According to HedgewithCrypto, over the past decade hackers have hacked 49 crypto exchanges and stolen $2.7 billion. Nevertheless, venues continue to improve security \u2014 major thefts are becoming rarer. In 2020 there were nine hacks, last year four, and this year only one.<\/p>\n
Together with Gate.io<\/a> we explain which attack vectors hackers most often use, how the platform protects client funds, and what the largest crypto exchanges fear.<\/p>\n The most common reason for exchanges being hacked is vulnerabilities in the storage of private keys for hot wallets. According to HedgewithCrypto, hackers also exploited:<\/p>\n To protect clients, platforms must close these vulnerabilities and develop incident-response scenarios for different threats. Some exchanges employ unique measures:<\/p>\n A comprehensive security program is costly: Gate.io spends millions of dollars a year on it. The exact figure remains confidential.<\/p>\n Exchanges use two types of wallets: hot for daily operations such as deposits and withdrawals, and cold for secure asset storage.<\/p>\n Keys to hot wallets are typically kept on an internet-connected computer so the platform can sign transactions quickly. This is dangerous \u2014 hackers can access the machine, steal the private key, or redirect transactions to their addresses.<\/p>\n To manage hot and cold wallets Gate.io uses multisignature<\/a>, meaning the theft of a single key will not lead to loss of control over assets.<\/p>\n In addition, Gate.io keeps keys and backups in Hardware Security Modules for business tasks. All cold wallets are offline.<\/p>\n In 2020 hackers gained<\/a> access to Livecoin’s servers, raised Bitcoin and Ethereum quotes to $220,000 and $65,000 respectively, and then stole more than $2 million. Since 2014 such breaches have affected eight exchanges.<\/p>\n To counter such attacks, Gate.io uses<\/a>:<\/p>\n The Gate.io trading core consists of modular components. This approach prevents hackers from implementing a scenario of quote manipulation, instrument profitability or any other parameter of the platform.<\/p>\n To ensure internal security the exchange has implemented corporate firewalls and an access-control system for corporate resources. If one workstation is infected, the system will detect the virus at the first attempt to read data.<\/p>\n If an attacker gains access to a user account, they could steal funds despite wallet and platform protections. Therefore Gate.io requires users to enable two-factor authentication by one of the methods:<\/p>\n The user also sets a trading password. The platform prompts for it before any operation with assets: opening or closing a position, transferring funds, or withdrawing cryptocurrency to an external wallet. Additionally, they can configure a withdrawal whitelist.<\/p>\n Even with the account login and password, a hacker would not be able to withdraw or otherwise use funds from the account. Gate.io will notify the account holder of a login from a new IP address and log it in the login history.<\/p>\n For contingencies Gate.io runs an account-recovery service. The user provides contact details for close relatives or friends. If they do not access the platform for a long period, the exchange will contact the designated people and, after identity verification, hand over access to the account.<\/p>\n In 2022 crypto enthusiasts faced a new problem: exchanges used their deposits for their own operations. As Bitcoin and Ethereum prices fell, platforms’ positions became unprofitable. Firms halted withdrawals or even declared bankruptcy. Two years earlier Gate.io had developed an on-chain solution Proof-of-Reserves for independent reserve audits. It enables users to view their real balance on the exchange’s cold wallet by the UID hash.<\/p>\n In July 2022 the auditing firm Armanino LLP confirmed<\/a> that Proof-of-Reserves works correctly and Gate.io stores 100% of customer funds.<\/p>\n Crypto exchanges launch blockchains and tokens, but cannot guarantee the security of decentralized applications. Thus, in March 2021 hackers took over<\/a> Pancake Swap\u2019s DNS on BNB Chain, and intercepted the private keys of some traders.<\/p>\nWhat goes into exchange security<\/h2>\n
\n
\n
Protecting hot and cold wallets<\/h2>\n
Site and server security<\/h2>\n
\n
Account security<\/h2>\n
\n
Platform transparency<\/h2>\n
Security of the ecosystem<\/h2>\n