


Why Are Crypto Exchanges Hacked So Often?

Forbes Technology Council
POST WRITTEN BY
Ivan Novikov

Last year, at least five major crypto exchanges were hacked. Here are the details:

• December 2017: Hackers steal $63 million in cryptocurrency from NiceHash.

• January 2018: Hackers steal more than $500 million in cryptocurrency from Coincheck.

• February 2018: Hackers steal approximately $195 million in cryptocurrency from BitGrail.

• June 2018: Hackers steal roughly $40 million in cryptocurrency from Coinrail.

• June 2018: Hackers steal $30 million in cryptocurrency from Bithumb.

And that's not all -- other exchanges were hit as well. In this article, I'll explain why so many exchanges are being hacked.

As I explained in my last Forbes article, crypto security is hierarchical: protocol, exchange and personal wallet security are the three layers. If there is an issue at the coin protocol layer, you are compromised regardless of how secure the exchange and wallet layers are. At the same time, the complexity of the protocol layer means that finding an issue like the one behind the DAO hack is far harder than finding a vulnerability in the layers below it, the exchanges and wallets. That is why hackers target exchanges -- it is the most efficient way for them to steal your money. Protocols are hard to hack, and wallets are too widely distributed to attack at scale. Exchanges, which hold many users' funds behind a single web application, are the sweet spot.

Now that we've described why exchanges are the most attractive targets for hackers in the crypto world, it’s a good time to understand why they're hackable.

The reason is simple. Any crypto exchange is a centralized single point of failure and, in that sense, vulnerable by design: it is one web application that executes transactions on behalf of its users and holds one or a few large crypto wallets. That makes it prone to the same security problems as every other website. Everything on the client side (frontend JavaScript, mobile apps, trading terminals and other clients) and on the back end (APIs and data stores) needs to be protected. In my experience, the most critical security problems for crypto exchanges fall into the following buckets:

The Client Side

• XSS: Cross-site scripting (XSS), the most common client-side vulnerability, lets an attacker run their own code in your browser. It arises when the server builds a page from user-controlled input without encoding it, so injected JavaScript/HTML becomes part of the page. There is a myth that two-factor authentication (2FA), such as Google Authenticator or SMS codes, protects against this, but it does not: 2FA only proves that you are present, and you are. Malicious JavaScript that reaches the page through such a flaw simply substitutes the withdrawal wallet address at the moment you submit the withdrawal, after you have entered a valid code. You see nothing unusual and cannot prevent it.

• Open redirects, which enable phishing-like attacks: This is the ability to send you from a link on the real exchange domain to an arbitrary destination. It looks harmless, but it gives attackers two things: 1) it can get the exchange's domain flagged by search engines like Google as a malicious website, and 2) it raises the success rate of malware installation because of the trust users place in the exchange's domain. The typical attack is a link to the exchange's genuine domain (not a look-alike, the real one) that ends at a download of a "new version of the trading desktop client," which is in fact malware that steals your wallet.

• TLS issues in mobile apps (such as missing certificate pinning): This is normally a minor issue. It becomes critical when users travel to countries such as China, Iran or Russia, where governments can intercept internet connections with their own certificates; an app that pins the exchange's certificate refuses to talk to the interceptor, while one that does not hands over the session.

Common CSRF attacks are not on the list because exchanges widely require a second factor on sensitive actions such as withdrawals, and a forged cross-site request cannot supply that code.
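The address-swap scenario from the XSS bullet above, as an added example that is not code from the article or its author. It shows the vulnerable template, a constructed payload of the kind that rides it, and the output-encoding fix plus a Content-Security-Policy header as defence in depth. The function names, the form markup and the addresses are all hypothetical.

```javascript
// Added example, not code from the article: a stored-XSS sink on an exchange
// account page, a constructed payload that uses it to swap the withdrawal
// address after the user has typed a valid 2FA code, and the output-encoding
// fix. Every function name, the form markup and the addresses are hypothetical.

// Vulnerable template: the user-controlled display name is concatenated
// straight into the HTML, so a name containing markup becomes live markup.
function renderProfileUnsafe(displayName) {
  return (
    `<h1>Welcome, ${displayName}</h1>\n` +
    `<form id="withdraw"><input name="address"><input name="totp"></form>`
  );
}

// Constructed attacker payload. Once it runs in the victim's browser it
// rewrites the destination address at submit time. The address the user typed
// is what they saw, and the TOTP code they entered is genuine, so the server
// receives a fully authenticated withdrawal to the attacker's address. No
// second factor can tell the two requests apart.
const ATTACKER_ADDRESS = "0x000000000000000000000000000000000000dead"; // constructed
const PAYLOAD =
  "<script>document.getElementById('withdraw').addEventListener('submit'," +
  `function(e){e.target.address.value='${ATTACKER_ADDRESS}'})</script>`;

// Contextual output encoding for HTML text nodes and double-quoted attributes.
function escapeHtml(value) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => entities[c]);
}

// Fixed template: same page, every untrusted value encoded for the HTML
// context it lands in. The payload is now displayed as text, not executed.
function renderProfileSafe(displayName) {
  return (
    `<h1>Welcome, ${escapeHtml(displayName)}</h1>\n` +
    `<form id="withdraw"><input name="address"><input name="totp"></form>`
  );
}

// Defence in depth: a Content-Security-Policy that forbids inline script, so an
// encoding slip elsewhere on the page still cannot execute the payload above.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Does the rendered page contain an executable <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe page runs script:", containsScriptTag(renderProfileUnsafe(PAYLOAD)));
console.log("safe page runs script:  ", containsScriptTag(renderProfileSafe(PAYLOAD)));
console.log("CSP to send:", CSP_HEADER);
```

Run it with Node. The point of the check is that `renderProfileSafe` is only correct because every untrusted value is encoded for the context it lands in; a value placed inside an inline script or a URL attribute needs a different encoder, and the CSP is there for the day someone forgets.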
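For the open-redirect bullet, here is an added example (not code from the article or its author) of validating a post-login "return to" parameter so the exchange's own domain cannot be used to bounce users to a malware download. The origin `https://exchange.example`, the fallback path and the function name are hypothetical.

```javascript
// Added example, not code from the article: validating a redirect target so
// that a link on the exchange's real domain cannot send the user off-site.
// The origin, the fallback path and the function name are hypothetical.

const EXCHANGE_ORIGIN = "https://exchange.example"; // hypothetical

// Returns a same-origin path to redirect to, or the fallback when the
// requested target cannot be proven to stay on the exchange.
function safeRedirectTarget(requested, fallback = "/account") {
  if (typeof requested !== "string" || requested.length === 0 || requested.length > 2048) {
    return fallback;
  }
  // Reject control characters and backslashes up front: browsers treat "\"
  // as "/" in URLs, so "/\evil.example" would become "//evil.example".
  if (/[\u0000-\u001f\u007f\\]/.test(requested)) return fallback;

  // Resolve the value against the exchange origin and inspect the result,
  // instead of pattern-matching the raw string. "//evil.example",
  // "///evil.example", "https://evil.example", "javascript:..." and
  // "https://exchange.example@evil.example/" all resolve to another origin.
  let resolved;
  try {
    resolved = new URL(requested, EXCHANGE_ORIGIN);
  } catch (err) {
    return fallback;
  }
  if (resolved.origin !== EXCHANGE_ORIGIN) return fallback;

  // Only ever emit a path, never a full URL, so the decision cannot be undone
  // by a later string concatenation in the response handler.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed inputs: what the exchange might receive in ?next=...
for (const candidate of [
  "/account/withdraw?tab=1",
  "//evil.example/trading-client-setup.exe",
  "https://evil.example/",
  "javascript:alert(1)",
  "/\\evil.example",
]) {
  console.log(JSON.stringify(candidate), "->", safeRedirectTarget(candidate));
}
```

The same check applies to any place the exchange redirects on user input, including OAuth `redirect_uri` handling and "continue" links in email. Allow-listing by parsed origin, rather than by prefix of the raw string, is what defeats the `//`, `\`, and `user@host` tricks.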

The Server Side

• NoSQL/key-value injections: These target the popular storage back ends such as Redis, Memcached and MongoDB. Classic SQL injection was largely fixed at the framework and ORM level; the equivalent attacks against NoSQL and in-memory stores are newer, and developers and frameworks rarely catch them. A typical case is a parsed JSON request body passed straight into a query, where an object such as {"$gt": ""} arrives in place of the expected string and turns an equality check into one that always matches.

• Logic issues, mainly race conditions: These are critical and hard for automated tools such as source-code analyzers to discover. An example is two withdrawal requests for the same account processed at the same time: both pass the balance check before either debit lands, and the account ends up with a negative balance.

• Authentication issues (e.g., bypasses): Sometimes passwords and even 2FA do not help because of an authentication bypass. These are logic or input-validation problems that grant access to a user's session without the credentials ever having been properly checked.

There is also a class of breaches in which hackers steal GAS rather than the coins themselves. In some proof-of-stake-style cryptocurrencies, NEO being the best-known example, every coin held in a wallet generates GAS, a second token that is used to pay the fees on transactions. A large share of that GAS accrues to crypto exchanges, because they hold their users' NEO in exchange-controlled wallets. Exchanges typically do not show that GAS to customers, so if somebody steals it, you as a client of the exchange will never know.

Who is the victim in the case of GAS theft? Technically the exchange, but would you know if your transaction fees went up because stolen GAS had to be covered? GAS is one of the good reasons why it's so important to understand security basics while dealing with crypto.

Let’s summarize all the things explained above:

Every crypto exchange has weaknesses in its architecture because exchanges were never part of the cryptocurrency protocols' design: an exchange is an ordinary centralized web application with all the same issues that plague any other web application. Web application vulnerabilities have led to many exchange compromises recently. Some exchanges never announced hacks because the attackers stole only GAS, not the coins themselves, and users never learned of the incidents.
