Cryptocurrency exchanges might be vulnerable to hackers – stated researchers at the Black Hat security conference. Its transactions do have high privacy and security to protect their funds. Despite that, researchers managed to find three ways hackers can use to attack such exchanges.
According to the report, the crypto exchange attacks operated like an old-fashioned bank vault with six keys that all have to turn simultaneously. Hackers broke private crypto keys into smaller pieces. However, that means an attacker has to find them all before stealing funds.
Omer Shlomovits, the cofounder of the key-management firm KZen Networks and Aumasson, a cryptographer, divided the attacks into three categories. There is an insider attack, an extraction of portions of secret keys, and an attack exploiting the relationship between an exchange and a customer.
An insider or other financial institution exploiting a vulnerability in an open-source library produced by a crypto exchange is a soft spot. Hackers attack there first – said researchers. They explained that, in the vulnerable library, the refresh mechanism allowed one of the key holders to initiate a refresh. After that, he/she could manipulate the process, so some components of the key changed, while others stayed the same.
You can’t merge chunks of an old and new key. However, an attacker could cause a denial of service, which would permanently lock the exchange out of its own funds.
What are the second and third ways?
Hacker could leverage another unnamed key management from an open-source library flaw during the key rotation process. After that, he/she could manipulate the relationship between an exchange and its customers with false validation statements. Scammers could slowly figure out the private keys from exchange users over multiple key refreshes. Afterward, a rogue exchange can start the stealing process.
The third way in which attacks could occur is when crypto exchange trusted parties derive their portions of the key. During that process, each party reportedly generates a couple of random numbers for public verification. As researchers pointed out, some platforms don’t check these random values.
According to Shlomovits and Aumasson, the goal of the research was to call attention to how easy it is to make mistakes while implementing multi-party distributed keys for crypto exchanges.