Cryptocurrency exchanges are a central part of the cryptocurrency ecosystem. Because there are a number of different cryptocurrencies, crypto users need the ability to both purchase/sell crypto for fiat and to trade between different types of currencies.
Cryptocurrency exchanges provide this ability to trade one type of currency for another. These exchanges come in two types:
The decentralization of DEXs can be a major advantage. However, it also creates potential security concerns. With a centralized exchange, there is an organization responsible for the exchange’s operation and that may provide restitution in the event of a breach or other incident. With a fully decentralized exchange, such mechanisms may not be in place, making security more vital.
CER is a new platform designed to rank the security of DEXs. Their rankings are based upon a number of different factors. However, the most important considerations for DEX cybersecurity are whether or not the platform has undergone a security audit, whether an effective bug bounty program is in place, and if the DEX website is properly configured to use SSL/TLS.
Let’s take a closer look at these three factors:
At their core, DEXs are computer programs running on a decentralized smart contract platform. The use of a smart contract platform has its advantages but also raises the stakes for security. Due to the immutability of the blockchain’s distributed ledger, it is largely impossible to reverse the effects of a successful smaart contract hack. For this reason, it is essential to ensure that a smart contract is as secure as possible before deploying it.
A crucial part of this process is subjecting the smart contract to a comprehensive penetration test or security audit. This involves having an experienced cybersecurity team thoroughly investigate the smart contract, web frontend, and other infrastructure for potential exploitable vulnerabilities. While this does not guarantee that all potential security holes will be identified and remediated, a good security audit and penetration test can make a DEX much less vulnerable to attack.
In addition to checking if an audit has been performed at all, some important criteria to look for when evaluating a DEX’s security audit include:
A successful security audit doesn’t guarantee that a DEX is free of exploitable vulnerabilities. However, it is a crucial first step to securing a DEX.
Not every vulnerability in a DEX will be discovered by a security audit. For this reason, it is vital to have a mechanism in place for independent security researchers to look for and report security flaws and be rewarded for their efforts.
All DEXs should have a bug bounty program registered on a major bug bounty platform (eg. HackerOne, BugCrowd). This helps build visibility and increases the probability that ethical hackers will look for and identify vulnerabilities in the platform, enabling them to be corrected before they are exploited by a malicious hacker.
DEXs have web-based frontends, and these frontends should follow security best practices. Among these is the use of SSL/TLS. SSL/TLS provides authentication, confidentiality, and integrity protections. This helps users to ensure that they are on the right site and that their data is not being eavesdropped upon or modified as it flows over the internet.
Qualsys scores websites based upon how they implement the SSL/TLS protocols. All DEX sites should have a high score from Qualsys SSL Labs.
DEX owners and users alike have an incentive to ensure that these platforms are secure against cyber threats. A cyberattack against one of these platforms can ruin its reputation and cause the loss of its customers’ digital assets.
To find out how you can protect your DEX from cyber attacks, contact Halborn today at [email protected].