Crypto exchanges might be vulnerable to hackers.
A report from the Black Hat security conference revealed this, adding that there are three ways a cybercriminal can breach such systems.
Despite the established, secure methods used to protect funds, the researchers emphasized that attackers still have ways in.
According to the statement, the exchanges' protections function like “an old-timey bank vault with six keys that all have to turn at the same time.”
Because cryptocurrency private keys are split into smaller pieces, an attacker has to find all of the pieces together before stealing funds.
Case in point: the first way hackers can creep into an exchange is an insider or other financial institution exploiting a weakness in an open-source library created by a cryptocurrency exchange.
The report explained: “in the vulnerable library, the refresh mechanism allowed one of the key holders to initiate a refresh and then manipulate the process so some components of the key actually changed and others stayed the same. While you couldn’t merge chunks of an old and new key, an attacker could essentially cause a denial of service, permanently locking the exchange out of its own funds.”
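The lockout described in the quote above can be modelled with a short sketch. This is an added example, not code from the report or from any exchange's library: it assumes simple n-of-n additive shares over a toy group, and every name and parameter in it is hypothetical. It shows that a refresh applied to only some shares no longer reconstructs the key, and that checking public commitments before discarding old shares keeps the funds reachable.

```python
import secrets

P = 2**127 - 1   # toy prime modulus (constructed; not a production group)
Q = P - 1        # exponents reduce mod P-1 by Fermat's little theorem
G = 3            # assumed base for the per-share commitments

def split(secret, n):
    """n-of-n additive sharing: every share is needed, like the six-key vault."""
    shares = [secrets.randbelow(Q) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % Q)
    return shares

def public_key(shares):
    """Product of the public commitments G^share_i, which equals G^secret."""
    pk = 1
    for s in shares:
        pk = pk * pow(G, s, P) % P
    return pk

def refresh_deltas(n):
    """Each party deals a sharing of zero; returns the total delta per party."""
    totals = [0] * n
    for _ in range(n):
        totals = [(t + d) % Q for t, d in zip(totals, split(0, n))]
    return totals

def apply_refresh(shares, deltas, applied):
    """applied[i] == False models a share the refresh left unchanged."""
    return [(s + d) % Q if a else s for s, d, a in zip(shares, deltas, applied)]

def commit_refresh(old, candidate, expected_pk):
    """Adopt the new shares only if their commitments still multiply to the
    known public key; otherwise all parties keep the old shares."""
    return candidate if public_key(candidate) == expected_pk else old

if __name__ == "__main__":
    secret = secrets.randbelow(Q)          # constructed sample key
    shares = split(secret, 6)
    pk = public_key(shares)
    deltas = refresh_deltas(6)
    partial = apply_refresh(shares, deltas, [True] * 3 + [False] * 3)
    print("partial refresh still reconstructs:", sum(partial) % Q == secret)
    print("old shares kept:", commit_refresh(shares, partial, pk) == shares)
```

The safeguard only works if no party deletes its old share until the commitment check has passed for everyone.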
A second way: an attacker could exploit a flaw in the key rotation process of another, unnamed key management open-source library.
The attack targets the relationship between an exchange and its customers using false validation statements.
A malicious actor can slowly work out exchange users' private keys over repeated key refreshes. Theft then follows.
The third way arises when the exchange's trusted parties derive their portions of the key.
Every party is supposed to generate a couple of random numbers for public verification. Binance, for instance, didn’t check these random values and had to fix the issue back in March.
Reports also mentioned that “a malicious party in the key generation could send specially constructed messages to everyone else that would essentially choose and assign all of these values, allowing the attacker to later use this unvalidated information to extract everyone’s portion of the secret key.”
In closing, Shlomovits and Aumasson shared that the goal of the research was to call attention to how easy it is to make mistakes while implementing multi-party distributed keys for cryptocurrency exchanges.
These mistakes, simply put, are present in open-source libraries.