March 28th, 2018 at 1:03 pm UTC · 3 min read
Oleksii Matiiasevych, the lead Ethereum architect at Ambisafe and a reputable ethical hacker, discovered that at least eight top-rated cryptocurrency exchanges were susceptible to the manipulation of their Ethereum account balances.
Oleksii discovered a way for hackers to register a new account, fraudulently increase their balance, and then withdraw these funds from the exchange. This could have led to substantial losses before the fraud was even detected.
At the moment, eight exchanges have either fixed the vulnerability or are in the process of resolving it.
It all started when Oleksii and the team at Ambisafe began checking whether existing cryptocurrency exchanges were monitoring their deposits in compliance with Ethereum’s specifications. Simulations showed that several major centralized exchanges shared a bug that allowed users’ ETH account balances to be manipulated and altered.
“At first, I detected one possible way for accounts to be compromised. We notified all the exchanges where this vulnerability was found and, just in case, sent a report to around 200 other exchanges that might have potentially been affected by the same bug. It seemed to us that we had done all we could.
However, later when I was nearly asleep, I suddenly realized that there might be one more way for hackers to take advantage of this technological flaw. I tested it in the morning and guess what – it worked too!” said Oleksii.
Over three days, Oleksii confirmed his suspicions by testing this exploit on the top 10 crypto exchanges. He then moved on to the top 25 and ultimately to the top 50. Oleksii, Giveth, and members of the White Hat Group immediately discovered the vulnerability on five major exchanges and notified those who had been affected.
Oleksii has since spotted the problem on three additional exchanges. As a result, over 200 reports have been sent out about potential Ethereum account balance manipulation and the threat that it poses.
Decentralized exchanges, however, have not been affected, as their user balances are recorded on the blockchain itself. By contrast, centralized exchanges collect user deposits in a number of their own wallets and record every user’s balance in a database. This database is then updated by a deposit-processing system.
“Orderbook.io by Ambisafe is a decentralized exchange and, thus, it is not in danger of the vulnerabilities discovered by Oleksii. We’re proud that the members of our team have improved the current state of affairs within the Blockchain industry. Our hope is that we will have the opportunity to provide more Blockchain companies with auditing and guidance in the future, especially if they are concerned about possible vulnerabilities. We look forward to supplementing the future integrity of the Blockchain ecosystem.”
Andrey Zamovskiy, CEO and Founder of Ambisafe
This is not the first time that Oleksii Matiiasevych has helped to prevent a crisis in the greater crypto marketplace. After he was informed about a breach in a Parity multi-signature wallet in July 2017, Oleksii personally saved $1.5 million that could have otherwise been stolen by fraudsters.
Despite the issues plaguing other wallet providers at the time, the multisig wallets developed by Oleksii’s team at Ambisafe proved to be resistant to the attack, ensuring the safety of their clients’ funds.
Ambisafe is a product company that offers secure multi-sig repositories, full-service token sales, and a variety of custom blockchain solutions for industries such as IoT, supply chain, and beyond.