Bringing Security to
White-box Penetration Testing
The client developed a cryptocurrency exchange platform with high liquidity and a broad set of features. The exchange supported both spot and leveraged trading, with leverage of up to 200x, which the client positioned against BitMEX. It also offered an encrypted Circuit mode, two-layer and three-layer security, and both hot and cold wallets to serve users' diverse needs.
Tokyo Techies conducted a comprehensive penetration test and code review of the client's system (cloud infrastructure, web, mobile, and blockchain wallet system) in just 14 days and identified the vulnerabilities that could expose the system to cyber attacks.
Cryptocurrency is rapidly growing in value. With that comes greater risk.
Cryptocurrency exchanges have become prime targets for hacks and cyberattacks. In 2021 alone, there were more than four major heists at some of the largest cryptocurrency exchanges in the world. More than $7.6 billion in crypto assets has been stolen since 2011 (CoinDesk, 2020), and with attackers finding new ways to defeat security controls, the situation only seems to be getting worse.
The client, a cryptocurrency exchange, was aware of the risks in the cryptocurrency industry and wanted an external penetration test and an in-depth code review of its newly developed exchange platform. It approached Tokyo Techies only three weeks before the platform's release date, so any vulnerabilities had to be discovered within that window.
As part of a white-box test, the team was given all necessary permissions and access to perform a penetration test against the system within only 14 working days. The focus of the test was to perform multiple investigation activities and attacks to discover and confirm existing vulnerabilities in the system. The team's overall objective was to review the system architecture, evaluate the network, identify subsystems, and exploit flaws while reporting the findings back to the company.
Given the very tight schedule, the team applied the following simplified audit workflow:
With such a short timeline, the team's approach was to rapidly analyze the current system to identify potential risks, prioritize the most critical items, execute penetration tests, report security issues, suggest solutions, and verify hotfixes as soon as possible. During the initial planning phase, our team in Japan collaborated across borders with the client's team in Vietnam.
After the platform's release, Tokyo Techies will continue to assess the system's security level, fully analyze the risks in the system, and propose plans for further improvement. Regular audits will also be performed before any major release.
In the comprehensive audit and code review of the client's cloud architecture, web application, mobile application, and blockchain wallet, Tokyo Techies found over 30 security issues. Around ten of them were critical or major vulnerabilities that needed to be fixed immediately, before the platform's release.
One of the major issues was missing authorization checks on many API functions. The API authenticated the caller but did not verify that the caller was allowed to act on the requested object (commonly called broken object-level authorization, or IDOR), so a user could read and modify another user's data, which poses a serious security risk. Tokyo Techies suggested the relevant fixes and verified that they were implemented properly.
Another issue was outdated software. The platform ran outdated versions of Apache, OpenSSL, jQuery, Bootstrap, Bootstrap-Vue, Laravel, and PHP. Known vulnerabilities in such versions let attackers target them directly to gain unauthorized access, and they also present a compliance risk. This matters especially here because the company promotes the platform as modern and very secure, so outdated components should not have been adopted in the first place.
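As an added illustration (example code, not the client's or Tokyo Techies' code), the following Python model shows the class of bug described above: a handler that authenticates the caller but never checks object ownership, the fixed handler that scopes every lookup to the caller, and a small probe of the kind a tester runs to confirm the hole. The in-memory order table, user IDs and function names are all constructed for this example.

```python
"""Object-level authorization on an exchange-style API.

Added example. `ORDERS`, the user IDs and every function name below are
constructed for illustration and are not the audited platform's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    symbol: str
    qty: float


# Constructed sample table: two users whose orders share one ID space,
# which is the usual precondition for enumerating other people's records.
ORDERS = {
    101: Order(101, owner_id=1, symbol="BTC-USDT", qty=0.5),
    102: Order(102, owner_id=2, symbol="ETH-USDT", qty=4.0),
    103: Order(103, owner_id=1, symbol="BTC-USDT", qty=0.1),
}


class NotFound(Exception):
    """Raised for an order the caller may not see (missing or not theirs)."""


def get_order_vulnerable(session_user_id: int, order_id: int) -> Order:
    """The bug: the caller is authenticated (session_user_id comes from a
    valid session), but nothing ties the order to that caller, so any
    logged-in user can read any order by guessing its ID."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_fixed(session_user_id: int, order_id: int) -> Order:
    """The fix: the lookup is scoped to the caller. A missing order and
    another user's order both raise NotFound, so the endpoint also does
    not reveal which order IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        raise NotFound(order_id)
    return order


def update_order_qty_fixed(session_user_id: int, order_id: int, qty: float) -> Order:
    """Mutating endpoints need the same ownership check as reads; reusing
    the scoped lookup keeps the policy in one place."""
    order = get_order_fixed(session_user_id, order_id)
    return Order(order.order_id, order.owner_id, order.symbol, qty)


def probe_idor(handler, attacker_user_id: int, id_range) -> list:
    """Tester's check: walk a range of IDs with one user's session and
    return every order the handler served that belongs to someone else."""
    leaked = []
    for oid in id_range:
        try:
            order = handler(attacker_user_id, oid)
        except NotFound:
            continue
        if order.owner_id != attacker_user_id:
            leaked.append(oid)
    return leaked


def is_denied(handler, session_user_id: int, order_id: int) -> bool:
    """True if the handler refuses the request with NotFound."""
    try:
        handler(session_user_id, order_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # User 2 enumerates IDs 100..109 against both handlers.
    print("vulnerable leaks:", probe_idor(get_order_vulnerable, 2, range(100, 110)))
    print("fixed leaks:     ", probe_idor(get_order_fixed, 2, range(100, 110)))
```

The probe is the same check a reviewer applies to every endpoint that takes an object identifier: log in as one user, request identifiers that belong to another, and confirm the response is the same as for a nonexistent object.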