CEX problem
Although advanced users have always treated centralized crypto exchanges (CEX) with reasonable caution, their speed, convenience and low entry threshold (the user does not need special skills or knowledge of cryptocurrencies) have allowed CEXs to capture the lion’s share of the crypto market. The cold wallets of Binance, the world’s largest exchange, store 2.72% of the total Bitcoin supply, and one of those addresses is the largest in the world by number of coins.
Although centralized exchanges are the crypto world's main source of news about hacks of unprecedented scale and thefts of user funds (often irrecoverable), their share of the industry remains huge. Unfortunately, end users often sacrifice reliability for the sake of convenience. At the same time, with every new story about a hacked or failed exchange, attention to security issues grows, and new methods of protection emerge.
Not stock exchanges
Let’s start with an important, albeit obvious, point. Cryptocurrency exchanges are sometimes compared to stock exchanges. This is fundamentally wrong. Stock exchanges are strictly regulated by the government and are themselves involved in creating industry standards. Cryptocurrency exchanges (even in 2023) are poorly regulated and often do not perform any regulatory functions themselves. An exchange is just a regular business that makes money by helping investors trade. For its services, it earns a commission on each transaction.
This does not mean that there cannot be responsible and relatively safe companies in the market that provide quality services despite not being regulated by the state (or being less regulated than the stock market). You can also be deceived on the stock market. You just have to take the difference into account and remember that cryptocurrency is a high-risk area. Do not expect that, in the event of a collapse, someone else will solve your problems; rely first of all on yourself.
Not your key – not your coins
Surprisingly, the cryptocurrency exchanges that have come to dominate the market largely undermine, by their very existence, the original concept that led to the creation of Bitcoin and of cryptocurrency as a phenomenon. CEXs centralize control in a system designed to decentralize finance and free it from the power of governments, banks and other intermediaries. As a result, many of the properties that make cryptocurrencies reliable simply stop working on centralized exchanges. First of all, this concerns private keys, which are synonymous with “ownership of funds”. In practice it is useful to proceed from the well-known principle “not your key, not your coins.” Since on a centralized exchange the key remains with the exchange, you should assume that the funds are at the complete disposal of the exchange, not you. But what about convenience?
Mandatory Precautions
On the Internet, and even on specialized trading resources, you can find many guides on how to choose the right crypto exchange. It is worth focusing on the general, basic recommendations, which include:
- Do your own research – the user should independently study the exchange's activities: find out about its reputation, read reviews and news, and check the size of its commissions.
- Evaluate the exchange website – visual design, convenience, translation into other languages and the quality of the writing indicate the “seriousness of intentions” of the trading platform. It is also useful to pay attention to the availability of technical support. This sometimes (though not always) helps to weed out dubious projects made in haste.
- Compliance – the presence of AML and KYC checks shows that the project is ready for legislative regulation. However, the very presence of such checks may carry risks of a different nature: third parties (for example, attackers who have hacked an exchange, or government agencies) may gain access to some information. Here we only emphasize that the platform intends to work within the requirements of a specific jurisdiction, and there should be no problems with this. The criterion may be important for individual users, especially today, when there are examples of the state seizing the servers and property of “unscrupulous exchanges.” But again, we emphasize that the criterion is ambiguous.
- Security – the most obvious indicator and the hardest to evaluate from the outside, so it is often described only in the most general terms. We will try to point out some things that make it possible to assess an exchange's level of security.
How to evaluate the security of an exchange
An exchange, as a product that provides services to consumers, is exposed to threats from all sides: the weak points can be transactions, smart contracts, the storage of private keys, the website, the application, and the list goes on. The problem is that not only users, who have no access to information about vulnerabilities, but also the exchange itself may learn about a critical problem only when the attacker has already withdrawn funds. Even exchanges that invest heavily in security cannot guarantee flawlessness. Even giants such as Binance have suffered successful attacks. What, then, should a user looking for a reliable trading platform pay attention to?
Security Certificates
There are several security standards used in the crypto industry, including the CryptoCurrency Security Standard (CCSS), ISO 27001, and the EEA EthTrust security levels specification. These standards define the required level of security. Exchanges that have at least obtained security certificates meet basic industry standards.
“Strength tests”, white hat hackers
Another good way to improve security is penetration testing. This is a cybersecurity practice in which ethical (white hat) hackers attempt to test every part of a product for potential vulnerabilities. For the exchange, this is an important measure; however, from the outside, the effectiveness of such steps, and even whether they take place, is difficult to verify, especially if the test is carried out by the company’s own programmers rather than by third-party auditors.
Another good sign is rewarding ethical hackers for reporting vulnerabilities. Many exchanges are willing to pay hundreds of thousands of dollars for the discovery of critical issues. Some even publish statistics on payments to such hackers.
Security ratings
From time to time, various security ratings of crypto exchanges are published and updated on the Internet; using their own methods, they evaluate security from the position of an external observer. Such ratings are especially useful when they publish their methodology, which is also worth studying.
The New Side of Compliance
Gone are the days when the state showed little interest in stories of cryptocurrency theft. Today, public authorities intervene in such situations, and security agencies investigate cybercrimes along with ordinary thefts. There are already isolated known cases where law enforcement agencies helped to return funds to defrauded exchange users, and the “useful intervention” of states in such stories will, of course, only expand. Therefore, for exchanges that actively cooperate with the state, the chance of returning money to users may increase (if something bad happens). Accordingly, exchanges registered in dubious offshore companies will be less successful in applying for help from “big brother.” On the other hand, we should not forget the risk of personal data leakage in a scenario where the state intervenes more actively in the regulation of crypto platforms. In this case, you must decide for yourself which risks are acceptable to you.
Importance of Audit
Audit is another important aspect that allows you to judge the seriousness of the exchange. There are teams ready to evaluate the product from different angles: from the audit of smart contracts and security, to the classic financial audit of the company. And if the exchange regularly undergoes audits (or, even better, simultaneous audits by several independent auditors), this significantly increases the credibility of the exchange.
Availability of reserves
One of the most important criteria may be whether the exchange has confirmed reserves in case of unforeseen disasters. Bits.media published extensive material about this. The presence of large reserves gives much less reason to doubt the stability of the site.
Conclusion
Both users and exchanges have learned a lot from years of stories of collapses, bankruptcies and hacker attacks. But in any case, the old principle “not your key, not your coins” continues to work in 2023. If the question arises of entrusting your funds to a CEX, it is better to conduct a “personal audit” of each potentially useful trading platform in advance, at least according to the criteria we have described. The criteria related to state regulation of platforms and, in particular, AML/KYC verification remain controversial. Here the end user must independently assess the acceptable risks when choosing a platform that does or does not adhere to such a policy.
This material and the information contained herein do not constitute individual or other investment advice. The opinion of the editors may not coincide with the opinions of the author, analytical portals and experts.
Source: Bits
