Audit for Crypto Exchange

Bringing Security to Crypto Trading.

Summary

The client developed a cryptocurrency exchange platform, with high liquidity as well as plenty of functional features. The Exchange supported both spot and leverage exchange, with a leverage ratio up to 200 times that of Bitmex. Specifically, its Circuit mode was also encrypted in the exchange, together with 2-layer and 3-layer security, hot wallet and cold wallet were made available to serve users’ diverse needs.

Tokyo Tech Lab conducted a comprehensive penetration testing and code review of the client’s system (cloud infrastructure, web, mobile, and blockchain wallet system respectively) in just 14 days and identified all the possible holes that could make the system vulnerable to cyber attacks.

Performing an Audit
on a Crypto Exchange

White-box Penetration Testing

The Case

Cryptocurrency is rapidly growing in value. With that comes greater risk.

Cryptocurrency exchanges are becoming extremely prone to hacks and cyberattacks. In 2021 alone, there have been more than four major heists of some of the largest cryptocurrency exchanges around the world. More than $7.6 billion in Crypto assets have been stolen since 2011 (CoinDesk, 2020) and with hackers finding new ways to tackle the security system, the situation only seems to be getting worse.

The client, a cryptocurrency exchange, was aware of the risks associated with the cryptocurrency industry and wanted to have an external penetration test and an in-depth code review of their newly-developed cryptocurrency exchange platform to discover possible vulnerabilities within only three weeks (they come to us three weeks before) before the release date of their platform.

As part of a white-box test, the team was given all necessary permissions to perform a penetration test on the system within only 14 working days. The focus of this test is to perform multiple investigation activities and attacks to discover and confirm existing vulnerabilities in the system. The team’s overall objective was to review the system architecture, evaluate the network, identify subsystems, and exploit flaws while reporting the findings back to the company.

Given a very tight schedule, The Team applied following simplified audit workflow

Understand the situation

Define audit scope

Audit

Report issue

Verify Fixes

With such a short timeline, the team's proposed approach is to rapidly analyze the current system to identify potential risks, prioritize the most critical items, execute penetration tests, report security issues, suggest solutions, and verify hotfixes as soon as possible. During the initial planning phase, cross-border collaboration was done between two teams in Japan and Vietnam.

After the platform's release, Tokyo Tech Lab will also ensure the system's security level, thoroughly analyze all risks in the design and propose plans for further improvements. Regular audits before any major releases will also be done.

The Results

In the comprehensive audit and code review of the client’s cloud architecture, web app, mobile app, and blockchain wallet, Tokyo Tech Lab’ found over 30 security issues with the system. Around ten of them were critical and major vulnerabilities which will need to be fixed immediately before the platform’s release.

Very Weak Admin

Missing Access Restriction in many API functions

Out-dated software

Mobile compatibility - Two factor authentication

Inadequate Rate Limiting

One of the major issues was that restrictions on many API functions were missing. This could potentially allow users to access and change information on another user’s data, which poses a serious security risk. Tokyo Tech Lab suggested relevant fixes and made sure that they were implemented properly.

Another issue was that the platform was using outdated software. It was using outdated versions of Apache, OpenSSL, jQuery Bootstrap, Bootstrap-Vue, Laravel, and PHP, which presents a substantial risk of security breaches and compliance violations allowing hackers to target known vulnerabilities to gain unauthorized access.

Especially in this case, the company is promoting this platform as a modern, very secure platform, and so the use of outdated software shouldn’t be adopted in the first place.