Cryptocurrency stories are full of cases of hacking or theft on exchanges.
You can easily remember some recent cases, such as Coincheck, Bitgrail and Bithumb.
More generally, if we look at the last few years, we find sensational cases that have made the economic history of the sector, such as MtGox and Bitstamp.
Exchanges, especially centralized ones, remain a weak point in the virtual currency system, with skilled computer thieves able to exploit some fragilities, as if they were banks with defective or open safes.
This is very serious in a system that now counts more than 1600 listed cryptocurrencies for a value of hundreds of billions of dollars.
But what are the weak points of the exchanges? A research by Spirent Communication indicates the main ones:
- Compromised security credentials: any system has human operators, such as administrators, customer service employees, technicians, etc.. All these people access through their personal credentials. So the easiest way for a hacker is to have these electronic keys that allow easy access to customer funds.
- Vulnerability of the cryptocurrency codes: a code can have encoding errors that can be used by hackers to empty funds deposited on exchanges. This type of trick was used in the case of Ethereum’s DAO in 2016 or more recently Bitgrail accused Nano of coding problems without being able to prove it.
- Test account: when programming an exchange, it is normal for the developer to create test profiles to evaluate the behaviour of the computer system as a whole. When the test period ends, these accounts remain unattended and can easily be hacked. Professional practice requires that these accounts be deleted at the end of the beta testing period.
- Lack of internal hierarchy: a good practice that is not always followed would require a hierarchy of access credentials that takes into account the activities of individual operators. Credentials that are too general can be exploited by hackers.
- Good security practice, such as regular maintenance of accounts and their accessibility allows maintaining a protected environment.
- Transaction malleability: the security point of the blockchain is the fact that transactions, once recorded, are immutable. If I can infiltrate the registration process, I can corrupt the transactions and make them “malleable”. This is the case with MtGox, where hackers discovered they could change their User ID before a transaction was closed.
- Wallets: exchanges use hot wallets, where users deposit their tokens before transactions. If the necessary security measures, such as multisig systems, that require several keys are not used, these can be weak points. The most striking case was that of Coincheck, who had not activated a multisig wallet for Nem.
In short, we need to be careful. Hybrid or decentralised exchanges could solve the hacking problem.