Researchers Find Flaws in Security Protocols Developed by Major Crypto Exchanges

Private key protocols for some crypto exchanges have been implemented with bugs that could have been exploited by a well-placed malicious party, researchers say.

Aug 10, 2020 at 3:39 p.m. UTC
Updated May 9, 2023 at 3:10 a.m. UTC

Cryptocurrency exchanges holding user funds have risked falling into numerous security pitfalls by failing to ensure security protocols are properly implemented, according to new research.

  • Speaking to Wired for an article Sunday, Jean-Philippe Aumasson, the co-founder of exchange security firm Taurus Group, said he and his team, along with Omer Shlomovits from crypto wallet maker ZenGo, had uncovered three significant vulnerabilities in the way some custodial exchanges hold user funds.
  • While private crypto wallets usually have just one private key for the holder, exchanges go a step further and split keys up into different components – a distributed key scheme – so no one entity has complete control over the main wallet.
  • That generally improves security but, as Taurus Group found, the new attack vectors stemmed from splitting private keys up, partly because they assumed that key holders, the entities each responsible for part of the key, would not be malicious.
  • Some vectors come from the refresh function that enhances privacy by replacing key components so a third party can't slowly work out a full private key.
  • In one example, from open-source software from an exchange the researchers refused to identify, a malicious key holder could change, or threaten to change, part of the component so the full private key is lost – preventing the exchange from accessing funds again.
  • Arguably the biggest vulnerability came from a key-generation protocol from Binance where the key holder pretended to be the protocol itself, assigning other key holders the random values they need to verify their identity.
  • Armed with that information, a hacker could compromise the system from the moment it was set up, giving them access to the rest of the private key and allowing them to drain wallet funds.
  • Binance fixed the problem in March and said it recommends users go through the key-generation procedure only if they are concerned one of the holders could be malicious.
  • Both Aumasson and Shlomovits said the research highlighted just how easy it was for vulnerabilities to appear in ostensibly secure mechanisms.
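
The refresh step and the key-loss risk described in the bullets above, as a simplified model added here (not code from the article, the researchers or any exchange). It assumes plain additive shares over a toy group with commitments in the exponent; the names `split`, `zero_deltas`, `commit`, `contribution_ok` and `refresh` are hypothetical. Each holder verifies a peer's refresh contribution before applying it, so a contribution that would alter the combined key is rejected.

```python
import secrets

# Toy group, assumed for this sketch and far too small for real use:
# P = 2Q + 1 with Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def split(key, n):
    """Additively share key among n holders: shares sum to key mod Q."""
    shares = [secrets.randbelow(Q) for _ in range(n - 1)]
    return shares + [(key - sum(shares)) % Q]

def zero_deltas(n):
    """Honest refresh contribution: n random deltas summing to 0 mod Q."""
    d = [secrets.randbelow(Q) for _ in range(n - 1)]
    return d + [(-sum(d)) % Q]

def commit(deltas):
    """Public commitments G^delta that the sender broadcasts to everyone."""
    return [pow(G, d, P) for d in deltas]

def contribution_ok(commitments, j, delta_j):
    """Check holder j runs before applying a peer's delta.

    The product of the commitments is G^(sum of deltas); it equals 1 only
    if the deltas sum to 0 mod Q, so the combined key cannot move. The
    delta received privately must also match its broadcast commitment.
    """
    prod = 1
    for c in commitments:
        prod = prod * c % P
    return prod == 1 and pow(G, delta_j, P) == commitments[j]

def refresh(shares, contributions):
    """Apply each (commitments, deltas) pair only if every holder accepts it.
    Returns the new shares and the indices of rejected senders."""
    new, rejected = list(shares), []
    for sender, (com, deltas) in enumerate(contributions):
        if all(contribution_ok(com, j, deltas[j]) for j in range(len(new))):
            new = [(s + d) % Q for s, d in zip(new, deltas)]
        else:
            rejected.append(sender)
    return new, rejected

if __name__ == "__main__":
    shares = split(777, 3)  # 777 is a constructed sample key
    honest = [zero_deltas(3) for _ in range(3)]
    new, bad = refresh(shares, [(commit(d), d) for d in honest])
    print(sum(new) % Q == 777, bad)
```

Without the check in `contribution_ok`, a single non-zero-sum contribution silently shifts the combined key and the original key can no longer be reconstructed from the refreshed shares.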