The Big Three: Proof of Funds, Bug Bounty, and Pentest
Three most vital markers of a crypto exchange security are Proof of Funds, Bug Bounty, and Pentest.
A pentest is a proactive cybersecurity measure aimed at identifying internal and external vulnerabilities of a software application by trying to breach existing security controls.
Penetration Test accounts for 2.5 of 10 points in the cryptoexchanges security ranking. Only a 10/10 pentest score receives a Tick in the CERtified Badge. Pentesting is so important for the overall score because it reveals actual security of the exchange against external attacks and offers practical recommendations to limit threats and eliminate vulnerabilities.
Not all pentests are created equal. We are dead serious about ensuring that every aspect of the pentest is valued correctly. We have a separate methodology for assessing pentest and assigning points. Our methodology is based on OWASP Web Security Testing Guide, has customized checks, and accounts for business logic typical assets, functions, and common vulnerabilities of cryptoсurrency exchanges. In addition, the pentest is only valid for 1 year.
Bug bounty program is a way to receive reports on security flaws from hackers and independent security researchers before cybercriminals can exploit those vulnerabilities.
Again, CER live has a separate methodology for evaluating the quality of a project’s bug bounty. We have the following validity requirements:
- published on the exchange website or a trusted bug bounty platform,
- allow intrusive testing
- scope covers entire infrastructure
- include structured in scope/out of scope and clear program rules
- have at least Hall of Fame of bug hunters
- have clear statistics on reports, rewards, SLAs
Bug Bounty also accounts for 2.5 of 10 points in the overall security score. Only cryptoexchanges with a 10/10 bug bounty score receive a Tick in the CERtified Badge.
Proof of Funds
Proof of Funds is so important because it indicates the general validity and liquidity of cryptoexchanges. Users have reasonable expectations that they will be able to access and withdraw their funds from the exchange at any time. However, in the past two months, there have been numerous reports of exchanges suspending their operations, i.e. banning users from trading, swapping, and withdrawing their funds. Any withdrawal limit always erodes customer trust. Therefore, Proof of Funds is the most vital characteristic of an exchange’s trustworthiness from a financial standpoint. In CER’s rating, a crypto exchange gets a tick if the balance on hot and cold wallets is more than $1M in ETH and BTC.
You will never see a CERtified Badge with three Ticks for exchanges with poor scores in these three indicators. Consider Proof of Funds, Bug Bounty, and Pentest as three main pillars of security. They create the foundation of a cryptoexchange’s security.
In addition to the Big Three, CER’s team of independent experts also analyze 13 other indicators in accordance with our transparent methodology to come up with the most fact-based and comparable security rating. We also analyze hundreds of factors to assign scores to a cryptoechange’s server security, user security, compliance with ISO 27001, and availability of Funds insurance.
Top cryptoexchanges by security
More secure Cryptoexchanges
Each year, the number of secure cryptoexchanges is increasing because they are investing more in cybersecurity. Only 22 exchanges performed pentests in 2020. The number doubled in 2021. By now, there are 59 exchanges with pentests. Centralized exchanges have been especially good at protecting users’ assets.
According to the Chainalysis State of the Web Report, centralized exchanges have dramatically transformed their security over the past three years. In fact, Q2 2022 was the first quarter ever when no centralized exchange fell victim to a hack. Yet, we still have a long way to go, especially when it comes to decentralized exchanges.