The Methodology Of Testing Crypto-Exchanges & Crypto-Wallets
Crypto-wallets and crypto-exchanges can suffer from hacker attacks (or from the stupidity of users, developers, as well as problems with the logic of the system). This could be helped by testing to identify vulnerabilities and problems in the logic of the application, but we still have not found a formalized methodology in which it was written on what you need to pay attention during testing. Having tested already a dozen exchanges and wallets, we decided to formalize the order of their testing, who is interested, welcome under the cut.
- When testing exchanges and wallets, we paid attention to their functioning, and we formulated the aspects of their testing below in the form of a small methodology, but everything in order.
First of all, you need to understand what is important for the customer? For the customer, it is important that no money be stolen from the exchange or purse and the preservation of personal data of users. And since, in fact, each exchange or purse, in most cases, is a website or a web application, the customer wants to simulate a hacker attack, i.e. testing of the Black Box (see Table 1), but for completeness of testing choose to conduct more testing Gray Box (see Table 1).
To test the logic of work, you need a test crypto-currency. And since each exchange has its own restrictions on the input/output of funds, the amount of the test cryptocurrency must be at least the minimum allowable for withdrawal and it should be sufficient to conduct at least 5 transactions of purchase-sale and/or input-output.
Table 1. Types of testing, depending on the information provided.
| Type | Description |
| Black Box | Testing is carried out without the involvement of the customers technical team |
| Gray box | Contact with customers technical team, Adding accounts that are tested from the “white list”, the customer provides the means (coins) for testing |
| White Box | A full customer support providing source code for the application provision of logs granting access to various privileges provision of funds (coins) in the amount necessary for testing |
Features of testing crypto-exchanges and crypto-wallets
1.KYC Verification testing is a requirement of most crypto-exchanges and ICO.
This section examines the testing of file downloads (photos or screenshots of documents that confirm the identity of a person).
- Check for the ability to download executable files to the system server
- Checking for the possibility of stealing scanned documents – brute-force the names of files and directories.
- Checking for unauthorized access to the server file system.
2.I/O Testing Tools
- Checking the correctness of rounding of numbers when I input/output funds.
- Checking the address of the purse address at the input/output of funds (the most simple mistake is not checking the purse of the sender and receiver, but very critical).
- Checking the logic of the input-output of funds.
- Verification of the bypass of the confirmation of the execution of the purchase-sale operation (two-factor authentication code, OTP, special password).
- Check for Race condition of vulnerabilities in the withdrawal of funds.
- Checking the possibility of going beyond the limits of I/O funds.
3.Testing of purchase-sale cryptocurrency (to concern only to stock exchanges)
- Checking the correctness of rounding numbers when buying and selling funds.
- Check for spoofing addresses when buying-selling.
- Checking the logic of work when buying and selling funds.
- Verification of the possibility of substitution or modification of a sell order.
- Verification of the bypass of the confirmation of the execution of the purchase-sale operation (two-factor authentication code, OTP, special password).
- Checking the possibility of a Race condition when buying/selling.
- Checking the possibility of changing the address of the purse.
Testing the Web Part
4.Testing the registration process
- Checking the filtering of incoming parameters during registration.
- Verification of user confirmation functionality.
- Check the ability to search through usernames, e-mail addresses, and phone numbers.
- Checking the possibility of circumventing the captcha check during registration.
- Check for vulnerabilities and logic when resetting passwords and changing data.
5.Testing the Authentication Process
- Verification of filtering parameters during authentication.
- Verification of the possibility of selecting a username and password for the dictionary account (protection against brute force).
- Checking the CAPTCHA check circumvention.
- Verify the bypass of two-factor authentication.
- Verification of the possibility of disabling two-factor authentication.
- Check the possibility of data leakage during authentication.
6.Testing of frameworks and technologies used in the development of the exchange
During the testing on the vulnerability, it is necessary to determine the technologies and techniques (frameworks) with which the exchanges were developed. Thus, understanding the technology by which a wallet or a stock exchange was developed, it is possible to find possible exploits or vulnerabilities already discovered in open sources. It is necessary to verify that all third-party libraries, frameworks, and software do not have publicly available vulnerabilities at the time of release or the correct configuration of security systems (for example, CloudFlare).
7.OWASP Testing
The OWASP methodology contains a checklist that addresses all possible security risks for the website. Thus, such a check allows you to identify possible vulnerabilities (well, much depends on the directness of the hands of experience and the skills of the tester).
The most common are:
- Checking the filtering of parameters on the back end, so-often they are checked only on the front-end
- The absence of HTTP request flags, which is not critical, but can lead to password caching or the ability to perform a Clickjacking attack
- Lack of session management: this can lead to the fact that if you steal a cookie or directly access an attacker to a computer or phone, you can perform operations from a valid user
- Vulnerable versions of open services
- Using JSON Web Tokens (JWT), with weak encryption algorithms
8.API testing
- Testing for the vulnerability of the API by writing a program module to interact with the API and checking for possible logical vulnerabilities on the client side and the API.
- Use Swagger to view the structure of the request, this is necessary to understand what to send to the server and thus to check the API for the vulnerability.
9.Testing WebSockets
Soft, which is usually used for testing:
- BurpSuite
- Acunetix
- Zenmap
- Owasp ZAP
- SQLmap
And other tools as needed.
Conclusion:
In this article, we tried to formalize and structure the methodology for testing exchanges, which we applied in more than 10 cases of testing exchanges and wallets. To date, the industry of blockchain technologies, decentralized solutions, and cryptocurrency are at the peak popularity stage. The FAQs and methodologies become obsolete much faster than Moore’s Law, therefore the article does not pretend to be an exclusive manual for testing crypto exchanges, only expresses the experience gained in the course of repeated repetition of this procedure.
