The cybersecurity experts warn the bugs in open-source libraries might lead crypto exchanges to become easy targets for hackers.
Various financial institutions including highly protected crypto exchanges still use open-source libraries, where programs with the source codes are easily downloadable free of charge. However, the cybersecurity experts revealed the number of vulnerabilities in the open-source programs that can lead to fatal and costly damages.
Despite the fact that companies that manage millions of funds apply high cybersecurity requirements, the tiny underlying mistakes in the multiparty distributed key cryptography are easy to miss.
Cryptocurrency private keys, the sophisticated form of cryptography that allows users to access their digital funds, might be split into different components never fully known by each party, be it the user or the digital wallet that stores private keys.
However, cybersecurity experts at the Black Hat security conference earlier this month unveiled the potential weaknesses in multiparty distributed key cryptography schemes.
The fatal vulnerabilities were identified by Omer Sholomovits, the co-founder of mobile wallet ZenGo, reported in the popular tech magazine Wired. According to this discovery, the results might be classified into three categories of attacks.
I. Changing key’s components
The first category includes the insider at the particular cryptocurrency exchange. With the ability to freely access the open-source library, the malicious actor is able to exploit the vulnerability in its mechanism for refreshing the secret keys. The constant rotation here provides a higher level of security as the secret keys are harder to compromise.
However exploiting the bug in the library’s refresh mechanism, hackers are able to manipulate the process changing some of the key’s components. Although many other components remain unaffected, the old and new chunks of the key do not match anymore, causing the service denial and permanent lock of a crypto exchange to access its own funds.
II. Failing validations
The second type of attack focuses on the vulnerability in a key rotation process when it fails to validate all the statements among the cryptocurrency exchange and its user. The crucial flaw here allows to extract the user’s private keys by using multiple key rotations. The hacker then becomes able to initiate transactions withdrawing funds from the user’s accounts.
The following bug in an open-source library was incorporated by the unnamed key management company.
III. Exploiting random numbers
The third category of attacks occur when the trusted parties obtain their particular pieces of the key. Each of them generates several random numbers and later publicly verify among themselves if these key pieces match with each other, however without revealing a full content.
In case the open-source protocol is not checked for these random pieces, the hackers are able to extract the separate portions from all the different parties and later reassemble the full view of a secret key.
According to the expert, such a flaw in an open-source library was developed by Binance cryptocurrency exchange, however was fixed back in March.
All types of the identified attacks are not ordinary cases and require a “privileged position within the crypto exchange”, highlighted the experts. According to them, making mistakes while implementing multiparty distributed keys to crypto exchanges is highly possible. Moreover, such mistakes might have dramatic consequences as the protocols are easily accessible through the open-source libraries.
Despite that the distributed key schemes still are a critical defense factor against crypto exchange hacks.