Cryptocurrency exchanges handle huge volumes of money. The problem with all of that volume is that it attracts all the wrong sorts of people: nefarious people, people who want to take that money for themselves.
Crypto exchanges are up against the worst, and there is a lot of interest in hacking and stealing cryptocurrency. Unfortunately, crypto exchanges have vulnerabilities that can be exploited. Here are a few reasons why crypto exchanges remain vulnerable to scams, fraud, hacks, and attacks.
Reason 1: Huge Cryptocurrency Holdings
The main and most obvious reason is the aforementioned volume. It is a little bit of a cop-out to use this as a point, because it underlies every other reason. Thieves want the tokens, and they want them now.
But take a moment to think about the scale of what an attacker is trying to get their hands on.
Each exchange has a hot wallet. The hot wallet (or online wallet) keeps its private keys on internet-connected systems so it can sign customer withdrawals and internal transfers automatically, without moving funds back and forth from offline cold wallets for every transaction. That convenience is exactly what makes the hot wallet one of the primary attractions for an attacker: whoever controls the machine holding the keys controls the funds. At any one time, an exchange can have hundreds of millions of dollars in cryptocurrencies sitting in a hot wallet. Back in December 2017, Bittrex had over $4 billion sitting in a single wallet. Let that sink in for a moment.
Bittrex is not alone. All exchanges have hot wallets. And December 2017 was a particularly intensive trading period. But four billion dollars’ worth of tokens protected with a single private key? It is incredibly risky.
There are prominent examples, too:
- Bithumb. The South Korean exchange lost 35 billion Korean won (around $31.5 million) in tokens in June 2018.
- Coinrail. Another South Korean exchange, Coinrail lost around 40 billion Korean won (around $35 million) in tokens, also in June 2018.
- Coincheck. Japanese exchange Coincheck lost 523 million NEM coins, at the time worth around $534 million, in January 2018.
- Zaif. Another Japanese exchange, Zaif, lost around $60 million in bitcoin, bitcoin cash, and MonaCoin, in September 2018.
- Bitstamp. Luxembourg-based Bitstamp lost 18,866 BTC in January 2015, at the time worth around $5.1 million.
These are just five examples of hot wallet hacks. There are countless other instances of crypto exchange hacks.
Reason 2: Human Errors
Crypto exchanges aren’t autonomous. Behind the scenes, like every major website, there is a dedicated team working to keep things ticking over. For the most part that works well. However, humans are fallible, and in the crypto world errors are heavily punished: a stolen transaction cannot be reversed. Furthermore, it is cheap for an attacker to send out spam or phishing emails in the hope of getting a single hit.
Take the Bitstamp hack from the last section. Bitstamp initially kept very quiet regarding the hack, but a leaked incident report shed light on events. The attackers sent a series of spear-phishing emails to six Bitstamp employees over the course of several weeks. They researched the employees’ backgrounds, approached them over Skype, and eventually convinced a Bitstamp system administrator to open a Word document.
The Word document contained an obfuscated Visual Basic for Applications (VBA) macro that downloaded a malicious file and compromised the sysadmin’s machine. From that foothold, the attacker reached the servers holding the main Bitstamp hot wallet, including its passphrases. One person’s workstation and one opened attachment were enough to reach the keys.
“On 4 January, the attacker drained the Bitstamp wallet, as evidenced on the blockchain. Although the maximum content of this wallet was 5000 bitcoins at any one time, the attacker was able to steal over 18,000 bitcoins throughout the day as further deposits were made by customers.”
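A mail gateway or SOC analyst can at least catch the container the Bitstamp macro arrived in. The following is an added example, not code from the original article or from Bitstamp: it builds two constructed Office documents in memory (one with a stub `word/vbaProject.bin` part, one without; the OLE header bytes are a placeholder, not a real macro) and flags attachments that carry a VBA project, whose content types or file extension disagree with that, or that use the legacy binary format this check cannot see inside. It tells you that macros exist; it does not decode the obfuscated script itself.

```python
import io
import zipfile

LEGACY_OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # binary .doc/.xls/.ppt (OLE2 compound file)
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")
MACRO_ENABLED_MARKER = "macroEnabled"                    # appears in [Content_Types].xml of .docm/.xlsm/.pptm


def build_sample(with_macro):
    """Construct a minimal OOXML Word file in memory (sample data, not a real document).

    The vbaProject.bin part is a placeholder with an OLE2 header only; real macro
    projects are OLE2 containers too, so the check below sees the same part name.
    """
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", LEGACY_OLE_MAGIC + b"\x00" * 64)  # placeholder bytes
    return buf.getvalue()


def has_vba_macros(data):
    """True if an OOXML (zip-based) Office file carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return reasons to hold an attachment for review; an empty list means no macro indicators."""
    findings = []
    if data.startswith(LEGACY_OLE_MAGIC):
        # Legacy binary formats embed macros as OLE streams; there is no zip to list here,
        # so the file needs a dedicated OLE parser rather than a pass.
        findings.append(f"{filename}: legacy OLE2 document, macros possible; needs deeper parsing")
        return findings
    if not has_vba_macros(data):
        return findings
    findings.append(f"{filename}: contains word/vbaProject.bin (VBA macros present)")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
    if MACRO_ENABLED_MARKER not in types_xml:
        findings.append(f"{filename}: macro part present but content types do not declare a macro-enabled document")
    if not filename.lower().endswith(MACRO_EXTENSIONS):
        findings.append(f"{filename}: extension does not match a macro-enabled format")
    return findings


if __name__ == "__main__":
    for name, blob in (("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("invoice.docx", build_sample(False)),
                       ("old.doc", LEGACY_OLE_MAGIC + b"\x00" * 512)):
        print(name, triage_attachment(name, blob) or ["clean"])
```

Anything this flags should be detonated or stripped of macros before it reaches an administrator's inbox; the point of the Bitstamp story is that the workstation which opened the attachment was one hop from the wallet keys.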
It comes as no surprise that around 31 crypto exchanges have been hacked in the past eight years, at a loss of over $1.3 billion.
Reason 3: Flaws in Infrastructure
Human errors can cause other vulnerabilities, too. If the attacker isn’t targeting employees, you can bet they’re targeting vulnerabilities in the website infrastructure instead.
The ICO Rating Exchange Security Report identifies four areas where cryptocurrency exchanges are vulnerable:
- Console errors
- User Account Security
- Registrar and Domain Security
- Web Protocols Security
Errors in the underlying exchange code are not automatically critical; it depends on the severity of the error and where it sits. The best-known example is not an exchange at all: the 2016 DAO hack came down almost entirely to a code vulnerability, a reentrancy bug in the smart contract that let an attacker withdraw repeatedly before the balance was updated. The attacker siphoned off over $50 million worth of ether.
The ICO Rating report estimates that 68% of the exchanges investigated have no errors at all. So, what about the other 32%? Whether an error matters depends on the type of code vulnerability, on whether any malicious party knows about it, and on whether exploiting it is profitable.
User Account Security
You’re probably thinking “individual end-user account security isn’t a huge issue.” To a point, you’re right. A compromised customer account drains that customer, not the exchange’s hot wallet, so end-user account security is important but not critical to exchange security.
Exchange employee accounts are a different matter. User account security for crypto exchange employees must be strong and consistently enforced, because an employee account is a route to the systems that hold the keys. I want to think that all crypto exchanges mentor employees on account security: a strong, unique password for every service (more than eight characters, and ideally much longer), a password manager so those passwords are never reused, and multi-factor authentication, preferably with a hardware token, on anything that touches the wallet infrastructure.
Registrar and Domain Security
The study examined exchange vulnerabilities connected with the site registrar and domain. It checked five things:
- Registry Lock. A registry lock is applied at the registry itself (the operator of the top-level domain, one level above your registrar). While it is set, transfers, updates and deletions are refused until the registry has verified the request out of band, so a stolen registrar login alone cannot redirect the domain.
- Registrar Lock. Different from “registry lock,” a registrar lock (the clientTransferProhibited and clientUpdateProhibited statuses set by your registrar) prevents domain hijacking by requiring extra authentication at the registrar before it will push any change to the registry.
- Role accounts. A role account (for example a hostmaster@ mailbox rather than an employee’s name and address) keeps personal details out of the public WHOIS record. It makes the individuals behind the domain harder to identify and therefore harder to target with phishing or social engineering.
- Expiration. Domain expiration is surprisingly common (remember when google.com briefly showed as available in 2015 and someone bought it before Google cancelled the sale?). An expired domain can be re-registered by anyone, who then receives the exchange’s mail and web traffic.
- DNSSEC. DNSSEC (Domain Name System Security Extensions) signs DNS records so that a validating resolver can detect forged or tampered responses. It does not encrypt queries; it only proves that an answer is the one the zone owner published, which stops an attacker from redirecting users to a look-alike site through DNS spoofing or cache poisoning.
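The five checks above can be run from WHOIS and dig output. What follows is an added example, not part of the ICO Rating report or the original article: it parses constructed WHOIS text for a placeholder domain (exchange.example) and a constructed `dig +short DS` answer, and reports each of the five weaknesses. The role-account test is a heuristic on mailbox names, the reference date is fixed so the expiry arithmetic is reproducible, and the DS digest is made up.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS output (not a real registration): registrar lock set, no registry
# lock, named-person contacts, expiry three weeks after the reference date, no DNSSEC.
WEAK_WHOIS = """\
Domain Name: EXCHANGE.EXAMPLE
Registry Expiry Date: 2019-02-10T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant Email: jane.doe@exchange.example
Admin Email: jane.doe@exchange.example
Tech Email: jane.doe@exchange.example
DNSSEC: unsigned
"""

# The same domain after fixing all five points (constructed).
HARDENED_WHOIS = """\
Domain Name: EXCHANGE.EXAMPLE
Registry Expiry Date: 2021-02-10T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Registrant Email: hostmaster@exchange.example
Admin Email: hostmaster@exchange.example
Tech Email: hostmaster@exchange.example
DNSSEC: signedDelegation
"""

# Constructed `dig +short DS exchange.example` output: nothing for the weak case,
# one DS record (key tag, algorithm 13, digest type 2, made-up digest) for the hardened case.
WEAK_DS = ""
HARDENED_DS = "12345 13 2 49FD46E6C4B45C55D4AC69CBE0E2BE4C0C0A2C7B8D1A0E5F2A3B4C5D6E7F8091\n"

REFERENCE_DATE = datetime(2019, 1, 20, tzinfo=timezone.utc)   # fixed so the example is deterministic
REGISTRAR_LOCK = {"clienttransferprohibited", "clientupdateprohibited"}   # set by the registrar
REGISTRY_LOCK = {"servertransferprohibited", "serverupdateprohibited"}    # set by the registry
ROLE_MAILBOXES = ("hostmaster", "dns", "domains", "noc", "security", "abuse")  # heuristic


def parse_whois(text):
    """Collect WHOIS key/value pairs; Domain Status lines become a set of EPP status codes."""
    fields, statuses = {}, set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "domain status":
            statuses.add(value.split()[0].lower())     # drop the trailing ICANN URL
        else:
            fields.setdefault(key, []).append(value)
    return fields, statuses


def assess_domain(whois_text, ds_output, now=REFERENCE_DATE, warn_days=30):
    """Return one finding per weakness; an empty list means all five checks pass."""
    fields, statuses = parse_whois(whois_text)
    findings = []
    if not statuses & REGISTRAR_LOCK:
        findings.append("no registrar lock: clientTransferProhibited/clientUpdateProhibited not set")
    if not statuses & REGISTRY_LOCK:
        findings.append("no registry lock: serverTransferProhibited/serverUpdateProhibited not set")
    for key in ("registrant email", "admin email", "tech email"):
        for email in fields.get(key, []):
            local_part = email.split("@")[0].lower()
            if not local_part.startswith(ROLE_MAILBOXES):
                findings.append(f"{key} is a personal mailbox, not a role account: {email}")
    for raw in fields.get("registry expiry date", []):
        expiry = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        days_left = (expiry - now).days
        if days_left < 0:
            findings.append(f"domain expired {-days_left} days ago")
        elif days_left < warn_days:
            findings.append(f"domain expires in {days_left} days")
    # DNSSEC is only effective when the parent zone publishes a DS record for the domain;
    # the WHOIS field alone is a registry self-report, so both are required.
    whois_signed = any(v.lower().startswith("signed") for v in fields.get("dnssec", []))
    ds_at_parent = bool(re.search(r"^\d+\s+\d+\s+\d+\s+[0-9A-Fa-f]+", ds_output, re.M))
    if not (whois_signed and ds_at_parent):
        findings.append("DNSSEC chain incomplete: whois={}, DS at parent={}".format(
            "signed" if whois_signed else "unsigned", "present" if ds_at_parent else "absent"))
    return findings


if __name__ == "__main__":
    for label, whois, ds in (("weak", WEAK_WHOIS, WEAK_DS), ("hardened", HARDENED_WHOIS, HARDENED_DS)):
        print(label, assess_domain(whois, ds) or ["all five checks pass"])
```

To run it against a live domain, paste the output of `whois` and `dig +short DS <domain>` into the two string arguments and drop the fixed `now`; the status codes and field names follow the standard gTLD WHOIS layout, so ccTLD registries with different formats will need the parser adjusted.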
Web Protocols Security
The final attack vector is web protocol security. Attackers are adept at exploiting web-based vulnerabilities. Indeed, some of the largest attacks stem from the most common vulnerabilities. The report tested exchange protocol security using https://www.htbridge.com/websec/, assessing whether the following five security headers are present:
- Strict-Transport-Security. The HTTP Strict Transport Security (HSTS) header tells browsers to use HTTPS only for the site (and, with includeSubDomains, its subdomains) for the period given in max-age, so a later http:// link or a downgrade attempt is upgraded before any request leaves the browser. It protects only after the first secure visit unless the domain is on the browser preload list.
- X-XSS-Protection. The X-XSS-Protection header controls the browser’s built-in reflected cross-site scripting filter. The report counts it, but it is a legacy header: Chrome and Edge have removed the filter it configured and Firefox never implemented one, so a Content-Security-Policy is the real defence today.
- Content-Security-Policy. The Content-Security-Policy (CSP) header lets the site declare the permitted sources for each type of content (scripts, styles, frames, plugins), helping to defend against XSS and other code injection attacks. CSP can also set browser behaviours such as running the page in a sandbox or, with frame-ancestors, refusing to be framed.
- X-Frame-Options. The X-Frame-Options header defines whether the site allows itself to be framed by other origins (DENY or SAMEORIGIN). Blocking framing stops clickjacking, where a hidden frame of the exchange is placed under a decoy button so the user unknowingly clicks Withdraw.
- X-Content-Type-Options. The X-Content-Type-Options: nosniff header stops the browser from guessing (“sniffing”) a response’s type and forces it to honour the declared Content-Type, so an uploaded file or API response cannot be reinterpreted as script.
The ICO Rating report indicates that 29 percent of the crypto exchanges examined had none of the above security headers.
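Checking those headers against a saved response is a few lines of code. The following is an added example, not the tool the report used: it takes a raw HTTP response (two constructed ones are included; the hostnames, session cookie and nonce values are placeholders), reports the report’s presence count for the five headers, and then goes further than presence to check the values a practitioner actually cares about: HSTS max-age and includeSubDomains, CSP without 'unsafe-inline' scripts and with object-src restricted, a framing restriction from either X-Frame-Options or frame-ancestors, nosniff, and X-XSS-Protection set to 0 or 1; mode=block rather than a bare 1.

```python
import re

# Constructed raw HTTP responses; the site is a placeholder, not a real exchange.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html><body>Trade now</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-d1e5f7'; "
    "object-src 'none'; frame-ancestors 'none'; base-uri 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 0\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html><body>Trade now</body></html>"
)

REPORT_HEADERS = ("strict-transport-security", "x-xss-protection", "content-security-policy",
                  "x-frame-options", "x-content-type-options")
MIN_HSTS_AGE = 15552000   # six months in seconds, the usual minimum for HSTS


def parse_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def present_count(raw):
    """The report's measure: how many of the five headers are present at all (0 to 5)."""
    _, headers, _ = parse_response(raw)
    return sum(1 for name in REPORT_HEADERS if name in headers)


def check_security_headers(raw):
    """Presence plus value checks; an empty list means all five are set sensibly."""
    _, h, _ = parse_response(raw)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("Strict-Transport-Security max-age shorter than six months")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    csp = h.get("content-security-policy")
    directives = {}
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        for d in csp.split(";"):
            parts = d.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        script_src = directives.get("script-src", directives.get("default-src", []))
        # 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is also present
        hashed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src)
        if "'unsafe-inline'" in script_src and not hashed:
            findings.append("Content-Security-Policy allows 'unsafe-inline' scripts with no nonce or hash")
        if "object-src" not in directives and "'none'" not in directives.get("default-src", []):
            findings.append("Content-Security-Policy does not restrict object-src (plugin content)")

    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing restriction: X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors needed")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    xxp = h.get("x-xss-protection")
    if xxp is None and csp is None:
        findings.append("X-XSS-Protection absent and no CSP: nothing mitigates reflected XSS")
    elif xxp is not None and xxp.strip() not in ("0", "1; mode=block"):
        findings.append("X-XSS-Protection should be 0 (rely on CSP) or 1; mode=block, never a bare 1")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, present_count(raw), "of 5 present;", check_security_headers(raw) or ["no findings"])
```

The same functions accept the output of `curl -sI https://<host>/` (curl keeps the CRLF line endings), so the check can be dropped into a deploy pipeline to fail a release that regresses any header. The hardened response deliberately sets X-XSS-Protection to 0: the report scores presence, but the auditor that header switched on has been removed from Chrome and Edge, and leaving it at 1 without mode=block made some filter-abuse attacks easier, so the protection comes from the CSP.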
Cryptocurrency Exchange Security Challenges
It is clear that cryptocurrency exchanges have numerous flaws, and you can see the scale of the problems facing them. A growing user base increases the exchange’s holdings, in turn making it a more appealing target. Sites experiencing rapid growth must scale up their security practices at the same pace, not after the fact.
Crypto exchanges aren’t special. They’re not unique websites with specialized protocols. A crypto exchange uses the same security protocols as the rest of the internet, and like the rest of the internet, the exchange is only as strong as its security implementation. If the site designer isn’t up to scratch, the exchange and its users are guaranteed to have a bad time.
The best practice is to keep on a potentially vulnerable exchange only what you are actively trading, and to store the rest in a secure offline cold wallet.