Cryptocurrency exchange hacks seem to be part and parcel of the blockchain industry, and they have been for some time now. However, if the recent comments of Hartej Sawhney carry any weight, the problem could be far worse than originally thought.
In a recent CNBC interview dedicated to cryptocurrency trading, Hartej Sawhney argued that the cryptocurrency equivalent of more than $2.5 million is stolen from third party exchanges each and every day. For those unaware, Hartej Sawhney is often regarded as the go-to blockchain security expert in the digital space. He is the co-founder of the Hosho Group, which provides enterprise-grade security to companies operating in the cryptocurrency sphere.
Sawhney used his appearance on the CNBC show to highlight the ongoing security flaws of cryptocurrency exchanges and how savvy hackers are taking full advantage of them. He directed a clear message to those providing third party exchange services to rethink their current security practices. Sawhney is quoted as telling the CNBC interviewer that “Exchanges need to learn to value security, but they are not getting regular penetration testing from cybersecurity companies.”
Internal security practices need to improve
Hartej Sawhney went on to add that, due to the sheer incompetence of certain platforms, some cryptocurrency exchanges are literally “hanging fruits” for anyone with the technical capability to bypass weak security systems. More specifically, the blockchain security expert made reference to the safekeeping of hot and cold wallets.
There is a clear distinction between the underlying security threats to hot and cold wallets. Cold wallets are cryptocurrency funds held offline, with no direct access from an online server. Established exchanges such as Coinbase claim to hold 98% of client funds in cold storage, which is by far the most secure way to keep digital tokens safe. Hot storage, by contrast, is held on online servers and is required for the day-to-day running of a cryptocurrency exchange, covering vital functions such as liquidity and withdrawals.
After discussing the full risks attached to the private keys behind hot and cold storage, Sawhney went on to highlight the lack of skills among those who build cryptocurrency exchange systems. For example, the security expert believes that third party exchange personnel have a substantial lack of experience when it comes to Solidity.
Moreover, he also believes that exchanges lack a QA mindset, which in turn leads to a severe lack of judgement. Sawhney argues that this is the key reason many exchange platforms do not regularly audit their underlying security code, consequently opening the door to a range of external security threats.
The cryptocurrency exchange hack trend looks set to continue
Whilst the stark warning made by Hartej Sawhney will do little to instil confidence in those still sitting on the crypto-investment fence, events appear to be speaking for themselves. It didn’t take long for 2019 to claim its first casualty, with New Zealand-based exchange Cryptopia announcing on January 14th that it had suffered a security breach resulting in “significant losses”.
Although the investigation is still ongoing and little information has therefore been made public, it is estimated that the hack amounted to the cryptocurrency equivalent of $16 million. According to Elementus, a blockchain infrastructure firm, the vast majority of the stolen tokens were in the form of Ethereum. The remainder of the estimated $16 million was made up of smaller-cap tokens such as Dentacoin, Zap, Pillar and Mothership, among others.
Ultimately, whilst third party cryptocurrency exchanges are pivotal in facilitating the buying and selling of digital tokens, it is crucial that large quantities of funds are not stored online. If you do decide to keep funds on an exchange, it is crucial that you enable the most stringent security safeguards available on your account, such as two-factor authentication (2FA), multi-signature approval, account access notifications and withdrawal delays.
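To make the safeguards in that list concrete, here is an added illustration (not code from the article, from Hosho, or from any exchange) of how a hot-wallet withdrawal policy can enforce them together: a verified second factor, N-of-M approvals from distinct signers, a time-locked withdrawal delay, a notification on every state change, and a cap on how much of the total balance stays online. All names, thresholds and the sample request are assumptions constructed for the example.

```python
"""Illustrative hot-wallet withdrawal policy (constructed example, not any exchange's real code).

Controls enforced, in the order a defender would want them checked:
  1. second factor verified for this specific request,
  2. multi-signature style approval by a minimum number of distinct signers,
  3. withdrawal delay (time lock) before funds leave the hot wallet,
  4. a user-facing notification for every decision,
  5. a cap on the fraction of total funds held online, with a sweep to cold storage.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class WithdrawalRequest:
    request_id: str
    account: str
    amount: float
    requested_at: int                 # unix seconds when the user submitted it
    two_factor_passed: bool           # second factor verified for this request
    approvals: List[str] = field(default_factory=list)  # approver key ids (assumed names)


@dataclass
class Policy:
    required_approvals: int = 2       # N-of-M: at least this many distinct signers
    delay_seconds: int = 24 * 3600    # minimum time between request and release
    max_hot_fraction: float = 0.02    # keep at most 2% online (matches a 98% cold target)


def evaluate_withdrawal(req: WithdrawalRequest, policy: Policy, hot_balance: float,
                        now: int, notifications: List[str]) -> Dict:
    """Decide on one request; every outcome appends an account notification."""
    notifications.append(f"{req.account}: withdrawal {req.request_id} for {req.amount} received")
    reasons = []
    if not req.two_factor_passed:
        reasons.append("second factor not verified")
    distinct_signers = len(set(req.approvals))          # duplicate signatures do not count
    if distinct_signers < policy.required_approvals:
        reasons.append(f"{distinct_signers}/{policy.required_approvals} approvals")
    if req.amount <= 0 or req.amount > hot_balance:
        reasons.append("amount exceeds hot wallet balance")
    if reasons:
        notifications.append(f"{req.account}: withdrawal {req.request_id} rejected ({'; '.join(reasons)})")
        return {"status": "rejected", "reasons": reasons}
    release_at = req.requested_at + policy.delay_seconds
    if now < release_at:
        # All checks passed, but the time lock has not expired: give the owner a window to cancel.
        notifications.append(f"{req.account}: withdrawal {req.request_id} queued until {release_at}")
        return {"status": "delayed", "release_at": release_at}
    notifications.append(f"{req.account}: withdrawal {req.request_id} released")
    return {"status": "released", "amount": req.amount}


def cold_storage_sweep(hot_balance: float, total_balance: float, policy: Policy) -> float:
    """Amount to move from hot to cold so that at most max_hot_fraction stays online."""
    allowed_hot = total_balance * policy.max_hot_fraction
    return max(0.0, hot_balance - allowed_hot)


if __name__ == "__main__":
    # Constructed sample: a request with two distinct approvers, evaluated before and after the delay.
    policy = Policy()
    events: List[str] = []
    req = WithdrawalRequest("w1", "alice", 5.0, 1000, True, ["key-a", "key-b"])
    print(evaluate_withdrawal(req, policy, 10.0, 1000, events))                 # delayed
    print(evaluate_withdrawal(req, policy, 10.0, 1000 + policy.delay_seconds, events))  # released
    print("sweep to cold:", cold_storage_sweep(10.0, 100.0, policy))           # 8.0
    for line in events:
        print(line)
```

The delay is deliberately checked last: a request that fails 2FA or approval is rejected immediately and the account owner is told, while a request that passes everything still sits in a cancellable queue, which is what gives a withdrawal delay its value against a stolen session or key.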