million in BTC, BCH, and MonaCoin. The exact amount of cryptocurrency stolen is unknown.
- Bitstamp - 19,000 BTC - hackers sent a malicious file to employees. One of the system administrators disregarded security rules and opened the file on a computer that had access to the exchange's wallet.
To avoid thefts, security needs to be addressed at the earliest stages of cryptocurrency exchange development. Criminals' skills and knowledge keep improving, and their methods of theft are becoming ever more sophisticated. Below you will find the most important security features for crypto exchanges.
The main security issues in crypto exchanges
Many centralized cryptocurrency exchanges work in the same way. They run a hot wallet that is connected to the Internet. Cryptocurrency is stored in such a wallet to quickly execute customer transactions. Most customer funds are in the "cold" wallet. It is disconnected from the Internet and inaccessible to customers and hackers.
Such precautions do not guarantee the protection of users' money, though. Even Coinbase, the most secure crypto exchange, constantly improves its security and conducts smart contract audits. Let's look at the main security issues of crypto exchanges.
Cross-Site Scripting (XSS) is the most common vulnerability; it allows attackers to use other users' browsers as if they were their own. Virtually all web trading terminals are vulnerable to XSS attacks. Cybercriminals use the vulnerabilities they find to implant malicious JS/HTML code into a page of the web resource, redirecting traders to third-party web resources and/or infecting users' devices with malicious software, such as viruses that steal wallet passwords or replace the destination address on the clipboard.
Web terminals may also be missing security-related HTTP headers, which increases exposure to certain types of attack. For example, the Content-Security-Policy header protects against attacks involving malicious content, including XSS; X-Frame-Options protects against clickjacking; and Strict-Transport-Security forces the browser to use a secure connection over HTTPS.
Research shows that there are 0.52 defects per 1,000 lines of code in open-source products and 0.72 in proprietary products (the quality standard is less than 1 defect per 1,000 lines of code). Any of these defects can potentially weaken the security of the platform.
Even if exchange developers write code without a single error, there is always a risk of vulnerability in third-party software. For example, issues in the operating system, payment gateway, or messenger can be used for phishing or installing malicious software on the devices of cryptocurrency exchange employees.
Vulnerabilities in smart contracts
Hackers can discover a vulnerability in a wallet's smart contract code that lets them take control of the victim's funds. This can be a targeted attack on a specific wallet, or a mass attack if many wallets share the same vulnerability. That's why a smart contract audit is one of the ways to ensure the security of a cryptocurrency exchange.
An exchange can also be vulnerable by design. Exchanges are subject to the same security problems as other websites, so the front end, mobile app, clients, APIs, and data stores must all be protected. Here are some issues related to crypto exchange infrastructure development:
- NoSQL injections target popular solutions like Redis, Memcached, and MongoDB. Unlike the older SQL injection attacks, which are mostly prevented at the framework and ORM level, these attacks target newer technologies and are rarely detected by developers or frameworks.
- Logical problems. These are critical and hard to detect with automated tools such as source code analyzers. An example is the simultaneous processing of several outgoing transactions, which can drive an account balance negative.
- Authentication problems. Sometimes passwords and even two-factor authentication can't protect an exchange because of authentication bypass issues, which give access to a user's session without verifying the relevant credentials.
These are the main vulnerabilities of crypto exchanges. The full list is much longer, which is why, when developing a crypto exchange, you should enlist the support of an experienced development team that knows how to implement the main crypto exchange security features in the best way.
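The "several outgoing transactions at once" problem from the list above, reproduced as an added Python example (not the article's own code): a check-then-debit withdrawal with no locking beside one where the check and the debit form a single atomic step. The balances and the RACE_WINDOW delay are constructed so the race is deterministic.

```python
import threading
import time

# Constructed delay standing in for real work between the balance check and
# the debit (a fee lookup, a database round trip); it makes the race reproducible.
RACE_WINDOW = 0.1


class VulnerableLedger:
    """Check-then-debit with no locking: the logical bug the article describes."""
    def __init__(self, balance):
        self.balance = balance

    def withdraw(self, amount):
        if self.balance < amount:       # 1. check
            return False
        time.sleep(RACE_WINDOW)         # other requests can pass the check meanwhile
        self.balance -= amount          # 2. debit, even if another request already did
        return True


class SafeLedger:
    """Check and debit under one lock, so they form a single atomic step.
    The database equivalent is a conditional update such as
    UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount):
        with self._lock:
            if self.balance < amount:
                return False
            time.sleep(RACE_WINDOW)     # same work, but nothing can interleave
            self.balance -= amount
            return True


def run_concurrent_withdrawals(ledger, amount, requests):
    """Fire `requests` withdrawals at once; return (accepted_count, final_balance)."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(ledger.withdraw(amount)))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.balance
```

With a balance of 100 and two simultaneous withdrawals of 60, the vulnerable ledger accepts both and ends at -20, while the safe ledger accepts one and ends at 40.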
What makes a crypto exchange secure
Most cryptocurrency exchanges use at least one, and more often several, anti-hacking systems. The simplest and most common is two-factor authentication: a person needs to enter a one-time password for each transaction, which is sent to their phone or email.
That said, two-factor authentication is not the most secure method of protection. A more advanced version of it exists in dedicated applications like Authy and Authenticator. By requiring an additional code, they block access to the system even if the username and password have been compromised.
The second most popular method of protection is multi-signature. In this case, several keys to a Bitcoin wallet belong to different owners, and access to the funds is possible only by collecting all of the electronic signatures. However, this system can also fail: experts note that multi-signature works only when all the signers are independent of each other.
One of the most reliable methods of protection against hacker attacks remains the distribution of funds between hot and cold wallets. In addition to physical protection (video cameras, armed guards, etc.), a cold wallet can be equipped with a multi-signature system. The larger the share of funds kept in the cold wallet, the safer the exchange is.
Another way to protect an exchange is so-called Bitcoin locks: special Bitcoin addresses where coins are locked by a two-step security mechanism with two different keys. A regular digital key is needed to unlock the funds, but full access to the money is available only after 24 hours. During those 24 hours, any transaction can be reversed by entering a second key. There is a further level of protection: if a hacker gets both keys, the exchange can burn the funds stored in the wallet.
Among other crypto exchange security features are:
- Anti-DDoS security protocol
- Domain Name System Security Extensions (DNSSEC)
- Registry lock
- Web protocol security
It has become good practice among crypto exchanges to conduct regular audits by independent experts and penetration tests. The latter are done by so-called white-hat hackers, whose goal is to break into the security systems in order to find potential vulnerabilities before attackers can exploit them.
Regarding the security of cryptocurrency exchanges, a comprehensive approach is important. Now you know what makes a crypto exchange secure. Exchanges should maintain the security of their own code along with the security of the development environment and the third-party libraries used in the development of the product.
IdeaSoft has been providing blockchain-based product development services for more than 5 years. Our portfolio consists of more than 250 successfully implemented projects including DeFi wallets, NFT marketplaces, DeFi aggregators, lending/borrowing platforms, identity management solutions, and crypto exchanges. The IdeaSoft in-house blockchain development team knows how to create a functional product that meets the highest security standards. Our company provides full-cycle software development services, from business analysis and design to programming, testing, and support.
If you need help creating a high-performance crypto exchange with the best crypto exchange security features, feel free to visit our blockchain development services page or contact us directly.