Bug Bounty for Crypto Exchanges

Table of Contents

1. The merger of crypto and crypto hacks: A Short History
2. Crypto exchange hacks
3. Statistics
4. Advantages of BB
5. Can a researcher blackmail me?
6. Afterword

The merger of crypto and crypto hacks: A Short History

2009 — the bitcoin network was born when Satoshi Nakamoto mined the first block of the chain, known as the genesis block.
2010 — BTC is hacked exposing a major vulnerability in the system.
2013 — a sharp rise in the number of crypto exchanges.
2014 — cryptocurrency trading exchange Mt. Gox, which was based in Japan, is hacked leaving investors out of pocket.
2015 — Ethereum comes online, giving birth to Smart Contracts.
2016 — The DAO (decentralized autonomous organization) is founded in May – a stateless venture capital fund on the Ethereum blockchain and the largest crowdfunded project to date.
2016 — The DAO is hacked a month after its launch. As a result, a “fork” takes place in Ethereum, which splits into Ethereum and Ethereum Classic.

So what?

Today we have 35 active coins, more than 2000 tokens, and as many as 229 crypto exchanges verified by Coin Market Cap. And the trend continues.

Exchanges are the “cornerstone” of the development of crypto and we will definitely see more exchanges as people want to trade and exchange an ever-growing number of cryptocurrencies and tokens. Moreover, considering the lack of regulations and restrictions, it’d be appropriate to conclude that running an exchange is one of the most profitable business directions in the blockchain industry.

However, the industry is still in its infancy, which manifests in poor security standards. Owners of the exchanges are frequently motivated by “quick money,” prompting them to overlook security problems, and in some cases simply ignore the need for security measures altogether.

Blockchain and cryptocurrency are genius inventions, yet they continue to be vulnerable to hacks. To implement the technology into our daily life, we need to make it more secure.

Crypto exchange hacks

Let’s be frank! When you buy a car, you care more for its tech specs than for its safety rating. How much emphasis do you put on the alarm system? Do you even consider it when choosing? (Spoiler: Honda is the most stolen vehicle in the US)

Comfort, design, and special features are the main parameters to count on. It’s the same with crypto exchanges.

So it’s not surprising that hackers recognized the lucrative opportunity to earn money by exploiting the vulnerabilities of crypto exchanges again and again and again.

When combining these two factors, keep in mind that around $1 billion worth of cryptocurrency was stolen in the first half of 2018 alone! Thus, we may conclude that crypto exchanges are an easy target for cybercriminals.

Let’s take a brief tour of the largest exchanges hacks in recent years.

• Mt. Gox

In 2013, Japanese based Mt. Gox was the largest crypto exchange in the world. In spring 2013, the exchange was handling close to 70% of the world’s Bitcoin trades with daily trade volume sometimes reaching up to 150,000 bitcoins/day.

Interestingly, an investigation has shown that the exchange was hacked as early as September 2011. Most of the crypto was stolen from Mt. Gox’s online wallets. Hackers gradually transferred bitcoins to other wallets without being detected. Mt. Gox thought that their clients were simply transferring their deposits to other locations.

By autumn 2013, the exchange had practically lost all of its Bitcoins, eventually leading to the company filing for bankruptcy on 28 February, 2014.

• Coincheck

Coincheck is a Japanese crypto exchange that was keeping their customer’s funds in a hot wallet (a wallet that is connected to the internet and therefore is vulnerable to hacks).

The details of the hack is unknown because Coincheck refuses to disclose details of the hack, but in January 2018 more than $530 million of NEM coins had been stolen by hackers.

• Bitfinex

Remember how BTC dropped 10% in value in August 2016?

It happened because hackers performed a DDoS attack on Bitfinex and stole $66 million worth of bitcoins.

What do these 3 hacks have in common? They all lacked relevant security measures and had never been tested by security specialists that would have made them much harder for hackers to crack. In addition, there was no simple and effective mechanism of how hackers could report the bugs to the technical team of the exchanges in return for material rewards.

Statistics

According to the research of HackenProof specialists, only 44 crypto exchanges have bug bounty program on one or another platform. Of these 44, half, or  22 of them are self-hosted (not the best option but whatever).

This means that 185 verified exchanges are not protected, not monitored 24/7 by white hat hackers, but can be blackmailed by grey hackers. This means that the owners of 185 crypto exchanges take care of today but not the future.
What exchange will be the next victims of hackers? HitBTC? OKEx? Or maybe Bithumb? You got that right — these top 10 crypto exchanges don’t have a bug bounty program. So stay alert!

You might wake up tomorrow morning and see that all your funds have been stolen and transferred to someone’s wallet. As a user, you are advised to have a cold wallet. As an exchange owner, you must run a bug bounty program.

Advantages of BB

Although a team of experts has made every effort to squash all the bugs in the systems, there’s still a chance that the team might have missed some vulnerabilities that pose a significant threat. From the point of view of cybersecurity, bug bounty is the best solution for a crypto exchange.

Let’s take a look how a Bug Bounty Platform (BBP) works:

1. The Security team helps create a Bug Bounty Program Policy – a document that describes in detail what resources are within scope/out of scope, what is the reporting procedure, what are the rewards for various vulnerabilities and other rules.
2. Once that’s done – BBP will make an announcement to hundreds of its researchers (ethical hackers) that a Bug Bounty Program for their company is live.
3. Hundreds of security researchers (white hat hackers) will start testing their digital assets for months (or even years).
4. All vulnerabilities are reported via the platform and the Triage team validates every report.
5. The company monitors the program activity 24/7, receiving live updates on the discovered vulnerabilities and money spent.
6. Blackhat hackers see that an exchange is protected by their ethical colleagues, constituting a significant reason to find another target for penetration — “there will be neither minor nor critical vulnerabilities.”

In such a way, a public program works. There is also an opportunity to run a private program where only chosen researchers test the systems.

Mind that security researchers don’t perform:

• testing on the accounts other than those that they have created.
• excessive request attempts.
• destruction of the data.

As you can see, lots and lots of researchers with various backgrounds will test the digital assets for a prolonged period of time, greatly reducing the chance that a bug will “slip by”. Traditional security consulting companies simply can’t compete with the talent-base available to Bug Bounty Platforms.

Can a researcher blackmail me?

Two words: Responsible Disclosure.

• White hat hackers guarantee providing a reasonable amount of time to fix the issue before publishing it elsewhere.
• Make a good faith effort not to leak or destroy any exchange user data.
• Agree not defraud exchange users or an exchange itself in the process of testing.

In turn, an exchange promises not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Afterword

Cars are always tested before they’re approved for mass production. Why? Because security matters. No manufacturer can afford creating a car that will explode or break while driving it. One defective car will spoil the reputation of even the most well-known and respected company.

Crypto exchange owners should inherit the same tactics. Security is the cornerstone of the development of the crypto industry and crypto exchanges in particular. So every crypto exchange should start bug bounty to mitigate the risk of being hacked.