
Security Issues in Digital Asset Exchanges

Mar 05, 2021
Exchange security

Introduction

In the digital asset space, many risks are inherently present, and the trade-off between security and usability is a common way of understanding the laws of this jungle. Regulatory uncertainty, volatility and liquidity, as well as business and reputational risks, are some of those risks. In this article we would like to discuss custody and cyber-security, two risks we consider to be top priority for any digital asset exchange.

“Hacks” have been around for a long time, though not always under the same name. In many industries, the very existence of value creates incentives to extract that value, regardless of the legality of the means used. Think back to the first banks: having vaults and cashiers gave thieves an incentive to try and steal funds. How many stories have we heard about Bonnie & Clyde, Dillinger, and countless others making their way into history through infamous theft?

Main security risks for digital asset exchanges

Why do we consider security risks a priority? As digital assets still navigate a sea of unregulated waters, many exchanges are neither required nor incentivized to have systems in place to prepare for bad times. There are no specific legal requirements that protect users from losses arising from security breaches (hacks).

Usually, security teams within digital asset exchange platforms tend to fix issues as they arise, and have strong expertise in some security aspects but not others. Because exchanges built in-house often also have limited resources, their teams can fall prey to cognitive-behavioural biases that endanger the trading activity. Confirmation bias (the interpretation or recall of information in a way that affirms prior beliefs or hypotheses) is a classic example, arising whenever the team that built a feature is the same one in charge of testing it. An external pair of eyes or a third-party security audit is a good mechanism for catching critical errors that the security development or testing process would otherwise miss.

Hackers have always managed to leverage bleeding-edge technologies and algorithms to crack security protocols. Because of their daily volumes and total custodial funds, exchanges are the (cash-filled) sweet forbidden fruit, making them constant targets for hackers. In fact, according to the data gatherer Chainalysis, the number of theft incidents has been increasing more than linearly, though with a lower average amount per incident. US$ 1.3B, US$ 343M and US$ 523M of users’ funds were stolen in 2018, 2019 and 2020 respectively, a figure that grows further when scams, ransomware and other malicious activity are included [1].

Cases

  • Mt. Gox is an iconic case in the digital asset world: the exchange was repeatedly hacked from late 2011 through 2014. The exchange declared that approximately 850,000 bitcoins belonging to customers and the company were missing and likely stolen, an amount valued at more than $450 million at the time. But the PR and reputational nightmare didn’t end there; because of this, the exchange had to suspend trading and file for bankruptcy protection from creditors [2].
  • A more recent case involves Coincheck, an exchange that was hacked and did not lose cryptocurrency, but suffered a data breach in which the personal identifying information of over 200 users was obtained illegally. The exchange, which had previously suffered the “largest digital currency exchange theft in history” (over US$ 533 million) in 2018, continues to lose credibility because of its repeated errors and the negative impact they have on its users [3].

SCALABLE and security risk mitigation

With SCALABLE you can find a balanced mix of in-house and outsourced teams that can control and respond to cyber threats in advance, preventing any loss of user data or information that could lead to a major hack. We manage this through strong monitoring and state-of-the-art machine learning analytics, as well as by carrying out thorough (robustly compliant) KYC/AML verifications. Furthermore, we can establish a series of controls for insiders, software security controls (like 2FA) and wallet buckets (cold, warm and hot wallets) in order to reduce the risk of compromising users’ funds to a minimum. Our battle-tested security engine has not lost a cent of user funds and provides a standard rarely seen in the industry.

With SCALABLE, you can avoid any damage to your digital asset exchange brand or users through leading technology, whether it be our white label exchange software or our blockchain security audits.

Contact us today to increase the security of your digital asset exchange or broker.


References

[1] Grauer, Kim, and Henry Updegrave. “The 2021 Crypto Crime Report.” Blog.chainalysis.com, Chainalysis, 16 Feb. 2021, go.chainalysis.com/2021-Crypto-Crime-Report.html.

[2] “Mt. Gox.” Wikipedia, Wikimedia Foundation, 17 Feb. 2021, en.wikipedia.org/wiki/Mt._Gox.

[3] Thompson, Patrick. “Coincheck Exchange Pauses Remittances Following Data Breach.” CoinGeek, 4 June 2020, coingeek.com/coincheck-exchange-pauses-remittances-following-data-breach/.
