
Security Analysis of the Most Popular Cryptocurrency Exchanges

After the biggest hack in the history of cryptocurrencies, against Coincheck, a Japanese trading platform, many investors started to pay more attention to security and to which exchange they trust. It is very important to be aware of the security measures taken by trading platforms, because in addition to managing users' money, they also store all of their personal information.

Sqreen, a leading company in securing web applications with customers like Bla Bla Car, analyzed the most famous cryptocurrency exchanges, and what they found is not so comforting. The full post is reproduced below; enjoy the read.


So you’ve finally decided to buy some Bitcoin, Ethereum or any other coin that’s all the rage these days?

At Sqreen, we’re not so much interested in the cryptocurrency craze, but of course more interested in the security aspect of it. After digging into the security of past ICOs (and discovering some disturbing security issues), we’ve now decided to look deeper into cryptocurrency exchanges.

Cryptocurrency exchanges are platforms that allow users to trade coins. Until very recently, before the development of purely decentralized exchanges, all cryptocurrency exchanges acted as the middleman between the token buyer and seller.

Making sure these platforms are secure is essential to provide data and asset security to users. Let’s see why.

Why is security important to digital currency exchanges?

Well, it really depends on the level of honesty of the exchange. If you’re just here to do an exit scam like Coingather, you probably don’t need any.

But let’s just think about a couple of critical points for exchanges:

  • Exchanges store a massive amount of valuable personally identifiable information (PII): names, addresses, government identification details, taxpayer identification numbers and a lot more.
  • Exchanges of course handle a lot of cash or coin deposits and withdrawals.


Examples of successful hacks are countless. The most famous is probably the Mt. Gox hack that left thousands of users without a penny (worth $450 million at the time and x times more today). But others faced similar outcomes: Bitfinex was breached for over 120K BTC, Youbit went bankrupt after a $70 million loss, and Nicehash suffered a $68 million breach.

At Sqreen, we monitor and protect several crypto exchanges, ICOs, and companies involved in the crypto/blockchain space more generally. What we see is that the percentage of malicious requests that these applications have to handle is higher by 2-3 orders of magnitude.

Security status in Cryptocurrency exchanges

So knowing that risk, you would think that all exchanges would take every single action possible to protect their users?

Well, that’s not exactly the case…

We’ve taken a list of 140 cryptocurrency exchanges and checked them for basic security measures that web applications should implement.

Here is an overview of what we found:

Security Best Practice                 Share of exchanges
DDoS Protection                        80.58%
X-Frame-Options                        65.47%
Strict-Transport-Security              39.57%
X-Content-Type-Options                 35.25%
X-XSS-Protection                       29.50%
Using Vulnerable libraries             25.90%
Don’t Expose Server Information        20.14%
Application Security Protection        15.11%
Content-Security-Policy                 2.16%
Public-Key-Pins                         0.72%


This table shows that, out of the 140 exchanges we analyzed, less than 40% use headers like Strict-Transport-Security or X-XSS-Protection. 20% expose server information, which isn’t a security vulnerability in itself but clearly shows the low level of security best practices implemented. And 26% of them use frontend libraries with known vulnerabilities. Only 2% implemented a Content-Security-Policy which, if done well, can offer powerful protection against clickjacking or XSS.
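As an added example (not Sqreen’s tooling or code from the original post), here is a small Python checker for the header-based items in the table above, applied to two constructed sets of response headers. The acceptance rules, such as the HSTS max-age floor and what counts as a useful CSP, are this example’s own assumptions, and the DDoS, vulnerable-library, application-protection and HPKP items are not covered.

```python
import re

# Header-based items from the checklist above. The acceptance rules
# (e.g. the HSTS max-age floor of 180 days) are this example's own assumptions.
def hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 15552000

def csp_ok(value):
    # To help against XSS and clickjacking a policy needs a script/default source
    # restriction and a frame-ancestors directive.
    names = {d.strip().split(" ")[0].lower() for d in value.split(";") if d.strip()}
    return ("default-src" in names or "script-src" in names) and "frame-ancestors" in names

CHECKS = [
    ("X-Frame-Options", "x-frame-options",
     lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    ("Strict-Transport-Security", "strict-transport-security", hsts_ok),
    ("X-Content-Type-Options", "x-content-type-options",
     lambda v: v.strip().lower() == "nosniff"),
    ("X-XSS-Protection", "x-xss-protection", lambda v: v.strip().startswith("1")),
    ("Content-Security-Policy", "content-security-policy", csp_ok),
]
VERSION_HEADERS = ("server", "x-powered-by")

def audit(headers):
    """Map each practice to True/False for one response (header names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {label: (name in h and ok(h[name])) for label, name, ok in CHECKS}
    # "Don't Expose Server Information": fail if Server/X-Powered-By carries a version number.
    result["Don't Expose Server Information"] = not any(
        re.search(r"\d", h.get(n, "")) for n in VERSION_HEADERS)
    return result

def score(headers):
    """(passed, total) for a response, in the spirit of the post's x/10 grades."""
    r = audit(headers)
    return sum(r.values()), len(r)

# Constructed sample responses, not captured from any real exchange.
WEAK = {"Server": "nginx/1.10.3", "X-Powered-By": "PHP/7.0.33", "Content-Type": "text/html"}
HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
```

Calling `score(WEAK)` gives 0 of 6 and `score(HARDENED)` gives 6 of 6; `audit()` shows which individual practice failed.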

We can do better.

Our analysis isn’t saying that these exchanges have blatant vulnerabilities. But I’m questioning whether they implemented deeper security controls and protections if they didn’t implement basic security best practices that only take a few minutes (or seconds with Sqreen) to implement.

After collecting the volume that these platforms handled in the previous 24 hours, I wanted to see if there was a correlation between volume traded and security.

The answer is clearly no. There’s no correlation between transaction volume and security maturity.

The 10 biggest crypto exchanges have an average grade of 3.8 out of a maximum of 10 and a median of 4.5.

We can do better.

BTW the platform with the largest daily $ volume (on the day we did our analysis) only scored a 2/10.

Where should I buy my cryptocurrencies?

We’re not here to do any aggressive public shaming. But if pointing the finger at a couple of better-performing platforms can help cryptocurrency traders to choose a safer trading platform, that’s what we will do.

DISCLAIMER: we’re not recommending any of those platforms.

So here are the 5 best cryptocurrency exchanges:

Exchange        Country      24h Volume         Security Score (out of 10)
bitflyer.jp     Japan        $252,479,706       7
coinbase.com    US           $216,382,640       7
bitfinex.com    Hong Kong    $1,489,668,291     6
kraken.com      US           $481,817,858       6
itbit.com       US           $42,310,323        6

Conclusion

In this article, we analyzed the security of 140 cryptocurrency exchanges and discovered some worrying security issues in most of them.

Security shouldn’t be taken lightly (especially if you’re handling more than $20 billion a day…).
