Researchers at the Black Hat security conference revealed that cryptocurrency exchanges could be vulnerable to hackers. Although the exchanges have high privacy and security to protect their funds, researchers still found three ways hackers can attack the exchanges, according to Wired on Aug. 9.
The exchanges' protections operate more like "an old bank vault with six keys that all have to be turned at the same time," the news said. The private keys to cryptocurrencies are divided into smaller pieces. This means that an attacker has to find all of them before he can steal the funds.
Aumasson, a cryptographer, and Omer Shlomovits, co-founder of the key management company, KZen Networks, divided the attacks into three categories: an internal attack, an attack that exploits the relationship between an exchange and a client, and the partial extraction of the secret keys.
The first way hackers can attack an exchange is through an insider or other financial institution taking advantage of a vulnerability in an open source library produced by a cryptocurrency exchange, the news says. It explains that:
"In a vulnerable library, the update mechanism allowed one of the key holders to initiate an update and then manipulate the process so that some components of the key actually changed and others remained the same. While it is not possible to merge fragments of a new and old key, an attacker could essentially cause a denial of service, permanently blocking the exchange from its own holdings."
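The failure mode in the quote, and one way to guard against it, as an added example that is not code from the researchers or from the library the article refers to. It assumes simple additive secret sharing over a toy prime modulus and in-process key holders; the names `Holder`, `naive_refresh` and `atomic_refresh` are hypothetical.

```python
import secrets

P = 2**127 - 1  # toy prime modulus (assumption; real schemes use the curve order)

def split(secret, n):
    """Additive sharing: n shares that sum to the secret mod P."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    return shares + [(secret - sum(shares)) % P]

def combine(shares):
    return sum(shares) % P

def refresh_deltas(n):
    """Zero-sum offsets: applied to every share, they leave the secret unchanged."""
    d = [secrets.randbelow(P - 1) + 1 for _ in range(n - 1)]
    return d + [(-sum(d)) % P]

class Holder:
    def __init__(self, share):
        self.share, self.pending, self.epoch = share, None, 0

def naive_refresh(holders, deltas, dropped):
    """Weak form: each holder overwrites its share as soon as its delta arrives.
    Holders listed in `dropped` never receive theirs (constructed fault)."""
    for i, h in enumerate(holders):
        if i not in dropped:
            h.share = (h.share + deltas[i]) % P

def atomic_refresh(holders, deltas, dropped):
    """Hardened form: stage the new share, commit only if every holder staged."""
    for i, h in enumerate(holders):
        if i not in dropped:
            h.pending = (h.share + deltas[i]) % P  # old share is kept
    ok = all(h.pending is not None for h in holders)
    for h in holders:
        if ok:
            h.share, h.epoch = h.pending, h.epoch + 1
        h.pending = None  # on abort the old, still-consistent share survives
    return ok

def demo():
    secret = secrets.randbelow(P)
    a = [Holder(s) for s in split(secret, 3)]
    naive_refresh(a, refresh_deltas(3), dropped={2})
    b = [Holder(s) for s in split(secret, 3)]
    committed = atomic_refresh(b, refresh_deltas(3), dropped={2})
    # (mixed old/new shares still recover key?, refresh committed?, key intact?)
    return (combine([h.share for h in a]) == secret, committed,
            combine([h.share for h in b]) == secret)
```

In a real deployment the all-staged decision has to be agreed among the parties themselves, since the party driving the update may be the malicious one.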
An attacker could also take advantage of a failure in the key rotation process of another, unnamed open source key management library. The attacker could then manipulate the relationship between an exchange and its customers with false validation statements. Those with malicious motivations can slowly discover the private keys of exchange users through multiple key updates. A dishonest exchange can then initiate the theft process, according to the news.
The last way researchers said attacks could occur is when trusted parties of the cryptocurrency exchange get their parts of the keys. Each party apparently generates a random pair of numbers for public verification. The researchers said that Binance, for example, did not verify these random values and had to fix the problem in March. The news added that:
"A group with malicious key generation could send specially constructed messages to everyone else that would essentially choose and assign all of these values, allowing the attacker to later use this unvalidated information to extract everyone's secret key part."
Shlomovits and Aumasson told the news media that the goal of the research was to draw attention to how easy it is to make mistakes when cryptocurrency exchanges implement keys distributed among multiple parties. Specifically, open source libraries can be even more vulnerable to these errors.
As reported by Cointelegraph earlier, CryptoCore launched a phishing campaign against several cryptocurrency exchanges and managed to steal USD 200 million in two years.