We frequently notice exchanges that come from nowhere and reach the top of the CMC ranking almost immediately after they appear. A striking illustration of this is the Bitinka ‘success’ case (see Fig. 1).
By reporting huge daily trading volumes, these exchanges easily and rapidly become first in line ahead of well-known crypto exchange giants, such as Binance and Okex.
Lately, an exchange called BitMax has grabbed our attention due to its soaring CMC rating; it recently appeared in the TOP-10 list according to reported daily trade volume and has been holding the highest positions for several weeks already.
While currently sitting in 4th place in the CMC ranking by reported 24-h volume with $560mln, as of January 25th, 2019, BitMax has in recent weeks reached as high as 2nd place with $976mln, leaving behind BitMEX with $717mln and Binance with $420mln of reported volume (see Fig. 2).
We found this a bit suspicious and decided to check whether BitMax exchange really possesses its reported daily trading volumes.
In this research we investigate the exchange from several angles, namely Liquidity and Cyber Security, scored with CER's own models. Finally, we provide a complete Marketing analysis, including an investigation of traffic sources, an examination of media activity and more.
BitMax is a Singapore based crypto exchange launched in July 2018. The bitmax.io domain name was created on the 23rd of February 2018.
The exchange offers crypto-to-crypto trading of 36 coins in 72 pairs with three markets (BTC, USDT, and ETH). Following the latest trend, BitMax employs a transaction mining model providing 100% of trading fee reimbursement in BTMX (BitMax native token).
For some reason it was quite hard to find information about the founders of BitMax, its background and its history. Still, we managed to find out that the CEO and founder of BitMax is George Cao. We checked all the information about the exchange we could find online and came across an interesting interview with the BitMax CEO, in which BitMax positions itself as “the next third-generation digital asset trading platform”.
As far as we understood from the interview, the exchange is mainly focused on a reverse-mining model (analyzed in detail in the next section) and believes that this model will add liquidity to the BitMax platform and improve cryptocurrency market structure in general.
We will use publicly available information to investigate whether BitMax exchange is really outstanding and prosperous or if this is just another exchange which manipulates its trading volume to obtain larger referral traffic from such trustworthy sources as CMC.
As mentioned above, besides the ‘traditional’ transaction mining model, the exchange offers so-called Reverse Mining for makers (traders submitting limit orders that do not get filled immediately). This model gives trade fee rebates in exchange for the equivalent amount of BTMX deducted from the user’s account and locked up permanently (effectively “burned”). The feature is meant to serve as a deflationary mechanism for the BTMX token and as an additional incentive for traders to act as makers, thereby increasing liquidity. Reverse Mining applies to almost all pairs (except those involving BTMX, LAMB, COVA, and CVNT), while only two pairs are eligible for Trans-Fee Mining: USDC/USDT and XRP/BTC. Reverse Mining has yet to prove its efficiency: in practice, over 98% of total trade volume on BitMax comes from the Transaction Mining pairs (see Fig. 3).
Besides, 93-98% of the total exchange volume is usually delivered by the single pair of USDC/USDT. Moreover, starting late December 2018 through January 2019 the daily turnover of USDC coin on BitMax persistently exceeded its total number of coins in circulation (min $230mln – max $385mln) (see Fig. 4).
For instance, on January 25th, USDC/USDT 24h volume exceeded the USDC market capitalization by 2.9 times (see Fig. 5). That means that if every USDC in circulation had been deposited on BitMax, each coin would have been bought and sold almost three times that day. In addition, our analysis of BitMax wallets showed that the exchange’s USDC balance never exceeded $800K, and on January 25th it was $350K, meaning that in order to produce the $941mln of USDC trade volume claimed by BitMax, the amount actually deposited would have had to be flipped more than 2,600 (!!!) times.
It’s worth noting that both tokens in USDC/USDT pair are USD pegged stablecoins. Therefore it has much lower volatility compared to other pairs, making it the perfect instrument for multiple turnovers of any amount of funds with low risk of loss.
Another trans-fee mining pair XRP/BTC also shows inorganic trading activity. Its hourly chart (Fig. 6) displays trade volumes rising during lower volatility period and tiny volumes through periods when prices were riding the roller coaster.
Besides, the pair trade history shows most of the transactions are priced with the precision of 9 digits after decimal point, but a vast number of orders in the orderbook are priced only to 8 digits after the decimal point (see Fig. 7).
During periods of high trading activity the pair's trade history is even more telling (see Figs. 7 and 8).
When trading activity rises, transactions occur more frequently, as orders of 10000 XRP or 5000 XRP appear just in the middle of the spread and get immediately filled. That is how wash trading is usually carried out.
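The three signals described above (volume that dries up when the price moves, trade prints finer than any resting order, and round lots filled strictly inside the spread) can be turned into simple checks over a trade feed. The following is an added example, not CER's own tooling: the order-book levels, trades and hourly bars are constructed to reproduce the patterns in Figs. 6 to 8, and the round-lot sizes, the 25% precision threshold and the -0.5 correlation threshold are assumptions.

```python
"""Heuristics for the XRP/BTC wash-trading signals discussed above.

Added example, not CER's own tooling. Every trade, order-book level and
hourly bar below is constructed for illustration; the round-lot sizes and
the thresholds in assess() are assumptions.
"""
from decimal import Decimal
from statistics import mean, pstdev


def decimals(price: str) -> int:
    """Significant digits after the decimal point: '0.000088135' -> 9, '0.00008810' -> 7."""
    exponent = Decimal(price).normalize().as_tuple().exponent
    return max(0, -exponent)


def precision_mismatch(trades, orderbook):
    """Return (share of trades priced finer than the book, book precision).

    A print occurs at the price of the resting order it matched, so a
    9-decimal trade against a book that never shows more than 8 decimals
    means the matched orders were never visible to other participants.
    """
    book_precision = max(decimals(level["price"]) for level in orderbook)
    finer = [t for t in trades if decimals(t["price"]) > book_precision]
    return len(finer) / len(trades), book_precision


def mid_spread_round_lots(trades, best_bid, best_ask,
                          round_lots=(Decimal(5000), Decimal(10000))):
    """Trades that printed strictly inside the spread in a round lot size.

    A genuine taker lifts the ask or hits the bid; a fill strictly between
    them, in a suspiciously round quantity, is the pattern in Fig. 8.
    """
    bid, ask = Decimal(best_bid), Decimal(best_ask)
    return [t for t in trades
            if bid < Decimal(t["price"]) < ask and Decimal(t["size"]) in round_lots]


def volume_volatility_correlation(bars):
    """Pearson correlation of hourly volume with hourly absolute return.

    Organic volume rises when prices move; a clearly negative value means
    volume dries up precisely while the price is moving (Fig. 6).
    """
    vols = [float(b["volume"]) for b in bars]
    moves = [abs(b["close"] - b["open"]) / b["open"] for b in bars]
    sv, sm = pstdev(vols), pstdev(moves)
    if sv == 0 or sm == 0:
        return 0.0
    mv, mm = mean(vols), mean(moves)
    cov = mean((v - mv) * (m - mm) for v, m in zip(vols, moves))
    return cov / (sv * sm)


# Constructed order book: resting orders quoted to 8 decimals, as in Fig. 7.
ORDERBOOK = [
    {"side": "bid", "price": "0.00008812", "size": "1250"},
    {"side": "bid", "price": "0.00008810", "size": "3400"},
    {"side": "ask", "price": "0.00008815", "size": "980"},
    {"side": "ask", "price": "0.00008817", "size": "2200"},
]
BEST_BID, BEST_ASK = "0.00008812", "0.00008815"

# Constructed trade prints: three are 9-decimal fills inside the spread.
TRADES = [
    {"price": "0.000088135", "size": "10000"},
    {"price": "0.00008812", "size": "437.5"},
    {"price": "0.000088141", "size": "5000"},
    {"price": "0.00008815", "size": "2150"},
    {"price": "0.000088128", "size": "312"},
]

# Constructed hourly bars: heavy volume on flat hours, almost none when price moves.
BARS = [
    {"open": 0.0000881, "close": 0.0000881, "volume": 420_000},
    {"open": 0.0000881, "close": 0.0000895, "volume": 9_000},
    {"open": 0.0000895, "close": 0.0000896, "volume": 380_000},
    {"open": 0.0000896, "close": 0.0000870, "volume": 12_000},
    {"open": 0.0000870, "close": 0.0000871, "volume": 455_000},
    {"open": 0.0000871, "close": 0.0000888, "volume": 8_000},
]


def assess(trades=TRADES, orderbook=ORDERBOOK, best_bid=BEST_BID,
           best_ask=BEST_ASK, bars=BARS):
    """Combine the three signals; thresholds are assumed, not CER's."""
    share, book_precision = precision_mismatch(trades, orderbook)
    inside = mid_spread_round_lots(trades, best_bid, best_ask)
    corr = volume_volatility_correlation(bars)
    return {
        "finer_than_book": share,
        "book_precision": book_precision,
        "mid_spread_round_lots": len(inside),
        "volume_volatility_corr": round(corr, 3),
        "suspicious": share > 0.25 or len(inside) > 0 or corr < -0.5,
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

On the constructed data, three of the five prints are finer than the book, two of them are round lots filled mid-spread, and volume correlates strongly negatively with price movement; any one of these alone is worth a closer look, and all three together are the profile the report describes.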
Cybersecurity comprises technologies, processes, and controls designed to protect systems, networks, and data from cyber-attacks. Effective cybersecurity for exchanges reduces the risk of cyber-attacks and protects the exchange’s customers (traders) from money thefts. For the cybersecurity assessment, we used the CER Cyber Security Score (CSS) calculation model, which is comprised of four high-level factors that consist of a number of sub-factors: server security (9 sub-factors), user security (3 sub-factors), crowdsourced security, and historical security (2 sub-factors).
Applying the CSS model, CER measured the security level of BitMax (see Table 1).
BitMax gained CSS of 7.29 points (out of 10), allowing it to take the 21st position in the Top-100 crypto exchanges according to the CER Cyber Security Score. The exchange lost points due to the detection of the following issues: an absence of appropriate DNSSEC records, weak HTTP Headers report (missing 5 out of 7 headers), low password requirements, and the absence of bug bounty programs.
Description of the CSS Results
DNSSEC is a set of protocols that add a layer of security to the domain name system (DNS) lookup and exchange processes, which have become integral in accessing websites through the Internet. While DNSSEC cannot protect how data is distributed or who can access it, the extensions can authenticate the origin of data sent from a DNS server, verify the integrity of data and authenticate nonexistent DNS data.
HTTP security headers are a fundamental part of website security; once implemented, they protect users against the types of attacks a site is most likely to face. We checked BitMax for seven security headers, and it sets only two of them: Strict-Transport-Security and X-Content-Type-Options.
A strong user password is one of the basic account security measures. Strong passwords should contain upper- and lower-case letters, numbers, and special characters. BitMax's password requirements are low: just 8+ characters, so in practice “12345678” or “11111111” is accepted.
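The two sub-factors just described (the HTTP header check and the password policy) are easy to reproduce as code. The block below is an added example, not CER's scoring code: the seven-header list is an assumption (the report names only the two headers BitMax sets), the HSTS max-age floor is an assumed threshold, the response headers are constructed to mirror the "2 out of 7" finding, and everything in the strong password policy beyond the four character classes is the reviewer's addition.

```python
"""Two CER CSS sub-factors as runnable checks: HTTP security headers
(server security) and password policy (user security).

Added example, not CER's scoring code. EXPECTED_HEADERS, MIN_HSTS_AGE and
the strong-policy length/pattern rules are assumptions; SAMPLE_HEADERS is
constructed to match the report's finding for BitMax.
"""
import re

# Assumed list of the seven checked headers (the report does not reproduce CER's table).
# Each header must match its pattern to count as properly set, not merely present.
EXPECTED_HEADERS = {
    "Strict-Transport-Security": re.compile(r"max-age=(\d+)"),
    "X-Content-Type-Options": re.compile(r"^nosniff$", re.I),
    "X-Frame-Options": re.compile(r"^(DENY|SAMEORIGIN)$", re.I),
    "Content-Security-Policy": re.compile(r"."),
    "X-XSS-Protection": re.compile(r"^1"),
    "Referrer-Policy": re.compile(r"."),
    "Feature-Policy": re.compile(r"."),
}
MIN_HSTS_AGE = 15_552_000  # 180 days; an assumed floor, not CER's


def audit_headers(headers):
    """Classify each expected header as present, weak or missing.

    `headers` is any mapping of response headers (header names are matched
    case-insensitively), e.g. dict(requests.head(url).headers). An HSTS
    header with a short max-age, or X-Content-Type-Options with a value
    other than "nosniff", is counted as weak rather than present.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    result = {"present": [], "weak": [], "missing": []}
    for name, pattern in EXPECTED_HEADERS.items():
        value = lower.get(name.lower())
        if value is None:
            result["missing"].append(name)
            continue
        match = pattern.search(value.strip())
        if match is None:
            result["weak"].append(name)
        elif name == "Strict-Transport-Security" and int(match.group(1)) < MIN_HSTS_AGE:
            result["weak"].append(name)
        else:
            result["present"].append(name)
    return result


def headers_score(headers):
    """(properly set, total checked), the "2 out of 7" figure from the report."""
    return len(audit_headers(headers)["present"]), len(EXPECTED_HEADERS)


def meets_weak_policy(password: str) -> bool:
    """The policy the report observed on BitMax: length is the only requirement."""
    return len(password) >= 8


def meets_strong_policy(password: str, min_len: int = 12) -> bool:
    """Length plus all four character classes, and no repeated unit.

    The four-class requirement is the one the report recommends; the
    12-character minimum, the repeated-unit check ("Aa1!Aa1!Aa1!") and the
    sequential-digit check are the reviewer's additions.
    """
    if len(password) < min_len:
        return False
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        return False
    for period in range(1, len(password) // 2 + 1):
        if len(password) % period == 0 and password == password[:period] * (len(password) // period):
            return False  # the whole password is one short unit repeated
    digits = "0123456789"
    if password in digits * 2 or password in digits[::-1] * 2:
        return False  # ascending or descending digit run
    return True


# Constructed response headers mirroring the report: only HSTS and
# X-Content-Type-Options are set out of the seven checked.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
    print("headers set: %d of %d" % headers_score(SAMPLE_HEADERS))
    for pw in ("12345678", "11111111", "Aa1!Aa1!Aa1!", "Correct-Horse9battery"):
        print(pw, meets_weak_policy(pw), meets_strong_policy(pw))
```

Note that the audit distinguishes "weak" from "present": a site that ships `Strict-Transport-Security: max-age=300` or `X-Content-Type-Options: sniff` would pass a naive presence check but gains nothing from either header. The DNSSEC sub-factor is not reproduced here because it needs a live resolver query rather than an offline check.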
A bug bounty program (or vulnerability rewards program, VRP) is a crowdsourcing initiative that rewards individuals (ethical hackers) for discovering and reporting software bugs. Bug bounty programs are often started to supplement internal code audits and penetration tests as part of an organization’s vulnerability management strategy. Currently BitMax does not run a bug bounty program, either self-hosted or via a specialized third-party platform such as HackenProof.
As we have mentioned above, on the 25th of January BitMax was ranked 2nd, according to Coin Market Cap, for reported daily trading volume (DTV) having conducted $976M in 24h trade volume.
As in our previous reports, we start the Marketing Analysis by comparing the daily trading volume (DTV) and web traffic of BitMax with well-established market players, Huobi Global (#19), Kraken (#47) and Bittrex (#64), to obtain a more objective picture. Today (February 6th, 2019) BitMax is ranked 8th on Coin Market Cap with a reported DTV of $307M, while Huobi Global reports $256M, Kraken $54M and Bittrex $22M. Thus the DTV of BitMax is almost 6 times that of Kraken, ~14 times that of Bittrex, and still $51M more than that reported by Huobi Global.
As usual, for this part of our research we used the advanced version of Similar Web. This website provides analytical services according to various parameters, such as website traffic volume; referral sources, including keyword analysis; and website “stickiness”, among other features.
As we can see (Fig. 12), Similar Web reports 160,782 monthly visits to BitMax (over a 6-month window) with a bounce rate of 33.67%.
Let’s compare BitMax Traffic Overview to that of Kraken, Bittrex and Huobi Global.
As we can see, according to Similar Web the UV of BitMax totals 37K; whereas Bittrex has 1.5M (40 times more than the BitMax index); Kraken captures 887K UV (almost 24 times more than BitMax), while Huobi Global has 415K (11 times more). Isn’t that odd?
The number of monthly visits on BitMax website is ~161K, 60(!) times less than on Bittrex (9.7M), almost 27 times less than on Kraken (4.3M) and 11 times less than on Huobi Global (1.8M).
Overall, BitMax's Similar Web figures are lopsided: the only indicator on which BitMax comes out ahead is Bounce Rate:
We use the formula from our previous reports to estimate the Unique Users of each exchange: UU = UV * (1 – Bounce Rate). Let's calculate the number of Unique Users for each of the exchanges.
According to our calculations, an approximate UU number for BitMax is 25K, while for Huobi Global it is 250K, for Kraken it is 571K and for Bittrex it is 851K. Thus, the number of Unique Users for BitMax exchange is 10 times less than that of Huobi Global, 23 times less than that of Kraken and 34 times less than the same index for Bittrex exchange.
It’s high time we investigate all the traffic sources of BitMax in the most minute detail. Let’s start!
At this point we can conclude that BitMax's main traffic sources are direct visits, organic search and referrals. As for referrals (the highest-quality traffic source), most of them come from CoinMarketCap, which is unsurprising given that BitMax ranked 2nd on CMC on January 25th, 2019 and stayed in the TOP-10 for several weeks afterwards. We therefore assume that most of the attention the exchange attracted stems from its high CMC position, which then converted into new visitors arriving via referral and organic traffic.
Everyone who has heard at least something about the crypto industry knows that, traditionally, the community has played a huge role for every crypto institution. This is especially true regarding exchanges.
That is why a thorough Community Analysis of an exchange’s Social Media Channels has always been a kind of “CER regular column” in every research.
Let’s compare the BitMax Twitter to the accounts of the following exchanges: Kraken, Bittrex and Huobi Global.
BitMax – 1.8K
Kraken – 347K
Bittrex – 748K
Huobi Global – 77K
This time to compare the Twitter accounts we decided to use the tool called Socialblade (this is a website that allows you to track the statistics and measure growth across multiple social media platforms including Twitter, YouTube, Twitch, and Instagram).
Per our research, BitMax has ~1.9K followers on Twitter. The SocialBlade grade for the BitMax account is so low that the tool cannot calculate average retweets and likes, so we calculated them manually: we took the 20 latest BitMax posts and averaged them, getting approximately 22 retweets and 20 likes.
The number of followers for Kraken’s Twitter account is 347K, with the average number of retweets equaling 96, while the average number of likes amounts to 284.
Bittrex’ Twitter account comprises 748K followers. The average number of retweets totals 147, while the average number of likes is 438.
And the final exchange we analyzed in comparison to BitMax was Huobi Global. Per our check, Huobi Global’s Twitter Account has 77K Followers. The average number of retweets is 23, while the average number of likes amounted to 68.
An important point here is that, for some unknown reason, Huobi Global is not very active on Twitter. The last post was made on the 12th of January (almost one month ago). For this reason, it is difficult to take into account Huobi Global’s Twitter in this investigation.
As far as we can see from the analysis of Twitter accounts, many of the exchanges which are not even on TOP 50 positions in CMC rating have stronger Twitter activity than BitMax (which is in the TOP10).
The main question that arose at this stage of our research is how BitMax (the exchange that took the second place in CMC rating less than 2 weeks ago and held this position for several weeks) can have such a small number of subscribers and in general such low activity on one of the main Social Media Channels of crypto market? Where is the BitMax community?
Although BitMax does not have many Twitter followers, it has a fairly large community on Telegram. Neither Bittrex nor Kraken can boast active and large Telegram communities, but Huobi Global has an active Telegram group with 25K subscribers. We also added the Hacken and CER Telegram groups to the analysis, as we know for a fact that the growth of these two groups is 100% organic and credible.
To analyze the Telegram activity we used Combot, the most popular bot for managing group analytics and statistics.
Per our check, BitMax has ~11K members in their TG Group, while Huobi Global has ~25K subscribers, Hacken’s Group numbers ~4K, and the CER Group totals ~300 members. According to the data gathered by Combot, BitMax’s total message number in TG Group is ~19.6K, for Huobi Global this number is ~90K, for Hacken it’s ~19K, while finally the CER Group totals ~2.6K.
The most suspicious fact about TG Group analysis is that BitMax’s total subscribers number is 2.7 times more than the one of Hacken’s Group. However, the number of total messages of BitMax’s Group is almost the same! The difference is only 701 messages! Weird, isn’t it?
We have also found something strange in the TG Group activity of Huobi Global, however, this is a completely separate story and deserves a distinct study.
As for Facebook, the most active account belongs to Kraken, which has 15K subscribers. Bittrex comprises 567 subscribers, BitMax totals 32 subscribers, while Huobi Global has only 14 subscribers. As the activity on Facebook is negligible for most of these exchanges, we don’t see much sense in analyzing this SM channel more precisely.
We have also checked Reddit accounts of the exchanges in question. BitMax has 1.2K subscribers. However, the largest account belongs to Kraken, which seems to be an unofficial social media channel even though it boasts 8.1K subscribers. A similar situation concerns Bittrex’s Reddit account, which is unofficial and comprises 4.9K subscribers. As for Huobi Global, it seems they do not pay much attention to Reddit and have only 113 subscribers.
BitMax provides 24/7 Support via Telegram, Chat and Ticket System (https://bitmaxhelp.zendesk.com). The Support Agents reply almost instantly via Telegram or via Chat system, thus, there should be no issues if BitMax customers require some help. At the end of the chat conversation, you may assess the provided service, meaning that BitMax cares about the quality of the provided Support Service.
Kraken also provides 24/7 Support Service in a chat format, thus, their Support Specialists are available all the time and are ready to assist their customers.
Bittrex uses FAQ and Ticket System for their Support System. Here is what we have found in their guide:
We submitted a test ticket to Bittrex with some general questions to check their ticket response time, and got the reply from them in 7 minutes(!). Checking the Bittrex guides, we also found out that Bittrex aims to create 24/7 Live Chat Support for their Customers in the near future.
Huobi Global claims that their support agents are available 24/7 and can be reached via email, support tickets, and Telegram:
We sent a test ticket to Huobi Global team and got a response 4 hours later. We have also contacted them in their Telegram Group and got an answer within several minutes:
It was a huge pleasure for us to find out that all the exchanges checked seem to care about the Support Service. We consider Customer Support Service to be one of the most crucial parts for every self-respecting company.
All 4 exchanges provide almost instant Support Service, which means that they care about their customers and are ready to help them!
Based on the information gathered from CMC, BitMax’s daily trading volume is almost 6 times higher than that of Kraken, ~14 times higher than that of Bittrex, and still $51M more than that reported by Huobi Global. However, the number of Unique Users for BitMax exchange is 25K, which is 10 times less than the one for Huobi Global (250K), 23 times less than for Kraken (571K) and 34 times less than the same index for Bittrex (851K) exchange.
On analyzing BitMax's traffic, we can conclude that the main source of traffic (96.55%) is direct visits, organic search and referrals (mainly from CoinMarketCap and Icodrops). Email, social traffic, paid advertising and Google display ads together account for only 3.48%. This suggests that the exchange is not trying to grow its community by bringing people to its SM channels through paid marketing and social media marketing, which is not surprising at all: it is easier to chase quick results and easy money than to invest time, funds and energy into building a credible brand and a loyal community.
BitMax's SM channels also look suspicious and unpopular: it has only 1.9K followers on Twitter, whereas TOP-70 exchanges Bittrex, Kraken and Huobi Global have 748K, 347K and 77K, roughly 390, 180 and 40 times more. The Telegram group is no exception: despite ~11K members, the message count is low (about the same as in the Hacken group, which has roughly a third as many members).
The liquidity analysis in Section #2 revealed that 93-98% of total reported trade volume comes from the single USDC/USDT pair eligible for transaction mining. The pair's turnover has consistently exceeded the total number of USDC in circulation since late December 2018, and on January 25th it was 2.9 times higher. Given the USDC balance in the exchange's wallets over the period, those funds were flipped hundreds and even thousands of times. Moreover, the exchange's most active pair consists of two USD-pegged stablecoins, so it has much lower volatility than other pairs, making it the perfect instrument for turning over any amount of funds many times with little risk of loss. The other trans-fee mining pair, XRP/BTC, also showed signs of unnatural trading activity. Considering all these facts, we conclude that most of BitMax's trade volume is manipulated.
As for the Cyber Security overview, BitMax achieved pretty good results and gained CSS score of 7.29 points (out of 10), thus taking 21st place in our TOP-100 Exchanges according to the CER Cyber Security Score. Still, the exchange has several weak points which still require improvements such as an absence of appropriate DNSSEC records, weak HTTP Headers report (missing 5 out of 7 headers), low password requirements, and the absence of bug bounty programs.
One of the weakest spots of BitMax exchange was revealed during our Marketing Analysis: low amount of traffic and weak activity in Social Media Networks. This exchange does not have a wide or active enough community to ensure such high trading volumes.
From the perspective of our Liquidity, Cyber Security and Marketing analysis, we cannot consider BitMax a trustworthy exchange, and we can hardly call it a stable and liquid place for trading. It is, however, relatively safe in terms of cybersecurity, so the final choice remains a personal decision.
The crypto market will hardly reach maturity if exchanges do not stop manipulating trade volume and using unethical marketing techniques.
Keep your eyes on public opinion, make the right decision and choose a risk-free exchange!