Are Decentralized Crypto-Exchanges the Solution to Attacks?
Within the last four years, up to $1.3 billion worth of crypto-currency has been stolen through hacks that have occurred on crypto-currency exchange platforms. According to Miko Matsumura, CEO of Evercoin, a non-custodial crypto-currency exchange, the biggest problem for these exchange platforms is the fact that they are centralized (also known as custodial).
Simply explained, custodial exchanges hold users’ money for them and also have control over their private keys. Users need these private keys to access their funds. The fact that one entity holds these keys on behalf of all its users puts the users’ funds at risk. If a custodial platform is hacked, as has happened before, the attackers gain access to the users’ keys and, through them, to the users’ money. Of all the problematic practices that centralized exchanges are known for, critics have raised the most concern about this one in particular.
Matsumura has urged users to avoid using exchanges that will require them to give over their private keys. Under no circumstances should users give their private keys to an exchange or any other entity. Doing so can make their accounts vulnerable, and this could lead to catastrophic results should an exchange platform be infiltrated.
The numerous hacks that have occurred on custodial exchanges have caused many investors to think twice about investing in crypto-currency. The first way non-custodial exchanges can calm investors’ fears is by explaining the added security that decentralized exchanges offer. Jay Zhou, CMO of Loopring, a protocol for decentralized crypto exchanges, explained that due to the decentralized nature of the exchanges, users will always have their assets in their wallets. A wallet is the term used for the storage space of users’ crypto-currency. There are two types of wallets – a hot wallet (an online wallet for storing cryptocurrency) and a cold wallet (an offline wallet that usually comes with password protection).
It is usually advised that users – and exchanges – keep the majority of their funds in cold wallets to prevent cybercriminals from accessing all their money. Michael Ou, CEO of CoolBitX, the creator of cold wallet storage system Coolwallet, seconds this, saying that “Exchanges should implement multiple hardware wallets plus multiple authorization for internal transactions.” Exchanges should also “offer hardware wallets to every user” and “ask users to keep the coins in their own hardware wallets [in order] to reduce the coins collected as much as possible, and avoid the exchange wallet from becoming a honey pot for hackers,” adds Ou.
By taking matters into their own hands, users don’t have to put their trust in a third party to handle any of their assets or settle any trades or disputes. This gives users total control, allowing them to feel comfortable about where their money is being held.
In order for decentralized exchanges to become successful, companies must have basic crypto-currency trading knowledge and experience before launching such an exchange, Zhou added.
Remarks from Kenny Shih, executive director at Coinsuper, a Hong Kong based exchange, supported Zhou’s recommendation. Shih mentioned that traditional institutions (e.g. banks) want to know that an exchange is operating legitimately. Simply put, they want to ensure that the exchange is trading with investors who are qualified and legitimate. Transparency is important for investors and institutions seeking to invest in crypto-currency because they need to know that their funds are being traded on the platform. Allaying the concerns of these traditional institutions would go a long way in attracting more mainstream investors to cryptocurrency.
While the decentralized exchanges continue to grow, centralized exchanges can focus on improving their security in order to prevent more hacks from occurring. The fewer hacks that succeed, the more credible crypto-currency exchanges will appear to mainstream society. Kiran Raj, Chief Strategy Officer at Bittrex, mentioned that security is an integral part of blockchain technology: “Centralized exchanges serve a key role in the blockchain ecosystem by combatting malicious actors; providing market transparency and price discovery; as well as a secure platform for increased participation.” The presence of reliable security is what will draw more mainstream investors into the crypto-world. The public needs to know that their investments – their money – are safe. Ou describes the situation in three parts: as hacks scare off potential investors, exchanges can reduce the rate of hacks by encouraging users to use cold wallets, thus “The reduction of hacks will make potential investors feel more comfortable to participate in the crypto market.” Investors will feel more encouraged to invest in crypto-currency once they know that their assets will be with an exchange they can trust.
