Decentralized Exchange Waves Scored a $6 Million Debut. Then It Got Hacked
When a decentralized cryptocurrency exchange supports fiat tokens and courts banks, yet makes customer identification optional, all bets are off.
According to data provided to CoinDesk by the blockchain project Waves, the company’s new decentralized exchange (DEX) was facilitating $6 million of crypto transactions a day in beta testing last month. That’s six times the daily volume that a rival DEX, AirSwap, boasted at its debut in April.
Waves, which is incorporated in Switzerland but headquartered in Russia, also told CoinDesk its DEX had 90,000 traders using 330,000 wallets ahead of its full launch this week – dwarfing the comparable figures for other DEXs.
There are a few reasons for this impressive performance coming out of the gate. One is speed, courtesy of the platform’s centralized matchmaking service – highlighting the contradictions inherent in so-called DEXs, which have a way to go before they live up to their name.
Another factor is that almost any trader can issue a token on Waves’ unique blockchain, even one that represents an IOU in fiat currency, and instantly trade it for bitcoin on the exchange.
Not least of all among its attractions for traders, standard know-your-customer ID checks are optional in this marketplace except in certain circumstances.
But the rollout hasn’t been all rainbows.
On Tuesday, when Waves officially ended the beta period and launched the full DEX, hackers hijacked both the exchange website and the company’s main site to phish for users’ personal wallet information. It took hours for Waves to regain control of the domains.
“Someone just faked my passport and gave it to support [staff] at the domain company and they changed the password at his request. Then the attacker was able to change the main website,” Waves CEO Sasha Ivanov told CoinDesk.
Undaunted by the incident, or by criticisms of Waves’ security practices, Ivanov told CoinDesk he hopes that banks, too, will start issuing currencies on his DEX.
“We are looking for partnerships with major banks because we hope major banks will want to issue their own fiat tokens.”
How it works
In order to transact on the DEX, users need Waves tokens. The broader project raised $22 million by selling these native tokens in 2016. The tokens are also used to run smart contracts and incentivize node operators on the Waves blockchain, a model similar to ethereum.
The network has garnered more than 200 unique nodes, including two run by the Canadian mobile gaming company RewardMob, which sees the DEX as a key attraction.
“Now we don’t have to worry about currency control from different countries and players wanting to cash out in different currencies. It allows players to trade their tokens between other players…The decentralized exchange was a huge, key component in our decision to go with Waves,” RewardMob CEO Todd Koch told CoinDesk.
His company launched its own Waves-based token and is preparing for an ICO. It operates tokenized rewards for multiple video games, such as a beer pong app, and maintains back-end wallets for more than 100,000 users.
“We want to integrate the DEX right into our app so that [when] a player earns our currency, they could easily exchange it for Waves or bitcoin or any other cryptocurrency,” Koch said.
Since the Waves DEX matchmaking software is open source, numerous nodes could run their own matchmakers and almost act like cryptocurrency miners earning fees (in Waves tokens) for processing trades.
But most of the trades are going through Waves’ own central matchmaker.
Dean Eigenmann, co-founder of blockchain governance startup Harbour and of the DEX project Dexy, found this approach dubious, saying it defeats the purpose of a DEX if service can be denied by a central authority.
Ivanov acknowledged that the current state of affairs is out of step with the decentralized ethos and will have to change. He said:
“A centralized matcher can just say ‘I don’t accept the trade,’ for now, so it’s important for us to make it more trustless.”
The Waves DEX generally requires identity checks in two instances: when users opt for fiat cash out, through the Czech Republic-based payment processor Coinomat, a separate company Ivanov launched in 2013; or when they issue a token on the Waves platform and then list it publicly on the DEX.
Private token issuance traded through private listing options, according to Ivanov, does not require identity checks for compliance. And neither does trading of bitcoin for other tokens.
“For now, you can do crypto-to-crypto trading without any type of KYC,” Ivanov told CoinDesk.
But Drew Hinkes, chief legal counsel and co-founder of the crypto advisory firm Athena Blockchain, told CoinDesk that exception probably doesn’t apply to users in the U.S.
