Hi, my name is Fahagan. I work at Positive Technology Company, in the Banking Security Research Group. Today I'd like to talk about the security of crypto exchanges, research I did between 2090 and 2020.

When I started my career, I found my first vulnerability at Kraken. It was 2013. I found an open redirect vulnerability, which was a duplicate, but Kraken sent me a small tip of half a Bitcoin, and at that time it was $100. In 2013 I was a student. Since then I have found a lot of vulnerabilities at crypto exchanges, like XSS, SQL injection, directory traversal, etc.

If you read the news, you can see that there are a lot of hacks of exchanges. The big hacks were Mt. Gox, Bitfinex, Binance. For example, over 8000 bitcoins were stolen from Mt. Gox.

A few years ago I asked myself a question: how are crypto exchanges hacked? As for me, using an XSS it would be very hard to hack a crypto exchange, and using an open redirect I think it's not possible either. As for me, there are four ways to hack the servers of crypto exchanges. The first point is insiders: developers leave some backdoors in the code and, after some time, use the backdoor to steal money. The second point is a vulnerability in third-party software that exchanges use, for example some outdated CMS, or a vulnerability in, for example, app-h and something like that. But as for me, it is more realistic to hack exchanges by finding a vulnerability in smart contracts or in custom code.

The next question that arises is: which vulnerabilities to search for? Of course you can search for XSS or SQL injection, but those vulnerabilities are often fixed at the application development stage. I started looking for different vulnerabilities at the application logic level, in particular vulnerabilities of the race condition type. For those who don't know, in short, what is a race condition?
A race condition vulnerability is peculiar to applications that support multi-threading and multi-processing. From the Valorance blog I took an example of how a program for transferring money from one user to another works. Ideally, when transferring money, it first checks that the balance of the first user has as much money as needs to be transferred. If so, the money will be debited from the balance of the first user and added to the second user. But what happens if two transfer requests come in parallel at the same time? Both threads will check the if condition at the same time and proceed to step 2, and at the same time debit money from the balance of the first user and add it to the balance of the second user. If the first user had $1000 and we requested a transfer of the maximum amount, then the first user will have minus $1000 and the second user will have $2000.

For the research I took the top 100 exchanges, but it's not from a coin type website. I also took Turbo Intruder and $100 in Litecoin and Dogecoin, since the commission for withdrawing those coins was one of the lowest at that time.

How do I understand where to look? In what functionality? I tried to read what the trend of the exchanges was at that time, what new functionality they added. From the Binance blog I saw that they added margin trading. And here you can see that there is functionality to transfer an amount from one account to another, from margin to spot. Another functionality was internal transfer. This is when money is debited from one user account and added to another user account at the database level and not at the blockchain level.

So let's look at the four logical vulnerabilities that I found. The first vulnerability was in the snapx exchange. The snapx exchange was closed in February of this year, so I can write their name here. When we want to buy bitcoin, we send a request to the exchange and say the price at which we want to buy and the quantity.
After that, if we have the required amount on our balance, the exchange will place an order to buy or sell. So what will happen if you send several parallel requests to the exchange, for example to buy some bitcoin? In my case I sent two requests to buy 100 bitcoins at a price of $1. The exchange placed two buy orders which had a total cost of $200, and I had $0 in my balance. By cancelling one buy order my balance increased by $100. And by cancelling the second order my balance became $200. This way I was able to double my balance using a race condition. I reported this vulnerability to the developers and they fixed it within two weeks. Here is the screenshot of my trading account. My start balance was $10,000 and after a few seconds I increased my balance to $20,000.

The second exchange used the same vulnerability as the Binance associated with internal transfer. But the internal transfer was done with the help of promo codes. By design, one user was able to create a promo code with some amount. After promo code creation, the exchange freezes the amount, and if some other user activates the promo code, the exchange adds the frozen amount to the second user's balance. I tried a race condition from the second user by activating promo code 1, but no luck. But when I created two promo codes and tried the race condition again with only the first promo code, the exchange added the amount from promo code 1 to my account and after that from promo code 2. I'd like to mention that I didn't know promo code 2's value. Here is the screenshot showing that I was able to activate promo code 1 two times.

Let's see another type of vulnerability. When we try to withdraw money from our account, the exchange deducts a commission from the money that we want to withdraw, and the remaining amount is sent to the address that we wrote. I found one crypto exchange that positioned itself as a commission-free exchange.
I thought that if the exchange doesn't take a commission, then I wonder what the minimum amount is that can be withdrawn from the exchange. It turned out that this amount in dollar terms is very small. When I tried to withdraw 1 million Ethereum, the exchange itself paid around $10 for the transaction. I wrote to the crypto exchange that you can send the smallest amount of Ethereum and the exchange will pay a large amount instead of me, and you can empty the exchange's hot wallet by sending a lot of transactions. The exchange replied to me that this is their business and this is not a vulnerability.

When we try to withdraw an amount from the exchange, usually the exchange sends us an email for confirmation, and if we click the accept button or link, the exchange will send our amount to some address. A race condition vulnerability was in a few exchanges, in the accept confirmation link. When I sent the accept confirmation request a few times, I saw that the exchange sent many times the amount which I requested to another address, or when I tried to send the amount to my deposit address, the exchange increased my balance a few times. Here you can see the appropriate draw link which I sent a few times with a race condition, and here you can see that my account was 0.05 Ethereum, and after that the exchange added to my balance 6 times the value which I tried to withdraw to my deposit address, and here you can see my final Ethereum balance.

As a conclusion, 25% of exchanges had a race condition, and at 80% of those 25% of exchanges it was possible to sell amount or manipulate the balance of crypto exchanges. So that's it. Thank you very much.
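
Added example, not part of the talk: the check-then-debit transfer from the race condition explanation, run with two parallel requests that are both held past the balance check, next to a version where the check and the debit are a single atomic step. The `Ledger` class, the account names and the barrier are constructed for illustration; each `Ledger` method stands in for one database statement.

```python
import threading

class Ledger:
    """Toy balance store; each method stands in for ONE atomic DB statement."""
    def __init__(self, balances):
        self._bal, self._lock = dict(balances), threading.Lock()

    def get(self, user):                      # SELECT balance ...
        with self._lock:
            return self._bal[user]

    def add(self, user, delta):               # UPDATE ... SET balance = balance + delta
        with self._lock:
            self._bal[user] += delta

    def debit_if_funded(self, user, amount):  # UPDATE ... WHERE balance >= amount
        with self._lock:
            if self._bal[user] < amount:
                return False
            self._bal[user] -= amount
            return True

def transfer_racy(ledger, src, dst, amount, gate):
    if ledger.get(src) < amount:   # step 1: check the balance
        return False
    gate.wait()                    # constructed: every request has passed step 1
    ledger.add(src, -amount)       # step 2: debit, after the check is already stale
    ledger.add(dst, amount)
    return True

def transfer_atomic(ledger, src, dst, amount, gate):
    gate.wait()                    # same simultaneous arrival as above
    if not ledger.debit_if_funded(src, amount):  # check and debit cannot be split
        return False
    ledger.add(dst, amount)
    return True

def run_parallel(transfer, requests=2):
    """Fire `requests` identical max-amount transfers at once; return final state."""
    ledger = Ledger({"user1": 1000, "user2": 0})  # constructed sample accounts
    gate, results = threading.Barrier(requests), []
    workers = [threading.Thread(
        target=lambda: results.append(transfer(ledger, "user1", "user2", 1000, gate)))
        for _ in range(requests)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return ledger.get("user1"), ledger.get("user2"), sorted(results)

if __name__ == "__main__":
    print("racy  :", run_parallel(transfer_racy))
    print("atomic:", run_parallel(transfer_atomic))
```

The racy run ends with the balances from the talk (minus $1000 and $2000); the atomic run lets exactly one of the two requests succeed.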