One of the reasons the mainstream world feels it is not ready for decentralized exchanges is the anonymity that is often seen as a benefit for users. Many institutions fear that this will encourage illegal entities to use these platforms to launder their money. Shih emphasized that crypto-currency exchanges also need to take regulation seriously. Incorporating measures such as KYC (Know Your Customer) and AML (Anti-Money Laundering) is a way to win the trust of mainstream investors and financial institutions. KYC and AML involve the verification of users of exchange platforms – especially detailing where they source their funds and whether they are being traded in a legitimate way.
But Sterlin Lujan, Communications Ambassador at Bitcoin.com, suggests that decentralised exchanges are more in line with the “purpose of cryptocurrency”, i.e. “to maintain user privacy, freedom, and anonymity”, because of these KYC regulations. Centralized exchanges comply with Know Your Customer rules, and Lujan explains that “In this regard, ‘KYC’ regulations are antithetical to the spirit of cryptocurrency. Many crypto-holders prefer to keep their identity to themselves as they trade coins.” The concern that the sensitive information provided through KYC could also be lost to a hack is “just one of many reasons why decentralized exchanges are so important and why they are emerging,” adds the executive.
Matsumura recommended that all exchanges conduct frequent security and penetration tests in order to ensure that their systems are always free from security flaws. Penetration tests involve the process of identifying any major security flaws on the platform. Security flaws can never be taken for granted. The presence of one alone can spell disaster for any platform.
Hosho founder Yo Sub Kwon, one of the major leaders in blockchain security, supported Matsumura’s recommendation with this statement:
“Exchanges should do the bare minimum by getting annual penetration tests. They should be actively having their security tested, with every feature added or significant code changed often. We also encourage all exchanges to implement an ongoing bug bounty program to award hackers for their efforts rather than penalizing them or encouraging them to go to black markets.”
Bug bounty programs are rising in popularity, with companies like PolySwarm, a decentralized threat intelligence community, encouraging white hat hackers – cybersecurity experts who use their skills for good reasons – to participate in identifying security flaws on a variety of online platforms. Simply explained, a bug bounty program involves a group of white hat hackers screening platforms for any irregularities or security flaws that could lead to future problems. These hackers are rewarded for their work and platforms are able to test the security on their platforms, preventing any malicious entities from infiltrating their system.
Steve Bassi, CEO of PolySwarm explained that “Having a bug bounty program allows honest users to contribute by:
- Allowing them to avoid legal risk via clearly defined bug bounty parameters
- Rewarding them for their hard work in identifying flaws and helping them get fixed. It is a no-brainer and I would argue an essential aspect of the security of any widely used platform.”
Bassi stressed, though, that “bug bounty programs are not a substitute for rigorous, professional, third party audits; they complement.”
Many people in the crypto-currency industry believe that we are ready for decentralized platforms. It is up to exchanges, and other companies that require high-level security on the blockchain, to take the steps required to ensure that their platforms are secure and reliable.
Al-labaghi, Head of RightBTC, a global cryptocurrencies exchange, said that most importantly, all exchanges need to put in the effort to educate their users on how to manage their wallets, keep their assets secure, and how to trade safely. The RightBTC head also highlighted that most crypto-currency investors – especially the new ones on the scene – are not clued up on appropriate security measures. Moreover, the majority of exchanges focus more on ensuring that their exchanges are easy to use, but do not divert enough attention towards educating their users on trading safely.
Decentralized exchanges have not been widely adopted yet because they are neither fast, practical, nor inexpensive enough to build in comparison to centralized exchanges. Low liquidity and the lack of orders placed on decentralized exchanges as a result of high fees and validation time also mean that they are not currently worth the while of traditional investors. Lujan also notes that many “suffer from poor UI and UX” and some also require users to be online simultaneously, making it inconvenient to complete transactions. Decentralization, as described here, is an inevitability as it does provide greater transparency when trading on the blockchain. But as long as centralized exchanges remain the norm, it is imperative that they offer greater security and safety information to users in the meantime.