“We know from the 2013 guidance issued by FinCEN [Financial Crimes Enforcement Network] that a lot of people in the crypto ecosystem need to have a BSA, the Bank Secrecy Act, and AML, which is anti-money laundering, compliance programs,” Hinkes said. “Those programs are required to include customer identification programs.”
According to this guidance, if an exchanger accepts or transmits a virtual currency, or if the exchanger buys or sells virtual currency for any reason, they are a money transmitter under FinCEN’s jurisdiction, and thus required to check ID.
“The guidance says that, when defining a money transmitter, they don’t care whether you use real currencies or convertible virtual currencies,” said Hinkes, who is also an adjunct professor at New York University’s School of Law and Stern School of Business.
Meanwhile, Waves node operator RewardMob requires users to hand over personal information such as their full names and addresses, according to Koch, who cited requirements of Canadian sweepstakes law.
This week’s phishing attack not only put a damper on the DEX launch, it also prompted criticism of Waves’ practice of having users enter their recovery seeds – strings of words that act like passwords for crypto wallets – into a website to use its software wallet.
Drawing a different lesson from the hack, Ivanov said, “We and the whole industry need to work on decentralized domain name systems.”
The incident was not the company’s first brush with security flaws, though.
In 2017, an audit by the cybersecurity firm Kudelski Security pointed out that Waves’ unique blockchain was susceptible to several types of attack and that users’ wallet passwords were stored in a cleartext database that was “readable to anyone accessing the file system.”
When asked about this, Ivanov said:
“Most of the recommendations were carried out. As for the passwords, all the critical moments have been fixed. They are still stored in a clear config file.”
Eigenmann said he was unimpressed with Waves’ infrastructure or ICO.
“It’s just embarrassing the level of software development skills which goes into some of these projects,” he told CoinDesk. “I don’t see any real value in tokens for exchanges.”
Regardless of the controversy, Waves’ volume is staggering for a new exchange with self-custody options.
According to Waves’ internal data, on June 23rd alone DEX traders swapped Waves tokens for $1.59 million worth of bitcoin and $251,697 worth of monero, just to name a few.
Ivanov said he was grateful to the community for supporting their ICO and is eager to deliver real value to global businesses.
“Our blockchain is quite fast,” he said, claiming Waves can process 500 transactions per second. “We have a very active Brazilian and Turkish community, you can even trade a token Lira on our exchange.”
Written by CoinDesk.com
Binance Prepares to Enter the South Korean Market
Binance Eyes South Korean Market
Binance, the world’s largest cryptocurrency exchange by trading volume, is eyeing the South Korean market for expansion, Business Korea reported Tuesday.
Quoting CEO Changpeng Zhao during his keynote speech at the Blockchain Partners Summit in Seoul on July 21 and 22, the publication elaborated:
He stressed the importance of the South Korean market, saying that his company would enrich its community in the market.
The company has “hired Koreans as a local marketing director and a Binance Lab director, which is a social impact fund,” the publication added.
Binance added the Korean language to its website in August last year. “Now, our customers from Korea can use our website in their native language,” the company wrote at the time.
The timing proved fortuitous as the following month the Chinese government shut down exchanges in China, forcing local traders to move to exchanges elsewhere including South Korea. Binance also moved its operations out of China at that time.
Competing with Korean Crypto Exchanges
According to reports, South Korea has about 100 crypto exchanges, 31 of which are members of the Korean Blockchain Industry Association. However, only four exchanges hold the majority of the market share of crypto trading in the country.
Bithumb and the Kakao-backed Upbit are the largest crypto exchanges in the country, although Upbit is an affiliate of the U.S. exchange Bittrex.
At the time of this writing, Coinmarketcap shows Upbit has a 24-hour trading volume of $780,019,012 while Bithumb has $601,046,530.
The other two large Korean exchanges are Coinone and Korbit. Chinese crypto exchanges such as Huobi and Okcoin have also tried to open in South Korea.
“The number of South Korean Binance users is not that large yet. Still, it is one of the most favorite foreign cryptocurrency exchanges for South Korean traders,” Business Korea detailed. The Investor earlier this year wrote, “contrary to widespread speculation that Korean users account for a significant part of the Binance user-base, Zhao told reporters that they make up only about 1 percent and are the 10th largest group in terms of nationality.”
