A Deep Dive into Exchange Security Measures

The world of crypto is a bit chaotic right now.  On one hand, the industry as a whole is showing strong growth, with prices rising, ecosystems building, and platforms innovating.  At the same time, however, we continue to see hacks, scandals, and bad news from many different platforms and especially exchanges.  The SEC battle around XRP and its status as a security is heating up, with potentially positive news combined with signs that the token’s price will be hit with a “correction” in the months ahead to correct market leanings.  Even if all the news is good for XRP, the uncertainty around it has driven up its volatility and undermined its stability.  For Ripple, volatility is the last thing a platform wants to see.  Investors love their safe, secure, and predictable markets, and anything else can make them very risk-averse, very quickly.

In even stranger news, word of a major data leak from Binance surfaced, alleging that sensitive code, along with KYC data and internal passwords, was among the data dumped onto GitHub.  It’s important to note that Binance has denied all claims that data and code were stolen and leaked, though it did submit the request to take down the data.  Other sources suggested that this data was real and being sold on the dark web.  The uncertainty of the situation isn’t great, with Binance users wanting to believe that their personal data wasn’t stolen and that the security of the exchange is still solid.  This may very well be true.  However, with Binance chief executive Changpeng Zhao pleading guilty to money laundering violations, it’s difficult to put full faith in the platform.

What are crypto users to do in a storm of fear, risk, controversy, and insecurity?  This question has been addressed for a number of years now, with mixed results.  Standards for security have arguably risen, but so has the sophistication of hackers.  Centralized exchanges have worked to become more transparent, and yet scandals like FTX show that internal corruption is still a very real risk.  Are there sure ways for platforms, especially exchanges, to be more secure?  Are there other solutions to protecting their users?  Or should risk of attack always be a real possibility, with exchanges needing other ways to protect customers, such as Bitget’s Protection Fund acting as an insurance policy?   Let’s dive in and see what can be done to promote crypto industry growth while protecting the many users depending on its security.

Security Measures Should Focus On High Risk Areas

In order to understand where exchanges should dedicate their security measures, it’s important to know where they’ve been hit the hardest up to this point.  Bridge attacks, wallet hacks, and exchange hacks have cost the industry billions in the last five years, and sadly we continue to see these platforms get hit.  Where large amounts of money are involved, especially in global, not always regulated environments, there are bound to be predators trying to steal it.  Bridges have seen some of the worst attacks, with hackers finding a number of different weaknesses and exploiting them.  In a way, bridges are the armored cash trucks transporting money from one place to another, and hackers find vulnerabilities in the smart contracts that operate them, or might utilize social engineering to exploit them.  Hundreds of millions have been lost in several attacks, with billions lost in total.  

Wallet hacks can happen to individuals or en masse, but involve gaining access to a user’s wallet and emptying it into a different account.  Because crypto doesn’t have an “undo” button, if your wallet is compromised, that money is very likely lost forever except for the rare cases where law enforcement had the skill and jurisdiction required to recover funds.  There has been an entire industry developed to combat this, using cold wallets, hardware wallets, or hot wallets with specialized security.  

Exchange hacks represent a wide range of attacks that target exchanges, both CEX and DEX models.  Centralized exchanges often have safer infrastructure since they control more in-house and rely less on systems that are necessarily out in the open.  However, one of the biggest risks that users have seen is the teams behind centralized exchanges, with a disturbing number of teams abusing or outright stealing funds from their users.  It is becoming less of a surprise when an executive at a CEX is arrested for money laundering or other financial crimes.  Decentralized exchanges remove this key risk but still carry plenty of risk depending on the strength of their code and security.  Measures such as audits, red teams, penetration tests, and friendly phishing attacks can help find and fix weaknesses, but Web3 security will always be an arms race.  That said, the best exchanges are those that are extremely proactive, never satisfied with their security, and transparent with their community.

Taking Ownership

The above strategies for proactive security management are both encouraged and urgently needed by all exchanges.  However, there will always be a risk of data breaches, theft of funds, or hackers who just want to create chaos.  To this end, it seems clear that exchanges must fight to protect their platforms, but also be realistic in how best to prepare for disaster.  Bitget has the most direct manifestation of this “rainy day fund”, which is officially called the Bitget Protection Fund.  It is operated independently with a self-funded model that reached a peak of $442 million in January, though its average amount is $415 million.  According to the platform, the goal is to use these funds to make their customers whole if and when security incidents or market volatility unfairly affect balances.  While steadfast security is a recommended strategy, the crypto community may always need this extra insurance model supplied by exchanges to best care for their communities.  Combined with verifiable Proof of Reserves data, this strategy could go a long way to rebuilding and keeping trust in crypto.  Here’s hoping more and more exchanges will adopt the model and prevent these continued security breaches from destroying trust in the industry.

Source: https://www.crypto-news-flash.com/fortifying-trust-in-crypto-a-deep-dive-into-exchange-security-measures/?utm_source=rss&utm_medium=rss&utm_campaign=fortifying-trust-in-crypto-a-deep-dive-into-exchange-security-measures