How to keep Crypto Exchange secure? Part 1/2

Why consider security in crypto exchanges?

As the pool of funds increases, so does the interest of cybercriminals. There constantly appear new hacks of cryptocurrency exchanges from all over the world:

• EXMO appears to have lost $10.5 million worth of funds. – December 2020
• Over $280M Drained in KuCoin Crypto Exchange Hack. – September 2020
• Cryptocurrency exchange UPbit announced today that it lost almost US$50 million worth of ether (ETH) in an apparent security breach. – November 2019
• South Korean cryptocurrency exchange was the victim of a suspected insider job – April 2019

Key steps to secure crypto exchange.

Hundreds of projects and many years of cooperation with the financial sector allow us to perceive and deeply understand threats while cooperating with cryptocurrency exchanges. 

We mustn’t forget that cryptocurrency exchange is also a web application, in some ways similar to those that have been around for years. We should draw conclusions from this. That’s why we have prepared a list of areas that, in our opinion, require particular focus to increase security. Some categories include areas that are not unique and can be applied to many kinds of web applications, but they pose a threat to exchanges as well therefore cannot be ignored

1. KYC Security
2. Authentication
3. Session handling
4. Wallet security
5. Access control
6. TLS Security
7. Deposits & withdrawals
8. FIAT payment integration
9. Currency operations & transfers
10. Sensitive operation limitation & authorization
11. Exchange availability
12. Cryptocurrency listing research
13. Security education
14. Mobile security
15. Continuous security
16. Insurance Protection
17. Transparency
18. Incident history
19. Regulation

Let’s start with the first 10 in this part.

1. KYC Security

Financial institutions, including crypto exchanges, are strictly regulated and must implement Anti-Money Laundering (AML) policies. One of the processes is called Know Your Customer (KYC). It’s goal is to focus on verifying the identity, suitability, and risks coming from exchange customers. 

Exchanges provide services all over the world, but you will not find their locations everywhere. Many of them willingly use fully automated solutions that allow verification using just a laptop or phone camera. Some of the face biometric solutions are still quite new and security is not always their key priority. 

Such solutions can help, but should not be fully trusted until they have been thoroughly tested (check how we deal with face recognition authentication).

It is worth remembering that:

• You should use an employee as a second verifier, do not fully rely on automatic face recognition authentication until you verify that it’s 100% secure.
• All checks should be performed on the server-side.
• It is a good idea to apply more checks for face recognition authentication.

Possible consequences of neglecting this category:

• Creating accounts with fake data.
• Impersonating clients.
• Exchange used for money laundering. 

2. Authentication

Incorrect user authentication is the first step to risk account takeover. Common methods of compromising accounts and user identity theft include brute-force attacks such as password guessing and spraying, phishing attacks, and unsafe integrations with external services. Even if the solution is well known and proven – there are still many places where something may go wrong (OAuth example).

Pay close attention to authentication mechanisms and make sure they are properly implemented.

• Introduce multi-factor authentication, it is much harder to compromise all necessary pieces of evidence than just login and password.
• Make sure integrations with external services are securely implemented.
• Demand strong passwords from the users, encourage them to use password managers or at least do not implement mechanisms which hinder use of password managers.
• Introduce temporary and permanent user locks in case of exceeding a certain number of failed login attempts.
• Use Captcha to differentiate humans from malicious scripts.

Possible consequences of neglecting this category:

• Client account take over.
• Instant cryptocurrency theft of compromised accounts.
• Large number of fake accounts.

3. Session handling

After successful authentication, a user gets a unique identifier which is as valuable and as sensitive as their credentials. The following issues may be a security risk here: badly implemented session generation mechanism, bad randomness, lack of security flags on cookies, insecure storage of a session identifier and long-lived sessions.

To properly handle users’ sessions:

• Session tokens must be unique and random.
• Do not treat Web Storages APIs (localStorage, sessionStorage) as secure storage by default.
• Include Secure, HttpOnly and SameSite flags to protect your cookies.
• Add HTTP Secure headers (i.e. HTTP Strict Transport Security).
• Prevent session token from leakage to third parties.
• Make sessions expire after 2-5 minutes of inactivity or after a logout. It must be revoked, not “cleared”.

Possible consequences of neglecting this category:

• The attacker will take over the user’s session token and will be able to perform an action without knowing the credentials.
• The attacker will be able to predict valid session tokens and take over the victim’s account.

4. Access control

Access control mechanism is protecting both users’ privacy and their funds in the field of cryptocurrency exchanges. In over 16 years of experience we’ve encountered many bugs resulting from improper authorization. Sometimes even one unprotected directory or function leads to full compromise of the application.

An access control mechanism on your cryptocurrency exchange must:

• Enforce server-side verification whether the current user is able to perform given action (Removing or hiding features and resources just in the user interface does not guarantee security.)
• Implement additional authorization (2FA) for sensitive operations (e.g. password change, transfer or withdrawal).

Possible consequences of neglecting this category:

• Access to the exchange clients’ personal data (e.g. balance, PII).
• Performing operations on behalf of other user’s (including sensitive operations such as cryptocurrency withdrawal).
• Privilege escalation.

5. Wallet security

If we were to indicate one key asset of cryptocurrency exchange, it would certainly be users’ funds. Storing them in an inappropriate way can not only affect the liquidity of the exchange, but also its reputation or worse – loss of funds. To prevent this, cryptocurrency exchanges must use cold wallets to safely isolate excess funds that are not needed to provide liquidity. 

