It isn’t surprising that today, apart from the widely practised trade volume manipulation and the lack of transparency in crypto exchange operations, cybersecurity is also an issue of paramount importance. In March 2014, Poloniex lost $64,000; in August 2016, $77 million was stolen from Bitfinex; within half a year, Bithumb suffered a theft of $1 million, and eventually the industry experienced the Coincheck hack with losses of $500 million. In sum, during 2018, hackers stole more than $1.3 billion from crypto exchanges.
Obviously, cybersecurity is the most fundamental thing that must be addressed to the full extent by any exchange before commencing its operations: exchanges must take responsibility for users’ money and personal data.
Considering the immature nature of the crypto industry, the CER and Hacken professionals evaluated the current cybersecurity conditions of the TOP 100 crypto exchanges. In doing so, we seek to show the community which exchanges are sustainable and safe for using, and which are not.
Cybersecurity comprises technologies, processes, and controls designed to protect systems, networks, and data from cyber-attacks. An effective cybersecurity system of exchange reduces the risk of cyber-attacks and protects its customers (traders) from theft. Cyber Security Score (CSS) is one of the main metrics provided by Crypto Exchange Ranks (CER) to calculate the complex rating of crypto exchanges.
In the course of extensive research, the CER team of qualified specialists developed a comprehensive assessment model for security audits, which consists of several essential components:
Let’s take a closer look at the CSS components:
The Server Security component includes a thorough analysis of the following elements: SSL/TLS certificate, WAF & CDN, SPF, DNSSEC, open ports, hidden directories and directory access, secure headers, secure cookies, and presence in spam databases.
If the intruders discover vulnerabilities in the server system, all the server components will be compromised. Subsequently, it may lead to irreversible consequences and enormous monetary losses. Thus, we believe that it is extremely important to check the state of an exchange’s web server and its security system.
The SSL/TLS certificate is an important security measure which protects the sensitive data (e.g. personal information, payment details, addresses, private and public keys, etc.) transmitted to and from the website. The CER team carefully examines the SSL/TLS certificate availability and quality.
CER also checks for the existence of a web application firewall (WAF) and a content delivery network (CDN). A WAF is one of the most crucial security measures, as it is designed to detect and block modern attacks, including those exploiting zero-day vulnerabilities. A CDN, by contrast, is a geographically distributed network of proxy servers.
We carefully examine SPF records, as they help ensure that only authorized hosts can send emails on behalf of a company.
The DNSSEC protocol uses public-key cryptography to sign DNS records so that resolvers can verify their origin. It is a protection measure which prevents the use of forged or manipulated DNS data.
The technical term open port refers to a TCP/IP port number on which a host is configured to accept incoming packets. Every open port is served by specific software that handles the communication. Properly configured software must not reveal its version and the host should not expose any extra or redundant open ports.
Hidden dirs and dirs access – We scan exchange websites for open directories and check the level of data safety.
It is critical to examine the security-related fields in the header section of HTTP request and response messages. If Secure Headers are configured correctly, they can protect against malicious actions, such as man-in-the-middle and cross-site scripting attacks.
Secure cookies are HTTP cookies that carry the Secure attribute, so the browser sends them only over HTTPS, which keeps them off plaintext connections. In practice they are paired with the HttpOnly flag: the two attributes work together so that the browser both confines the cookie to encrypted transport and denies access to its value from client-side scripts.
Existence in Spam DB — We check if any of exchange domain IPs are compromised and exist in spam DBs.
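As an added illustration of the secure headers and secure cookies checks described above (example code, not part of the CER/Hacken report), the following script parses a constructed HTTP response head and reports which security headers are absent and which cookies lack the Secure or HttpOnly attribute. The set of seven header names is an assumption: the report counts seven headers but does not list them.

```python
from email.parser import HeaderParser

# Assumed header set: the report checks 7 security headers but does not name
# them, so the commonly audited ones are used here.
SECURITY_HEADERS = (
    "Strict-Transport-Security", "Content-Security-Policy",
    "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy",
    "Permissions-Policy", "X-XSS-Protection",
)

def parse_response(raw):
    """Split a raw HTTP response head into (status line, parsed headers)."""
    status, _, rest = raw.partition("\r\n")
    return status, HeaderParser().parsestr(rest)

def missing_security_headers(msg):
    """Names from SECURITY_HEADERS absent from the response (case-insensitive)."""
    present = {k.lower() for k in msg.keys()}
    return [h for h in SECURITY_HEADERS if h.lower() not in present]

def weak_cookies(msg):
    """Map cookie name -> attributes it lacks among Secure and HttpOnly."""
    weak = {}
    for value in msg.get_all("Set-Cookie", []):
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        lacking = [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
        if lacking:
            weak[name] = lacking
    return weak

# Constructed sample response (not captured from any exchange): two of the
# seven headers are set and the second cookie lacks both Secure and HttpOnly.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "\r\n"
)

def audit(raw=SAMPLE):
    """Return (missing header names, weak cookies) for one response head."""
    _, msg = parse_response(raw)
    return missing_security_headers(msg), weak_cookies(msg)

if __name__ == "__main__":
    print(audit())
```

On the sample, five of the seven headers are missing, which would place the response in the report's "4-5 headers missing" bucket.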
This component includes a careful verification of the following elements: Captcha, 2FA, and strict password requirements.
In the absence of a Captcha, an attacker can guess a user’s password by automated trial of candidate passwords. The CER team checks for the presence of a captcha, as this is one of the crucial protection methods.
The presence of 2FA significantly increases the security of a user’s account, funds and personal data. Even if an attacker obtains the correct login credentials, they will still need the user’s particular phone or another device to access the account. That is why our specialists always make sure that exchanges comply with this security measure.
We also check the strictness of password requirements. Simple passwords can be easily cracked by sheer brute force, leading to the account theft. Exchanges have to establish strict password requirements to protect user accounts.
A Bug Bounty is a reward offered to individuals for finding errors, vulnerabilities or bugs in a security system. These programs give developers the opportunity to discover bugs, resolve them and prevent incidents of widespread abuse. We are convinced that a public, self-hosted Bug Bounty program is a must for every exchange. In an ideal scenario, the Bug Bounty program should be conducted on a dedicated platform (HackenProof, HackerOne, Bugcrowd, etc.).
For the current report, we analyzed Top-100 exchanges by 30-day reported trade volume according to the CMC. The data was taken on January 1st, 2019.
Fig 1 displays the distribution of the TOP 100 crypto exchanges by Cyber Security Score.
As we can see, only 9 exchanges scored over 8 points (out of 10).
The Top-3 positions in the CSS leaderboard are taken by the following exchanges: #1 – Kraken (9.06 points), #2 – Coinbase Pro (8.74 points), #3 – Binance (8.50 points) and BitMex (8.50).
The worst CSS performers are the exchanges that experienced losses of funds as a result of hacks in 2018: Bithumb (4.67 points), Coincheck (4.48 points) and Zaif (4.31 points).
According to the results of the new analysis model, the three most problematic factors for crypto exchanges are the following: the existence of Bug Bounty programs, DNSSEC records, and HTTP Security Headers (the latter two are both aspects of Server Security).
The factor with the worst results for the selected exchanges is the existence of a Bug Bounty program. Only 13% of the trading platforms have ongoing bug bounty programs: 6% host them on their own, and 7% use specialized platforms such as HackenProof or Bugcrowd for that purpose (see fig 2).
Disclaimer: We carried out calculations only if an exchange has a bug bounty program. If an exchange has one and it’s not included in our rating, its administration should contact us via firstname.lastname@example.org and provide us with information on the program. If everything is in order, we will correct the rating results to increase the exchange’s score.
Read also our recent research solely on Bug Bounty for Crypto Exchanges.
DNSSEC is the second most commonly failed factor among the exchanges: 60% of the checked platforms don’t have appropriate records for their domains (see fig 3).
Another weak point for the TOP 100 crypto exchanges is their HTTP Security Headers. The corresponding check for 7 headers showed that 59% of exchanges miss 6-7 of them, 17% miss 4-5 headers, 13% miss 2-3 headers, and only 11% miss no more than 1 header (see fig 4).
You can find the table with the aggregated results of TOP 100 Crypto Exchanges According to The CER Cyber Security Score (CSS) below.
Today, cybersecurity is crucial for the development of the crypto industry. Computer networks have been susceptible to attacks since they were first created, and it seems that the threat of cyber-attacks will continue to grow along with technology. The Cyber Security Score by CER gives you an idea of the possible risks associated with trading on particular crypto exchanges from the TOP 100 list. As we can see, the majority of exchanges from the TOP list based on trade volume are at the bottom of the CER CSS rating. For example, DOBI (TOP 25 on CMC) is 93rd, ZBG (TOP 15 on CMC) is 96th, and Bithumb (TOP 1 on CMC) is 98th in the CER TOP 100 CSS. Although these exchanges lag behind in their security systems, they are evidently quite popular among users, as indicated by their trade volume. Their high position on other ranking lists shows that rating approaches need to be improved to take security into account more carefully.
That’s why almost every month we see announcements of new multi-million hacks of crypto exchanges. CER encourages all crypto exchanges to go through Security CERtification to reduce the number of hacking cases and the damage to the reputation of the crypto industry. Only in this way will the market become mature and begin to prosper.
Download the Full Report to get more details on our conclusions!