Security Threats to Digital Currency Trading Platforms
I. Recent security incidents relating to digital currency trading platforms
Recently, digital currency exchanges have been frequently affected by security incidents. In January 2018, the Japanese Coincheck Exchange was hacked and lost about $534 million XEM coins. In February 2018, the trading price of ETH-based XMRG tokens quickly plunged to zero after rising by 787%, resulting in huge financial losses for a large number of users. This can be attributed to the integer overflow vulnerability in its smart contract code, which caused hyperinflation after dumping of excessive coinage. In March 2018, the Binance Exchange was hacked and user information was stolen by hackers to conduct large transactions and manipulate the market for a profit of over $100 million. In April 2018, the ETH-based BEC tokens and SMT tokens suffered from token transfer-out successively due to overflow vulnerabilities in smart contracts, triggering panic dumping in the market that led to market value plummeting close to zero. Such cases have become all too common.
Two observations can be made from these phenomena. Firstly, the incidents occur very frequently. It should be noted that the events mentioned are only a fraction of the more significant of late. If we extend the timeframe or take into account all minor and undisclosed events, the figures will be even more surprising. Secondly, the losses suffered by platform or users have been significant, ranging from tens of millions to hundreds of millions of dollars.
In fact, we can get more information from these events with an in-depth analysis.
In early March 2018, the well-known digital money trading platform, Binance, saw a large number of abnormal account transactions that affected trading on the digital currency market. The modus operandi is rather interesting, which shall be elaborated further. What is of note is that an article was published after the incident, accusing Binance of orchestrating the entire incident, to which Binance co-founder, He Yi, responded by refuting the accusation. The truth of the matter is not for me to speculate here, but I would like to quote from He Yi's response: “Security issues such as this are almost inevitable, and all types of exchanges are threatened by attacks every day. For one, current policies are so limited that the token industry is not unlikely to operate like traditional exchange systems. Also, the virtual currency exchange is newly established and requires time to reach to reach maturity, whether in terms of risk control or technology accumulation.”
Whether you agree with her depends on your perspective, but my point is the line of thought espoused in this statement. Comparing the digital currency trading platform to traditional financial transaction platforms is what this article seeks to discuss.
II.Why do hackers attack digital currency exchanges?
Logically, any subjective act has a purpose. The purposes of hacking are varied, ranging from showing off technical competence to making political appeals. In most cases though, the objective is to obtain financial rewards.
In real life, traditional financial institutions such as banks or stock exchanges are likely to be the targets of hackers. Yet, the track record is comparatively less compared to digital currency exchanges. Let's analyze further.
I believe there are two possible reasons. Firstly, the assets held by traditional financial institutions, whether digitized legal tender (relative to substantiated banknotes and coins) or security vouchers, are generally registered, their circulation process can be tracked, and they are under supervision. It is difficult and costly to make transfers undetected. Also, the traditional financial industry has had a long history of digitization. The talent reserve, technology accumulation, institutions and norms are mature, and the level of information security is comparatively much higher. It is very difficult for hackers to break into the system, steal away the assets and get away scot-free.
For digital currency exchange however, the story is rather different. On one hand, the anonymous, irreversible and unsupervised nature of digital currency allows for easy transfer of assets and compounds the difficulty of tracing assets back to source. On the other hand, digital currency trading is novel and rapidly developing, with high profits and yet lacking technology grounding. With scant attention paid to information security and hidden security vulnerabilities in abundance, the industry remains vulnerable to hacking.
III. Security threats faced by digital currency exchanges in terms of technology
As far as the author is concerned, digital currency exchanges are facing two security threats in terms of technology.
1.Security vulnerabilities of the traditional information system
In this aspect, the digital currency exchanges are not too different from the traditional financial institutions in that their entire information system comprises Web server, back-end database and other elements. Users access the server through the browser, mobile App, and APIs provided by exchanges at the client side.
Combined with the event logs in the first part hereof, it can be seen that the security threats in this aspect are mainly server software vulnerabilities, improper configuration, DDoS attacks, server-side Web program vulnerabilities (including technical vulnerabilities and business logic defects), security issues with office computers and internal personnel attacks.
