- Cybersecurity researchers exposed key flaws in cryptocurrency exchanges that could see users lose a fortune.
- The researchers – Jean-Philippe Aumasson, cofounder of a crypto technology firm, Taurus Group, and vice president at Kudelski Security and Omer Shlomovits, creator of mobile crypto wallet, ZenGo – declined to name the exchanges at risk.
During Wired’s Black Hat Security Conference, held on Aug. 6, Aumasson and Shlomovits discussed three key flaws on crypto exchanges storage of users’ funds. According to their research, crypto exchanges are time and again falling to these weaknesses due to weak or failure to correctly implement the security protocols.
Crypto exchanges have significantly improved their security, especially in safeguarding users’ private keys. Unlike traditional bank vaults, crypto exchanges do not store all the private keys in one place to avoid a single point of failure attacks. To enhance security, the exchanges split up the private keys into different components so that no single party directly has access to the funds.
However, the “complex” procedure of securing private keys through splits raises some flaws in implementation.
One of the major flaws lies in having a malicious insider “exploiting a vulnerability in an open-source library” in one of the major exchanges, the researchers said. The vulnerability of the library arises in the refresh function. They further declined to give the name of the exchange due to security reasons.
Many of the top exchanges have a refresh function of the split private keys held by each person to prevent attackers from slowly gathering each part of the “split private key” and gaining access to the wallet funds. According to Aummasson:
“The refresh mechanism (vulnerable library) allowed one of the key holders to initiate a refresh and then manipulate the process, so some components of the key changed, and others stayed the same.”
While this would not permit the attacker to steal the funds, the exchange could permanently be locked out of access on all its funds.
The second flaw is from an unnamed digital asset management firm whereby an attacker in control of exchange would compromise the relationship between the exchange and its customers. This attack also focuses on private key shuffling, whereby the attacker draws the users’ private keys after multiple key shuffles. With the private keys, funds are in the hands of the attacker.
Finally, a key generation attack, first noticed on Binance exchange (who solved the issue partially in March). Attackers target the very beginning of the key generation process when the trusted parties derive random numbers for the ‘zero-knowledge proof” security mechanism.
In Binance’s case, the open-source library never audited or checked the random numbers, which could enable a hacker to send their random values to the “split private key” trusted parties and, in return, extract everyone’s portion of the private key – accessing the funds.
These problems stem from a person with privilege in the crypto exchanges initiating the attack, the researchers concluded.