Security Tips for Your Cryptocurrency Exchange Platform

Have you thought about launching own Crypto Exchange Platform? That is a good deal, however, such a decision is accompanied by several challenges. Inn4Science has prepared you some tips and a short review on how to start a cryptocurrency exchange. Let’s go today thorough basic steps and try to figure the best strategy for the development.

Step 1 Types of exchanges

Different resources may provide you various definitions and classifications. Like on the type of governance:

  • Centralized exchanges (CEX)
  • Decentralized exchanges (DEX)
  • Hybrids

Or by the type of currency/workflow:

  • Fiat-Crypto Exchanges
  • Crypto-Crypto Exchanges
  • Peer-to-Peer Exchanges
  • Brokers

Though, we will define exchanges into:

  • Manual – where you simply have a landing page and managers get a client’s order to mail, messenger, etc.
  • Peer-to-peer – a matching board. Such an exchange has a simple interface where buy/sell orders are placed. The exchange itself isn’t involved in trading, as clients are exchanging currencies between each other.
  • Classic exchange – with automating trading. May have futures, trades on margin, leverage and tight spreads. Should also have various tools for data analysis like SMA( simple moving average ) MACD( moving average convergence divergence ), RSI ( relative strength index ) and others.

Most of the Security challenges are connected with Classic exchanges, therefore we will focus today on Classic one mostly.

Step 2 Choosing your marketplace

Most of the crypto tokens are not based on own Blockchain but are built with the use of already existed one. In order to finish development fast but also have a winning strategy, the choice of first basic currencies shall be wisely considered. Inn4Science would recommend you to have a look at Tether, Ethereum, and Bitcoin.

Why?

  • USDT is highly appreciated at the current market due to 100% backing by reserves of Tether Limited and traditional cash equivalents.
  • Ethereum blockchain is easy used and therefore has dozens of various tokens based on Ethereum smart contracts. If you have ETH embedded from the start, it will be much easier to add new exchange pairs of “Ethereum” tokens.
  • BTC is a digital gold among cryptocurrencies. Most of the high-volume traders are working only with Bitcoin.

Step 3 Withdrawals

Withdrawals are a powerful instrument where you can limit currencies for withdrawals, set fees etc. We provide more technical details on this question and on how to start a cryptocurrency exchange overall in our personal blog. Be free to visit it.

Step 4 Gateway

The most important part of backend development is the mechanism for indicating your transactions. Namely, this is the part where you embed Blockchain to your project.

It will “see” new transactions, distribute cash between accounts and execute withdrawals.

Step 5 Marketplace

It’s time to cover up the exchange. Finish backend, create Depth of Market, draft basic user interface and make it a secure and fine place for your traders. How to launch a favorable cryptocurrency exchange? Here are security tips from Inn4Science team:

Challenge 1: Scammers

Multi-accounts and scamming users are a common problem for any exchange.

Solution: To use device and IP validation. If they match for several accounts to block a fraud user. As well as to use a monitoring system.

Summary: If you use a personal system of account management it is very important to have a tool for user disconnection on the fly. While having token authorization you need to implement a session storage system with the access tokens. The system shall have the functionality to withdraw an authorization token of the user, even when the user is active. Therefore, you will be able to prevent suspicious activity either manually by the administrator, or automatically by the monitoring system.

Challenge 2: Substitution

A very popular way to tarnish the exchange reputation is to interfere with the workflow of the site. For example, the substitution of payment addresses.

Solution: classical monitoring of the website. Close access to any unauthorized changes to the code, that is delivered to the live server. Constantly monitor changes. As well as put hidden notifications on changes to critical parameters (for example, addresses of cold wallets and administrator’s backup contacts).

Do not forget about a more simple but not less important thing as validation. While creating your system, be sure that all sensitive and personal user data, in any case, should not be available via requests’ substitution. As an example, you may use ID monitoring. Whenever the system gets a request, the monitoring will compare the IDs of the authorized user and the user whose data is requested.

