Is Your DEX Vulnerable to a Cyber Attack?

Cryptocurrency exchanges are a central part of the cryptocurrency ecosystem.  Because there are a number of different cryptocurrencies, crypto users need the ability to both purchase/sell crypto for fiat and to trade between different types of currencies.

Cryptocurrency exchanges provide this ability to trade one type of currency for another.  These exchanges come in two types:

• Centralized: A centralized cryptocurrency exchange operates like a traditional currency exchange.  An organization manages the exchange, setting the exchange rates and controlling the user assets entrusted to the exchange.  Due to their centralized nature, these exchanges are often more subject to regulations and have Know Your Customer (KYC) requirements.

• Decentralized: A decentralized exchange lacks a centralized authority that manages the exchange.  These exchanges are typically implemented as smart contracts and provide traders with a higher degree of control over their digital assets than a centralized exchange.

The decentralization of DEXs can be a major advantage.  However, it also creates potential security concerns.  With a centralized exchange, there is an organization responsible for the exchange’s operation and that may provide restitution in the event of a breach or other incident.  With a fully decentralized exchange, such mechanisms may not be in place, making security more vital.

CER is a new platform designed to rank the security of DEXs.  Their rankings are based upon a number of different factors.  However, the most important considerations for DEX cybersecurity are whether or not the platform has undergone a security audit, whether an effective bug bounty program is in place, and if the DEX website is properly configured to use SSL/TLS.

Let’s take a closer look at these three factors:

At their core, DEXs are computer programs running on a decentralized smart contract platform.  The use of a smart contract platform has its advantages but also raises the stakes for security.  Due to the immutability of the blockchain’s distributed ledger, it is largely impossible to reverse the effects of a successful smaart contract hack.  For this reason, it is essential to ensure that a smart contract is as secure as possible before deploying it.  

A crucial part of this process is subjecting the smart contract to a comprehensive penetration test or security audit.  This involves having an experienced cybersecurity team thoroughly investigate the smart contract, web frontend, and other infrastructure for potential exploitable vulnerabilities.  While this does not guarantee that all potential security holes will be identified and remediated, a good security audit and penetration test can make a DEX much less vulnerable to attack.

In addition to checking if an audit has been performed at all, some important criteria to look for when evaluating a DEX’s security audit include:

• Audit Scope: Often, blockchain security audits focus on the smart contract code to the exclusion of everything else.  A smart contract-focused security audit can miss a wide range of potential vulnerabilities.

• Audit Regularity: The attack surface of most smart contracts is constantly changing, and DEXs are no different.  Code changes may introduce new vulnerabilities, and newly discovered vulnerabilities could impact existing code.  Security audits should be performed regularly (i.e. at least yearly) and after any major code changes.

• Audit-Driven Changes: A security audit is only useful if it improves the security of the platform under test.  For any issues outlined in the audit report, verify that they were corrected and that the DEX’s company didn’t just push back claiming that they were “out of scope”, “not exploitable”, “not a real issue”, etc.

A successful security audit doesn’t guarantee that a DEX is free of exploitable vulnerabilities.  However, it is a crucial first step to securing a DEX.

Not every vulnerability in a DEX will be discovered by a security audit.  For this reason, it is vital to have a mechanism in place for independent security researchers to look for and report security flaws and be rewarded for their efforts.

All DEXs should have a bug bounty program registered on a major bug bounty platform (eg. HackerOne, BugCrowd).  This helps build visibility and increases the probability that ethical hackers will look for and identify vulnerabilities in the platform, enabling them to be corrected before they are exploited by a malicious hacker.

DEXs have web-based frontends, and these frontends should follow security best practices.  Among these is the use of SSL/TLS.  SSL/TLS provides authentication, confidentiality, and integrity protections.  This helps users to ensure that they are on the right site and that their data is not being eavesdropped upon or modified as it flows over the internet.

Qualsys scores websites based upon how they implement the SSL/TLS protocols.  All DEX sites should have a high score from Qualsys SSL Labs.

DEX owners and users alike have an incentive to ensure that these platforms are secure against cyber threats.  A cyberattack against one of these platforms can ruin its reputation and cause the loss of its customers’ digital assets. 

To find out how you can protect your DEX from cyber attacks, contact Halborn today at halborn@protonmail.com.