Tasked to write on the security issues of the KuCoin exchange hack, I found instances of oversight. Thanks to members of our crypto community (especially Hacken!) who provided valuable insight into this matter, I was able to suss out what could have gone wrong in this whole picture. Sharing my article here with the Publish0x community:
On September 26, cryptocurrency exchange KuCoin issued a statement that it had experienced a ‘security incident’. At that point, some USD 150 million in BTC (bitcoin), ERC-20 (ethereum-based tokens), and other cryptocurrencies was estimated to have been stolen.
Over the next couple of days, that amount had grown to USD 280 million, effectively making the KuCoin hack the third-largest crypto hack. Only Coincheck, which suffered a USD 534.8 million hack in 2018, and Mt. Gox, which lost USD 460 million in 2014 to another hack, were ahead in terms of loss.
Past lessons unheeded
According to Johnny Lyu, KuCoin’s chief executive officer, the funds were emptied out of KuCoin’s hot wallets. The assets in their cold wallets “remained safe and unharmed.”
Hot wallets are used as temporary storage systems for assets that are being traded on exchange platforms and are often a point of weakness in the security architecture of exchanges. So, is it really acceptable that such large amounts of funds would still be held on hot wallets?
Dyma Budorin, chief executive officer at Hacken Group, an established crypto cybersecurity firm, thinks not: “We would like to point out critical areas exchanges should really focus on to avoid such hacks. Firstly, there should be strict management of cold and hot wallets, with the hot wallets periodically initialized. The storing of 95+% of all deposits should be in cold wallets and the other less than 5% placed in several hot wallets, each with their own private key.”
Commenting on the method of attack, Budorin said that the KuCoin management obviously “made a decision not to disclose the truth as we can see from [the] false communications” that were disclosed when the hack happened.
“Based on public information and the attack method, we have different versions [of what could have happened],” says Budorin. “On one hand, it looks like a social engineering attack on the KuCoin employees who had access to the private keys that were worth USD 200+ million. The fact that such a huge wallet could be accessed by a computer/user means that KuCoin is lacking internal controls over crypto on the cold wallets… Also, we need to consider the malicious actions of responsible employees who had the appropriate access. From the outside, the attack on the web infrastructure could happen, but this version is unlikely.”
Some industry experts believe the hack was an inside job.
“As far as our research goes, some exchanges fake it!” declares Sidharth Sogani, founder and chief executive officer at Crebaco Global, a crypto research database organization. “They fake the hack, but the funds are settled internally… Hack is just an excuse… Let me clarify one thing, with the kind of encryption the crypto industry uses, it’s almost impossible to hack unless the user is stupid or there is an insider.”
Decentralization in danger
Last year’s controversial USD 40 million Binance hack now pales in comparison with the KuCoin hack.
When Binance, the largest exchange in the cryptocurrency space, lost USD 40 million in BTC, there was talk of rolling back transactions, which met with vehement community resistance.
An economic system birthed by decentralization principles, the Bitcoin network was theoretically not supposed to be able to support centralized moves like transaction rollbacks. In practice, however, the concentration of mining power in the hands of a few groups could mean otherwise.
With the KuCoin hack, there was nary an attempt at a community discussion. Immediately, Bitfinex and Tether froze a combined USD 33 million worth of USDT on the ETH and EOS chains. Ocean Protocol paused its smart contract, and many more ERC-20 projects either restarted, froze, or paused their protocols.
“The projects that paused, or reversed smart contracts after the hack, are abandoning the principles of decentralization,” states Budorin. “Some projects block tokens that have been hacked. Others pause the hacked tokens, burn them, and issue new tokens. We are returning to the DAO situation: some groups of people can manage the tokens of all the users. What does this mean? Your tokens are not your tokens — they are the tokens of the team that issued them, and they can take them away at any time.”
Others saw this as a sign that decentralized exchanges (DEX) are the way to go.
“The KuCoin hack certainly puts into perspective the true necessity for trustless decentralized networks in the blockchain space,” says Jack Choros, chief marketing officer of crypto site CryptoRadar.org. “The fact that a central authority can reverse a contract or a transaction on the smart contract is definitely concerning… Using decentralized exchanges is another option. Decentralized exchanges don’t rely on centralized servers, which means you’re only taking a risk on smart contract execution, not human error or hacking.”
In the meantime, are more regulations or more security the way to go?
“These exchange hacks will not stop till there are better regulations by the government, which seems to be a few years from now,” says Crebaco CEO Sogani.
The Hacken Group, which provides cybersecurity data from their CER.live platform that is used for CoinGecko’s Trustscore (an established crypto industry ranking platform for exchanges and projects), plans to update their exchange scoring methodology. It will soon include “the element of internal controls audit over cold wallets’ private key management.”
“Maximum attention must be paid to cybersecurity, with regular penetration tests, regular auditing of cryptocurrencies’ storage systems, and other appropriate measures must be taken,” Budorin cautions. “Be sure you work with professionals!”