Millions Of Dollars For Safety: How Gate.io Protects Customer Funds
According to the HedgewithCrypto portal, over the past 10 years hackers have breached 49 crypto exchanges and stolen $2.7 billion. Nevertheless, the platforms are constantly improving their protection, and there are fewer significant thefts. There were nine hacks in 2020, four last year, and only one this year.
Together with Gate.io, we tell you what attack vectors are most often used by hackers, how the platform protects customer funds, and what the largest crypto exchanges are afraid of.
What is the security of the exchange?
The most common cause of exchange hacks is vulnerabilities in the private key storage of hot wallets. According to HedgewithCrypto, hackers have also used:
- trading platform bugs;
- gaps in server protection;
- distribution of malicious programs;
- bribing employees.
To protect customers, sites must close these vulnerabilities and develop scenarios for responding to various threats. Some exchanges use special measures:
- Gate.io has developed a program for on-chain auditing of reserves and is the first of the mainstream crypto exchanges to provide proof of 100% security of user balances;
- BitMEX built into its trading engine a reconciliation of user balances after each transaction and an emergency stop that halts operations if the account of at least one trader does not match the history of their transactions;
- Coinbase launched Coinbase Tracer, its own service for checking that transactions are clean;
- Kraken installed video surveillance systems in the server rooms and put armed guards on them.
Comprehensive site protection is expensive: Gate.io spends millions of dollars annually. The exact amount is under wraps.
Hot and cold wallet protection
Exchanges use two types of wallets: hot wallets for daily transactions, accepting deposits and withdrawals, and cold wallets for securely storing assets.
Hot wallet keys are usually stored on a computer with an internet connection so that the platform can sign transactions quickly. This is dangerous: hackers can gain access to the machine, steal the private key, or redirect transactions to their own addresses.
Gate.io uses multi-signature to manage hot and cold wallets, which means the theft of one key will not lead to a loss of control over assets.
In addition, Gate.io keeps keys and backups in hardware security modules (HSMs), the business-grade analogues of Trezor and Ledger. All cold wallets are offline.
Site and server security
In 2020, hackers gained access to the servers of the Livecoin exchange, raised Bitcoin and Ethereum quotes to $220,000 and $65,000, respectively, and then stole more than $2 million. Since 2014, eight exchanges have suffered from such hacks.
To counter such attacks, Gate.io uses:
- HTTPS protocol for secure data transfer between users and servers;
- its own anti-DDoS protection and the Cloudflare firewall to protect against traffic that can slow down or paralyze the platform;
- Web Application Firewall (WAF) to combat network attacks – SQL injections, access token spoofing, malicious code execution in the browser and password brute force attempts;
- secure DNS to prevent hackers from redirecting users to a phishing site.
Gate.io's trading core consists of separate modules. This approach prevents hackers from substituting cryptocurrency quotes, instrument profitability, or any other platform parameters.
The exchange has implemented corporate firewalls and an access control system for corporate resources to ensure internal security. If one working computer is infected, the system will detect the virus during the first attempts to read the data.
If an attacker gains access to a user’s account, they will be able to steal their funds despite the protection measures of wallets and the platform. Therefore, Gate.io requires users to set up two-factor authentication in one of the following ways:
- Code in SMS or email;
- Google Authenticator;
- Login confirmation through a YubiKey hardware security key, the Gate.io Wallet S1 hardware wallet with a fingerprint scanner, or another device that supports the FIDO2 standard.
The user also sets a trading password. The platform requests it before any operation with assets: opening or closing a position, transferring funds or withdrawing cryptocurrency to an external wallet. In addition, the user can set up a whitelist of withdrawal addresses.
Even with the account's login and password, the hacker will not be able to withdraw or otherwise use the funds in the account. At the same time, Gate.io will notify the account owner about the login from the new IP address and record it in the login log.
For unforeseen circumstances, Gate.io has an account inheritance service. The user specifies the contact details of relatives or friends. If the user does not log in to the platform for a long time, the exchange will contact the indicated people and, after verifying their identity, give them access to the account.
In 2022, crypto enthusiasts faced a new problem: exchanges used customer deposits for their own operations. Due to the fall in the rates of bitcoin and Ethereum, the exchanges' positions became unprofitable. Companies suspended withdrawals or even filed for bankruptcy.
Two years prior, Gate.io developed an on-chain Proof-of-Reserves solution for independently auditing reserves. In it, you can look up your actual balance in the exchange's cold wallet by your UID hash.
In July 2022, the audit company Armanino LLP confirmed that Proof-of-Reserves is working correctly and Gate.io keeps 100% of the deposited funds.
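How a user-side balance check by UID hash can work, as an added example that is not Gate.io's code: the page does not describe the data structure, so a generic Merkle sum tree is assumed here, and the UIDs, balances and reserve figures are constructed.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def leaf(uid_hash: str, balance: int):
    """A node is (digest, sum of balances below it); a leaf commits to one user."""
    return (h(b"leaf", uid_hash.encode(), str(balance).encode()), balance)

def parent(left, right):
    # The digest binds both child sums, so the operator cannot alter a subtotal.
    digest = h(b"node", left[0], right[0], str(left[1]).encode(), str(right[1]).encode())
    return (digest, left[1] + right[1])

def build(leaves):
    """Return tree levels, bottom first; odd levels get a zero-balance padding node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append((h(b"pad"), 0))
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Inclusion proof: list of (sibling node, 1 if our node is the right child)."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index % 2))
        index //= 2
    return path

def verify(uid_hash, balance, path, root, reserves):
    """User-side check: my balance is in the tree and liabilities <= reserves."""
    if balance < 0:
        return False
    node = leaf(uid_hash, balance)
    for sibling, is_right in path:
        if sibling[1] < 0:  # a negative subtotal would hide other users' liabilities
            return False
        node = parent(sibling, node) if is_right else parent(node, sibling)
    return node == root and root[1] <= reserves

# Constructed sample data: three users identified only by the hash of their UID.
USERS = [(hashlib.sha256(f"uid:{u}".encode()).hexdigest(), b)
         for u, b in [(1001, 500), (1002, 1200), (1003, 300)]]
LEVELS = build([leaf(u, b) for u, b in USERS])
ROOT = LEVELS[-1][0]  # published by the exchange together with its on-chain reserves
```

The check only proves that the user's own balance is counted in the published total; the comparison against reserves still depends on an auditor or on-chain data confirming what the exchange actually holds.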
Crypto exchanges launch blockchains and tokens but cannot guarantee the security of decentralized applications. For example, in March 2021, hackers took over the DNS of PancakeSwap on BNB Chain and intercepted the private keys of some traders.
To address this vulnerability, Gate.io has added a transaction reversal and backup withdrawal mechanism to GateChain. Users create special vault addresses and set the number of blocks within which they can cancel sent transactions.
In addition, the vault owner can bind a backup address to it for withdrawal of funds in case the private key is lost. To do this, you need to contact Gate.io technical support.
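The revocation window and backup address described above, as an added toy model that is not GateChain's API: the class, its method names and the addresses are hypothetical, and block heights are plain integers.

```python
class Vault:
    """Toy vault address: outgoing transfers stay revocable for `delay` blocks."""

    def __init__(self, balance, delay_blocks, backup=None):
        self.balance = balance
        self.delay = delay_blocks  # window chosen by the owner, in blocks
        self.backup = backup       # recovery address bound to the vault
        self.pending = {}          # tx_id -> (recipient, amount, height at which it is final)
        self.ledger = {}           # recipient -> settled amount
        self._next_id = 0

    def send(self, to, amount, height):
        if not 0 < amount <= self.balance:
            raise ValueError("invalid amount")
        self.balance -= amount     # funds are locked, not yet delivered
        self._next_id += 1
        self.pending[self._next_id] = (to, amount, height + self.delay)
        return self._next_id

    def revoke(self, tx_id, height):
        """Cancel a transfer; succeeds only while the window is still open."""
        entry = self.pending.get(tx_id)
        if entry is None or height >= entry[2]:
            return False           # unknown, already settled, or window closed
        del self.pending[tx_id]
        self.balance += entry[1]
        return True

    def settle(self, height):
        """Deliver every pending transfer whose window has closed."""
        for tx_id, (to, amount, final_at) in list(self.pending.items()):
            if height >= final_at:
                self.ledger[to] = self.ledger.get(to, 0) + amount
                del self.pending[tx_id]

    def withdraw_to_backup(self):
        """Recovery path assumed for a lost key: move the vault balance to the backup."""
        if self.backup is None:
            raise ValueError("no backup address bound")
        self.ledger[self.backup] = self.ledger.get(self.backup, 0) + self.balance
        self.balance = 0

def scenario():
    v = Vault(balance=1000, delay_blocks=10, backup="backup-addr")  # constructed values
    stolen = v.send("unknown-addr", 900, height=100)  # unauthorized transfer
    revoked = v.revoke(stolen, height=105)            # owner reacts within 10 blocks
    legit = v.send("exchange-addr", 100, height=200)
    v.settle(height=210)                              # window closed: transfer is final
    too_late = v.revoke(legit, height=211)
    v.withdraw_to_backup()
    return revoked, too_late, v.balance, v.ledger
```

The window is a trade-off: a longer delay gives the owner more time to notice an unauthorized transfer, but every legitimate transfer waits the same number of blocks.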
After the rebranding, the slogan “Our highest priority is the security of users’ data and assets” appeared on the “About Gate.io” page. And it’s true: the exchange’s security system closes the known vulnerabilities of trading platforms.
But Gate.io does not stop there: the exchange launched a bounty program for white hat hackers and developed the Wallet S1 hardware wallet with a fingerprint scanner.