It is worth mentioning, that in case you intend to use the above-mentioned solution, the users’ IDs should not be openly displayed and provided. It is highly recommended to encrypt the IDs. Even simple, non-resource intensive encryption algorithms will dramatically complicate the possibility of a bruteforce attack for a potential hacker.

Summary: There 2 variants of security, the one is pro-active and the second is passive. Pro-active, when system tracks suspicious activity it instantly blocks/freezes user account.

Passive, when system tracks suspicious activity user receives a notification via email/SMS/etc.

Use monitoring and a timeout condition to secure any part of the interface where your system makes a call to users’ data and to prevent a bruteforce attack of these data.

Challenge 3: Wallets managements

Exchange wallets are the conventionally public information. As your service needs to provide an address where the user can top-up his account. Wallets have a heightened risk of hacking.

Solution: use cold storage wallets. To prevent losing assets of your clients, do not store all the funds on hot wallets. As soon as your system monitors the new transaction, resend it to a cold storage wallet. Keep on hot wallets only necessary amount for basic operations.

Summary: The safest way is when coins are stored in the cold storage wallets and all the transactions within your exchange platform are virtual. For example, you can use the Hashicorp vault solution to store passwords of hot and cold wallets. Therefore, you can automatically conduct transactions between wallets.

Challenge 4: AML/KYC

You should be ready, that fraudsters will try to sully the exchange wallets and use them for money laundering.

Solution: set AML/KYC procedures as mandatory for all new accounts, this way you will know your users and where they received money. Create a pool of wallets, to provide addresses to clients. And if you feel that they are used for laundering, simply stop using this wallet.

Summary: The bogus accounts won’t be able to spam orders, fraudsters won’t be able to use your hot wallets for money laundering.

Challenge 5: GDPR

Even if you are Korean, Japanese or whatsoever exchange which is not subject to the European Union GDPR are applied to your exchange if it has customers from the European Union. And according to the GDPR, the client has the right to be forgotten. But here you may face the conflict situation, where you have just deleted the user account, and tomorrow you got Police at your door asking why you hide the crime.

Solution: you have absolute right, to sign a separate agreement with your clients, where the condition is set that their AML/KYC data is immutable and non-removable.

Summary: do not ignore GDPR rights unless you want to be fined for millions of dollars.

Challenge 6: Excluded countries

There are several countries where crypto trading is illegal, like China. Therefore you need to be sure you are not accepting clients from banned countries.

Solution: you may ban clients via their IP. However, if you have a French living in China that would be a bit confusing. A better option is to make the client responsible for his actions. Have a clear, visible note where you have a list, which countries are prohibited from trading, and that they have full responsibility.

Challenge 7: Data Storage

Your database is a piece of a nice cake for hackers and maybe one of the primary targets.

Solution: have a secure encrypted data storage, as well as make cold copies of keys and cold copies of the database. The other good solution is to use data mirroring. Therefore, if one of your data storages is down (server, MySQL, NoSQL, etc.) you will have a live copy of data. Moreover, you will be able to promptly switch to this version. Also, the good thing is that most of the systems nowadays have an instant automatic switch for the data mirroring.

Summary: You shall encrypt any sensitive data available on the exchange with user key-pair. Remember to avoid storing user keys and passwords on the server. To validate user keys, you should use hash functions, for example, SHA256, RIPEMD128, RIPEMD-160, or any other suitable for your project.

Extra: Interface

An interactive interface goes along with dozens of buttons and other “active” places. Most of them will have a special condition to be active and available for interaction. Therefore, do not forget to have a double verification of actions, both on the front-end and back-end. This will counter any invalid actions on the server-side.

There are more challenges which you will face, but that is not connected to Blockchain, crypto or other regulations. Those are:

  • API Validation – hackers may use your API to interfere with the system
  • Load testing – be sure to understand how much your system is loaded and to have enough resources for a smooth work
  • DDoS attacks – the most common hacker attack
  • CSRF vulnerability
  • and much more.

Do not try to withstand all the challenges all alone, the security of the system is something you’d better not let to slide. In order to prevent future challenges, choose a reliable team today!

You Might Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>