In an interview with Soso Lab this month, Zhao said the main reason Binance had gained popularity in South Korea was due to Korean exchanges listing only a limited number of coins. “If you want to trade newer coins then Binance is a good choice. We got lucky in that sense,” Zhao revealed. According to Coinmarketcap, Binance currently lists 376 coins while Upbit has 268 and Bithumb has 37. Zhao told the media outlet:
We do have a lot of users, what we call Binancians, in Korea…I think Korea is a hot market.
Korean Regulation Undergoing Changes
South Korea introduced crypto regulation at the end of last year. In January, the government implemented the real-name system for cryptocurrency trading.
Bithumb, Upbit, Coinone, and Korbit have access to real-name accounts, but the rest of the exchanges currently do not. This creates problems for regulators, who believe that without real-name accounts exchanges have to keep using corporate accounts to trade cryptocurrencies, and those accounts are prone to money laundering.
Recently, the country’s top financial regulator, the Financial Services Commission (FSC), announced its plan to undergo a major restructuring including setting up a dedicated bureau for crypto policies. The government has also indicated that it will ease crypto regulation.
With the changing crypto regulatory environment in South Korea, the Investor reported Zhao saying earlier this year that Binance had postponed its plan to launch in Korea “until Seoul fine-tunes the regulatory framework.”
Reflections on a Swatting: Inside One Bitcoin Engineer’s Security Battle
October 16th, 2017 started off like any other Monday. I awoke at 6 a.m. and drove to the YMCA to play racquetball, ready to start the week with a win.
When I finished playing, I tweeted out a cute quip:
I then hit the steam room and the shower to relax and freshen up. Upon returning to my neighborhood, I encountered an unusual problem: a police cruiser with its lights flashing was blocking the entrance. I came to a stop and rolled down my window:
“Hi Officer, is there a problem? I’m just trying to get to my house.”
“Sorry, we have to secure the area due to an ongoing incident.”
“Is it an active shooter?”
“Unclear, but we have information that he has long guns on the premises.”
“Well shit, what should I tell my family to do? They’re at the house.”
“Call them and tell them to get in the car and exit the community.”
I pulled off the main road and found a place to park so that I could call the house.
“Hey, don’t panic but the police are locking down the neighborhood due to an incident. You should get in the car and leave.”
“OK, I’ll be right out.”
I waited a few minutes and then received a call back.
“The police stopped me as I was leaving and asked me if I was OK. Apparently they were called to our house! They want you to come speak with them at the mobile command unit around the corner.”
I drove back to the entrance and told the patrol officer that his captain wanted to speak with me, so he waved me through. Upon entering the mobile command unit, the first thing I was asked was:
“Sir, do you have any enemies?”
To which I replied:
Then came the media
It wasn’t long before the news stations showed up; apparently, they didn’t even know what “swatting” meant.
The news stations managed to get a copy of the phone call that was made by the attacker; you can listen to it here. The attacker claimed that they shot and killed someone and were holding others hostage after rigging the front door with explosives.
Once the news crews left and everything calmed down, I figured I should let the attacker know that they failed to achieve their goal.
Within a few hours of making my tweet, I received a threatening voicemail from a number with a New York area code; you can listen to the voicemail here. Note a common theme between the 911 call and the voicemail — both times he demands $50,000 (or the equivalent in BTC.)
“Next time I do anything to you, it won’t involve the police.”
Within 48 hours the Durham Police Department told me that they had traced the call to a throwaway server in Texas but hit a dead end and were turning the case over to the FBI. I never heard from the FBI. I lost any confidence in the ability of law enforcement to protect me a long time ago, so this was disappointing but not surprising.
What did I do in response? I installed 360-degree 4K resolution surveillance around my property, double-checked the rest of my physical security setup, took a few firearms out of the safe, and I waited.
Fortunately, my intuition that the attacker didn’t have the guts to put his own life in danger by physically attacking me proved to be right. There were no further (physical) incidents.
Shit just got real
Swatting is not a game; it can be fatal. Case in point:
I have little hope that the perpetrator will be found, but I feel compelled to offer an additional incentive.
