Have you thought about launching your own cryptocurrency exchange platform? It is an attractive venture, but the decision comes with several challenges. Here are some tips and a short review of how to start a cryptocurrency exchange. Let’s go through the basic steps today and try to figure out the best strategy for development.
Different resources may give you various definitions and classifications, for example by the type of governance:
Or by the type of currency/workflow:
We, however, will divide exchanges into:
Most of the security challenges are connected with Classic exchanges, so today we will focus mostly on the Classic type.
Most cryptocurrency exchange tokens are not based on their own blockchain but are built on an existing one. To finish development quickly and still have a winning strategy, choose the first base currencies wisely. We recommend having a look at Tether, Ethereum, and Bitcoin.
Why?
Withdrawals are a powerful instrument: you can limit the currencies available for withdrawal, set fees, etc. We provide more technical details on this question, and on how to start a cryptocurrency exchange overall, in our own blog. Feel free to visit it.
The most important part of backend development is the mechanism for detecting your transactions. This is the part where you embed the blockchain into your project.
It will “see” new transactions, distribute cash between accounts and execute withdrawals.
It’s time to wrap up the exchange. Finish the backend, create the Depth of Market, draft a basic user interface and make it a secure and pleasant place for your traders. How do you launch a favorable cryptocurrency exchange? Here are security tips from the Inn4Science team:
Multi-accounts and crypto-scamming users are a common problem for any exchange.
Solution: use device and IP validation. If the device and IP match across several accounts, block the fraudulent user. Use a monitoring system as well.
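The device and IP match described above can be run as a detection job over login records. This is an added example, not code from the original article; the field names and sample events are constructed, and it goes one step further than the text by merging accounts that are linked through a chain of shared device/IP pairs.

```python
from collections import defaultdict


def multi_account_clusters(login_events, min_accounts=2):
    """Group accounts linked by an identical (device_id, ip) pair, transitively."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving keeps lookups short
            a = parent[a]
        return a

    first_seen = {}                          # (device_id, ip) -> first account seen
    for ev in login_events:
        acct, pair = ev["account"], (ev["device_id"], ev["ip"])
        find(acct)                           # register the account
        if pair in first_seen:
            parent[find(acct)] = find(first_seen[pair])
        else:
            first_seen[pair] = acct

    clusters = defaultdict(set)
    for acct in parent:
        clusters[find(acct)].add(acct)
    return sorted(sorted(c) for c in clusters.values() if len(c) >= min_accounts)


# Constructed login records (documentation IP ranges, hypothetical device IDs).
EVENTS = [
    {"account": "alice", "device_id": "dev-1", "ip": "203.0.113.10"},
    {"account": "bob",   "device_id": "dev-1", "ip": "203.0.113.10"},
    {"account": "bob",   "device_id": "dev-2", "ip": "198.51.100.7"},
    {"account": "carol", "device_id": "dev-2", "ip": "198.51.100.7"},
    # Same IP as alice but a different device: both must match, so no link.
    {"account": "dave",  "device_id": "dev-3", "ip": "203.0.113.10"},
]

if __name__ == "__main__":
    print(multi_account_clusters(EVENTS))
```

Each returned cluster is a candidate for review or blocking by the monitoring system.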
Summary: if you use your own account management system, it is very important to have a tool for disconnecting users on the fly. With token authorization, you need to implement a session storage system that holds the access tokens.
The system must be able to revoke a user’s authorization token even while the user is active. That way, suspicious activity can be stopped either manually by an administrator or automatically by the monitoring system.
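A session store with on-the-fly revocation, as an added example that is not part of the original article. It is an in-memory sketch; the class name, TTL and the choice to keep only SHA-256 digests of tokens are assumptions, and a production system would back it with a shared store.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side record of issued access tokens; only digests are kept."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}   # token digest -> (user_id, expires_at)
        self._by_user = {}    # user_id -> set of token digests

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        d = self._digest(token)
        self._sessions[d] = (user_id, now + self.ttl)
        self._by_user.setdefault(user_id, set()).add(d)
        return token          # the raw token is returned once and never stored

    def validate(self, token, now=None):
        """Called on every request: user_id for a live token, else None."""
        now = time.time() if now is None else now
        d = self._digest(token)
        entry = self._sessions.get(d)
        if entry is None:
            return None       # unknown or already revoked
        user_id, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(d, None)
            self._by_user.get(user_id, set()).discard(d)
            return None
        return user_id

    def revoke_user(self, user_id):
        """Disconnect a user immediately by dropping every session they hold."""
        digests = self._by_user.pop(user_id, set())
        for d in digests:
            self._sessions.pop(d, None)
        return len(digests)
```

Because every request goes through `validate`, a call to `revoke_user` by an administrator or by the monitoring system takes effect on the user's very next request.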
A very popular way to tarnish an exchange’s reputation is to interfere with the workflow of the site, for example by substituting payment addresses.
Solution: classical monitoring of the website. Block any unauthorized changes to the code that is delivered to the live server, and constantly monitor for changes. Also put hidden notifications on changes to critical parameters (for example, addresses of cold wallets and the administrator’s backup contacts).
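One way to detect changes to critical parameters is to compare the live values against keyed fingerprints of the approved ones. This is an added example, not code from the original article; the parameter names, key and addresses are constructed placeholders.

```python
import hashlib
import hmac
import json


def fingerprint(params, key):
    """HMAC-SHA256 per parameter, so a changed value is reported by name."""
    return {
        name: hmac.new(key, json.dumps(value, sort_keys=True).encode(),
                       hashlib.sha256).hexdigest()
        for name, value in params.items()
    }


def detect_changes(baseline, live_params, key):
    """Return sorted names of parameters added, removed or modified."""
    live = fingerprint(live_params, key)
    changed = [n for n in baseline.keys() | live.keys()
               if not hmac.compare_digest(baseline.get(n, ""), live.get(n, ""))]
    return sorted(changed)


# Constructed sample values; the addresses are placeholders, not real wallets.
# The key is assumed to live with the monitoring system, not on the web server,
# so someone who alters the site cannot recompute matching fingerprints.
MONITOR_KEY = b"constructed-demo-key"
APPROVED = {
    "cold_wallet_btc": "EXAMPLE-BTC-COLD-ADDRESS-0001",
    "cold_wallet_eth": "EXAMPLE-ETH-COLD-ADDRESS-0001",
    "admin_backup_contacts": ["ops-backup@exchange.example"],
}
BASELINE = fingerprint(APPROVED, MONITOR_KEY)


def audit(live_params):
    """Names of critical parameters that differ from the approved baseline."""
    return detect_changes(BASELINE, live_params, MONITOR_KEY)


if __name__ == "__main__":
    tampered = dict(APPROVED, cold_wallet_btc="EXAMPLE-UNAPPROVED-ADDRESS")
    print(audit(tampered))
```

A non-empty result from `audit` is what would trigger the hidden notification.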
Do not forget about a simpler but no less important thing: validation. When building your system, make sure that sensitive and personal user data can never be obtained by substituting request parameters. As an example, you may use ID monitoring: whenever the system gets a request, the monitoring compares the ID of the authorized user with the ID of the user whose data is requested.
It is worth mentioning that if you intend to use the above-mentioned solution, the users’ IDs should not be openly displayed or provided. It is highly recommended to encrypt the IDs. Even simple, non-resource-intensive encryption algorithms will dramatically complicate a brute-force attack for a potential hacker.
Summary: there are 2 variants of security: one is pro-active and the other is passive. Pro-active: when the system detects suspicious activity, it instantly blocks/freezes the user account.
Passive: when the system detects suspicious activity, the user receives a notification via email/SMS/etc.
Use monitoring and a timeout condition to secure any part of the interface where your system makes a call to users’ data, and to prevent brute-force attacks on that data.
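The ID monitoring described above, combined with the pro-active and passive responses, as an added example that is not part of the original article. The class name, thresholds and the in-memory notification list (a stand-in for an email/SMS queue) are assumptions.

```python
import time
from collections import defaultdict, deque


class IdMonitor:
    """Compares the authenticated user's ID with the owner of the requested data."""

    def __init__(self, max_mismatches=3, window_seconds=60, mode="proactive"):
        self.max_mismatches = max_mismatches
        self.window = window_seconds
        self.mode = mode                       # "proactive" freezes, "passive" notifies
        self._mismatches = defaultdict(deque)  # user_id -> times of denied requests
        self.frozen = set()
        self.notifications = []                # stand-in for an email/SMS queue

    def check(self, auth_user_id, requested_user_id, now=None):
        """Return True only if the request may read the data."""
        now = time.time() if now is None else now
        if auth_user_id in self.frozen:
            return False
        if auth_user_id == requested_user_id:
            return True
        # Mismatch: always deny, record it, and forget events outside the window.
        events = self._mismatches[auth_user_id]
        events.append(now)
        while events and now - events[0] > self.window:
            events.popleft()
        if len(events) >= self.max_mismatches:
            if self.mode == "proactive":
                self.frozen.add(auth_user_id)
            else:
                self.notifications.append((auth_user_id, now))
            events.clear()                     # start a fresh count after acting
        return False
```

A single mismatch is denied but not punished; only repeated mismatches inside the time window trigger the freeze or the notification.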
Exchange wallets are, by convention, public information, because your service needs to provide an address where users can top up their accounts. Wallets have a heightened risk of being hacked.
Solution: use cold storage wallets. To avoid losing your clients’ assets, do not store all the funds in hot wallets. As soon as your system sees a new transaction, forward it to a cold storage wallet. Keep in hot wallets only the amount necessary for basic operations.
Summary: the safest setup is one where coins are stored in cold storage wallets and all the transactions within your exchange platform are virtual. For example, you can use the HashiCorp Vault solution to store the passwords of hot and cold wallets. That way, you can automatically conduct transactions between wallets.
Be prepared for fraudsters who will try to sully the exchange wallets and use them for money laundering.
Solution: make AML/KYC procedures mandatory for all new accounts; this way you will know your users and where they received their money. Create a pool of wallets from which to provide addresses to clients, and if you feel that a wallet is being used for laundering, simply stop using it. However, a number of crypto exchanges are currently running with no KYC.
Summary: bogus accounts won’t be able to spam orders, and fraudsters won’t be able to use your hot wallets for money laundering.
Even if you are a Korean, Japanese or any other exchange outside the European Union, the GDPR applies to your exchange if it has customers from the European Union. Under the GDPR, the client has the right to be forgotten. But here you may face a conflict: you have just deleted a user account, and tomorrow the police are at your door asking why you are hiding a crime.
Solution: you have the absolute right to sign a separate agreement with your clients that sets the condition that their AML/KYC data is immutable and non-removable.
Summary: do not ignore GDPR rights unless you want to be fined millions of dollars.
There are several countries where crypto trading is illegal, like China. Therefore, you need to be sure you are not accepting clients from banned countries.
Solution: you may ban clients by their IP. However, if you have a French citizen living in China, that would be a bit confusing. A better option is to make the client responsible for his actions. Have a clear, visible note listing the countries that are prohibited from trading and stating that clients bear full responsibility.
Your database is a tasty piece of cake for hackers and may be one of their primary targets.
Solution: have secure encrypted data storage, and make cold copies of the keys and cold copies of the database. Another good solution is data mirroring: if one of your data storages goes down (server, MySQL, NoSQL, etc.), you will have a live copy of the data and will be able to switch to it promptly. Conveniently, most systems nowadays have an instant automatic switch for data mirroring.
Summary: encrypt any sensitive data available on the exchange with the user key-pair. Remember to avoid storing user keys and passwords on the server. To validate user keys, use hash functions, for example SHA256, RIPEMD128, RIPEMD-160, or any other suitable for your project.
An interactive interface comes with dozens of buttons and other “active” places. Most of them will have a special condition under which they are active and available for interaction. Therefore, do not forget to verify actions twice, on both the front end and the back end. This will counter any invalid actions on the server side.
There are more challenges you will face that are not connected to blockchain, cryptocurrency exchanges or other regulations. Those are:
Do not try to withstand all the challenges alone; the security of the system is something you’d better not let slide. To prevent future challenges, choose a reliable team today!