Researchers at the Black Hat security conference showed that cryptocurrency exchanges can be vulnerable to hackers. While cryptocurrency exchanges have a high degree of privacy and security to protect their funds, researchers are still finding three ways hackers can attack cryptocurrency exchanges, according to Wire’s August 9 post.
The report says that the cryptocurrency attacks functioned as “an old bank vault with six keys that must rotate simultaneously.” Private keys for cryptocururrency are divided into smaller parts. This means that an attacker must find them together before stealing the money.
Aumasson, an expert in cryptography, and Omer Shlomovitz, co-founder of the key management company KZen Networks, categorized attacks into three categories: insider attacks, attacks that exploit the relationship between the exchange and the customer, and secret key pieces.
Insider Post, Open Source Library Disadvantages and Proxy Verification
The report says that an insider or any other financial institution that exploits a vulnerability in an open source library created by a cryptocurrency exchange is the first way hackers can attack a stock exchange. He explained this:
“In the risk library, the update mechanism allowed the keyholder to start the update and then process the process so that some key components actually changed and others remained the same. Even if you can not merge the old and new key parts, an attacker can essentially cause denial of service, which will permanently shut down leading to exchange at your own expense. ”
An attacker could also exploit another anonymous keystroke due to the lack of an open source library in the key rotation process. An attacker could then manipulate the relationship between the exchange and its customers with false verification data. Those with malicious motives may be reluctant to discover private keys through user exchanges after multiple key updates. According to the report, a fraudulent exchange can start an elevator.
According to the researchers, the latter method can occur when the reliable parties in the cryptocurrency exchange extract their parts from the key. It is assumed that each party generates two random numbers for public verification. The researchers noted that, for example, Binance did not check for these random values and should have solved the problem back in March. The report was added:
“The malicious party that generates the key can send specially crafted messages to anyone who basically picks up all these values and sets them so that the attacker can later use this unconfirmed information to extract some part of the secret key.”
Shlomovitz and Aumasson reported on the news that the purpose of the study is to draw attention to how easy it is to make mistakes when implementing multiple distributed keys for cryptocurrency exchange. In particular, these errors can be more vulnerable in open source libraries.
As Cointelegraph previously reported, CryptoCore launched a phishing campaign against several cryptocurrency exchanges and managed to steal $ 200 million in two years.