It’s natural for cryptocurrency traders to be concerned about the cybersecurity of their favorite crypto exchanges. The crypto scene’s track record of hacks is particularly alarming, considering the enormous $850 million stolen from exchanges in 2018 and already $219 million hacked in 2019 so far. Recent cybertheft victims include DragonEx ($7 million), CoinBene ($105 million), Bithumb ($19 million), and Binance ($41 million). All crypto exchanges and their users should remember Cryptopia, YouBit, Coinbin and other platforms that could not recover from heists by cybercriminals. And new names might join the list if crypto exchanges neglect necessary cybersecurity measures for their platforms and user funds. The primary goal of this report is not to promote or demote any exchanges, in particular, but to display a full view, the good, the bad, and the ugly of the state of cybersecurity in the crypto exchange industry.
The primary methodology behind this assessment was described in detail in our previous report published in January 2019. For a more multifaceted and balanced evaluation, we have substantially improved our research methods by adding ‘additional feature factors’ to better assess each exchange’s user security parameter options. These include a trading pin, withdrawal pin, IP whitelist, withdrawal wallets whitelist, anti-phishing code, etc. Additionally, for a more equitable assessment, we rebalanced the weight coefficients and grades of various parameters of the Cybersecurity Score (CSS) calculation model. We believe the updated methodology delivers greater defined assessment results.
According to our methodology, the maximum value of CSS is 10 points but the assessment results showed that all exchanges scored in the range between 4 and 9 points. The distribution of results is displayed on fig. 1.
Fig 1. Distribution of Top-100 exchanges by CSS
As is apparent from the chart, only 5 exchanges have the CSS value over 8 points. These are Bibox (8.43), Gate.io (8.33), Binance (8.26), Kraken (8.18) and HitBTC (8.15). The worst cybersecurity score came to be CatEx (4.00), Bithumb (4.14), and CoinEgg (4.43). Along with Hubi (4.59), CoinBene (4.63), DOBI Exchange (4.72), and Bitinka (4.87) these exchanges scored under 5 points out of 10, hence they are the least secure to trade and store funds according to our research. The vast majority of explored exchanges (56 out of 100) have average scores varying from 6 to 7 points.
After reviewing our results we can distinguish the three weakest points in cybersecurity of the 100 crypto exchanges we accessed. Bug bounty program availability is the worst performance factor, as 82% of trading platforms do not have active bug bounties (see fig 1). Despite that, the result is much better compared to our January report (87% exchanges without bug bounties).
Fig 2. Bug Bounty availability
Another notable weakness is related to user security parameters – the password. 68% of exchanges have fair and low password requirements (see fig 3).
Fig 3. Password requirements
For evaluating the strength of requirements we accounted for a required password length and a variety of required symbols such as numbers, letters, upper case, special characters, etc. Moreover, we have checked to see if any exchange allows users to create weak password despite their declared “tough” requirements and based on the results we have defined four password strength grades:
- low – require minimum password length only, usually 6+ and letters or less often 8+ characters
- fair – require only two types of symbols, usually numbers and more rarely numbers and upper case letters
- medium – require 3 mandatory types of symbols: numbers, letters, and upper case or special symbol
- high – require 4 types of symbols and often 10+ or even 12+ symbols length
DNSSEC is the third cybersecurity weakness factor: 60% of the assessed platforms do not have appropriate records for their domains hence are vulnerable to DNS cache poisoning attack (see fig 4).
Fig 4. Top-100 exchanges DNSSEC records
Below is a table with the final results. It contains the scores for Server Security, User Security, Crowdsourced Security, Historical Cases, and Total Cyber Security Score (CSS) calculated by CER according to the updated methodology.
Table 1. Top-100 Exchanges by CSS
As can be observed from the assessment results, only 14% of exchanges have a relatively good total score (above 7 points). That means that for the vast majority of trading platforms there is much to be improved in terms of cybersecurity, especially in user security (average value 5.17 points) and crowdsourced security (82% without bug bounties).
It is our hope that this report will help users to make a reasonable choice of the platform to trade on and crypto exchanges to consider their weak points in cybersecurity.
For the current report, CER analyzed Top-100 exchanges by 30-day volume according to CMC as for June 20th, 2019.
Etherflyer appeared in the initial top 100 list but was excluded because it is a DEX. It was replaced by the exchange who was next in line (101st by 30-day volume) Mercatox.
The assessed cybersecurity parameters are subject to change due to periodical updates and upgrades of trading platforms.
CER as a part of Hacken ecosystem provides an objective rating and certification of crypto exchanges.
Hacken is a cybersecurity ecosystem that ensures the safety of IT companies and digital environments. The company provides complex cybersecurity services and hosts bug bounty programs on HackenProof platform.