According to the portal HedgewithCrypto, over the past 10 years, hackers have hacked 49 crypto exchanges and stole $ 2.7 billion. Nevertheless, the sites are constantly improving protection – there are fewer major thefts. There were nine hacks in 2020, four last year, and only one this year.
Together with Gate.io we tell you what attack vectors are most often used by hackers, how the platform protects customer funds, and what the largest crypto exchanges are afraid of.
What is the security of the exchange
The most common reason for hacking exchanges is the vulnerabilities of the private key store to hot wallets. According to HedgewithCrypto, the hackers also used:
- trading platform bugs;
- phishing;
- gaps in server protection;
- distribution of malicious programs;
- bribing employees.
To protect customers, sites must close these vulnerabilities and develop scenarios for responding to various threats. Some exchanges use unique measures:
- Gate.io has developed a program for on-chain auditing of reserves and the first of the mainstream crypto exchanges provided proof of 100% provision of user balances;
- BitMEX implemented in the trading engine, reconciliation of user balances after each transaction and a stop crane to stop operations if the account of at least one trader does not match the history of his transactions;
- Coinbase launched Coinbase Tracer – own service for checking the purity of transactions;
- Kraken established in server video surveillance systems and put armed guards on them.
Comprehensive site protection is expensive: Gate.io spends millions of dollars a year on it. The exact amount is under wraps.
Hot and cold wallet protection
Exchanges use two types of wallets: hot wallets for daily transactions for accepting deposits and withdrawals, and cold wallets for securely storing assets.
Hot wallet keys are usually stored in a computer with an internet connection so that the site can quickly sign transactions. This is dangerous – hackers can gain access to the machine, steal the private key or redirect transactions to their addresses.
Gate.io uses multi-signature to manage hot and cold wallets, which means that the theft of one key will not lead to loss of control over assets.
In addition, Gate.io keeps keys and backups in hardware security modules (Hardware Security Module) – analogues of Trezor and Ledger for business tasks. All cold wallets are offline.
Site and server security
In 2020, hackers gained access to the servers of the Livecoin exchange, raised Bitcoin and Ethereum quotes to $220,000 and $65,000, respectively, and then stole more than $2 million. Since 2014, eight exchanges have suffered from such hacks.
To counter such attacks, Gate.io uses:
- HTTPS protocol for secure data transfer between users and servers;
- own anti-DDoS and the CloudFlare firewall to protect against traffic that can slow down or paralyze the platform;
- Web Application Firewall (WAF) to combat network attacks – SQL– injections, substitution of access tokens, execution of malicious code in the browser and attempts to brute force passwords;
- protected DNSto prevent hackers from redirecting users to a phishing site.
Gate.io trading core consists of separate modules. This approach does not allow hackers to implement a scenario with the substitution of cryptocurrency quotes, profitability of instruments, or any other platform parameters.
To ensure internal security, the exchange has implemented corporate firewalls and an access control system to corporate resources. If one working computer is infected, the system will detect the virus during the first attempts to read the data.
Account security
If an attacker gains access to a user’s account, they will be able to steal their funds despite the protection measures of wallets and the platform. Therefore, Gate.io requires users to set up two-factor authentication in one of the following ways:
- code in SMS or email;
- Google Authenticator
- login confirmation via hardware security key YubiKeyGate.io hardware wallet Wallet S1 with a fingerprint scanner or other device that supports the FIDO2 standard.
The user also sets a trading password. The platform requests it before any operation with assets: opening or closing a position, transferring funds or withdrawing cryptocurrency to an external wallet. In addition, he can set up a white list of output addresses.
Even if there is a login and password from the account, the hacker will not be able to withdraw or otherwise use the funds in the account. At the same time, Gate.io will send a notification to the account owner about the login from the new IP address and write it to the login log.
For unforeseen circumstances, Gate.io has an account inheritance service. The user specifies the contact details of relatives or friends. If he does not enter the platform for a long time, the exchange will contact the indicated people and, after verifying their identity, will give them access to the account.
Platform transparency
In 2022, crypto enthusiasts faced a new problem: exchanges used their deposits for their own operations. Due to the fall in the rates of bitcoin and Ethereum, the positions of the sites became unprofitable. Companies suspended withdrawals or even declared bankruptcy.
Two years prior, Gate.io developed an on-chain solution proof-of-reserves for an independent audit of reserves. In it, you can find out your real balance on a cold exchange wallet by hash UID.
In July 2022, the audit company Armanino LLP confirmedthat Proof-of-Reserves is working properly and Gate.io is keeping 100% of deposited funds.
Ecosystem security
Crypto exchanges launch blockchains and tokens, but cannot guarantee the security of decentralized applications. So, in March 2021, hackers took over the DNS Pancake Swap on BNB Chain, and intercepted the private keys of some traders.
To fix this Gate.io vulnerability added GateChain has a mechanism for canceling transactions and backing out. Users create special storage addresses and set the number of blocks within which they can cancel sent transactions.
In addition, the vault owner can bind a backup address to it for withdrawal of funds in case the private key is lost. To do this, you need to contact Gate.io technical support.
conclusions
After rebranding on the “About Gate.io” page appeared slogan “Our highest priority is the security of users’ data and assets.” And it’s true: the security system of the exchange closes the known vulnerabilities of trading platforms.
But Gate.io does not stop there: the exchange launched bounty program for white hat hackers and developed a hardware wallet with a fingerprint scanner Wallet S1.
Read Cryplogger bitcoin news in our Telegram – Cryptocurrency news, courses and analytics.