Unfortunately, not all exchanges take into account the risks of transfers between a cold and hot wallet and who has access to it. What if something happens to the one and only person authorized to make such a transfer? Or if an attacker is someone inside the company? For example, a person with cold wallet transfer rights?

To safely store exchange funds and keep transparency:

• Use cold and hot wallets to keep balance between liquidity and security.
• Introduce multisig to crucial operations such as transfer from cold wallet.
• Publish the address of a cold wallet to be credible in the eyes of users.

Possible consequences of neglecting this category:

• Theft of all cryptocurrency exchange funds.
• Locked exchange funds.
• Unapproved transfer from the cold wallet by insider threat actor.
• High risk of phishing campaigns and losing all funds due to security bugs.

6. TLS Security

The cryptocurrency exchange, like any other web application, must take into account basic security mechanisms. Unencrypted communication or the use of weak ciphers can lead to interception of sensitive data during a man in the middle attack.

To protect the transport layer:

• Use TLS, do not allow clear text communication (preferably in version TLS 1.3).
• Take care of correct TLS configuration and check it (i.e. are there any encryption algorithms considered to be cryptographically weak in my configuration?).
• Automatically update your certificates, don’t let them expire.

Possible consequences of neglecting this category:

• Leak of sensitive user data through unencrypted communication.

7. Deposits & withdrawals

The cryptocurrency exchange, just like other exchanges, must properly handle deposits and withdrawals. Some of the risks remain the same, but some can be trickier because of cryptocurrencies’ special properties. There are different timeframes that prove a given cryptocurrency can be considered as owned. When it comes to withdrawals, we cannot forget about short address attacks that can lead to theft of funds.

Pay proper attention to deposits & withdrawals:

• Validate received addresses to prevent short address attacks.
• System should book user’s crypto assets after payout cancellation only after making sure that the funds are still in the possession of the exchange.
• Crypto deposits should be booked after obtaining appropriate confirmation dependent on the cryptocurrency (sometimes the specific number of blocks is not enough).

Possible consequences of neglecting this category:

• Approving withdrawals of more funds than the clients have on their account.
• The cryptocurrency exchange liquidity is inconsistent with the assumptions
• Unconfirmed deposits.

8. FIAT payment integration

Cryptocurrency exchanges, beside traditional transfers, introduce other ways for handling deposits to make it more comfortable for their users. In case of unsecured integration with payment providers, the exchange makes an endpoint that is used to confirm the payments public. This endpoint is used by a payment provider to confirm payment after it is accepted and booked. Public endpoint would allow potential attackers to call it directly and confirm the payments that were not handled by a payment provider. Another potential attack on insecure integration is modification of payment data that is sent to the provider. If the data does not have an unambiguous format the attacker could change its parameters and for example pay less FIAT for more cryptocurrency. The integrity check would still succeed for different data.

During FIAT integration remember to:

• Make sure you verify the integrity of data sent by a payment operator e.g. by HMAC.
• Make sure that the payment operator uses unambiguous data format.
• Properly configure callback function (make it available only for the payment operator’s IP).

Possible consequences of neglecting this category:

• Deficient balance of the exchange due to incorrect booking of payments.
• Accepting unconfirmed FIAT deposits.

9. Currency operations & transfers

Transfers in case of cryptocurrency exchanges, in addition to being secure, should also be relatively quick to perform due to large fluctuations in cryptocurrency prices over time. We understand the importance of transaction speed and convenience. However, security must not suffer from this. Internal race conditions or incorrect rounding of the decimal places may lead to loss of funds.

The internal transfers (e.g. between wallets belonging to the same account) must also be checked for rounding bugs and race conditions.

These rules will help secure transactions and currency exchange:

• Define and follow guidelines for the exact number of supported decimals for a given cryptocurrency (e.g. 18 by default for ERC20 tokens).
• If you have the functionality of adding trusted recipients, make sure to check the integrity of their data.
• Validation, balance check, all things from FIAT world need to be checked here as well.
• Apply these rules not only to operations between different users (transfers, buys, sells) but also to operations on the same account (e.g. transfers between wallets belonging to the same user).

Possible consequences of neglecting this category:

• Incorrect booking of transfers leading to loss of funds.

10. Sensitive operation limitation & authorization

Adding some extra security features can not only limit the attack surface, but also prevent it completely. Users’ funds need to be cared for, even when their accounts are compromised.

To protect your users you need to:

• Introduce limits for operations related to crypto assets (e.g. withdrawal), propose safe default settings and allow users to adjust them to their needs.
• By default require Multi-Factor Authorization (MFA) for sensitive operation authorization. Require MFA to change the limits.
• Allow several different authorization methods for users to choose. PUSH notifications from the mobile app are a good choice as a default configuration.
• Authorization code should be unique and random.
• Let users define trusted recipients. Verify their data integrity.

Possible consequences of neglecting this category:

• Stealing all funds from the client’s compromised account.
• Using a compromised account for money laundering and other illegal purposes.

To be continued…

I hope that you are familiar with the vast majority of these categories and pay attention to the elements listed above, and if not, that you will take action and take care of the security of both the exchange and its users. 

The remaining points will be presented in the second part of this article which will be available soon. If you want to be the first one informed about the post, subscribe to our newsletter below, or just follow us on social media.

Meanwhile, if you would like to consult or check the security of your cryptocurrency exchange, don’t hesitate to use the contact form. 

*Note: This series is written in collaboration with Damian Rusinek and Marcin Kolago from Coinerro.

Paweł Kuryłowicz Principal IT Security Consultant
Hackflix Product Lead