Millions Spent on Security: How Gate.io Protects Customer Funds

According to HedgewithCrypto, hackers have breached 49 crypto exchanges over the past decade and stolen $2.7 billion. Nevertheless, venues continue to improve security, and major thefts are becoming rarer. In 2020 there were nine hacks, last year four, and this year only one.

Together with Gate.io we explain which attack vectors hackers most often use, how the platform protects client funds, and what the largest crypto exchanges fear.

What goes into exchange security

The most common reason for exchanges being hacked is vulnerabilities in the storage of private keys for hot wallets. According to HedgewithCrypto, hackers also exploited:

  • bugs in the trading platform;
  • phishing;
  • breaches in server security;
  • the distribution of malware;
  • employee bribery.

To protect clients, platforms must close these vulnerabilities and develop incident-response scenarios for different threats. Some exchanges employ unique measures:

  • Gate.io has developed a program for on-chain auditing of reserves and was the first mainstream crypto exchange to provide proof of 100% backing of user balances;
  • BitMEX implemented a post-trade balance reconciliation in the trading engine and a circuit breaker to halt operations if a trader’s account does not reconcile with their trade history;
  • Coinbase launched Coinbase Tracer — a proprietary service for verifying the integrity of transactions;
  • Kraken installed surveillance in server rooms and stationed armed guards.

A comprehensive security program is costly: Gate.io spends millions of dollars a year on it. The exact figure remains confidential.

Protecting hot and cold wallets

Exchanges use two types of wallets: hot for daily operations such as deposits and withdrawals, and cold for secure asset storage.

Keys to hot wallets are typically kept on an internet-connected computer so the platform can sign transactions quickly. This is dangerous — hackers can access the machine, steal the private key, or redirect transactions to their addresses.

To manage hot and cold wallets Gate.io uses multisignature, meaning the theft of a single key will not lead to loss of control over assets.

In addition, Gate.io keeps keys and backups in Hardware Security Modules for business tasks. All cold wallets are offline.

Site and server security

In 2020 hackers gained access to Livecoin’s servers, raised Bitcoin and Ethereum quotes to $220,000 and $65,000 respectively, and then stole more than $2 million. Since 2014 such breaches have affected eight exchanges.

To counter such attacks, Gate.io uses:

  • the HTTPS protocol for secure data transmission between users and servers;
  • its own anti-DDoS protection and a Cloudflare firewall to protect against traffic that could slow or disable the platform;
  • a Web Application Firewall (WAF) to counter network attacks: SQL injection, token tampering, execution of malicious code in the browser, and password-guessing attempts;
  • secured DNS to prevent hackers from redirecting users to phishing sites.

The Gate.io trading core consists of modular components. This approach prevents hackers from manipulating quotes, instrument profitability or any other parameter of the platform.

To ensure internal security the exchange has implemented corporate firewalls and an access-control system for corporate resources. If one workstation is infected, the system will detect the virus at the first attempt to read data.

Account security

If an attacker gains access to a user account, they could steal funds despite wallet and platform protections. Therefore Gate.io requires users to enable two-factor authentication using one of the following methods:

  • a code via SMS or email;
  • Google Authenticator;
  • sign-in via a hardware security key such as YubiKey, Gate.io's Wallet S1 hardware wallet with a fingerprint scanner, or another device supporting the FIDO2 standard.

The user also sets a trading password. The platform prompts for it before any operation with assets: opening or closing a position, transferring funds, or withdrawing cryptocurrency to an external wallet. Additionally, the user can configure a withdrawal whitelist.

Even with the account login and password, a hacker would not be able to withdraw or otherwise use funds from the account. Gate.io will notify the account holder of a login from a new IP address and log it in the login history.

For contingencies Gate.io runs an account-recovery service. The user provides contact details for close relatives or friends. If the user does not access the platform for a long period, the exchange will contact the designated people and, after identity verification, hand over access to the account.

Platform transparency

In 2022 crypto enthusiasts faced a new problem: exchanges used customers' deposits for their own operations. As Bitcoin and Ethereum prices fell, platforms’ positions became unprofitable. Firms halted withdrawals or even declared bankruptcy. Two years earlier Gate.io had developed an on-chain solution, Proof-of-Reserves, for independent reserve audits. It enables users to view their real balance on the exchange’s cold wallet by the UID hash.

In July 2022 the auditing firm Armanino LLP confirmed that Proof-of-Reserves works correctly and Gate.io stores 100% of customer funds.
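How a user-side check of this kind can work, as an added example that is not Gate.io's code: it assumes a Merkle sum tree, a common construction for proving liabilities, with leaves keyed by the hashed UID. The hashing layout, the `LEDGER` values and all function names are constructed for illustration.

```python
import hashlib

def H(*fields) -> str:
    # Fields are hex strings or integers, so ":" is an unambiguous separator.
    return hashlib.sha256(":".join(str(f) for f in fields).encode()).hexdigest()

def leaf(uid: str, balance: int):
    # Only the hashed UID is published, never the UID itself.
    return (H("leaf", H("uid", uid), balance), balance)

def parent(left, right):
    # Each node commits to both child hashes and both child sums.
    return (H("node", left[0], left[1], right[0], right[1]), left[1] + right[1])

PAD = (H("pad"), 0)  # zero-balance filler, so padding never inflates the total

def build(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level.append(PAD)
        levels.append([parent(level[i], level[i + 1]) for i in range(0, len(level), 2)])
    return levels  # levels[-1][0] is the root: (hash, total liabilities)

def prove(levels, index):
    # Collect the sibling at each level, noting which side it sits on.
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(uid, balance, path, root):
    node = leaf(uid, balance)
    for sibling, sibling_is_left in path:
        if sibling[1] < 0:  # a negative sibling sum would hide liabilities
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == root

# Constructed sample ledger: (UID, balance in satoshis).
LEDGER = [("10001", 250_000), ("10002", 1_200_000), ("10003", 75_000)]
LEVELS = build([leaf(u, b) for u, b in LEDGER])
ROOT = LEVELS[-1][0]
```

The audit side of the check compares `ROOT[1]`, the committed total of user balances, with the funds held at the exchange's published wallet addresses.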

Security of the ecosystem

Crypto exchanges launch blockchains and tokens, but cannot guarantee the security of decentralized applications. For example, in March 2021 hackers took over the DNS of PancakeSwap on BNB Chain and intercepted the private keys of some traders.

To address this vulnerability Gate.io added a transaction-cancellation and emergency-withdrawal mechanism to GateChain. Users create special storage addresses and specify the number of blocks within which they can reverse sent transactions.

In addition, the storage owner can bind a fallback withdrawal address to the storage in case of a lost private key. This requires contacting Gate.io support.

Conclusion

After a rebranding, a slogan appeared on the "About Gate.io" page: "Our top priority is the security of users’ data and assets." And this is true: the exchange’s security system closes known vulnerabilities of trading platforms.

But Gate.io does not stop there: the exchange launched a bug-bounty program for white-hat hackers and developed Wallet S1, a hardware wallet with a fingerprint scanner.
