Security analysis of the most popular cryptocurrency exchanges

So you’ve finally decided to buy some Bitcoin, Ethereum or any other coin that’s all the rage these days?

At Sqreen, we’re not so much interested in the cryptocurrency craze, but of course more interested in the security aspect of it. After digging into the security of past ICOs (and discovering some disturbing security issues), we’ve now decided to look deeper into cryptocurrency exchanges.

Cryptocurrency exchanges are platforms that allow users to trade coins. Until the very recent development of purely decentralized exchanges, every cryptocurrency exchange acted as the middleman between the token buyer and the seller.

Making sure these platforms are secure is essential to providing data and asset security to users. Let’s see why.

Why is security important to digital currency exchanges?

Well, it really depends on the level of honesty of the exchange. If you’re just here to do an exit scam like Coingather, you probably don’t need any.

But let’s just think about a couple of critical points for exchanges:

  • Exchanges store a massive amount of valuable personally identifiable information (PII): names, addresses, government identification details, taxpayer identification numbers and a lot more.
  • Exchanges also handle, of course, a lot of cash or coin deposits and withdrawals.

Gimme all your bitcoins

Examples of successful hacks are countless. The most famous is probably the Mt. Gox hack that left thousands of users without a penny (worth $450 million at that time, and many times more today). But others faced similar outcomes: Bitfinex was breached for over 120K BTC, Youbit went bankrupt after a $70M theft, and Nicehash suffered a $68M breach.

At Sqreen, we monitor and protect several crypto exchanges, ICOs, and, more generally, companies involved in the crypto/blockchain space. What we see is that the percentage of malicious requests these applications have to handle is two to three orders of magnitude higher than what we see elsewhere.

Security status in Cryptocurrency exchanges

So, knowing that risk, you would think that all exchanges would take every possible action to protect their users?

Well, that’s not exactly the case…


We’ve taken a list of 140 cryptocurrency exchanges and checked whether they implement the basic security best practices every web application should have.

Here is an overview of what we found:

Security Best Practice              % of exchanges
DDoS Protection                     80.58%
X-Frame-Options                     65.47%
Strict-Transport-Security           39.57%
X-Content-Type-Options              35.25%
X-XSS-Protection                    29.50%
Using Vulnerable libraries          25.90%
Don’t Expose Server Information     20.14%
Application Security Protection     15.11%
Content-Security-Policy              2.16%
Public-Key-Pins                      0.72%

This table shows that, of the 140 exchanges we analyzed, fewer than 40% use headers such as Strict-Transport-Security or X-XSS-Protection. 20% expose server information, which is not a security vulnerability in itself but clearly shows how few security best practices are in place. And 26% use frontend libraries with known vulnerabilities. Only 2% implement a Content-Security-Policy, which, done well, offers powerful protection against clickjacking and XSS.
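To make the header checks behind this table concrete, here is an added example of a small audit script. It is not Sqreen’s scanner or scoring method: it evaluates the response-header practices from the table (HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, server-information exposure and CSP) against constructed header sets for three hypothetical exchanges (the `.example` hostnames and all header values are made up), and computes the per-practice adoption rate the same way the table reports it. DDoS protection, vulnerable-library detection and application security protection cannot be judged from headers alone and are left out.

```python
"""Audit HTTP response headers against the best practices counted in the table.

Added example, not Sqreen's scanner. Sample header sets below are constructed.
"""
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]


def _get(headers: Headers, name: str) -> str:
    """Case-insensitive lookup: HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def has_hsts(headers: Headers) -> bool:
    """Strict-Transport-Security present with a non-zero max-age."""
    for part in _get(headers, "Strict-Transport-Security").split(";"):
        key, _, value = part.strip().partition("=")
        value = value.strip()
        if key.lower() == "max-age" and value.isdigit() and int(value) > 0:
            return True
    return False


def has_frame_options(headers: Headers) -> bool:
    """X-Frame-Options set to one of the two values browsers honour."""
    return _get(headers, "X-Frame-Options").strip().upper() in ("DENY", "SAMEORIGIN")


def has_nosniff(headers: Headers) -> bool:
    return _get(headers, "X-Content-Type-Options").strip().lower() == "nosniff"


def has_xss_protection(headers: Headers) -> bool:
    """Only an enabling value ("1" or "1; mode=block") counts, not "0"."""
    return _get(headers, "X-XSS-Protection").strip().startswith("1")


def has_csp(headers: Headers) -> bool:
    """default-src is set and does not contain the wildcard ("default-src *" is no protection)."""
    for directive in _get(headers, "Content-Security-Policy").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "default-src":
            return "*" not in tokens[1:]
    return False


def hides_server_info(headers: Headers) -> bool:
    """No X-Powered-By and no version digits in Server ("nginx" ok, "Apache/2.4.29" not)."""
    if _get(headers, "X-Powered-By"):
        return False
    return not any(ch.isdigit() for ch in _get(headers, "Server"))


# Check names mirror the rows of the table above.
CHECKS: List[Tuple[str, Callable[[Headers], bool]]] = [
    ("X-Frame-Options", has_frame_options),
    ("Strict-Transport-Security", has_hsts),
    ("X-Content-Type-Options", has_nosniff),
    ("X-XSS-Protection", has_xss_protection),
    ("Don't Expose Server Information", hides_server_info),
    ("Content-Security-Policy", has_csp),
]


def audit(headers: Headers) -> Tuple[List[str], List[str]]:
    """Return (passed, failed) check names for one site's response headers."""
    passed = [name for name, check in CHECKS if check(headers)]
    failed = [name for name, check in CHECKS if not check(headers)]
    return passed, failed


def adoption_rates(sites: Dict[str, Headers]) -> Dict[str, float]:
    """Percentage of sites passing each check, as reported in the table."""
    rates = {}
    for name, check in CHECKS:
        passing = sum(1 for headers in sites.values() if check(headers))
        rates[name] = round(100.0 * passing / len(sites), 2)
    return rates


# Constructed sample data: three hypothetical exchanges with different hygiene.
SAMPLE_SITES: Dict[str, Headers] = {
    "exchange-a.example": {
        "Server": "nginx",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
    },
    "exchange-b.example": {
        "Server": "Apache/2.4.29 (Ubuntu)",
        "X-Powered-By": "PHP/7.0.33",
        "X-Frame-Options": "SAMEORIGIN",
        "Strict-Transport-Security": "max-age=0",  # a zero max-age disables HSTS
    },
    "exchange-c.example": {
        "Server": "cloudflare",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src *",  # wildcard policy: no real protection
    },
}

if __name__ == "__main__":
    for host, headers in SAMPLE_SITES.items():
        passed, failed = audit(headers)
        print(f"{host}: {len(passed)}/{len(CHECKS)} passed; missing: {', '.join(failed) or 'none'}")
    for name, rate in adoption_rates(SAMPLE_SITES).items():
        print(f"{name:35s} {rate:6.2f}%")
```

Two checks are deliberately stricter than a simple presence test: an HSTS header with `max-age=0` and a CSP of `default-src *` both count as absent, since neither protects anything. To run this against real responses, feed the script the header dictionary your HTTP client returns for each site. Note that browsers have since dropped support for X-XSS-Protection and Public-Key-Pins, so a Content-Security-Policy and HSTS carry the real weight today.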

We can do better.

Our analysis doesn’t show that these exchanges have blatant vulnerabilities. But if they haven’t implemented basic security best practices that take only a few minutes (or seconds with Sqreen) to put in place, I question whether they have implemented deeper security controls and protections.

After collecting the volume these platforms handled in the last 24 hours, I wanted to see whether there was a correlation between traded volume and security.

[Chart: cryptocurrency exchanges, 24h volume vs. security score]

The answer is clearly no. There’s no correlation between transaction volume and security maturity.

The 10 biggest crypto exchanges have an average grade of 3.8 out of a maximum of 10 and a median of 4.5.

We can do better.

BTW, the platform with the largest daily $ volume (on the day we did our analysis) scored only 2/10.

Where should I buy my cryptocurrencies?

We’re not here to do any aggressive public shaming. But if pointing the finger at a couple of better-performing platforms can help cryptocurrency traders to choose a safer trading platform, that’s what we will do.

DISCLAIMER: we’re not recommending any of those platforms.

So here are the 5 best-scoring cryptocurrency exchanges from our analysis:

Exchange        Country     24h Volume        Security Score (out of 10)
bitflyer.jp     Japan       $252,479,706      7
coinbase.com    US          $216,382,640      7
bitfinex.com    Hong Kong   $1,489,668,291    6
kraken.com      US          $481,817,858      6
itbit.com       US          $42,310,323       6

Conclusion

In this article, we analyzed the security of 140 cryptocurrency exchanges and discovered some worrying security issues in most of them.

Security shouldn’t be taken lightly (especially if you’re handling more than $20 billion a day…).


Want to learn more about Sqreen, and how it helps you protect your apps from intrusions or data loss? Check out our docs or website.