Security analysis of the most popular cryptocurrency exchanges
Thanks to a subscriber for this article, which may be of interest. Here is a section:
This table shows that out of the 140 exchanges we analyzed less than 40% of them are using headers like the Strict-Transport-Security header or the X-XSS-Protection header. 20% expose server information, which isn’t a security vulnerability in itself but clearly shows the low level of security best practices implemented. And 26% of them use frontend libraries with known vulnerabilities. Only 2% implemented a Content-Security-Policy that, if done well, can offer powerful protection against clickjacking or XSS…
We can do better.
Our analysis isn’t saying that these exchanges have blatant vulnerabilities. But I’m questioning whether they implemented deeper security controls and protections if they didn’t implement basic security best practices that only take a few minutes (or seconds with Sqreen) to implement.
After collecting the volume that these platforms handled in the last 24h, I wanted to see if there was a correlation between volume traded and security.
The answer is clearly no. There’s no correlation between transaction volume and security maturity.
The 10 biggest crypto exchanges have an average grade of 3.8 out of a maximum of 10 and a median of 4.5.
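The header checks the quoted study describes (HSTS, Content-Security-Policy, clickjacking protection, server information disclosure) are mechanical enough to script. The following is an added example written for this page; it is not Sqreen's scanner or their grading method. The 0-10 scoring convention, the finding names and the two sample header sets are constructed for illustration and do not describe any real exchange.

```python
"""Audit one HTTP response's security headers (constructed example, not Sqreen's tool)."""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive, so compare on a normalised copy.
    return {k.lower(): v for k, v in headers.items()}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source list]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def parse_hsts(value: str) -> Dict[str, object]:
    """Extract max-age and the includeSubDomains flag from an HSTS value."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return {"max_age": int(m.group(1)) if m else None,
            "include_subdomains": "includesubdomains" in value.lower()}


def audit_headers(raw_headers: Dict[str, str]) -> Dict[str, object]:
    """Return findings, advisory info and a 0-10 score for one response.

    Scoring is this example's own convention (an assumption, not the study's):
    10 minus one point per finding, floored at 0. 'info' items cost nothing.
    """
    h = _lower_keys(raw_headers)
    findings: List[str] = []
    info: List[str] = []

    # Transport: HSTS stops a returning browser from ever talking plain HTTP.
    if "strict-transport-security" not in h:
        findings.append("hsts-missing")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts["max_age"] is None or hsts["max_age"] < ONE_YEAR:
            findings.append("hsts-short-max-age")
        if not hsts["include_subdomains"]:
            info.append("hsts-no-includesubdomains")

    # CSP: what matters for XSS is what script-src (or default-src as fallback) allows.
    frame_ancestors_set = False
    if "content-security-policy" not in h:
        findings.append("csp-missing")
    else:
        csp = parse_csp(h["content-security-policy"])
        script_src = csp.get("script-src", csp.get("default-src", []))
        # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline', so only flag it alone.
        has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("csp-unsafe-inline-script")
        if "*" in script_src:
            findings.append("csp-wildcard-script")
        frame_ancestors_set = "frame-ancestors" in csp

    # Clickjacking: either CSP frame-ancestors or X-Frame-Options must be present.
    if not frame_ancestors_set and "x-frame-options" not in h:
        findings.append("clickjacking-unmitigated")

    # MIME sniffing: without nosniff a browser may run a mislabelled upload as script.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("nosniff-missing")

    # Fingerprinting: a version string in Server, or any X-Powered-By, is a free hint.
    if re.search(r"\d", h.get("server", "")):
        findings.append("server-version-disclosed")
    if "x-powered-by" in h:
        findings.append("x-powered-by-disclosed")

    # X-XSS-Protection is legacy: Chromium removed its XSS Auditor and Firefox never had one.
    xss = h.get("x-xss-protection", "").strip()
    if xss and not xss.startswith("0"):
        info.append("x-xss-protection-legacy")

    return {"findings": findings, "info": info, "score": max(0, 10 - len(findings))}


# Constructed sample responses for two hypothetical exchanges (not real data).
WEAK_EXCHANGE = {
    "Server": "nginx/1.10.3",
    "X-Powered-By": "Express",
    "X-XSS-Protection": "1; mode=block",
    "Content-Type": "text/html; charset=utf-8",
}

HARDENED_EXCHANGE = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                                "object-src 'none'; frame-ancestors 'none'; base-uri 'self'"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_EXCHANGE), ("hardened", HARDENED_EXCHANGE)):
        print(name, audit_headers(hdrs))
```

Against the constructed samples the weak set scores 4 (no HSTS, no CSP, nothing against framing, no nosniff, and both Server and X-Powered-By leak the stack) while the hardened set scores 10. Two caveats a practitioner would add before reading anything into such a grade: headers can differ between the marketing page and the logged-in trading app, so the response that matters is the one behind authentication; and X-XSS-Protection, which the study counts as a positive, is effectively obsolete in current browsers, so a sensible policy today is to omit it or set it to 0 and rely on CSP instead.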
Cryptocurrencies are completely unregulated. For many of the libertarians who were early backers of the theme, that is considered good news. However, the downside is that a substantial number of exchanges have collapsed following hacking incidents, and large numbers of investors have been robbed.
What I find particularly interesting is that there is still an argument about whether the sector should be regulated. If a boiler room operation sets up and starts hard selling illiquid pink-sheet traded shares to retail investors, it would be quickly pursued by regulators. However, when a cryptocurrency exchange does much the same thing with digital tokens, it remains free from regulation, and that is despite hundreds of billions having been funnelled into the sector globally.
Bitcoin crashed between December and early February and, as the epicentre of risk in the sector, has the greatest potential to form a lengthy type-3 base formation.