I want to make it extremely clear that I will not tolerate threats against myself or anyone I care about. I will defend myself and my loved ones until my dying breath with every resource at my disposal.
The following message is signed with this PGP key.
There was a lot of speculation that this was related to the bitcoin scaling debate, but the attacker never said what his motivations were. After the fact, he left me this voicemail demanding a ransom payment… but didn’t even give me an address to which I should send the BTC!
After speaking with other folks who have been harassed, I fully expected other annoyances such as:
- Using stolen credit cards to purchase things and ship them to my house.
- Purchasing drugs / illegal things on darknet sites and shipping them to my house.
- Tampering with the accounts for my utilities to get them turned off.
- Forging a deed in an attempt to claim ownership of my home.
On November 9, I got email bombed by a bot that was signing me up for a ton of email marketing lists.
Since the emails were “legitimate” marketing rather than mass emails from a few sources, I decided pretty quickly that the best option was to just turn off my email for the day and make most of the signups bounce, preventing my email address from getting added to the marketers’ lists. Having 8 years of experience writing email marketing software has its perks.
Twelve hours later statoshi.info was DoS attacked and my host blackholed the IP address to save their own infrastructure. No big deal.
A few thoughts on OPSEC
I’ve kept this detail a secret for the past year, but I wasn’t home when the attacker sent the SWAT team to my house. I truly hope that the perpetrator reads this article and gets to realize how miserably they failed.
I highly suspect that the reason the attacker chose to strike when he did was the tweet you see at the beginning of this article. I generally vary my social media posts and delay tweeting anything that may tie me to a specific location.
So, when the attacker saw that I “just woke up” he incorrectly assumed that I must be at home – he was clearly not sophisticated enough to know my routine. I can only imagine how this story may have played out differently if not for this one tiny point.
Had I been home, we may not have made contact with the SWAT team until they were breaking down the door, which would have likely ended badly.
The real problem with swatting
I’ve waited so long to reveal the details of this day because I wanted to take additional steps to improve my operational security. I’ve written down all of the precautions I’ve taken over the past year and intend to publish them soon.
The thing is, I was lucky that the Durham Police Department is more competent and cautious than other departments in the U.S. Had a few variables been different that day, I could easily be dead.
While I certainly blame the attacker for the actions they took, my root cause analysis places the blame squarely upon law enforcement for creating an exploitable vulnerability. The militarization of police combined with non-existent authentication creates a great environment for swatting.
When you think about it, the asymmetry is disturbing – a single anonymous phone call can result in lethal force being deployed in a matter of minutes against an arbitrary target. A single anonymous phone call costs only a few dollars to make and yet can consume tens if not hundreds of thousands of dollars in public resources just to determine whether or not a threat is real.
What’s the solution? While I’m a huge privacy advocate, I don’t think it should be possible for someone to deploy lethal force with no risk to themselves. At the very least, you should have to put your reputation on the line so that you can be held accountable.
My recommendation to law enforcement agencies: Realize that swatters are almost always going to place a call from outside of their target’s locale. As such, they can’t actually call 911 – they have to find a non-emergency number they can call that will escalate them to 911. These escalations should be red flagged as suspicious.
Trace the source of the phone call; if it traces back to a completely different state than the caller’s claimed location, red flag!
If the source phone number of the caller isn’t registered in their name (or anyone’s name) then ask for proof of identification. If the caller refuses to identify themselves (my attacker hung up when asked) then it’s a red flag!
I leave you with an excerpt from “The Crypto Anarchist Manifesto” (emphasis mine):
“Computer technology is on the verge of providing the ability for individuals and groups to communicate and interact with each other in a totally anonymous manner. Two persons may exchange messages, conduct business, and negotiate electronic contracts without ever knowing the True Name, or legal identity, of the other. Interactions over networks will be untraceable, via extensive re-routing of encrypted packets and tamper-proof boxes which implement cryptographic protocols with nearly perfect assurance against any tampering. Reputations will be of central importance, far more important in dealings than even the credit ratings of today. These developments will alter completely the nature of government regulation, the ability to tax and control economic interactions, the ability to keep information secret, and will even alter the nature of trust and reputation.”