Nowadays hundreds of crypto exchanges are offering their services to users worldwide but very few assure smooth, fair and safe trading experiences. The struggle to acquire new users in the extremely competitive industry during the current bear market induces many exchanges to sugarcoat their liquidity with fake trading activity. Furthermore, in the rush for profit, or in current market conditions where exchanges fight for survival, many of them don't exercise due diligence to ensure proper cybersecurity measures to protect users' funds as well as their own. Instead, most of the exchanges, especially those launched last year, are making every effort just to stay afloat. There are numerous exchanges in such dire conditions, but one of them, Bgogo, specifically caught our attention by breaking onto the Coinmarketcap (CMC) leaderboard and soaring straight to 2nd place (see Fig. 1).
Fig. 1 (CMC Top-5 exchanges by reported volume on February 24th)
So, we performed our custom analysis of the exchange's liquidity and cybersecurity by reviewing its charts, orderbooks and trade histories and by calculating its Cyber Security Score via our proprietary model.
Liquidity Analysis
Prior to soaring to $1.5bln in February, the average daily trade volume on the exchange was about $56mln. On March 13th Bgogo sat in 14th place in the CMC ranking with $537 mln (see Fig. 2).
Fig. 2 (Bgogo CMC profile on March 13th)
From the exchange's top 10 markets list, it is apparent that over 99% of the 24-hour reported volume is comprised of six pairs: BTC/USDT, BGG/USDT, ETH/USDT, BGG/ETH, ETH/BTC, and BGG/BTC. Three of them have the exchange's native token BGG as a base currency. Multiple signs of unnatural trading activity have been detected in all of the exchange's most active pairs during the current analysis.
The most apparent sign of faked trade volume is its unjustified stability and inconsistency with price moves, which is the case for most of the exchange's pairs. For illustration, here is an example of fairly natural volume performance, where trade volume aligns with price changes: it rises when the price moves sharply and stays at a higher level while price volatility is higher (see Fig. 3).
Fig. 3 (Binance BTC/USDT hourly chart)
BTC/USDT
The first and most active pair on the Bgogo exchange is BTC/USDT, with $136mln (25.15% of the total) in 24-hour volume, but there were recurring periods when trading activity was hundreds of times lower (max $430k daily).
Fig. 4 (Bgogo BTC/USDT hourly chart)
Fig. 4 features a BTC/USDT hourly chart during a two-week period (Feb 22 - Mar 8) with a number of stable volume pumps and dumps. Through February 23-24th, trading equaled about 4,000 BTC hourly, while hours earlier the trading activity was less than 1 BTC per hour. Then on February 25th, the volume dropped to about 1,500 BTC per hour, lasted for one day and slumped further to just a few BTC per hour. After that, the high trading activity of 1,500 BTC per hour emerged twice: on March 1st (during which it lasted for 26 hours) and on March 8th (which continued for six days).
Fig. 5 (Bgogo BTC/USDT 5-minute chart on February 23rd)
The 5-minute BTC/USDT chart in Fig. 5 displays the period of feeble trading and the subsequent volume pump period with a fairly stable volume of about 350 BTC per 5 minutes. Notably, trade volume performance didn't change even when the price experienced a 4.5% rise from 3,960 to 4,140 USDT.
Fig. 6 (Bgogo BTC/USDT 5-minute chart on February 26th)
Another 5-minute BTC/USDT chart (see Fig. 6) shows trade volume dropping back to less than 1 BTC from about 120 BTC per 5 minutes. Such abrupt ups and downs in volume look as if someone is turning it on and off, which indicates synthetic trading activity.
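The volume checks described above can be quantified. The following is an added example, not part of the original analysis or of the CER model: it measures how flat the volume is and how well it tracks the size of price moves. The candle values are constructed, and the thresholds `max_cv`, `min_corr` and `min_move` are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series has no variance."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / var ** 0.5 if var > 0 else 0.0

def volume_profile(candles, max_cv=0.05, min_corr=0.3, min_move=0.02):
    """candles: [(close, volume), ...] in time order.
    Flags a window whose volume is nearly flat and unrelated to price moves
    even though the price moved by more than min_move overall."""
    closes = [c for c, _ in candles]
    volumes = [v for _, v in candles]
    # Size of each candle-to-candle price move, paired with the later candle's volume.
    abs_returns = [abs(b - a) / a for a, b in zip(closes, closes[1:])]
    avg = mean(volumes)
    cv = pstdev(volumes) / avg if avg else 0.0   # relative volume dispersion
    corr = pearson(abs_returns, volumes[1:])
    move = (max(closes) - min(closes)) / min(closes)
    flagged = cv < max_cv and abs(corr) < min_corr and move > min_move
    return {"cv": cv, "corr": corr, "move": move, "flagged": flagged}

# Constructed candles: volume rises with the sharp price move and fades after it.
NATURAL = [(3900, 40), (3905, 45), (3902, 42), (3960, 180),
           (4050, 260), (4140, 250), (4135, 60), (4138, 50)]
# Constructed candles: about 350 units per candle regardless of a 4.5% price rise.
SYNTHETIC = [(3960, 351), (3962, 349), (3990, 350), (4040, 352),
             (4100, 348), (4140, 350), (4141, 351), (4139, 349)]

if __name__ == "__main__":
    for name, candles in (("natural", NATURAL), ("synthetic", SYNTHETIC)):
        print(name, volume_profile(candles))
```

A flat window on its own is weak evidence; the signal is a flat window that persists through a sizeable price move, repeated across pairs.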
Looking closer into the orderbook and trade history reveals some more interesting facts.
Fig. 7 (Bgogo BTC/USDT orderbook and trade history (February 25th))
Fig. 7 features the orderbook and trade history (in particular, the 20 most recent trades) compiled from a screenshot of the Bgogo web platform taken on February 25th. It represents a snapshot of trading activity during the period of 1,500 BTC hourly trade volume. While observing the orderbook and trade history we noticed that the sizes of trades and orders aren't commensurate with each other. Almost all transactions appeared to be way larger than the orders in the orderbook. The orderbook is filled with orders of less than $100 equivalent except for one to three best bids or offers that are worth above $200, but the trades were larger, with an average value of about 0.75 BTC (~2,850 USD). In fact, most of them could have wiped out all the bids or offers from the orderbook if they were sent as market orders, assuming fair order matching by the exchange.
Fig. 8 (Bgogo BTC/USDT orderbook and trade history (February 28th))
A few days later (on February 28th), when trade volume disappeared from the pair, the trading activity looked very different (see Fig. 8). The orderbook was similarly stuffed with small orders but the trades occurred less frequently (20 trades per 40 minutes versus 20 trades per 30 seconds on February 25th), and 11 out of 20 most recent trades were of the same size, 0.04 BTC, suggesting that all of them were made by one player.
ETH/USDT
Another of Bgogo's active pairs is ETH/USDT, whose trade volume jumped from a few ETH to around 90k ETH per hour (see Fig. 9) simultaneously with the BTC/USDT pump on February 23rd.
Fig. 9 (Bgogo ETH/USDT hourly chart)
The trade volume of ETH/USDT performed similarly to that of BTC/USDT as it lowered significantly on February 25th to about 33,000 ETH per hour and had the same inconsistency in price performance. But unlike BTC/USDT the trading activity wasn't switched off on February 26th but continued at the same pace. It still maintains a fairly stable level of 33k+ ETH (4.5+ million USD) per hour or 800k+ ETH (108+ million USD) daily.
Examination of ETH/USDT orderbook and trade history revealed conditions similar to the inconsistency between sizes of trades and orders of BTC/USDT (see Fig. 10).
Fig. 10 (Bgogo ETH/USDT orderbook and trade history)
The ETH/BTC orderbook is filled with small orders not exceeding 2 ETH ($276) while the average size of the most recent 20 trades is about 17 ETH (~$2,300); thus most of the recent transactions could fill all bids or offers in the orderbook if they were sent as market orders. Furthermore, we noticed that all the trades failed to hit the best bid or offer, but were rather priced somewhere in the middle, a clear sign of volume manipulation.
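The two orderbook checks used for BTC/USDT and ETH/USDT above (trades larger than the resting orders, and trades priced inside the spread) can be expressed as a small audit over one snapshot. This is an added example, not the authors' tooling: the book levels and trades are constructed, and the `threshold` value is an assumption.

```python
def audit_trades(bids, asks, trades):
    """bids/asks: [(price, size)] with the best level first; trades: [(price, size)].
    Returns the share of trades printed strictly inside the spread and the share
    larger than all visible depth on the deeper side of the book."""
    if not trades:
        raise ValueError("no trades to audit")
    best_bid, best_ask = bids[0][0], asks[0][0]
    if best_bid >= best_ask:
        raise ValueError("crossed or locked book snapshot")
    # A trade bigger than the deeper side is bigger than either side on its own.
    depth = max(sum(s for _, s in bids), sum(s for _, s in asks))
    n = len(trades)
    inside = sum(1 for p, _ in trades if best_bid < p < best_ask)
    oversized = sum(1 for _, s in trades if s > depth)
    return {"inside_spread": inside / n,
            "exceeds_depth": oversized / n,
            "avg_trade_to_depth": sum(s for _, s in trades) / n / depth}

def suspicious(report, threshold=0.5):
    """Assumed rule: most trades are both inside the spread and larger than the book."""
    return report["inside_spread"] >= threshold and report["exceeds_depth"] >= threshold

# Constructed snapshot: tiny resting orders, large prints between bid and ask.
THIN_BIDS = [(3800.0, 0.06), (3799.5, 0.02), (3799.0, 0.02)]
THIN_ASKS = [(3810.0, 0.05), (3810.5, 0.02), (3811.0, 0.02)]
THIN_TRADES = [(3804.2, 0.75), (3805.1, 0.80), (3806.0, 0.70),
               (3803.7, 0.90), (3810.0, 0.03)]
# Constructed snapshot: trades print at the best bid or ask and fit inside the depth.
DEEP_BIDS = [(3800.0, 2.0), (3799.5, 3.5)]
DEEP_ASKS = [(3800.5, 1.5), (3801.0, 4.0)]
DEEP_TRADES = [(3800.5, 0.4), (3800.0, 1.2), (3800.5, 0.3), (3800.0, 0.1)]

if __name__ == "__main__":
    for label, args in (("thin", (THIN_BIDS, THIN_ASKS, THIN_TRADES)),
                        ("deep", (DEEP_BIDS, DEEP_ASKS, DEEP_TRADES))):
        report = audit_trades(*args)
        print(label, report, suspicious(report))
```

A single snapshot is taken after the trades it lists, so the book may have moved in between; the result carries weight only when it repeats across many snapshots, as it does in the figures discussed here.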
ETH/BTC
There are no gaps in the trade volume of ETH/BTC pair, but its performance looks synthetic as well (see Fig. 11).
Fig. 11 (Bgogo ETH/BTC hourly chart)
There are multiple periods of different yet stable volume levels in the pair. On February 19th the volume rose from 10,000 ETH to about 38,000 ETH per hour, held steady there for over 5 days and then dropped to about 13,500 ETH per hour, where it still holds today. It is worth noting that in addition to similar inconsistencies between volume and price performance and between orders and transaction sizes, ETH/BTC suffered its most recent drop on February 25th, the same day as previous pairs, suggesting a coordinated action.
Moreover, no matter how large the spread was, 200k satoshi (see Fig. 12) or 11k satoshi (see Fig. 13), virtually all trades occurred somewhere between the best bid and best ask.
Fig. 12 (Bgogo ETH/USDT orderbook and trade history #1)
Fig. 13 (Bgogo ETH/USDT orderbook and trade history #2)
The next three pairs contain the exchange's own token, BGG, as the base currency and feature lots of evidence of artificial liquidity.
BGG/USDT
The most active BGG pair is traded against USDT and apparently is pumped by the same means as ETH/USDT. The BGG/USDT trade volume performed quite similarly to the other pairs, skyrocketing from 10k BGG to 20bln BGG (~17 mln USD) per hour on February 23rd, holding stable for a couple of days, then dropping to 7.5bln BGG per hour on February 25th and still holding fairly stable at that level as of today (see Fig. 14).
Fig. 14 (Bgogo BGG/USDT hourly chart)
Moreover, BGG/USDT price performance looks extraneous and unnatural. It has steady periods alongside choppy action of up to 15% price change (between high and low) in 5 minutes (see Fig. 15). And the trade volume doesn't align with those moves.
Fig. 15 (Bgogo BGG/USDT 5-minute chart)
BGG/USDT orderbook and trade history show transactions persistently avoiding bids and offers and being priced inside the spread regardless of its width.
Fig. 16 (Bgogo BGG/USDT orderbook and trade history #1)
It didn't matter if the spread was 7.5% (62 × 10^-6 USD) (see Fig. 16) or 1.6% (13 × 10^-6 USD) (see Fig. 17) because all trades occurred between bids and asks.
Fig. 17 (Bgogo BGG/USDT orderbook and trade history #2)
Even more fascinating was the fact that the trades worth millions of BGG were priced just inside the spread made of orders less than 1 BGG. That suggests those trades were simply forged.
BGG/BTC
BGG/BTC volume performance is similar to that of ETH/BTC with different but stable levels of trading activity (see Fig. 18).
Fig. 18 (Bgogo BGG/BTC hourly chart)
The BGG/BTC 5-minute chart demonstrates volatile price performance, including periods of steady price adjacent to wild swings of up to 20% within 5 minutes compared to unnaturally stable trade volume (see Fig. 19).
Fig. 19 (Bgogo BGG/BTC 5-minute chart)
The next three consecutive screenshots show how "price volatility" appears as a result of synthetic liquidity. In Fig. 20 the pair has a super tiny spread of only 3 satoshis but a number of recent trades are priced just between the best bid and best ask.
Fig. 20 (Bgogo BGG/BTC orderbook and trade history #1)
The next screenshot (Fig. 21) taken 2 minutes later shows the spread of 258 satoshis which is 86 times larger than 2 minutes earlier and is 12% of the price. Again the most recent trades are priced inside the spread.
Fig. 21 (Bgogo BGG/BTC orderbook and trade history #2)
30 seconds later the spread narrowed to 14 satoshis (see Fig. 22) but stepped up 12% higher than it was 2 minutes before. And the most recent trades began to print inside the new spread.
Fig. 22 (Bgogo BGG/BTC orderbook and trade history #3)
Thus, the BGG/BTC spread managed to widen from 0.15% near the price of 2020 satoshis to 12% and narrow back to 0.62% near the price of 2264 satoshis, which is 12% higher, in a matter of minutes. These facts show that the price volatility is not the result of high trading activity but of strange shifts in the spread suggesting the inadequate performance of market making algorithms.
BGG/ETH
BGG/ETH, the last of the six most active pairs, has the same irregularities described in the previous pairs. They include periods of stable volume inconsistent with price moves (Fig. 23), extraneous price performance ranging from incredible stability with literally no volatility up to 16% price swings within 5 minutes (Fig. 24), and tiny spreads of 15 satoshis made by minuscule orders as well as large trades that are inconsistent with the size of the orders standing in the orderbook (Fig. 25).
Fig. 23 (Bgogo BGG/ETH hourly chart)
Fig. 24 (Bgogo BGG/ETH 5-minute chart)
Fig. 25 (Bgogo BGG/ETH orderbook and trade history)
Cyber Security Score Review
Cybersecurity comprises technologies, processes, and controls designed to protect systems, networks, and data from cyber-attacks. Effective cybersecurity for exchanges reduces the risk of cyber-attacks and protects the exchange's customers (traders) from money thefts. For the cybersecurity assessment, we used the CER Cyber Security Score (CSS) calculation model and generated a result of 7.10 out of 10.00 (see Fig. 26).
Fig. 26 (Bgogo Cybersecurity Score with factors)
Description of the CSS results
Below we review the issues detected by the cybersecurity check of the Bgogo exchange and explain their importance.
The website of the Bgogo exchange doesn't have the appropriate DNSSEC records. DNSSEC is a set of protocols that add a layer of security to the domain name system (DNS) lookup and exchange processes, which are integral in accessing websites through the Internet. While DNSSEC cannot protect how data is distributed or who can access it, the extensions can authenticate the origin of data sent from a DNS server, verify the integrity of data and authenticate nonexistent DNS data.
Bgogo has not implemented Captcha input during the sign-up and sign-in procedures. A Captcha is a short online typing test that is easy for humans to pass but difficult for robotic software programs to complete, hence the test's actual name, Completely Automated Public Turing test to tell Computers and Humans Apart. The purpose of a Captcha is to discourage hackers and spammers from using auto-filling software programs on websites.
A strong user password is one of the basic account security measures. Strong passwords should contain upper and lower case letters, numbers, and special characters. Bgogo has low password requirements: just a length of 8+ symbols, which in practice can be "12345678" or "11111111".
Bug bounty programs (or vulnerability rewards programs) are crowdsourcing initiatives that reward ethical hackers for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as an important part of an organization's vulnerability management strategy. Currently, Bgogo does not conduct any bug bounty programs, either self-hosted or via specialized third-party resources like HackenProof.
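The gap between a length-only rule and the composition requirements listed above can be shown side by side. This is an added example, not Bgogo's code or the CSS model: `length_only_policy` mirrors the 8+ symbols rule, while `hardened_policy`, its `min_len` and `max_run` defaults and the small denylist are assumptions made for illustration.

```python
import string

# Constructed mini denylist; a real deployment would use a large breached-password list.
COMMON = {"password", "12345678", "11111111", "qwertyui"}

def length_only_policy(pw):
    """The rule described above: any string of 8 or more characters is accepted."""
    return len(pw) >= 8

def longest_run(pw, step):
    """Longest run in which each character is `step` code points after the
    previous one (step 0 = repeats, +1/-1 = ascending/descending sequences)."""
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if ord(b) - ord(a) == step else 1
        best = max(best, run)
    return best

def hardened_policy(pw, min_len=10, max_run=3):
    """Return the reasons a password is rejected (an empty list means accepted)."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    classes = {
        "lowercase letter": str.islower,
        "uppercase letter": str.isupper,
        "digit": str.isdigit,
        "special character": lambda c: c in string.punctuation,
    }
    for name, check in classes.items():
        if not any(check(c) for c in pw):
            problems.append("no " + name)
    if any(longest_run(pw, step) > max_run for step in (0, 1, -1)):
        problems.append("repeated or sequential run")
    if pw.lower() in COMMON:
        problems.append("common password")
    return problems

if __name__ == "__main__":
    for candidate in ("12345678", "11111111", "Tr4de!Book#92x"):
        print(candidate, length_only_policy(candidate), hardened_policy(candidate))
```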
Summary
Liquidity analysis of the Bgogo exchange revealed numerous irregularities in its trading activity. First of all, over 99% of the exchange's total volume is made in the six most active pairs, three of which have BGG as a base currency. In all of them, there are periods of unnaturally stable volume inconsistent with price moves and lasting for days.
The pairs traded against USDT (BTC/USDT, ETH/USDT, BGG/USDT) experienced synchronous skyrocketing trade volume boosts on February 23rd from literally idle trading activity to millions of USD equivalent per hour and a simultaneous 2.5 times volume drop two days later. Moreover, BTC/USDT pair liquidity was lately on-and-off, from less than 1 BTC to 1.5k BTC per hour, while ETH/USDT and BGG/USDT maintained stable trade volume for over two weeks. In addition, a vast part of trades in the most active pairs are way larger than all bids or asks combined, meaning that standalone trades could consume all orders from either side of the orderbook in all pairs. Furthermore, most trades are priced in the middle of the spread regardless of its width. And that is the case for all pairs as well. All the facts mentioned above suggest a very high possibility of volume manipulations carried out on the Bgogo exchange.
Besides, the performance of the price in all three BGG pairs was very strange. There were alternations of steady price periods with wild price swings of up to 20% per 5 minutes, which can be explained by the strange spread shifts described in the BGG/BTC pair case. Such weird spread performance combined with tiny orders filling the orderbook suggests inadequate market making.
Cybersecurity analysis resulted in the Cyber Security Score of 7.1 points (out of 10) and revealed the following issues: weak password requirements and an absence of DNSSEC records, captcha tests, and bug bounty programs. Addressing those issues is essential for strong cybersecurity at any crypto exchange responsible for client funds.
Considering all our findings we can conclude that Bgogo is an unreliable and unsafe crypto exchange to trade on.