Researchers who attended the recent Black Hat security conference confirmed that digital currency exchanges remain vulnerable to hackers. While digital asset trading platforms may have attempted to provide adequate security to protect users’ funds, researchers argue that cryptocurrency exchange attacks have been operating like “an old-timey bank vault with six keys that all have to turn at the same time.”
As reported by Wired, breaking the private keys associated with crypto-assets into smaller pieces means that attackers have to find all of the pieces and then put them together before they have a chance of stealing the funds.
Cryptographer Aumasson and Omer Shlomovits, the co-founder of KZen Networks, a digital asset key-management company, explained one of the ways a hacker could try to attack an exchange:
“In the vulnerable library, the refresh mechanism allowed one of the key holders to initiate a refresh and then manipulate the process so some components of the key actually changed and others stayed the same. While you couldn’t merge chunks of an old and new key, an attacker could essentially cause a denial of service, permanently locking the exchange out of its own funds.”
An attacker might also be able to use false validation statements to manipulate the relationship between a crypto exchange and its users. According to the researchers, hackers can eventually figure out a customer’s private keys over multiple “key refreshes.”
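The lockout caused by a partial refresh, as described in the quote above, can be shown on a toy scale. This is an added example, not code from the researchers or from any exchange's library: it assumes Shamir shares with Feldman commitments, a single simulated dealer and a deliberately tiny group, and all function names are hypothetical. The guard in `commit_refresh` keeps the old shares unless every refreshed share verifies.

```python
import secrets

# Toy-sized group, constructed for this example (real systems use ~256-bit groups).
Q = 1019            # prime order of the share field
P = 2 * Q + 1       # 2039, a safe prime
G = 4               # generator of the order-Q subgroup of Z_P*

def poly_eval(coeffs, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def deal(secret, t, n):
    """Shamir-share `secret` (threshold t >= 2); return shares and Feldman commitments."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 2)]
    coeffs.append(1 + secrets.randbelow(Q - 1))   # nonzero leading term: full degree
    shares = {i: poly_eval(coeffs, i) for i in range(1, n + 1)}
    return shares, [pow(G, c, P) for c in coeffs]

def verify(i, share, commits):
    """Check g^share == prod C_k^(i^k), i.e. the share lies on the committed polynomial."""
    rhs = 1
    for k, c in enumerate(commits):
        rhs = rhs * pow(c, pow(i, k, Q), P) % P
    return pow(G, share, P) == rhs

def reconstruct(points):
    """Lagrange interpolation at x = 0 over Z_Q."""
    total = 0
    for i, y in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + y * num * pow(den, -1, Q)) % Q
    return total

def refresh(shares, commits, t, skip=()):
    """Add a sharing of zero to each share; parties in `skip` model a partial refresh."""
    delta, dcommits = deal(0, t, len(shares))
    new_commits = [a * b % P for a, b in zip(commits, dcommits)]
    new = {i: s if i in skip else (s + delta[i]) % Q for i, s in shares.items()}
    return new, new_commits

def commit_refresh(old, old_commits, new, new_commits):
    """Replace the old epoch only if the public key is unchanged and every share verifies."""
    ok = new_commits[0] == old_commits[0] and all(
        verify(i, s, new_commits) for i, s in new.items())
    return (new, new_commits) if ok else (old, old_commits)
```

Mixing an old share with refreshed ones reconstructs a wrong value, which is why old shares should be deleted only after `commit_refresh` accepts the new epoch.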
Another attack targets the step in which the “trusted” parties of a crypto exchange derive their parts of the key. In this scenario, each party generates a couple of random numbers that are used for public verification. The researchers revealed that in certain instances, Binance did not properly check these random values and then had to go back and try to fix the issue (in March 2020).
The report noted:
“A malicious party in the key generation could send specially constructed messages to everyone else that would essentially choose and assign all of these values, allowing the attacker to later use this unvalidated information to extract everyone’s portion of the secret key.”
Shlomovits and Aumasson emphasized that it can be easy to make critical mistakes while implementing multi-party distributed keys for digital asset exchanges. According to the researchers, these mistakes might be easier to make, and more common, in open-source libraries (which are used by many crypto projects).