Found a mistake in the text? Select it and press CTRL+ENTER
According to the portal HedgewithCrypto, over the past 10 years, hackers have hacked 49 crypto exchanges and stole $ 2.7 billion. Nevertheless, the sites are constantly improving protection – there are fewer major thefts. There were nine hacks in 2020, four last year, and only one this year.
Together with Gate.io we tell you what attack vectors are most often used by hackers, how the platform protects customer funds, and what the largest crypto exchanges are afraid of.
What is the security of the exchange
The most common reason for hacking exchanges is the vulnerabilities of the private key store to hot wallets. According to HedgewithCrypto, the hackers also used:
- trading platform bugs;
- phishing;
- gaps in server protection;
- distribution of malicious programs;
- bribing employees.
To protect customers, sites must close these vulnerabilities and develop scenarios for responding to various threats. Some exchanges use unique measures:
- Gate.io has developed a program for on-chain auditing of reserves and the first of the mainstream crypto exchanges provided proof of 100% provision of user balances;
- BitMEX implemented in the trading engine, reconciliation of user balances after each transaction and a stop crane to stop operations if the account of at least one trader does not match the history of his transactions;
- Coinbase launched Coinbase Tracer – own service for checking the purity of transactions;
- Kraken established in server video surveillance systems and put armed guards on them.
Comprehensive site protection is expensive: Gate.io spends millions of dollars a year on it. The exact amount is under wraps.
Hot and cold wallet protection
Exchanges use two types of wallets: hot wallets for daily transactions for accepting deposits and withdrawals, and cold wallets for securely storing assets.
Hot wallet keys are usually stored in a computer with an internet connection so that the site can quickly sign transactions. This is dangerous – hackers can gain access to the machine, steal the private key or redirect transactions to their addresses.
Gate.io uses multi-signature to manage hot and cold wallets, which means that the theft of one key will not lead to loss of control over assets.
In addition, Gate.io keeps keys and backups in hardware security modules (Hardware Security Module) – analogues of Trezor and Ledger for business tasks. All cold wallets are offline.
Site and server security
In 2020, hackers gained access to the servers of the Livecoin exchange, raised Bitcoin and Ethereum quotes to $220,000 and $65,000, respectively, and then stole more than $2 million. Since 2014, eight exchanges have suffered from such hacks.
To counter such attacks, Gate.io uses:
- HTTPS protocol for secure data transfer between users and servers;
- own anti-DDoS and the CloudFlare firewall to protect against traffic that can slow down or paralyze the platform;
- Web Application Firewall (WAF) to combat network attacks – SQL– injections, substitution of access tokens, execution of malicious code in the browser and attempts to brute force passwords;
- protected DNSto prevent hackers from redirecting users to a phishing site.
Gate.io trading core consists of separate modules. This approach does not allow hackers to implement a scenario with the substitution of cryptocurrency quotes, profitability of instruments, or any other platform parameters.
To ensure internal security, the exchange has implemented corporate firewalls and an access control system to corporate resources. If one working computer is infected, the system will detect the virus during the first attempts to read the data.
Account security
If an attacker gains access to a user’s account, they will be able to steal their funds despite the protection measures of wallets and the platform. Therefore, Gate.io requires users to set up two-factor authentication in one of the following ways:
- code in SMS or email;
- Google Authenticator
- login confirmation via hardware security key YubiKeyGate.io hardware wallet Wallet S1 with a fingerprint scanner or other device that supports the FIDO2 standard.
The user also sets a trading password. The platform requests it before any operation with assets: opening or closing a position, transferring funds or withdrawing cryptocurrency to an external wallet. In addition, he can set up a white list of output addresses.
Even if there is a login and password from the account, the hacker will not be able to withdraw or otherwise use the funds in the account. At the same time, Gate.io will send a notification to the account owner about the login from the new IP address and write it to the login log.
For unforeseen circumstances, Gate.io has an account inheritance service. The user specifies the contact details of relatives or friends. If he does not enter the platform for a long time, the exchange will contact the indicated people and, after verifying their identity, will give them access to the account.
Platform transparency
In 2022, crypto enthusiasts faced a new problem: exchanges used their deposits for their own operations. Due to the fall in the rates of bitcoin and Ethereum, the positions of the sites became unprofitable. Companies suspended withdrawals or even declared bankruptcy.
Two years prior, Gate.io developed an on-chain solution proof-of-reserves for an independent audit of reserves. In it, you can find out your real balance on a cold exchange wallet by hash UID.
In July 2022, the audit company Armanino LLP confirmedthat Proof-of-Reserves is working properly and Gate.io is keeping 100% of deposited funds.
Ecosystem security
Crypto exchanges launch blockchains and tokens, but cannot guarantee the security of decentralized applications. So, in March 2021, hackers took over the DNS Pancake Swap on BNB Chain, and intercepted the private keys of some traders.
To fix this Gate.io vulnerability added GateChain has a mechanism for canceling transactions and backing out. Users create special storage addresses and set the number of blocks within which they can cancel sent transactions.
In addition, the vault owner can bind a backup address to it for withdrawal of funds in case the private key is lost. To do this, you need to contact Gate.io technical support.
conclusions
After rebranding on the “About Gate.io” page appeared slogan “Our highest priority is the security of users’ data and assets.” And it’s true: the security system of the exchange closes the known vulnerabilities of trading platforms.
But Gate.io does not stop there: the exchange launched bounty program for white hat hackers and developed a hardware wallet with a fingerprint scanner Wallet S1.
Read Cryplogger bitcoin news in our Telegram – Cryptocurrency news, courses and analytics.
Found a mistake in the text? Select it and press CTRL+ENTER
