Cryptocurrency ratings, research, consulting, … August 2016 Bitfinex Hong Kong 120,000 BTC …


Exchange Security Report

June 2019

ANALYSTS

WEIRONG CHEN, JINCHENG XU

[email protected]

Find, Create, Spread Value in Blockchain.

TokenInsight also provides in-depth analysis of projects, industry research reports and consultancy services; further information is available through the following contacts:

TokenInsight.com [email protected]


TOKENINSIGHT.COM

TABLE OF CONTENTS

1 Background Introduction

1.1 SECURITY STATUS OF CRYPTOCURRENCY EXCHANGES 2

1.2 SOURCES OF EXCHANGE SECURITY ISSUES 5

2 User Survey Results on Exchange Security

2.1 METHODOLOGY DESCRIPTION 6

2.2 RESULT ANALYSIS 7

3 Exchange Security Rating Description

3.1 TOKENINSIGHT'S SECURITY RATING DIMENSION 12

3.2 SAMPLE DESCRIPTION 14

4 Exchange Rating Results

4.1 NETWORK SECURITY ANALYSIS 16

4.2 RISK RESPONSE MECHANISMS 20

4.3 ACCOUNTS AND STORAGE SETTINGS 26

4.4 SUMMARY 31


KEY POINTS

① Security incidents and losses of funds at exchanges have occurred frequently and at various scales. However, as cryptocurrency exchanges pay more attention to security issues and invest more in their internal systems, the overall solutions have become increasingly mature.

② In general, users believe that both the largest exchanges and emerging exchanges with significant genuine trading volumes are safer. Notably, industry users currently place a high degree of trust in the largest exchanges.

③ Users hold a basic understanding of the security issues surrounding exchanges, but security is not the only factor for users when choosing where to trade.

④ Security testing shows that most exchanges have strong routine security defense mechanisms in place.

⑤ The largest and most popular exchanges have established emergency mechanisms, such as emergency funds, insurance and real-time alert detection, to ensure the security of user assets in case of an attack.

⑥ Aside from improvements to their internal security mechanisms, crypto exchanges have also enhanced security measures with the help of external third-party service providers.

⑦ The security rating results of some exchanges are as follows (see text for all rating results and rating descriptions):

 

[Table: Exchange Security Rating, with sample ratings A and BBB; the full results are given in Section 4]


01. BACKGROUND INTRO

1.1 Security Status of Cryptocurrency Exchanges

The soaring price of Bitcoin has gradually pushed blockchain technology from geek circles to the general public, which in turn has pushed the price of Bitcoin further up. As a result, users' appetite for trading digital currencies keeps rising. As the venues for digital currency trading, exchanges store a large amount of user funds, and numerous hackers are eager to make ill-gotten gains by exploiting the loopholes of exchanges.

‣ Figure 1-1 Funds Stolen from Exchanges in Recent Years (Source: TokenInsight)

According to TokenInsight statistics, at least USD 1.6 billion worth of digital currency assets were stolen from exchanges from 2014 to the first half of 2019, with at least USD 200 million already stolen in the first half of 2019. In 2017 and 2018 collectively, more than ten security breaches occurred on exchanges, the highest in nearly five years combined.

TokenInsight found that the change in security incidents over time followed a similar trend to market volatility and the price of cryptocurrencies, with the largest amount of funds stolen occurring at the end of the bull market. Between 2014 and 2018, the amount of funds stolen from cryptocurrency exchanges was substantial, reaching a record high in 2018. Compared alongside the digital currency market, the price of BTC rose from USD 90 to about USD 1,000 at the end of 2013 and then entered a bear market in 2014. At the end of 2017, the digital currency market, represented by BTC, entered another bull run but then spiraled into a downward trend at the start of 2018.

[Figure 1-1 bar chart: exchange stolen funds by year, unit USD 100M: 2014 4.90; 2015 0.06; 2016 0.80; 2017 1.13; 2018 8.58; first half of 2019 2.30]


‣ Figure 1-2 Exchange Incidents

Time | Exchange | Registered Region | Stolen Amount | Causes (Presumptive)
February 2014 | Mt.Gox | Japan | 850,000 BTC | Very controversial, with many different accounts. Officials claimed to have been attacked by hackers, but the public assumption is that it was an inside job.
August 2014 | Poloniex | USA | 12.3% of the platform's BTC was taken | Hackers successfully attacked the exchange due to a vulnerability in the platform's code.
January 2015 | Bitstamp | UK | 19,000 BTC | Hackers used communication tools to chat with exchange employees and sent malicious software, thus invading Bitstamp's internal exchange system.
August 2016 | Bitfinex | Hong Kong | 120,000 BTC | Hackers found vulnerabilities in the exchange wallet.
December 2017 | Nicehash | Slovenia | 4,700 BTC | Hackers found security vulnerabilities in the website.
January 2018 | Coincheck | Japan | USD 534 million | NEM tokens were stored insecurely in single-signature hot wallets; hackers stole the private keys to obtain the NEM.
February 2018 | BitGrail | Italy | USD 170 million | The exchange officially announced that the problem originated from the Nano development team, who in turn refuted the statement.
June 2018 | Bithumb | South Korea | USD 30 million | Hackers sent a large number of emails to exchange employees and attacked the exchange's hot wallets through malicious code.
September 2018 | Zaif | Japan | USD 60 million | Hot wallets were invaded by hackers.
January 2019 | Cryptopia | New Zealand | USD 3 million | Hackers found vulnerabilities in the exchange wallet.
January 2019 | QuadrigaCX | Canada | USD 190 million | The mysterious death of Gerald Cotten, founder of the exchange, led to the loss of the exchange's cold wallet private keys.
March 2019 | DragonEx | Singapore | USD 6 million | The private key of the primary account was exposed through its interactive API.

Source TokenInsight

Background Intro


‣ Figure 1-3 Theft of Some Exchanges

Time | Exchange | Registered Region | Stolen Amount | Causes (Presumptive)
March 2019 | Bithumb | South Korea | USD 19 million | Theft was committed by internal personnel.
March 2019 | Biki | Singapore | 120,000 USDT | Users were not required to bind Google authentication codes or the SMS codes of third-party authentication providers, so operations were hijacked, resulting in financial losses.
May 2019 | Binance | Malta | USD 41 million | Hackers attacked Binance through multiple channels, obtaining a large number of user API keys, Google 2FA authentication codes, and other relevant information.

Source TokenInsight


The above statistics show the theft from exchanges in recent years, the amount of funds stolen, and their likely causes. Some exchanges have compensated users for their losses caused by these security incidents. However, there were also significant amounts of stolen funds that led to some exchanges declaring bankruptcy, and user funds could not be recovered. Therefore, choosing a safe exchange is a critical condition for users to protect their interests.

 


1.2 Sources of Exchange Security Issues

Exchanges are places where users trade and make digital currency transactions. On the one hand, security problems are often caused by poor user awareness of how to protect their information; on the other hand, there are various vulnerabilities on the exchange side.

Cryptocurrency exchanges face a large number of investors from various backgrounds, some of whom lack security awareness or do not understand how to protect their information. These are perfect targets for hackers to take advantage of. For example, hackers exploit users' weak ability to distinguish real websites from fake ones, guiding them into phishing schemes through fake websites where user accounts and passwords are then stolen and misused. In March 2019, Biki, an emerging cryptocurrency exchange, failed to require users to set up a secondary authentication mechanism such as Google Authenticator, email or SMS authentication codes, which resulted in user accounts being hijacked by hackers and the loss of financial assets. Additionally, hackers found opportunities to attack other security vulnerabilities, resulting in further loss of user assets and thus increasing the operating costs of exchanges.

‣ Figure 1-4 Statistics on the Causes of Exchange Security Incidents (Source: TokenInsight)

[Pie chart: platform's own security problem 88%; weak user security awareness 12%]

According to TokenInsight statistics, about 88% of the security incidents in recent years were caused solely by the security problems of exchange platforms. For example, security vulnerabilities on some exchanges allowed hackers to steal the private keys of hot wallets. The most significant theft in cryptocurrency exchange history was seen at Coincheck in January 2018, which was caused by hackers obtaining the exchange's private keys to its hot wallets.


02. USER SURVEY RESULTS ON EXCHANGE SECURITY

As users of exchange platforms, investors are the most direct channel through which issues related to exchange security are experienced. TokenInsight has conducted a user survey on this issue and presents the results as follows.

2.1 Methodology Description

TokenInsight conducted a user survey from June 4 to June 10 by issuing an online community questionnaire. The purpose of this survey was to understand the experience of individual users in relation to exchange security. From this data, we aim to provide objective and transparent reporting as a reference for exchanges and users.

2.1.1 Issuing Channels

To more accurately and effectively reflect the experience of investors on exchanges, the channels for issuing this questionnaire were not limited to specific exchanges. The channels involved in this questionnaire were strictly Chinese-language channels; English channels were not included. The user groups surveyed come from TokenInsight's own community, major media channels, project communities, and more. Using WeChat, major media, apps, websites, and other communication methods has ensured the randomness and objectivity of this questionnaire's distribution to the greatest extent. Therefore, the information collected comes from various sources, and the questionnaire samples closely represent the overall situation of investors throughout the community.

2.1.2 Questionnaire Information

This questionnaire includes single-choice questions, multiple-choice questions, and fill-in-the-blanks. The contents of the survey mainly include the basic information of traders, criteria for selecting exchanges, and the level of understanding users have of exchange security. See Appendix I for more details regarding the original questionnaire.

2.1.3 Collection Sample

After a week of publicity and distribution, TokenInsight collected 206 questionnaire samples. After excluding 2 questionnaires whose respondents did not provide answers on digital token transactions and 1 with a high degree of repetitive responses, the remaining valid sample size was 203.


2.2 Analysis Results

2.2.1 Users' Opinions on Secure Exchanges

"Huobi and Binance are cryptocurrency exchanges that users believe are far safer than the industry average, and no obvious gap currently exists between the other exchanges."

This part of the analysis comes from the question: "What do you think is the most secure cryptocurrency exchange?"

According to the results of the TokenInsight questionnaire, the "three oldest exchanges", Huobi, Binance and OKEx, are still regarded as very secure exchanges from the users' perspective. However, there are also differences among these three, with the first two better known among users. The perceived security of exchanges in users' minds mirrors the current overall pattern of the exchange industry, showing an oligopoly of the largest exchanges. There is a large gap between the largest exchanges and other smaller players in the market, while there is no noticeable gap among the other exchanges.

From our survey, Huobi ranked first, followed by Binance, while OKEx placed third but was still far behind Huobi and Binance in terms of votes. Gate.io, MXC and BitMax formed a newly emerging category.

‣ Figure 2-1 Secure Exchanges from User Opinions (Source: TokenInsight)

[Bar chart: number of votes per exchange for "most secure exchange"; Huobi, Binance and OKEx lead, followed by Gate.io, MXC and BitMax]

Results of User Survey on Exchange Security


Considering the exchanges users actually use, Huobi and Binance have the highest user satisfaction rates; that is, users typically prefer exchanges that they feel are more secure. Specifically, 80% of the users who use Huobi think Huobi is secure; 72% of the users who use Binance think Binance is secure; 33% of Gate.io users think Gate.io is secure; and only 6% of OKEx users think OKEx is safe. Of course, it must also be noted that exchange security is not the only consideration when users choose which exchanges to trade on.

2.2.2 Users' Opinions on Security

"TokenInsight found that the wallet security of exchanges is a major area of interest for both hackers and users. Exchanges need to maintain sufficient transparency in their risk response mechanisms for wallet systems in order to gain more trust from users."

This part of the analysis comes from the question: "What do you pay more attention to when scoring the security of exchanges?"

From the users' perspective, the three aspects users are most concerned about are: whether the exchange's wallet is secure enough to store assets, whether there is a risk response mechanism in case of a security breach, and whether there are vulnerabilities in the exchange's website. According to the summary of thefts from exchanges over the years, the wallet has become an important target of hacker attacks and, correspondingly, one of the aspects of exchange security that users are most concerned about.

When surveyed, whether an exchange had previously suffered a security incident placed only in the middle of users' main concerns. Users were more concerned about the exchange's response mechanisms after a breach occurred. It was more important to users that exchanges maintain a certain degree of transparency in their risk response mechanisms in the event of a hack. In terms of response mechanisms, some exchanges have set up special funds to compensate users for losses after a security breach. Binance established its Secure Asset Fund for Users (SAFU) after the exchange experienced a hack in July 2018, guaranteeing the reimbursement of user assets. Additionally, it has allocated part of its transaction fees to the SAFU as a source of compensation for users' losses.


‣ Figure 2-2 Security Scoring Points Most Concerned by Users (Source: TokenInsight)

[Bar chart: number of respondents naming each scoring point: safety of wallet storage; risk response mechanism; password strength; whether a safety incident occurred before; email or mobile phone verification required for offsite login; website]

In addition to the information provided above, other concerns about exchanges revolve around the exchange API, internal management experience, phishing websites, vulnerability detection, website stability, and others. For reference, the keywords are shown in the word cloud below.

‣ Figure 2-3 What is security in users' opinions? (Source: TokenInsight)

[Word cloud of user keywords]


2.2.3 What is the user's willingness to trade on breached exchanges?

Analysis in this section comes from the question: "How willing are you to trade on exchanges that have a history of being hacked?" The question is in the form of a 5-point scale.

The average willingness of users to trade on hacked exchanges is 2.44. We also found that the older users are, the more reluctant they are to trade on hacked exchanges. Specifically, the post-90s generation has the highest tolerance and the highest willingness to trade on breached exchanges, reaching 2.5. The post-70s generation has the lowest willingness, at only 2.18. The samples of other age groups are too small to include in this comparison.

‣ Figure 2-4 Transaction Willingness of Users of Different Ages (Source: TokenInsight)

[Bar chart, 5-point scale: Post-70s 2.18; Post-80s 2.45; Post-90s 2.5; Average 2.44]


2.2.4 How do users rate the security of exchanges?

Analysis from this next section comes from the question - "do you think cooperation with third-party security service providers can guarantee the security of the exchanges?" and "do you think it is important for exchanges to force users to use secondary authentication services such as Google Authenticator and SMS authentication?". The above questions are in the form of a 5-point scale.

‣ Figure 2-5 Users' rating of exchange security impact factors (Source: TokenInsight)

[Bar chart, 5-point scale, three factors: third-party technical test scores; cooperation with security service providers; strength of technical team (4.29)]

In terms of technology, users have a high degree of recognition for "the strength of an exchange's development and technical team, which guarantees the security of the exchange", with an average score of 4.29. The more an exchange discloses about the strength of its technical team, the more confident users are in the security of the exchange.

‣ Figure 2-6 Recognition, by educational background, of the security guarantee provided by exchanges' cooperation with third-party security service providers (Source: TokenInsight)

[Bar chart, 5-point scale, grouped by Master's degree, Undergraduate degree, Junior college degree, High school and Average, for third-party technical test scores and cooperation with security service providers]

It is worth noting that the higher the education level of users, the higher they rate third-party technical testing and the more they trust third-party security service providers.


03. EXCHANGE SECURITY RATING DESCRIPTION

3.1 TokenInsight's Security Rating Dimensions

As the primary "custodian of funds" for users, exchanges ignite a sense of insecurity each time a security incident occurs. Security is also an essential aspect of TokenInsight's exchange rating system, where it is rated on three dimensions: network security, risk response mechanisms, and account and storage settings.

The sub-dimensions in each dimension and testing methods utilized by TokenInsight are described below.

3.1.1 Network Security

Network security is a very complicated problem. Under the premise that it is impossible to conduct an internal code security audit on exchanges, we have performed security auditing on the exchange's web application and corresponding transaction pages with a series of professional external audit and testing tools.

For webpage security auditing, we utilize the ImmuniWeb series of products and tools built by High-Tech Bridge to detect and audit corresponding web pages from the following several aspects: whether the web pages conform to mainstream standards and specifications regarding security and privacy; whether the implementation of SSL/TLS security protocols conform to mainstream standards; potential phishing website threats, and others.

For more in-depth testing of web applications, TokenInsight uses Burp Suite (Professional edition) from PortSwigger. Specific test categories include XML external entity injection, SQL injection, operating system command injection, cross-site scripting, file path traversal, and more. Based on the test results, a report on the severity and confidence level of the vulnerabilities found is issued to TokenInsight.

3.1.2 Risk Response Mechanisms

Specific inspection contents of the risk response mechanisms include the following aspects: whether there are unexpected events that cause abnormal transactions or theft of funds, whether there are perfect prevention and compensation mechanisms to deal with unexpected events, and whether there are safe partners or the disclosure of security audit reports.


Another example of a risk response mechanism is Huobi Global's investor protection fund. This will be used to compensate Huobi's users in advance in case of sudden breaches on its platform and is designed to protect the rights and interests of investors. At present, there are 51,157,900 HTs locked, which are currently worth about USD 174 million. Huobi has used the fund several times to protect the rights and interests of its users.

3.1.3 Account and Storage Settings

Account settings are mainly divided into an exchange's restrictions on user passwords and its secondary authentication mechanisms. The exchange imposes restrictions on the character types and length of each user's password at registration. For example, it may require the password to include letters, numbers or special characters, and to be no less than eight characters long.

Storage settings are designed to measure how the exchange stores its user's funds and whether it uses methods of separating hot and cold wallets to store funds. Hot wallets are vulnerable to hacker attacks due to networks operating in real-time, while cold wallets are relatively safe.

These two results are both derived from TokenInsight in combination with the information disclosed by exchanges, experience assessments of each organization, and the tracking of exchange wallet addresses.
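As an added illustration of the account-setting checks described above (not TokenInsight's code or any exchange's implementation), the following Python example enforces the registration password policy the report describes, a minimum length of eight characters and a mix of character classes, and gates account creation on a secondary authentication method being enrolled. The minimum of two character classes, the small blocklist of common passwords and the `register` gate are assumptions made for this example, not requirements stated in the report.

```python
from dataclasses import dataclass, field
from typing import List

# Policy parameters. MIN_LENGTH follows the report ("no less than eight characters");
# MIN_CLASSES and COMMON_PASSWORDS are assumptions made for this example.
MIN_LENGTH = 8
MIN_CLASSES = 2
COMMON_PASSWORDS = {"password", "password123", "12345678", "qwerty123", "11111111"}


@dataclass
class PolicyResult:
    ok: bool
    violations: List[str] = field(default_factory=list)


def character_classes(password: str) -> int:
    """Count how many of the three classes (letters, digits, special) are present."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return sum((has_letter, has_digit, has_special))


def check_password(password: str, min_length: int = MIN_LENGTH,
                   min_classes: int = MIN_CLASSES) -> PolicyResult:
    """Evaluate a candidate password against the registration policy.

    Every violated rule is reported, so the registration form can tell the
    user everything that must change in one round-trip.
    """
    violations = []
    if len(password) < min_length:
        violations.append("too_short")
    if character_classes(password) < min_classes:
        violations.append("too_few_character_classes")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("common_password")
    return PolicyResult(ok=not violations, violations=violations)


def register(username: str, password: str, second_factor_enrolled: bool) -> str:
    """Registration gate (assumed flow): the account is created only when the
    password policy passes and a secondary authentication method is enrolled.
    Section 1.2's Biki incident is the report's example of skipping the latter."""
    result = check_password(password)
    if not result.ok:
        return "rejected: " + ", ".join(result.violations)
    if not second_factor_enrolled:
        return "rejected: secondary_authentication_required"
    return f"created: {username}"


if __name__ == "__main__":
    for candidate in ("abc", "abcdefgh", "password123", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate))
    print(register("alice", "Tr0ub4dor&3", second_factor_enrolled=False))
    print(register("alice", "Tr0ub4dor&3", second_factor_enrolled=True))
```

The check reports all violations at once rather than stopping at the first, and the blocklist comparison is case-insensitive so that trivial capitalisation does not bypass it; a production deployment would replace the five-entry set with a breached-password list.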

 

Description of Exchange Security Rating


3.2 Sample Size Description

The 40 exchange samples covered in this report are TokenInsight's TOP 40 exchanges in its List of Q1 2019 Comprehensive Ratings of Exchanges. These 40 exchanges are registered in 14 countries/regions across the continents, and the list is as follows.

‣ Figure 3-1 Exchange List I

Exchange | Registered Region | Trading type
Binance | Malta | Spot trading
Coinbase Pro | USA | Spot trading
Huobi Global | Seychelles | Spot trading and contract trading
Kraken | USA | Spot trading and contract trading
BitFlyer | Japan | Spot trading and contract trading
Bitstamp | UK | Spot trading
OKEx | Malta | Spot trading and contract trading
KuCoin | Singapore | Spot trading
Bitfinex | Hong Kong, China | Spot trading
Liquid | Japan | Spot trading
Bittrex | USA | Spot trading
Poloniex | USA | Spot trading
Coinsuper | Hong Kong, China | Spot trading
Bibox | Estonia | Spot trading and contract trading

Source TokenInsight, Date 2019/6/15


‣ Figure 3-2 Exchange List II

Exchange | Registered Region | Trading type
HitBTC | UK | Spot trading
BitMart | USA | Spot trading
Gemini | USA | Spot trading
Upbit | South Korea | Spot trading
Bitbank | Japan | Spot trading
Bitbay | Poland | Spot trading
Bithumb | South Korea | Spot trading
Bit-Z | Hong Kong, China | Spot trading
BitMax | Singapore | Spot trading
Exmo | UK | Spot trading
YoBit | Russia | Spot trading
FCoin | Singapore | Spot trading and contract trading
Coinone | South Korea | Spot trading
Gate.io | Cayman Islands | Spot trading and contract trading
LBank | Hong Kong, China | Spot trading
ZB | Hong Kong, China | Spot trading
Bgogo | Cayman Islands | Spot trading
DigiFinex | Seychelles | Spot trading
Coineal | Seychelles | Spot trading
Coinsbank | UK | Spot trading
CoinMex | Belize | Spot trading
CoinBene | Singapore | Spot trading
CoinTiger | Singapore | Spot trading
CoinEgg | UK | Spot trading
BCEX | Canada | Spot trading and contract trading
DragonEX | Singapore | Spot trading

Source TokenInsight, Date 2019/6/15


04. RATING RESULTS

4.1 Network Security Analysis

In this report, network security issues refer to technical problems in the design and implementation of exchange websites and network applications. Mechanisms beyond the software systems, such as asset storage mode and password strength, are discussed in separate chapters. Mobile applications are not considered in this rating; the products of the exchanges' other client platforms may be evaluated independently in the future.

In this rating methodology, the security ratings for the website applications of exchanges are mainly divided into two categories: basic web scanning and deep penetration testing.

4.1.1 Website Security Scanning

We use High-Tech Bridge's ImmuniWeb series products to scan the security of websites and evaluate the certificates they use, the security and privacy compliance of data, and the usage of SSL certificates. High-Tech Bridge is a Swedish company founded in 2007 and was named Europe's leading service provider in 2012.

‣ Figure 4-1 Website security testing (Source: TokenInsight, High-Tech Bridge)

According to the testing results, 37.5% of exchange websites receive only an F security rating, and nearly half of exchange websites achieve a low C grade. The factors that may downgrade the security rating of an exchange website include: websites without a web application firewall may be subject to intrusion; websites with outdated components are vulnerable; HTTP security headers are not effectively configured; and others.

[Bar chart: number of exchange websites per ImmuniWeb grade A, A-, B+, B, B-, C+, C and F; 15 websites were graded F]


4.1.2 Website Security Penetration & Testing

For penetration testing, we use PortSwigger's professional services and tools to test and evaluate the applications of exchanges websites from five different aspects based on more than 20 test parameters. PortSwigger is a British company founded in 2008, and its Burp Suite is an integrated platform used for performing web application security testing.

The results from the penetration testing are classified as high, medium, and low risk - according to possible vulnerability severity and confidence. Note that the numbers indicated in the results from penetration testing may refer to several different problems at once, or the same problem altogether and may recur multiple times throughout different websites. Moreover, as testing results for the same websites at different times and under different testing conditions may be different, these testing results are for reference only.

According to testing results on penetration, websites from 6 out of the 40 selected exchanges have high-risk vulnerabilities with different confidence levels, 16 have medium-risk vulnerabilities, and 29 have low-risk vulnerabilities. They account for 15%, 40% and 72.5% of the total sample sizes respectively. It was also found that most of the vulnerable exchanges typically had no more than three defects. This shows that most exchanges are now paying more attention to network security, and no severe problem have been found.

‣ Figure 4-2 Analysis of vulnerability types in penetration testing Source TokenInsight PortSwigger�

The problems found during penetration testing can be roughly divided into 14 types, as shown in the figure above; the most common are SSL certificate issues and Strict Transport Security not being enforced. A problem that occurred on the same exchange website multiple times is counted only once. As the figure shows, the detected vulnerability types are relatively concentrated: the three most common account for more than half of all occurrences, and these common vulnerabilities are not considered high severity. Overall, most exchanges have no apparent problem with their websites.
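As an added example (not TokenInsight's or PortSwigger's code), the checker below audits a captured HTTP response for four of the categories in the figure: Strict Transport Security not enforced, cookies without the Secure flag, cookies without the HttpOnly flag, and password fields with autocomplete enabled. The two responses it inspects are constructed for illustration, and the category strings are taken from the figure labels.

```python
import re

# Constructed sample responses (not captured from any real exchange). The weak
# one has no HSTS header, a session cookie without Secure, a prefs cookie
# without HttpOnly, and a password field that does not disable autocomplete.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n"
    "\r\n"
    '<form action="/login"><input type="text" name="user">'
    '<input type="password" name="pass"></form>'
)

# The same page with each finding fixed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    '<form action="/login"><input type="text" name="user">'
    '<input type="password" name="pass" autocomplete="off"></form>'
)


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers, body).

    Headers are returned as a list of (lower-cased name, value) pairs so that
    repeated Set-Cookie lines are all kept, which a dict would silently drop.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_attributes(set_cookie_value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(headers, body, served_over_https=True):
    """Return (category, detail) findings, using the category names from Figure 4-2."""
    findings = []

    # HSTS only applies to HTTPS responses; a missing header or a zero max-age
    # means browsers are never told to refuse plain HTTP for this host.
    if served_over_https:
        hsts = [v for n, v in headers if n == "strict-transport-security"]
        max_age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
        if not hsts:
            findings.append(("strict transport security not enforced",
                             "no Strict-Transport-Security header"))
        elif max_age is None or int(max_age.group(1)) == 0:
            findings.append(("strict transport security not enforced",
                             "max-age missing or zero"))

    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = cookie_attributes(v)
        if served_over_https and "secure" not in attrs:
            findings.append(("SSL cookie without secure flag set", name))
        if "httponly" not in attrs:
            findings.append(("cookie without HttpOnly flag set", name))

    # Scanner-style check: a password input without autocomplete="off". Modern
    # browsers may ignore the attribute, so treat this as a low-value signal.
    for tag in re.findall(r"<input\b[^>]*>", body, flags=re.IGNORECASE):
        if not re.search(r'type\s*=\s*["\']?password', tag, re.IGNORECASE):
            continue
        auto = re.search(r'autocomplete\s*=\s*["\']?([\w-]+)', tag, re.IGNORECASE)
        if auto is None or auto.group(1).lower() != "off":
            findings.append(("password field with autocomplete enabled", tag))

    return findings


def audit_raw(raw, served_over_https=True):
    """Parse a raw response and audit it."""
    _, headers, body = parse_raw_response(raw)
    return audit_response(headers, body, served_over_https)
```

Running `audit_raw(WEAK_RESPONSE)` yields one finding per category above, while `audit_raw(HARDENED_RESPONSE)` yields none.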

[Figure 4-2 residue: pie chart of vulnerability types found in penetration testing. Categories shown: strict transport security not enforced, SSL certificate, open redirection, SSL cookie without secure flag set, link manipulation, external service interaction, cookie without HttpOnly flag set, password field with autocomplete enabled, others. Shares shown: 25%, 20%, 12%, 10%, 8%, 8%, 7%, 5%, 5%.]


‣ Figure 4-3 Results of Exchange Security Testing

Columns: exchange, domain name, website security grade, penetration testing findings (high risk / medium risk / low risk; counts with detection confidence)

Bgogo bgogo.com A- 0 1 (High certainty) 1 (High certainty)

Bibox bibox.com C+ 0 1 (High certainty) 1 (High certainty)

Binance binance.com B+ 0 0 0

Bit-z bit-z.com F 0 1 (High certainty) 1 (Certainty) 1 (High certainty) 2 (Certainty)

Bitfinex bitfinex.com B 0 1 (High certainty) 1 (High certainty)

BitMax bitmax.io C 0 1 (High certainty) 1 (Certainty)

Bittrex bittrex.com B- 0 1 (High certainty) 2 (High certainty)

BCEX bcex.ca F 0 1 (High certainty) 1 (High certainty)

Bitbay bitbay.net B- 0 0 0

Bitbank bitbank.com A- 0 1 (High certainty) 1 (High certainty)

Bitflyer bitflyer.jp B+ 2 (High certainty) 0 0

Bithumb bithumb.com F 0 1 (High certainty) 1 (Certainty) 1 (High certainty)

BitMart bitmart.com C+ 0 0 1 (Low certainty)

Bitstamp bitstamp.net F 0 0 1 (High certainty)

Coinbase coinbase.com B+ 4 (High certainty) 0 5 (Low certainty)

CoinBene coinbene.com F 0 1 (High certainty) 1 (High certainty)

Coineal coineal.com F 7 (High certainty) 3 (Certainty) 3 (High certainty) 3 (Certainty)

CoinEgg coinegg.com F 1 (High certainty) 0 2 (High certainty)

Coinsuper coinsuper.com B 0 0 1 (Low certainty)

Source TokenInsight


‣ Figure 4-4 Results of Exchange Security Testing

Columns: exchange, domain name, website security grade, penetration testing findings (high risk / medium risk / low risk; counts with detection confidence)

CoinMex coinmex.com C+ 0 0 1 (Certainty)

Coinone coinone.co.kr F 0 0 2 (High certainty) 2 (Certainty)

Coinsbank coinsbank.com C+ 0 0 0

CoinTiger cointiger.com F 0 0

Digifinex digifinex.com A 0 1 (High certainty) 1 (High certainty)

DragonEX dragonex.im B 0 0 0

exmo exmo.com C 0 0 0

FCoin fcoin.com F 0 0 1 (High certainty)

Gate gate.io F 0 2 (High certainty)

Gemini gemini.com F 0 0 0

HitBTC hitbtc.com B- 0 2 (High certainty) 0

Huobi Global hbg.com A 0 0 0

Kraken kraken.com A- 0 0 0

KuCoin kucoin.com B- 1 (Low certainty) 1 (High certainty)

LBank lbank.info C+ 0 0 0

Liquid liquid.com F 0 1 (High certainty) 2 (High certainty) 2 (Low certainty)

OKEx okex.com C+ 0 0 1 (High certainty) 7 (Certainty) 35 (Low certainty)

Poloniex poloniex.com B- 0 3 (Certainty) 0

Upbit upbit.com F 0 0 2 (High certainty) 2 (Certainty)

Yobit yobit.net C 0 1 (High certainty) 3 (Certainty) 7 (High certainty) 3 (Certainty)

ZB zb.com F 1 (Low certainty) 1 (High certainty) 1 (Low certainty)

Source TokenInsight


4.2 Risk Response Mechanisms

4.2.1 Security Incidents

TokenInsight has conducted a statistical analysis of the security incidents seen at exchanges over the past three years (June 2016 to June 2019), including, but not limited to, trading anomalies caused by hacker attacks, fund theft, and system problems caused by internal or external factors.

‣ Figure 4-5 Security Incidents of TOP40 Exchanges Source TokenInsight

Security incidents occurred on 10 of the Top 40 exchanges (25%) in the past three years. Classifying the registered locations of these exchanges by continent, no major security incident occurred in the past three years on exchanges registered in Seychelles or Africa; Asia is still home to the largest number of registered exchanges, and security incidents have occurred on more than 25% of them so far, most often in Singapore and South Korea.

‣ Figure 4-6 Reasons for Exchange Thefts Source TokenInsight

The leading causes of these security incidents are briefly summarized here and divided into the three reasons shown in the figure above. Among the incidents at Top 40 exchanges, 60% are attributable to the exchanges themselves, and 40% to phishing website attacks and improper handling of information by users. These exchanges have relatively high credibility and will not simply run away.

[Figure 4-5 residue: bar chart of Top 40 exchanges by registered continent (North America, Africa, Europe, Asia), split into With Security Incidents / Without Security Incidents; axis 0 to 18.]

[Figure 4-6 residue: pie chart of reasons for exchange thefts: information leakage caused by phishing websites/improper operation by users; exchange technology vulnerabilities letting hackers obtain user data; vulnerabilities in exchange wallets/improper private key management. Shares shown: 40%, 20%, 40%.]


Within the dimensions of this study, whether an exchange has suffered a security breach is treated as a crucial factor in the judgment. TokenInsight therefore lists the details for each exchange and rates them accordingly.

‣ Figure 4-7 Security Incident of Exchanges in Recent Three Years

Exchange | Security incident (Yes/No) | Handling mode

BCEX | N/A | N/A

Bgogo | N/A | N/A

Bibox | N/A | N/A

Binance | Yes | A thorough security review of the exchange's security system was carried out after the intrusion in May 2019, and security funds were used to compensate for users' losses.

Bitbank | N/A | N/A

Bitbay | N/A | N/A

Bitfinex | Yes | About 120,000 BTC were stolen in 2016; tokens were issued as creditors' rights and debt-to-equity swaps were conducted.

BitFlyer | N/A | N/A

Bithumb | Yes | The exchange will compensate users for the USD 6.02 million stolen in March 2019.

BitMart | N/A | N/A

BitMax | N/A | N/A

Bitstamp | N/A | N/A

Bittrex | N/A | N/A

Bit-Z | N/A | N/A

Coinbase Pro | N/A | N/A

CoinBene | Yes (with official denial) | N/A

Coineal | N/A | N/A

CoinEgg | N/A | N/A

CoinMex | N/A | N/A

Coinone | N/A | N/A

Coinsbank | N/A | N/A

Coinsuper | N/A | N/A

Source: TokenInsight, public information


‣ Figure 4-8 Security Incident of Exchanges in Recent Three Years

Exchange | Security incident (Yes/No) | Handling mode

CoinTiger | Yes | No loss of user funds

DigiFinex | N/A | N/A

DragonEX | Yes | The exchange will compensate users for the USD 6.02 million stolen in March 2019.

Exmo | N/A | N/A

Fcoin | N/A | N/A

Gate.io | Yes | No loss of user funds

Gemini | N/A | N/A

HitBTC | N/A | N/A

Huobi Global | N/A | N/A

Kraken | Yes | Some users were hacked in July 2016.

KuCoin | N/A | N/A

LBank | N/A | N/A

Liquid | N/A | N/A

OKEx | Yes (without official response) | N/A

Poloniex | N/A | N/A

Upbit | N/A | N/A

YoBit | N/A | N/A

ZB | Yes | Some user passwords were leaked in June 2019.

Source: TokenInsight, public information


4.2.2 Risk Prevention and Compensation Mechanisms

Phil Potter, a former CSO of Bitfinex and co-founder of Tether, recently talked about the operation of exchanges, saying that "running a Bitcoin exchange means that you will be constantly attacked and hackers will not always attack in the way you expect". Security is a considerable challenge for exchanges. No matter how sophisticated their technology systems are, it is unavoidable that hackers will find a way to exploit some imperfections. Therefore, the emergency mechanism established by exchanges in times of security breaches is essential.

The core demand for users is the security of their digital assets on the exchange. After a security incident occurs, will exchanges directly declare bankruptcy for failure to pay off debts to users or compensate users' funds? For this purpose, TokenInsight studied the risk compensation mechanisms of exchanges for users.

‣ Figure 4-9 Risk Compensation Mechanisms of Exchanges

Exchange | Risk compensation mechanism

Binance | The investor protection fund was established in July 2018, and 10% of all transaction fees are deposited at an independent address for the fund.

Bitflyer | The insurance clause covers losses caused by cyberattacks and employee misconduct, amounting to up to USD 8.9 million. The insurance company is Mitsui Sumitomo Insurance.

Bithumb | There are two kinds of comprehensive cyber security insurance, with a maximum of USD 5.3 million, covering information maintenance, data loss and theft, cyber threats, and compensation for leakage of investors' personal information. Insurers include Hyundai Marine & Fire Insurance, the second largest non-life insurance company in South Korea, and Heungkuk Fire & Marine Insurance.

Coinbase Pro | The insurance service for digital assets and USD assets stored in hot wallets is provided by the Federal Deposit Insurance Corporation.

Coinone | An insurance policy is in place with an insured amount of up to USD 2.7 million. The insurer is Hyundai Marine & Fire Insurance, the second largest non-life insurance company in South Korea.

Gemini | The insurance service for digital assets and USD assets stored in hot wallets is provided by the Federal Deposit Insurance Corporation.

Huobi | The security provision mechanism was introduced in February 2018, with a total of 20,000 BTC for dealing with possible extreme security incidents.

Upbit | An insurance policy is in place with an insured amount of up to USD 4.5 million, mainly covering personal information disclosure.

Source: TokenInsight, public information


The specific risk compensation mechanism of each exchange is listed above. Generally speaking, both exchanges that have suffered security incidents and those that have not have made some user risk compensation mechanism public. However, the proportion is still low: only 8 of the TOP40 exchanges have such mechanisms in place.

The mechanisms fall into two patterns: exchanges led by Binance and Huobi set aside transaction fees from their platforms as a risk compensation fund for security incidents, while exchanges in the USA, Japan and South Korea, led by Coinbase and Bitflyer, insure user funds with traditional insurance companies to hedge the risks of data leakage and fund theft that may occur on the exchange.

4.2.3 Security Service Provider

Since 2018, more and more exchanges have cooperated with third-party security service providers to strengthen exchanges both at the security level and at the project ecosystem level. At present, the services offered by third-party security providers cover audits of exchanges and of the smart contracts of projects listed on them. Security services for exchange platforms involve security testing of server-side code, app security, business logic, relevant solutions, and more. Such testing is the most important part of security detection for exchanges.

By June 2019, 20 exchanges (i.e. 50%) had already cooperated with third-party security service providers. Some exchanges collaborate with more than one provider; Huobi, for example, works with several relevant security companies in the industry.


‣ Figure 4-10 Exchange Security Service Providers

Exchange | Security service providers

Bgogo | Armors Labs

Bibox | CertiK, John Wick Security, CM Blockchain Security Center and RatingToken

Binance | 360, CertiK

BitFlyer | DigiCert

BitMart | SlowMist and CM Blockchain Security Center

Bit-Z | KnownSec, John Wick Security and ChainsGuard

CoinBene | Armors Labs, AnChain, Link Security Technology and KnownSec

Coineal | John Wick Security

CoinMex | Link Security Technology

Coinone | SK infosec, THERORI

Coinsuper | SlowMist, KnownSec and John Wick Security

CoinTiger | Chaitin Tech, KnownSec, CertiK, Link Security Technology and John Wick Security

DigiFinex | Decentralized Vulnerability Platform (DVP)

FCoin | KnownSec and John Wick Security

Huobi Global | 360, SlowMist, CertiK, AnChain, KnownSec, Chaitin Tech, Link Security Technology and John Wick Security

KuCoin | 360, HackerOne, KnownSec, SlowMist and Link Security Technology

LBank | SlowMist, KnownSec, Link Security Technology and BUGX

OKEx | CertiK, BYSEC.IO

ZB | John Wick Security

Source: TokenInsight, public information


4.3 Account and Storage Settings

4.3.1 Account Settings

Account settings are embodied in the requirements exchanges place on their registered users for password security, login, and trading security. Password security can be considered from two aspects: the restrictions exchanges place on the length and strength of user passwords, and whether secondary authentication is required for the first login.

‣ Figure 4-11 Exchange account settings Source TokenInsight

In terms of password requirements, more than 30 exchanges require a length of more than 8 characters and a combination of numbers and letters. In other words, more than 75% of exchanges enforce some password complexity, and half of them require mixed upper and lower case or special symbols. Besides password settings, secondary authentication for login or trading also improves the security of user funds. Generally speaking, secondary authentication is conducted through Google Authenticator, mobile phone authentication or email authentication. Some exchanges also provide anti-phishing codes against phishing websites: once a user sets the code, every email sent by the exchange contains it, which helps the user determine whether a received email really comes from the exchange.

Among these 40 exchanges, all offer users the option of secondary authentication, but they differ in the situations in which it is compulsory. Only 30% of exchanges require users to perform secondary authentication after registering for the first time, i.e. compulsory secondary authentication on first login. These are 12 exchanges, including Binance, Coinbase Pro and Huobi.

[Figure 4-11 residue: bar chart, number of exchanges (0 to 40) answering Yes/No for: password length more than 8 characters; upper and lower case/special symbol; number/letter combination; secondary authentication for first login.]


‣ Figure 4-12 Exchange account restrictions

Columns: exchange; password length more than 8 characters; number/letter combination; upper and lower case/special symbol; secondary authentication for first login

BCEX 100% 100% 0% 100%

Bgogo 100% 0% 0% 0%

Bibox 100% 100% 0% 0%

Binance 100% 100% 100% 100%

Bitbank 100% 0% 0% 0%

Bitbay 100% 100% 100% 0%

Bitfinex 100% 100% 100% 0%

BitFlyer 100% 100% 100% 100%

Bithumb 100% 100% 100% 100%

BitMart 0% 100% 0% 0%

BitMax 100% 0% 0% 0%

Bitstamp 100% 100% 100% 0%

Bittrex 100% 0% 0% 0%

Bit-Z 0% 100% 0% 100%

Coinbase Pro 100% 100% 100% 100%

CoinBene 0% 100% 0% 0%

Coineal 100% 100% 100% 0%

CoinEgg 100% 100% 100% 0%

CoinMex 0% 100% 0% 100%

Coinone 100% 0% 100% 0%

Coinsbank 0% 0% 0% 100%

Coinsuper 100% 100% 100% 100%

CoinTiger 100% 100% 0% 0%

DigiFinex 100% 0% 0% 0%

DragonEX 100% 100% 100% 0%

Exmo 0% 0% 0% 0%

Source: TokenInsight, public information


‣ Figure 4-13 Exchange account restrictions

Columns: exchange; password length more than 8 characters; number/letter combination; upper and lower case/special symbol; secondary authentication for first login

FCoin 100% 100% 100% 100%

Gate.io 0% 100% 0% 0%

Gemini 100% 100% 100% 100%

HitBTC 0% 100% 100% 0%

Huobi Global 100% 100% 0% 100%

Kraken 100% 100% 100% 0%

KuCoin 100% 100% 100% 0%

LBank 100% 100% 0% 0%

Liquid 100% 100% 100% 0%

OKEx 100% 0% 0% 0%

Poloniex 100% 0% 0% 0%

Upbit 100% 100% 100% 0%

YoBit 100% 100% 100% 0%

ZB 100% 100% 0% 0%

Source: TokenInsight, public information


4.3.2 Fund Storage

The cold and hot wallet isolation mechanism is used for the fund storage of exchanges. Cold wallets are offline wallets; since they are not connected to the network in real time, their security is very high. Cold wallets are generally less active, and each transfer involves a large amount. Hot wallets are online wallets, and hackers are more likely to gain access to them. For exchanges, hot wallets serve the daily transfer needs of users. The security of hot wallets is lower than that of cold wallets, and the fund balance held in an exchange's hot wallets is generally lower than that of its cold wallets.

The relationship between the hot and cold wallets and user addresses of most exchanges is as follows: the exchange assigns each user a deposit and withdrawal address. When new funds flow into the user's deposit address, they are moved into one of the exchange's hot wallets. Interaction between hot wallets and user addresses is frequent, but each hot wallet transfer is generally small, rarely involving thousands of BTC. Interaction between hot and cold wallets is very infrequent, and each transfer involves at least hundreds of BTC.
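The following is an added example, not any exchange's code, modelling the hot/cold split just described: user deposits land in the hot wallet, withdrawals are paid from it, and a band policy keeps the hot balance between a floor and a ceiling so that hot-to-cold sweeps and cold-to-hot top-ups are rare and large while user-facing transfers are frequent and small. The balances, the floor/ceiling/top-up parameters and the event list are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Treasury:
    """Exchange funds split between an online hot wallet and an offline cold wallet."""
    hot: float
    cold: float
    hot_floor: float     # assumed policy: top up from cold before hot falls below this
    hot_ceiling: float   # assumed policy: sweep to cold when hot rises above this
    topup_size: float    # assumed policy: minimum size of one cold-to-hot transfer
    ledger: list = field(default_factory=list)   # (kind, counterparty, amount)

    @property
    def hot_target(self):
        """After a sweep the hot balance sits in the middle of the band."""
        return (self.hot_floor + self.hot_ceiling) / 2

    def deposit(self, user_address, amount):
        """Funds arriving at a user's deposit address are moved into the hot wallet."""
        self.hot += amount
        self.ledger.append(("deposit", user_address, amount))
        self._sweep_to_cold()

    def withdraw(self, user_address, amount):
        """Pay a user withdrawal from the hot wallet, topping up from cold if needed."""
        if self.hot - amount < self.hot_floor:
            # A cold-to-hot transfer needs offline signing, so each one is large:
            # at least topup_size, and enough to pay this withdrawal and restore the floor.
            needed = max(self.topup_size, self.hot_floor + amount - self.hot)
            self.cold -= needed
            self.hot += needed
            self.ledger.append(("cold_to_hot", None, needed))
        self.hot -= amount
        self.ledger.append(("withdraw", user_address, amount))

    def _sweep_to_cold(self):
        """Keep the hot balance (the amount exposed online) under the ceiling."""
        if self.hot > self.hot_ceiling:
            excess = self.hot - self.hot_target
            self.hot -= excess
            self.cold += excess
            self.ledger.append(("hot_to_cold", None, excess))


# Constructed event stream; addresses and BTC amounts are illustrative only.
EVENTS = [
    ("deposit", "addr_u1", 30.0),
    ("deposit", "addr_u2", 45.0),
    ("withdraw", "addr_u3", 10.0),
    ("withdraw", "addr_u4", 45.0),
    ("deposit", "addr_u5", 20.0),
]


def run_simulation(events=EVENTS):
    """Replay the events and return hot wallet exposure statistics."""
    t = Treasury(hot=50.0, cold=950.0, hot_floor=20.0, hot_ceiling=100.0, topup_size=60.0)
    peak_hot = t.hot
    for kind, address, amount in events:
        if kind == "deposit":
            t.deposit(address, amount)
        else:
            t.withdraw(address, amount)
        peak_hot = max(peak_hot, t.hot)   # balance left online after each event
    cold_moves = [a for k, _, a in t.ledger if k in ("cold_to_hot", "hot_to_cold")]
    return {
        "hot": t.hot,
        "cold": t.cold,
        "peak_hot": peak_hot,
        "user_transfers": sum(1 for k, _, _ in t.ledger if k in ("deposit", "withdraw")),
        "cold_transfers": len(cold_moves),
        "smallest_cold_transfer": min(cold_moves) if cold_moves else 0.0,
    }
```

With these constructed parameters the five user transfers trigger only two cold wallet movements, each at least 60 BTC, and the online balance never exceeds the 100 BTC ceiling after any event.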

‣ Figure 4-14 Fund Storage Distribution of Exchanges Source TokenInsight

According to the storage mechanisms of the TOP40 exchanges, 28% of the exchanges do not use cold wallets to store funds. Among the exchanges using cold wallet storage, the Japanese exchanges Liquid and BitBay store all their funds in cold wallets, while the American exchange Coinbase stores more than 90% of its funds in cold wallets. All the exchanges are detailed in the table below.

With Cold Wallet Storage 73%

Without Cold Wallet Storage 28%


‣ Figure 4-15 Exchange Fund Storage

Exchange | Fund storage

BCEX | N/A

Bgogo | N/A

Bibox | Hot and cold wallet system

Binance | Hot and cold wallet system

Bitbank | Hot and cold wallet system

Bitbay | Hot and cold wallet system

Bitfinex | Hot and cold wallet system

BitFlyer | Hot and cold wallet system

Bithumb | Hot and cold wallet system

BitMart | Hot and cold wallet system

BitMax | Hot and cold wallet system

Bitstamp | Hot and cold wallet system

Bittrex | Hot and cold wallet system

Bit-Z | Hot and cold wallet system

Coinbase Pro | Hot and cold wallet system

CoinBene | N/A

Coineal | Hot and cold wallet system

CoinEgg | N/A

CoinMex | Hot and cold wallet system

Coinone | Hot and cold wallet system

Coinsbank | Hot and cold wallet system

Coinsuper | Hot and cold wallet system

CoinTiger | N/A

DigiFinex | N/A

DragonEX | N/A

Exmo | Hot and cold wallet system

FCoin | N/A

Gate.io | Hot and cold wallet system

Gemini | Hot and cold wallet system

HitBTC | Hot and cold wallet system

Huobi Global | Hot and cold wallet system

Kraken | Cold wallet system (with semi-cold wallet)

KuCoin | Hot and cold wallet system

LBank | N/A

Liquid | Hot and cold wallet system

OKEx | Hot and cold wallet system

Poloniex | Hot and cold wallet system

Upbit | Hot and cold wallet system

YoBit | N/A

ZB | N/A

Source: TokenInsight, public information. Note: N/A means no relevant information found.


4.4 Summary

4.4.1 Rating Results

The above three aspects and seven sub-dimensions are comprehensively analyzed and evaluated, and TokenInsight gives each exchange a comprehensive rating in the security dimension. The ratings only reflect the performance of the exchanges in the seven sub-dimensions mentioned above and are insufficient to fully reflect the exchanges' resistance to internal and external attacks. The rating results should not be the sole reference for investors choosing exchanges.

‣ Figure 4-16 Exchange Security Ratings

Exchange Rating

Huobi Global A

Coinsuper A

Binance A

Gemini A

BitFlyer BBB

Upbit BBB

Coinbase Pro BBB

Coinone BBB

Kraken BBB

KuCoin BBB

FCoin BB

LBank BB

Bibox BB

Bitbay BB

Bithumb BB

Bitmart BB

Bitstamp BB

CoinMex BB

Source TokenInsight


‣ Figure 4-16 Exchange Security Ratings (continued)

Exchange Rating

Coinsbank BB

CoinTiger BB

Exmo B

Gate B

HitBTC B

Liquid B

OKEx B

Poloniex B

BCEX B

Bgogo B

Bitbank B

Bitfinex B

BitMax B

Bittrex B

Bit-z B

DragonEX B

Yobit CCC

ZB CCC

CoinBene CCC

Coineal CCC

CoinEgg CCC

DigiFinex CCC

Source TokenInsight


The report is based on public sources considered to be reliable, but TokenInsight Inc. does not guarantee the accuracy or completeness of any information contained herein. The report has been prepared for informative purposes only and does not constitute an offer or a recommendation to purchase, hold, or sell any cryptocurrencies (tokens) or to engage in any investment activities. Any opinions or expressions herein reflect a judgment made as of the date of publication, and TokenInsight Inc. reserves the right to withdraw or amend its acknowledgment at any time in its sole discretion. TokenInsight Inc. will periodically or irregularly track the subjects of the reports to determine whether to adjust the acknowledgement and will publish any changes in a timely manner.

TokenInsight Inc. takes due diligence to ensure the report provides a true and fair view without potential influence from any third parties. There is no association between TokenInsight Inc. and the subjects referred to in the report which would harm the objectivity, independence, and impartiality of the report. Trading and investing in cryptocurrencies (tokens) may involve significant risks, including price volatility and illiquidity. Investors should be fully aware of the potential risks and should not construe the content of the report as the only information for investment activities. Neither the products nor TokenInsight Inc., nor any of its authors or employees, shall be liable to any party for direct or indirect losses alleged to have been suffered on account thereof. All rights reserved to TokenInsight Inc.

Symbols and Definition of Risk Ratings

AAA The chain has a very stable system and is almost impossible to be affected by external risk factors, operating under extremely low risk.

AA The chain has a relatively stable system and is affected to a much lesser extent by external risk factors, operating under relatively low risk.

A The chain has a stable system and is affected to a small extent by external risk factors, operating under low risk.

BBB The chain is very good at risk management and has rare accidents, with the user ecosystem operating in a very good condition.

BB The chain is relatively good at risk management and has fewer accidents, with the user ecosystem operating in a relatively good condition.

B The chain is good at risk management but has a certain possibility of accidents, with the user ecosystem operating in a mediocre condition.

CCC The chain is less good at risk control and has a possibility of accidents, with user activity and experience being mediocre.

CC The chain is mediocre at risk control and has a large possibility of accidents, with user activity and experience being bad.

C The chain is bad at risk control and has a very large possibility of accidents, with user activity and experience being awful.

D No security at all.


To Obtain the Latest Data and Rating Reports in Blockchain Industry

Website www.tokeninsight.com

Cooperation [email protected]

Other Contacts

WeChat Official Account Tokenin

Official Twitter TokenInsight

Official Weibo TokenInsight

Official Telegram https://t.me/TokenInsightOfficial

TokenInsight Inc. Global Token Data & Rating Agency
