Researchers at the Black Hat security conference revealed that crypto exchanges might be vulnerable to hackers. Although crypto exchanges have high privacy and security to protect their funds, researchers still found three ways hackers can attack these crypto exchanges, according to Wired on August 9.
The crypto exchange attacks were operating more like “an old-timey bank vault with six keys that all have to turn at the same time,” the report said. Cryptocurrency private keys were broken into smaller pieces. It means an attacker has to find them together before stealing funds.
Aumasson, a cryptographer, and Omer Shlomovits, cofounder of the mobile wallet ZenGo broke down the attacks into three categories: an insider attack, an attack exploiting the relationship between an exchange and a customer, and an extraction of portions of secret keys.
An Insider’s job, open-source library flaws and trusted parties verification
An insider or other financial institution exploiting a vulnerability in an open-source library produced by a cryptocurrency exchange is the first way where hackers can attack the exchange, says the report. It explained that:
“In the vulnerable library, the refresh mechanism allowed one of the key holders to initiate a refresh and then manipulate the process so some components of the key actually changed and others stayed the same. While you couldn't merge chunks of an old and new key, an attacker could essentially cause a denial of service, permanently locking the exchange out of its own funds.”
An attacker could also leverage another unnamed key management from an open-source library flaw in the key rotation process. The attacker can then manipulate the relationship between an exchange and its customers with false validation statements. Those with malicious motivations can slowly figure out the private keys from exchange users over multiple key refreshes. Then a rogue exchange can start the stealing process, according to the report.
The last way researchers said attacks could occur is when crypto exchange trusted parties derive their portions of the key. Each party reportedly generates a couple of random numbers for public verification. Researchers pointed out that Binance, for instance, didn't check these random values and had to fix the issue back in March. The report added that:
“A malicious party in the key generation could send specially constructed messages to everyone else that would essentially choose and assign all of these values, allowing the attacker to later use this unvalidated information to extract everyone's portion of the secret key.”
Shlomovits and Aumasson told the news that the goal of the research was to call attention to how easy it is to make mistakes while implementing multi-party distributed keys for cryptocurrency exchanges. Specifically, these mistakes can be even more vulnerable in open-source libraries.
As Cointelegraph reported before, CryptoCore launched a phishing campaign against several crypto exchanges and managed to steal $200 million in two years.