New research by ICORating has delivered a series of insights into the security frameworks of high volume crypto exchanges. The research shows that while exchanges by and large pay a lot of attention to security, a number of serious loopholes still exist, potentially jeopardising the safety of funds stored on these platforms. Over the past 8 years, at least 31 crypto exchanges have been hacked and over a 1 billion dollars stolen. While some have recovered from such hacks, others have gone bankrupt or suffered repeat attacks.

Console Errors and User Account Security

In putting the report together, security measures were assessed by ICORating against potential flaws that could affect exchanges and their users. 100 exchanges whose daily trade value is more than one million USD were selected and four issues were assessed namely, console errors, user account security, registrar and domain security, and web protocols security.

The findings showed that only 49 percent of exchanges do not have console errors or warnings about console errors, which despite not being critical security failures, have been known to cause data loss in the past. Exchanges without code errors were 68 percent of the total, meaning that 32 percent of exchanges have code errors, possibly resulting in defective operation.

The analysis of user account security statistics showed that 41 percent of exchanges accept passwords with less than eight symbols, 37 percent of exchanges accept passwords with only letters or digits, 5 percent of exchanges permit account creation with no email verification, 3 percent of exchanges have no two-factor authentication, and most strikingly of all, only 46 percent of exchanges scale all four security queries.

Registrar & Domain Security and Web Protocols Security

ICORating used Cloudflare’s domain security check to assess exchanges for errors connected with their registrar and domain. In particular, their registry locks, registrar locks, role accounts, expiration and DNSSEC were asses for errors. The results of the assessment showed that only 2 percent of exchanges use registry locks, just 10 percent of exchanges use DNSSEC, and only 4 percent of exchanges are using best practice in 4 out of the 5 areas.

In assessing web protocols security, the presence of Strict-Transport-Security header , X-XSS-Protection header , Content Security Policy header, Content-Security-Policy (CSP), X-frame-options header, and  X-content-type-options header was assessed.

The results showed that just 10 percent of exchanges have the five headers, 29 percent of exchanges don’t have any of the mentioned headers and only 17 exchanges have a Content Security Policy header

ICOratings final security ranking for all the exchanges assessed had Coinbase in first place, followed by Kraken and BitMEX in second and third respectively. A few weeks ago, Zaif crypto exchange - ranked 89th on the ICORating security ranking - was attacked, leading to the loss about 6 000 BTC.