Over recent weeks, cryptocurrency exchange security has once again become a headline news event. In late September, KuCoin broke the news that it had suffered a major security incident.
The initial disclosure by KuCoin only stated that its hot wallets had been breached, and various tokens had been taken, including BTC and ERC-20 tokens. It later emerged that the total value of hacked funds was likely to be around $280 million, making it the third-biggest hack in crypto history.
In mid-October, OKEx made its own announcement that it was halting all withdrawals from the exchange due to the fact that one of its private key holders is cooperating with a public security bureau investigation.
The statement also confirmed that the exchange was “out of touch” with the individual concerned. Later reports seemed to confirm that the missing party was OKEx founder, Mingxing “Star” Xu, who was in Chinese police custody.
Weeks later, and OKEx withdrawals remain suspended. Speculation is now rife that Mingxing is the sole owner of the private keys, while users have started to sell off their assets at a loss via the OKEx P2P platform.
Most recently, users have been spooked by some strange movements of funds into Huobi. The Whale Alert Twitter account flagged an inflow of $204 million in a single transaction. Around the same time, there were also rumors that Huobi founders were in the same situation as Star Xu, causing concerns that the exchange would also halt withdrawals.
Huobi later tweeted that it operated a multi-signature security system over its wallets, providing some reassurance to worried users.
Multisig - The Bare Minimum
While some may take comfort from Huobi’s assurances that multi-signature wallets remove the “single point of failure” risk, that’s far from the case. Multisignature wallets, which require more than one signature for any given transaction, are one security measure that exchanges can take to increase security.
However, there are many ways to set up a multisig wallet.
For example, Huobi explained that it has 15 key holders, ensuring no single point of failure can occur. But let’s say all 15 key holders need to sign a transaction. The absence of any one of them would mean the exchange’s wallets are blocked. Therefore, the configuration is more important than the fact of merely having a multisig wallet.
Multisig notwithstanding, there are plenty of other attack vectors for exchanges. In fact, Bybit founder Ben Zhou recently went on the record to explain that, as a centralized web application, any centralized exchange represents a single point of failure, meaning that they’re vulnerable by design.
Perhaps the biggest challenge for an exchange to overcome is the balance of keeping funds in a hot versus cold wallet. Hot or online wallets allow exchanges to respond rapidly to customer requests for withdrawals, which is an essential part of good customer service in a competitive market. However, because they’re online, hot wallets are more vulnerable to hackers, as demonstrated by the recent KuCoin incident.
Zhou believes that security is the more significant consideration and cold wallets are the answer to providing a better assurance of security
Exchange Security Should Be a Holistic Effort
According to Zhou, his exchange takes a more holistic approach to security, protecting information across every point of interaction. This involves taking a zero-trust approach to all elements of the exchange architecture. Bybit works with external reputable security firms to conduct regular penetration testing, which searches for weak points in the exchange’s internal and external system boundaries. For example, a robust penetration testing procedure may involve security consultants simulating phishing attacks on employees' emails, along with trying to brute-force account logins.
Bybit also runs bounty programs that aim to attract white-hat hackers to attempt to breach exchange security in exchange for rewards.
Outpacing the Market
Bybit is a relatively new entrant to the cryptocurrency futures market, having launched its platform in early 2018. However, the exchange has grown significantly to become a major competitor in the growing crypto derivatives space over that time. It’s now trading around $2 billion per day in volume on its BTCUSD market, easily competing with more established rivals such as BitMEX and Huobi.
Although it would be hard to attribute this growth to Bybit’s security-conscious practices alone, the company’s approach to protecting funds and data underscores its motto, which is “listen, care, improve.” Security aside, Bybit has invested significantly in its exchange technology, which it claims can match 100,000 transactions per second, putting it ahead of competitors such as BitMEX, which has ongoing woes with server uptime during times of heavy traffic.
Due to the cat-and-mouse nature of cybersecurity, it would be unrealistic to expect that any exchange comes up with a magical silver bullet that “solves” the security challenge once and for all. But based on recent events, it’s clear that some exchanges are doing better than others. When security issues start to rear their head at one exchange, those who have a solid reputation stand to benefit when users start voting with their feet.