Loopholes in Exchanges
The following are some of the security loopholes that make it easy for hackers to break into crypto exchanges.
The primary cause of most crypto exchange hacks is “compromised credentials.” Crypto exchange administrators are often prime targets of hackers since they have authorized access to the private keys of all users on the platform. In 2017, reports emerged that hackers had gained access to the PC of a Bithumb exchange employee, which contained personal information of thousands of exchange users that hackers used to steal users’ crypto.
Similarly, in December 2017, BTCManager reported that hackers had stolen about $64 million worth of bitcoin from the NiceHash crypto mining platform, also due to compromised credentials.
In 2016, cyber thieves were able to exploit a loophole in the code for a decentralized autonomous organization (DAO), stealing vast amounts of cryptocurrency. The DAO was designed as a decentralized investment fund that delegated powers to contributors regarding how the funds were applied. The idea was that managing transactions through code solved the problem of human deceit and that shared powers would prevent stealing. Unfortunately, though the system was invulnerable enough to withstand intrusion to some extent, criminals eventually identified a bug in the code that helped them attack the platform.
Test accounts are another avenue through which cryptocurrency hunters access a network since such accounts are typically neither effectively managed nor well monitored. Developers use accounts with different permissions and access privileges to test code and verify that everything works the way it should.
Under normal circumstances, test accounts should only exist in a test or staging environment and are not to be used in a production environment. If test accounts are absolutely necessary, the accounts should have just the minimum level of privileges and access required for basic performance and functionality testing. Dixit recommends that periodic audits of the production environment should identify and remove any rogue test accounts.
Lack of Roles Separation
Dixit also discussed a need to limit who has access to what information and to set clear rules for when access is given. He explains that “Another best practice is to ensure separation of duties and implement the practice of ‘least privileged access’ for accounts.” He recommends strict regulation of developers’ access to production systems to include emergency situations only.
Some of the most massive cryptocurrency exchange hacks in history were a result of transaction malleability. While data stored on the blockchain is immutable, most exchanges still use centralized databases, making them susceptible to transaction malleability attacks. In 2014, hackers took advantage of this flaw to divert $500 million in bitcoin from the Mt. Gox crypto exchange.
Inadequacies in Hot Wallets
Storing cryptos in cold storage remains the surest way of keeping digital assets safe. Exchanges find it a Herculean task to use this method because clients send in withdrawal requests on a 24/7 basis. It is essential for hot wallets to be secured with multi-signature private keys, so as to make it impossible for hackers to compromise the system with just one private key, as in the case of the Coincheck exchange hack of January 2018.
Read our guide on: Protect Your Coins From Crypto Exchange Hacks