For big exchanges with a large number of users, there is also the issue of users' authentication information being swindled by counterfeit phishing websites. The Binance Exchange mentioned above is just an example. According to the official statement, the attackers swindled the authentication credentials of some users through phishing, and then initiated a large number of transactions on the API to exchange other currencies in the users' accounts into bitcoin. Binance detected the abnormality in time and froze the withdrawal function. Interestingly, even though the attackers could not withdraw the coins, they turned to another cunning approach, that is, to manipulate the market and influence the price of other currencies using the huge amount of bitcoin under its control, and then short-sell in other digital currency futures exchanges. Eventually, they gained a profit of more than $100 million without any coin withdrawal. In this incident, the attackers took advantage of the huge impact that Binance had on the market. In theory, they did not steal the digital currency, but "exchanged" the currency. As the large number of short-selling orders were scattered across hundreds of other exchanges, the source could not be traced.
The figure below shows the vulnerability statistics of the Decentralized Vulnerability Platform (DVP).
The platform recorded the first vulnerability information on July 12, 2018. As the time of writing, more than 1,800 vulnerabilities have been recorded in less than two months, and the number is still growing by more than ten per day.
Last month, a security team claimed to capture a 0day vulnerability, which is a logical loophole in the entire station program of a digital currency exchange. This program is used by hundreds of small and medium-sized exchanges. While it is widely believed that the large exchanges at home and abroad will not buy or use this kind of one-stop station program developed by a third party, there may subsequently be those who are lured by high profit margins and rapid pace of development to quickly enter the digital currency exchange industry. A keyword search of terms such as "digital currency", "exchange", "platform" or "development" will reveal a high level of demand in this regard.
In fact, it is acceptable to use a third-party system developed at the initial stage. Take traditional banking for example, the information systems of a large number of small and medium-sized banks are customized from third-party products, while strict supervision at the government level and the long-term technical accumulation of the development companies ensured their security to a certain extent. The digital currency industry is different in this aspect, however, as the individuals and teams engaged in this development are limited in their capabilities to guarantee product quality, and it is no wonder that security vulnerabilities continue to exist.
To resolve this security issue, we should mine for and repair systemic vulnerabilities through penetration testing, code audit and other security services, and build a better security system with reference to security norms and best practices of the traditional financial industry.
2.Security vulnerabilities of the smart contracts
ETH is known as the representative of the "blockchain 2.0" technology because it supports the operation of smart contracts. In other words, the Bitcoin system consists of the underlying blockchain technology and a "contract" that defines the rules for reward distribution. ETH provides a ready-made underlying blockchain network from which developers can develop and deploy their own smart contracts in programming languages such as Solidity, including simulating a Bitcoin-like product. Solidity is a comprehensive program development language of Turing, so theoretically, it can be used to implement various distributed applications.
The developer writes the smart contract code and deploy it to the blockchain, and the program will be executed on the EVM virtual machine at the ETH node. After the code is on the blockchain, each node performs the same operation and synchronizes the data state.
As with traditional programs, smart contracts inevitably suffer from security vulnerabilities. The difference is that the blockchain is irreversible in nature, so it is difficult to fix the problems once the contract is deployed. After token distribution contracts with vulnerabilities such as integer overflow are deployed and tokens are traded at the exchange, the vulnerabilities are triggered and utilized to release a large amount of tokens in a short period of time, which will affect their market value and cause huge economic losses for both the exchange and the users.
The security threats in this aspect are quite different from the traditional information security loopholes. Similar attacks have occurred in the traditional financial markets, such as George Soros's operation of Hong Kong dollar during the Asian financial crisis in the late 20th century. The difference is that in the traditional financial market, a huge amount of fund is required to launch such an attack. In the field of digital currency, however, those who know how to exploit vulnerabilities in contracts are theoretically able to launch such an attack.
The figure below is part of the vulnerability information of token contracts developed based on the ETH ERC-20 smart contract standard:
The actual threat may be much more serious. The smart contracts are called "smart" in that once deployed on the blockchain, its execution process is transparent and irreversible, and does not need manual intervention, which naturally resolves the issue of trust in the execution process. Herein lies the fundamental problem that blockchain technology is designed to solve in the first place. A contract code with loopholes can still be exploited after execution, which departs from the original intention of design, and the advantages of the blockchain technology become obstacles to loss recovery instead.
In response to the security threats in this aspect, the exchanges should first audit the security of the contract code prior to launch of tokens, so as to minimize any chance of hacking and nip them in the bud whenever possible.