Page 39 - FIGI: Security Aspects of Distributed Ledger Technologies

user is able to and uses a weak password, such as one that contains a dictionary word and does not take measures that would make brute-force password guessing hard; this includes 'dictionary attacks', which guess passwords from word lists and succeed against such values. [257]

Mitigation & Recommendations:
Passwords should always use a mixture of capital letters, numbers and special characters. Many recommend multi-signature addresses, which require two signatures to release funds (for example one from the user and one from a wallet provider), as an alternative that ensures additional safety against lost credentials. Essentially no single point of failure can occur, since an attacker would need to possess two authentications from two different sources to release funds from an account. Other mitigation procedures implemented include two-factor authentication (as required by Coinbase).
Public-private key or online seed generation tools (such as strong password generators) are readily available online. These are not recommended, though, except from confirmed, trusted sources, as generators may keep a copy of the user's newly generated key pair to use later for malicious purposes, such as unauthorized access to the user's funds. [255]

8.5.4 Issue: Attacks on Crypto Exchanges

Dimension Affected: Application
While crypto-assets as components of a DeFi ecosystem are themselves largely decentralized, DeFi payment processors and the ability to buy and sell crypto-currencies are largely centralized. That is, there is currently no practical method to undertake 'atomic swaps' that allow pure peer-to-peer exchange of value. Centralization, though, can take one or more forms: the most prevalent are centralized crypto exchanges such as Coinbase and the world's largest, Binance, which act as custodian of the crypto-asset seller's value in what is called a 'hot wallet.' This role includes holding the private keys of value holders. Media reports of these custodial crypto exchanges being hacked, and value stolen from users' hot wallets, are nonetheless an almost weekly occurrence.

Vulnerabilities:
Theft of User Funds/Tokens: There are non-custodial decentralized exchanges (DEXs) such as Flyp.me and Localbitcoins.com which simply act as a meeting place for those buying and selling crypto-assets and do not store – that is, do not have custody of – any buyer/seller value or keys/credentials. A newer DEX version is Binance DEX, launched in early 2019 as a non-custodial exchange using a delegated POS (dPOS) system on the Binance chain with a decentralized network of nodes. [256] Users hold their own private keys and manage their own wallets. It integrates into crypto-asset wallets – hardware and software types – held by the user. Custodial exchanges may give better rates than non-custodial DEXs but have additional wait times as they tend to process withdrawals in batches. There is however no inter-chain interoperability between tokens: rather, these DEXs 'peg' a token to a coin, with the pegged token interchangeable for the real crypto-currency.
Service providers of wallets and currency exchanges are the primary attack targets for crypto hacking because they present lucrative targets in a centralized location and are single points of failure whose design may be prone to vulnerabilities. [258]

• If substantial amounts of funds are stored in the hot wallets of an exchange or wallet service, they present a most lucrative target;
• Phishing attacks can be relatively easy and low cost for attackers to perform and can be effective without the victim realizing their vulnerability or infection. These attacks can target both users of an exchange and its employees to obtain access information.
• Vulnerabilities can occur at the coding level which can open up holes to lucrative exploits (such as the DAO regarding smart contracts, and Mt. Gox with inadequate version control of software programming and lack of testing, among others). [259]
• Inadequate hot wallet protection, which can include failure to use multi-signature protection and too much crypto available in hot rather than cold storage, among other similar weaknesses. [260]
• Cross-Site Scripting (XSS) attacks such as a malicious javascript can be used to

Mitigation and Recommendations:
• Best practice would be to keep the majority of value - especially those not in need of immediate use - in 'cold storage.'
• This can be set up to require 2 of 3 available authorizations to be used, such as one private key being held at the wallet company, another held by the user in cold storage and a third key being held in the custody of a trusted person or party. [261]

8.5.5 Specific Threats: Attacks on Individual Crypto Wallets
Dimension Affected: Application
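The 2-of-3 arrangement recommended under 8.5.4 above (wallet company key, user cold-storage key, trusted third party), as an added example that is not part of the FIGI report: a withdrawal policy in which hot-wallet sized amounts leave on the service's key alone and anything larger needs two of the three holders. HMAC over the transaction digest stands in for the on-chain signatures a real multisig address would verify; the holder names, secrets, hot-wallet limit and transactions are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the three key holders in the report's 2-of-3 layout.
# In a real multisig wallet each holder keeps an ECDSA/Schnorr private key and the
# chain's script (e.g. a 2-of-3 P2SH address) verifies the signatures; here an HMAC
# over the transaction digest plays that role so the policy logic runs offline.
KEY_HOLDERS = {
    "wallet_company": b"constructed-secret-wallet-company",
    "user_cold_storage": b"constructed-secret-user-cold-storage",
    "trusted_third_party": b"constructed-secret-trusted-third-party",
}
REQUIRED_SIGNATURES = 2   # 2 of 3 holders for cold-storage spends
HOT_WALLET_LIMIT = 0.5    # assumed: anything larger is paid from cold storage


def tx_digest(tx):
    """Canonical digest of a withdrawal so every holder signs the same bytes."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()


def sign(holder, tx):
    """Holder's authorization over the transaction (HMAC as a signature stand-in)."""
    return holder, hmac.new(KEY_HOLDERS[holder], tx_digest(tx), "sha256").hexdigest()


def valid_signers(tx, signatures):
    """Distinct holders whose signature verifies for exactly this transaction."""
    digest = tx_digest(tx)
    signers = set()
    for holder, sig in signatures:
        secret = KEY_HOLDERS.get(holder)
        if secret is None:
            continue  # unknown holder: ignored, never counted
        expected = hmac.new(secret, digest, "sha256").hexdigest()
        if hmac.compare_digest(expected, sig):
            signers.add(holder)  # a set, so one key signing twice counts once
    return signers


def authorize_withdrawal(tx, signatures):
    """Hot-wallet sized withdrawals need only the service key; larger ones come
    from cold storage and need 2 of the 3 holders, so one compromised or lost
    key cannot move (or lock up) the bulk of the funds."""
    signers = valid_signers(tx, signatures)
    if tx["amount"] <= HOT_WALLET_LIMIT:
        return "wallet_company" in signers
    return len(signers) >= REQUIRED_SIGNATURES
```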