Why cryptocurrency exchanges are hacked so often

Last year, at least five major cryptocurrency exchanges were hacked, resulting in the loss of hundreds of millions of USD. The weaknesses behind such hacks lie on two fronts: the client side and the server side.

On the client side:

  • Cross Site Scripting (aka XSS) lets an attacker run their own JavaScript in your browser, inside the exchange's own page and with your logged-in session. A malicious script simply substitutes the attacker's wallet address into the withdrawal form right before you submit the withdrawal.
  • Open redirects let hackers (1) hide a link to a malicious site behind the exchange's real domain, so that in search engines, emails and chats the link appears to lead to the genuine exchange, and (2) increase the success rate of malware installation attacks. The typical attack offers a download of a “new version of the trading desktop client”, which is really malicious software that steals your wallet.
  • SSL/TLS issues in mobile apps (weak or missing certificate checks, no pinning) are a relatively minor issue. They matter most in countries like China, Iran and Russia, where governments can intercept internet connections using certificates they control.
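The two client-side problems above, worked through as an added example (this is not code from the original article or from any exchange). The first part shows how an unescaped "display name" reflected into the withdrawal page carries a script that rewrites the address field, and the output encoding that stops it; the second part is a redirect-target check that defeats the open-redirect trick. All function names, the `exchange.example` origin and the wallet address strings are hypothetical.

```javascript
// Added example, not code from the original article. Names and values are hypothetical.

// Constructed attacker input: a "display name" that a careless profile form accepted.
// When rendered unescaped, the script runs in the exchange's page with the victim's session.
const ATTACKER_NAME =
  '<script>document.getElementById("addr").value="1AttackerControlledAddress"</script>';

// Vulnerable: untrusted values are concatenated straight into the HTML.
function renderWithdrawPageVulnerable(displayName, savedAddress) {
  return `<p>Hello ${displayName}</p>
<form method="post" action="/withdraw">
  <input id="addr" name="addr" value="${savedAddress}">
  <button>Withdraw</button>
</form>`;
}

// Encode the five characters that can change HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every untrusted value is encoded for the HTML context it lands in,
// so the payload is shown as text and never parsed as a script element.
function renderWithdrawPageSafe(displayName, savedAddress) {
  return `<p>Hello ${escapeHtml(displayName)}</p>
<form method="post" action="/withdraw">
  <input id="addr" name="addr" value="${escapeHtml(savedAddress)}">
  <button>Withdraw</button>
</form>`;
}

// Crude check used by the demo: does the rendered page contain a real script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Open-redirect hardening: only ever redirect to a path on our own origin.
// Resolving the parameter against the site origin with the WHATWG URL parser catches
// "https://evil.example", "//evil.example", "/\evil.example" and "javascript:" targets,
// all of which end up with a foreign (or null) origin.
const SITE_ORIGIN = 'https://exchange.example'; // hypothetical exchange origin

function safeRedirectTarget(next, siteOrigin = SITE_ORIGIN) {
  if (typeof next !== 'string') return '/';
  let target;
  try {
    target = new URL(next, siteOrigin);
  } catch {
    return '/';
  }
  if (target.origin !== siteOrigin) return '/';
  // Return only the local part, so the Location header can never name another host.
  return target.pathname + target.search + target.hash;
}

console.log(renderWithdrawPageVulnerable(ATTACKER_NAME, '1LegitimateUserAddress'));
console.log(renderWithdrawPageSafe(ATTACKER_NAME, '1LegitimateUserAddress'));
console.log(safeRedirectTarget('//evil.example/login')); // falls back to "/"
```

Output encoding is the fix for the XSS case; a Content-Security-Policy header that disallows inline script is a worthwhile second layer, because one missed encoding is all the attacker needs. For redirects, comparing `origin` after parsing is what matters: string prefix checks on the raw parameter are exactly what the backslash and scheme-relative forms are designed to slip past.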

On the server side:

  • NoSQL/key-value injections target newer storage technologies such as document databases and in-memory key-value stores. Because they work through query operators and data structures rather than SQL strings, they are a newer class of bug that developers and frameworks rarely catch.
  • Logic issues (mainly race conditions) are critical and hard to discover with automated tools like source code analyzers. An example is processing more than one withdrawal request for the same account at the same time: each request passes the balance check before any of them has been debited, which can leave the account with a negative balance.
  • Authentication issues (e.g. bypasses) have become risky due to logic or input validation flaws that grant access to a user session without the proper credentials ever being checked.
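The NoSQL injection item above, as an added example that is not from the original article. It covers the MongoDB-style operator case: a JSON request body is passed straight into a `findOne` filter, so a password of `{"$ne": ""}` matches any account. To keep the demo runnable offline, a tiny in-memory stand-in for the database's matching logic is included; it is not the real driver. The user records, function names and passwords are constructed for the example.

```javascript
// Added example, not code from the original article. The "database" below is a minimal
// in-memory imitation of MongoDB filter matching (equality, $ne, $gt only); names are hypothetical.

// Constructed user collection. Plaintext passwords only to keep the demo short; real systems hash.
const USERS = [
  { user: 'alice', pass: 'hunter2', role: 'trader' },
  { user: 'admin', pass: 'correct horse', role: 'admin' },
];

// Match one document field against a filter condition the way a document store would:
// a plain value means equality, an object means a set of operators.
function matchesField(value, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$ne': return value !== arg;
        case '$gt': return value > arg;
        default: throw new Error('unsupported operator in demo: ' + op);
      }
    });
  }
  return value === cond;
}

function findOne(collection, filter) {
  return collection.find((doc) =>
    Object.entries(filter).every(([key, cond]) => matchesField(doc[key], cond))) || null;
}

// Vulnerable: the parsed JSON body goes straight into the filter. A body of
// {"user":"admin","pass":{"$ne":""}} logs in as admin without knowing the password,
// because the filter becomes { user: 'admin', pass: { $ne: '' } }.
function loginVulnerable(body) {
  return findOne(USERS, { user: body.user, pass: body.pass });
}

// Hardened: refuse anything that is not a plain string before it can reach the query.
// A body parser will happily produce nested objects; the application must not forward them.
function requireString(value, name) {
  if (typeof value !== 'string') throw new TypeError(`${name} must be a string`);
  return value;
}

function loginHardened(body) {
  return findOne(USERS, {
    user: requireString(body.user, 'user'),
    pass: requireString(body.pass, 'pass'),
  });
}

// Constructed attacker request body, exactly as express.json() or similar would parse it.
const INJECTED = JSON.parse('{"user":"admin","pass":{"$ne":""}}');

console.log('vulnerable login with injected body:', loginVulnerable(INJECTED));
try {
  loginHardened(INJECTED);
} catch (e) {
  console.log('hardened login rejected the body:', e.message);
}
```

The same idea applies to key-value stores: if request data is spliced into a key name or a command, a value such as a newline or a key prefix can reach records the caller should never touch. Type-checking every field before it becomes part of a query is the cheap, general fix; validating against a schema (shape and allowed characters) is better still.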
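The withdrawal race condition from the logic-issues item above, as an added example that is not from the original article. An in-memory `Ledger` stands in for the exchange's balance store; each `await` marks a database round trip where a second request can interleave. Two concurrent withdrawals of 80 from a balance of 100 both pass the check in the check-then-act version and drive the balance to -60, while the version that delegates the check and the debit to one atomic conditional update lets only one succeed. All names are hypothetical.

```javascript
// Added example, not code from the original article. Ledger is an in-memory stand-in
// for the balance store; names are hypothetical.

class Ledger {
  constructor(balances) { this.balances = { ...balances }; }

  // One round trip: SELECT balance ... (value captured when the call is made).
  async read(user) { return this.balances[user]; }

  // One round trip: UPDATE ... SET balance = balance - amount, with no condition.
  async debit(user, amount) { this.balances[user] -= amount; }

  // Models an atomic conditional update executed by the store itself, e.g.
  // updateOne({ user, balance: { $gte: amount } }, { $inc: { balance: -amount } })
  // or UPDATE accounts SET balance = balance - ? WHERE user = ? AND balance >= ?.
  // It is synchronous here because the store applies check and decrement as one operation.
  debitIfEnough(user, amount) {
    if (this.balances[user] < amount) return false;
    this.balances[user] -= amount;
    return true;
  }
}

// Vulnerable: check, then act, across two separate round trips. Between the read and
// the debit another request for the same account can read the same stale balance.
async function withdrawUnsafe(ledger, user, amount) {
  const balance = await ledger.read(user);
  if (balance < amount) return false;
  await ledger.debit(user, amount);
  return true;
}

// Hardened: the store decides, in one operation, whether the debit is allowed.
async function withdrawSafe(ledger, user, amount) {
  return ledger.debitIfEnough(user, amount);
}

// Runs both variants with two simultaneous withdrawals and reports the outcome.
async function demoRace() {
  const unsafe = new Ledger({ alice: 100 });
  const unsafeResults = await Promise.all([
    withdrawUnsafe(unsafe, 'alice', 80),
    withdrawUnsafe(unsafe, 'alice', 80),
  ]);

  const safe = new Ledger({ alice: 100 });
  const safeResults = await Promise.all([
    withdrawSafe(safe, 'alice', 80),
    withdrawSafe(safe, 'alice', 80),
  ]);

  return {
    unsafeResults,                       // [true, true]: both withdrawals accepted
    unsafeBalance: unsafe.balances.alice, // -60
    safeResults,                         // [true, false]: second one rejected
    safeBalance: safe.balances.alice,     // 20
  };
}

demoRace().then((result) => console.log(result));
```

In production the atomic step is the database's job: a conditional update, a row lock taken with `SELECT ... FOR UPDATE`, or a per-account mutex held for the whole withdrawal. A balance check done in application code and followed by an unconditional decrement is the pattern that produces the negative balances described above, and a static analyzer sees nothing wrong with either line on its own.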