Crypto Exchanges: How Secure Are They?
Currencies exist for one purpose: to be exchanged. As such, the manner in which they are exchanged is hugely important. In the world of fiat currency, institutional banks are largely responsible for ensuring safe passage of money from one person’s hand to another’s.
In the world of DeFi however, no such institutions exist of course. Crypto exchange platforms are often considered to be the closest thing to banks in the crypto space, but in many respects they are in fact quite different, and can be susceptible to exploitation in ways traditional exchanges cannot. Let’s take a look at how crypto exchanges work and where their strengths and weaknesses lie.
Centralised Exchanges
Essentially, crypto exchanges function as automated marketplaces. A seller agrees to sell a digital asset, and a buyer agrees to purchase at a mutually agreed price. Crypto can also be converted into stablecoin, or swapped for another cryptocurrency or token. In order for transactions to happen quickly, sufficient liquidity is required to ensure that there is never a stagnation of open orders. This would result in buyers paying more for crypto orders than expected due to the price of the asset changing in the interim between an order being opened and closed. This is known as ‘slippage’. A fee is also typically charged for facilitating a transaction, which varies depending on the sum being exchanged (usually larger amounts result in higher fees).
There are hundreds of crypto exchanges in existence but an important differentiator is whether they are ‘centralised’ or ‘decentralised’. Centralised exchanges are often the most popular (as indicated by their daily volume) and include Binance, Coinbase and FTX. These exchanges are licensed, regulation-compliant bodies which despite not being institutionally-backed or covered by the SIPC (Securities Investor Protection Corporation), are sometimes FDIC-insured (Federal Deposit Insurance Corporation). Binance and Coinbase for instance are both insured by the FDIC up to the value of $250k per individual for their operations in the United States. (Both of these organisations are provided as an example as they only supervise services provided to US citizens or operating in the USA.)
Centralised exchanges are also required to abide by KYC (know your customer) which involves requiring identity-verification to begin trading as well as AML (Anti money-laundering) legislation which differs from jurisdiction to jurisdiction. While all this may sound incredibly appealing as a result of its legitimacy, it should be noted that most centralised exchanges require you to place your tokens in their custody without providing you the private key to your funds. This might not be too irksome to the ‘crypto-curious’ dabbling in small amounts, but a crypto-savvy user would likely prefer permanent custody of their funds.
Decentralised Exchanges
Decentralised exchanges (sometimes referred to as Dex’s), differ from centralised exchanges in that they facilitate peer-to-peer and pooled transactions. Most Dex’s deploy blockchain smart contracts to manage transactions automatically and typically do not require custody of assets to make an exchange. They are also faster to get started with as they are not yet required to carry out KYC/AML checks. Transaction fees for utilising a Dex are usually lower, and more obscure tokens such as memecoins can be traded which would not ordinarily be listed on a centralised exchange. However if a Dex is Ethereum-based, transaction fees are currently extremely high due to the current cost of gas.
Additionally, because they are decentralised, users don’t run the risk of having their funds frozen if regulators decide to terminate a centralised platform — a Dex cannot be terminated in this manner (although regulators have recently pondered holding DEX creators and administrators responsible). The majority of centralised exchanges are regulation-compliant, but it is impossible to ever say definitively that an exchange (which in the case of a centralised exchange typically has custody of your funds) will not be shut-down. This is a particular risk for smaller, lesser-known centralised exchanges which might not be regulation-compliant.
How Secure Are Exchanges?
While decentralised exchanges can generally be considered to have more functionality, they are not without drawbacks. Funds utilised to enact a transaction are handled automatically by smart contracts — leaving Dex-liquidity susceptible to theft via hacking, or malicious manipulation through techniques such as frontrunning (although frontrunning can be used to exploit centralised exchanges as well). Just last week, the newly launched Arkadiko Dex protocol was hacked, costing the platform 10% of its treasury ($1.5M).
Unlike centralised exchanges which can sometimes have a large portion of user funds in ‘cold-storage’ (stored completely offline), the majority of Dex user funds are online and ripe for the taking via exploit. Coinbase claims to have more than 98% of its customer funds offline. DeFi has a habit of making financial ‘middlemen’ redundant but for a US-user at least, the assurance offered by an FDIC-insured transaction-mediator (i.e large centralised exchanges) is not always a bad thing.
That being said, if a centralised exchange is not responsible with their storage of user funds, there are in fact fewer barriers to entry for a hacker to gain access to those funds. Hackers need only gain access to the platform’s centralised treasury to bring the exchange down. In the case of Dex’s however, a specific liquidity pool might have to be targeted and exploited. A helpful analogy might be comparing each of a decentralised individual liquidity pools or swaps to a vessel’s water-tight compartments — in most cases, damage would be localised to the targeted area and the ‘ship’ would not sink.
As hackers innovate with new means of identifying and exploiting protocol weaknesses, it is now more important than ever for DeFi platforms to strengthen security and peer-review their smart-contract integrity. In the digitised age of information, know that if an exploit exists — it will be exploited.
Written by Rob Henderson for Novum Insights.
