Centralized Exchange Security – What Your Crypto Exchange May Not Be Telling You
During the last five years, hackers have stolen around $5 billion in cryptocurrencies from centralized exchanges despite the security assurances offered by these exchanges.
Hackers stole some $1.5 billion worth of digital assets in the latest – and largest – hack to date, the 2025 Bybit hack.
Cryptocurrency exchanges, including some of the largest and most frequently utilized in the industry, show systemic weaknesses, and this is only one example. It’s not just the rise of the machines and sophisticated hacking techniques that create vulnerabilities. Human error from phishing attacks plays a large role in centralized exchanges’ security woes. Often the exchanges’ insurance coverage for breaches is inadequate.
This article discusses security vulnerabilities in centralized exchanges, their operational security flaws, and regulatory developments addressing exchange security.
Hot Wallet Exposure and Custodial Design Flaws
Centralized exchanges often rely on “hot” wallets to support user trading, creating a host of security risks. A hot wallet connects to the internet, allowing users to deposit and transact quickly. This design prioritizes the user’s trading experience over the long-term security of those assets, and presents a single point of failure.
Exchanges that rely on hot wallet implementations have vulnerabilities, three of which are explained below:
- Desktop Wallets: These wallets are connected directly to the exchange’s server and therefore can be exposed to malware infections or direct breaches to the server.
- Mobile Wallets: These let you manage your crypto conveniently via smartphone, but phones are often subject to a wide range of compromises, malware, hacking, and plain old theft, creating a risk for anyone using their phone to conduct crypto transactions.
- Web Wallets: A browser or web wallet or web-based solution that is integrated with the exchange presents the most risk simply because it is persistently online.
Perhaps the greatest risk to centralized exchange security comes from their control of users’ private keys. As they say, “not your keys, not your coins”. Exchanges are responsible for their customers’ private keys, as opposed to self-custody, in which users hold their own keys. Centralization introduces a classic single point of failure (SPOF) risk, whereby compromising any one point can compromise the entire system.
Wallet Tracking
The lack of adequate real-time wallet tracking remains a major issue for centralized cryptocurrency exchanges. The majority of exchanges conduct very basic screening of transactions, and some do not offer sophisticated screening at all. Some monitor for, for example, “illicit activity in real-time”; others do not.
Effective monitoring requires automatic screening of transactions, cross-chain forensics, and timely surveillance over the entire ecosystem. Most exchanges, however, rely on manual screening techniques which cannot keep up with the potential attacks. Attackers need only one vulnerability to siphon funds from an exchange wallet, a risk worsened by hot wallet use.

Multi-Signature Wallet Misconfigurations
Multi-signature (“multisig”) wallets promised an end to the security weaknesses associated with traditional exchange architecture, but in practice misconfigurations and other weaknesses can compromise that promise. Multi-signature wallets require multiple signers to execute a transaction, reducing single points of failure. However, misconfigurations can still create exploitable vulnerabilities.
Case Study: WazirX 2024 Multi-sig Bypass
The July 2024 WazirX hack showed attackers could bypass what was believed to be a secure multi-signature setup. WazirX employed a four-out-of-six signature requirement for transfers, requiring three signers from WazirX and one signature from their custody provider, Liminal. It seemed at first glance to be a robust security layer.
Liminal claimed to have additional layers of security, such as an outbound firewall and checks that pre-approved addresses for transfers to Liminal-maintained accounts. Attackers, however, gained three signatures from WazirX by convincing the key holders to approve transactions that the key holders believed to be legitimate. Liminal then signed the transfer. The WazirX signers relied on the transaction details presented by Liminal without verifying the transaction details with their hardware wallets.
The attackers took advantage of the “blind signing” vulnerability, where hardware wallets don’t display all the transaction details, including the tokens and the destination address. The attackers were able to steal about $230 million USD worth of assets.
Whitelisting Failures
“Whitelisting” an address means that a cryptocurrency address must be pre-approved in order to transfer funds to it. In the WazirX case, however, the transfers were still permitted although whitelisting policies were in place. The breach of the Bybit exchange in 2025 followed a similar path, with attackers stealing USD $1.5 billion in funds due to the CEO’s failure to validate the multi-sig destination address.
Some of these events are simply a result of failures in the implementation of multi-signature protocols, such as human susceptibility to social engineering attacks and multi-sig users’ inability to verify transaction details due to hardware device constraints. Just as centralized exchanges adopt multi-signature solutions to reduce theft, poor implementation can continue to leave users’ funds exposed. Without verification or truly distributed controls, whitelisting can provide a false sense of security rather than reasonable protection.
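The independent check that the blind-signing and whitelisting passages above call for, as an added example (not code from WazirX, Liminal, Bybit or any wallet vendor): decode the raw calldata that will actually be signed and compare token, destination and amount with what the interface displayed and with the whitelist. It assumes a plain ERC-20 `transfer(address,uint256)` payload; all addresses, amounts and function names are constructed.

```python
# Added example: independent pre-signing check for an ERC-20 transfer.
# Every address and amount here is a constructed sample value.
TRANSFER_SELECTOR = "a9059cbb"  # selector of ERC-20 transfer(address,uint256)

def encode_transfer(recipient, amount):
    """Build sample calldata (used only to construct the inputs below)."""
    return "0x" + TRANSFER_SELECTOR + recipient[2:].rjust(64, "0") + format(amount, "064x")

def decode_erc20_transfer(calldata_hex):
    """Return (recipient, amount) from raw calldata, or raise ValueError."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or data[:8] != TRANSFER_SELECTOR:
        raise ValueError("payload is not a plain ERC-20 transfer")
    addr_word, amount_word = data[8:72], data[72:]
    if addr_word[:24] != "0" * 24:
        raise ValueError("address word has non-zero padding")
    return "0x" + addr_word[24:], int(amount_word, 16)

def presign_check(tx, displayed, allowlist):
    """List every mismatch between the bytes to be signed and the displayed intent."""
    try:
        recipient, amount = decode_erc20_transfer(tx["data"])
    except ValueError as exc:
        return [f"refuse to sign: {exc}"]
    findings = []
    if tx["to"].lower() != displayed["token"].lower():
        findings.append("token contract differs from display")
    if recipient != displayed["recipient"].lower():
        findings.append("recipient differs from display")
    if amount != displayed["amount"]:
        findings.append("amount differs from display")
    if recipient not in {a.lower() for a in allowlist}:
        findings.append("recipient not on allowlist")
    return findings

TOKEN = "0x" + "11" * 20      # constructed token contract
TREASURY = "0x" + "aa" * 20   # constructed whitelisted destination
UNKNOWN = "0x" + "bb" * 20    # constructed non-whitelisted destination
DISPLAYED = {"token": TOKEN, "recipient": TREASURY, "amount": 5_000}
ALLOWLIST = [TREASURY]

honest = {"to": TOKEN, "data": encode_transfer(TREASURY, 5_000)}
swapped = {"to": TOKEN, "data": encode_transfer(UNKNOWN, 5_000)}
opaque = {"to": TOKEN, "data": "0xdeadbeef"}

for name, tx in [("honest", honest), ("swapped", swapped), ("opaque", opaque)]:
    print(name, presign_check(tx, DISPLAYED, ALLOWLIST) or "OK to sign")
```

A payload the checker cannot decode is treated as a refusal rather than a pass, so an unfamiliar call never gets signed on the strength of the display alone.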
Insider Threats / Misuse of Privileged Access
Human factors are arguably some of the most serious weaknesses that go unchecked. Internal personnel with privileged access can represent a significant threat vector. One notorious example is SIM swap attacks against internal employee accounts. SIM-swap manipulation occurs when the attacker convinces (or bribes) the mobile carrier to transfer a victim’s phone number to another SIM card. This has been particularly effective with respect to exchange personnel. Once the attacker has a victim employee’s phone number, they can intercept private calls and text messages without the institutional protections that are in place to pick up fraud attempts.
SIM swap attacks follow a simple process:
- The attacker harvests personal identifiers of exchange employees through social engineering, online sources, or previous breaches;
- The attacker calls the employee’s mobile carrier, impersonating the employee;
- The attacker redirects the employee’s phone number to the attacker’s SIM card, hijacking any two-factor authentication codes that are sent via SMS;
- The attacker gains access to employee administration accounts and wallets.
A notable case occurred in 2024 when threat actors were able to exploit employee accounts of the FTX exchange via SIM-swapping, transferring millions in stolen cryptocurrency assets.
Deficient implementation of role-based access control (RBAC)
The centralized exchange model exacerbates insider threats as centralized exchanges often lack adequate role-based access control systems (“RBAC”). RBAC is specifically meant to limit access to the system based on clearly defined roles, yet exchanges may allocate more permissions than are necessary to employees. Exchange admins will often have unrestricted access across different systems, effectively defeating the principle of “least privilege”. This design creates situations where an employee who needs 100 privileges to do their job has 30,000 of them. These risks are exacerbated where privilege escalation to administrative roles is not sufficiently segregated.
Each of these scenarios creates a combination of core vulnerabilities:
- privilege escalation to administrative roles, where malicious users gain unauthorized access and can modify system configurations;
- front-running non-public information relating to upcoming listings, exposing the exchange (and perhaps the employee) to legal risks for insider trading;
- intentional exfiltration of wallet keys;
- manipulation of transaction data.
Implementing RBAC would greatly reduce risk immediately by ensuring each user has predefined permissions based on their role.
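A sketch of what that looks like in practice, as an added example rather than any exchange's real policy: deny-by-default role checks plus an audit that reports permissions a user holds but never uses and permission pairs no single person should hold. Role names, permission strings, users and the usage log are all constructed.

```python
# Added example: deny-by-default RBAC with a least-privilege audit.
# Roles, permissions, users and the usage log are constructed sample data.
ROLES = {
    "support_agent": {"ticket:read", "ticket:reply", "user:view_kyc"},
    "wallet_operator": {"withdrawal:propose"},
    "wallet_approver": {"withdrawal:approve"},
    "legacy_admin": {"withdrawal:propose", "withdrawal:approve", "wallet:export_key",
                     "ledger:edit", "listing:view_pipeline", "config:write"},
}
ASSIGNMENTS = {"alice": {"support_agent"}, "bob": {"wallet_operator"},
               "carol": {"legacy_admin"}}

# Separation of duties: pairs that must never sit with one person.
TOXIC_PAIRS = [("withdrawal:propose", "withdrawal:approve"),
               ("wallet:export_key", "ledger:edit")]

USAGE_LOG = [("alice", "ticket:read"), ("alice", "ticket:reply"),
             ("bob", "withdrawal:propose"), ("carol", "config:write")]

def permissions_of(user):
    """Union of the permissions of every role assigned to the user."""
    granted = set()
    for role in ASSIGNMENTS.get(user, ()):
        granted |= ROLES.get(role, set())
    return granted

def is_allowed(user, permission):
    """Deny by default: unknown users, roles or permissions get nothing."""
    return permission in permissions_of(user)

def audit(usage_log):
    """Per user: permissions granted but never exercised, and toxic pairs held."""
    used = {}
    for user, permission in usage_log:
        used.setdefault(user, set()).add(permission)
    report = {}
    for user in ASSIGNMENTS:
        granted = permissions_of(user)
        report[user] = {
            "unused": sorted(granted - used.get(user, set())),
            "toxic": [p for p in TOXIC_PAIRS if p[0] in granted and p[1] in granted],
        }
    return report

for user, finding in audit(USAGE_LOG).items():
    print(user, finding)
```

The unused list is the candidate set for revocation; the toxic pairs correspond to the key-exfiltration and transaction-manipulation risks listed above.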
Proof-Of-Reserves
Proof-Of-Reserves (PoR) audits originated from several catastrophic exchange collapses, such as FTX, as a means of reclaiming some level of trust through transparency. In traditional financial systems, organizations are bound by rules and regulations to standardize reporting and auditing to ensure consistency across the industry. Cryptocurrency exchanges differ in that there is no consistent verification process, which leads to extreme variability in auditing schemes and reporting.
The greatest challenge is that most existing PoR audits only reflect assets but not liabilities. For example, an exchange could show that they own $1 billion in cryptocurrency while hiding $3 billion in liabilities. A second weakness is that PoR reports often only provide a snapshot at a given moment in time rather than ongoing verification. In other words, an exchange could potentially game the system by accumulating inflated reserves immediately before an audit, including by borrowing assets.
Verification process
Even the verification process creates further risks and problems. Exchanges often centralize verification processes, relying on a single third-party auditor to produce their reports. In the words of Vitalik Buterin, PoR is “more of a quick fix than a long-term solution”. Delayed or incomplete reporting by third-party auditors is a major red flag for users.
Regulators typically require the traditional financial sector to undergo regular external reviews for security and legal purposes at least once a year, and ideally whenever relevant, such as when new products are introduced. Cryptocurrency exchanges, however, often do not apply the same rigor, citing technical or operational challenges.
The quality of the independent auditors’ work product is another concern. Exchanges often do not share full audit reports, only the summary of the reports, with stakeholders and board members. This opacity raises some concerns, especially in the crypto space, since users often lack a standard way of understanding auditing credentials or the auditors’ capabilities.
A lack of transparency creates a situation ripe for exploitation. The absence of full disclosure about digital assets products and platforms makes the public susceptible to fraud and scams. Centralized exchanges often have little oversight and no way to verify user funds in the absence of consistent standards for audit frequency, methodology, or disclosure.
Analyzing Exchanges’ Security Posture
A thorough security review uses standardized frameworks and blockchain analytics to identify weaknesses hidden behind platforms that seem secure.
Security audit methodology leveraging OWASP Top 10
Effective security audits are the only real way to protect exchanges. Most exchange security ratings methods leverage the OWASP testing guide, a consensus document on web application security risk.
A few categories of OWASP seem particularly useful when assessing cryptocurrency platforms:
- A02:2021-Cryptographic Failures: Reviewing key management, since poorly implemented or enforced encryption can lead to sensitive data exposure;
- A05:2021-Security Misconfiguration: Reviewing how exchanges are configured, especially whether they use defaults or leave vulnerabilities unpatched;
- A07:2021-Identification and Authentication Failures: Reviewing access control mechanisms that may allow privilege escalation.
All major platform updates must be accompanied by a thorough audit of a large portion of the codebase. If an exchange implements a new feature or makes a change to its infrastructure without an audit, this can create a window for vulnerability exploitation. Analyzing wallet activity using blockchain forensics tools is also an essential component of assessing exchange security.
Forensic tools
Using forensic tools, investigators can trace the flow of funds across blockchains and assets, allowing them to find potentially malicious activities. Several of the more modern and updated forensic platforms can automatically detect potentially suspicious on-chain behavior, such as:
- Peeling chains (the values of sequential transactions decrease);
- Mixer-first funding patterns;
- Using crypto bridges to conduct cross-chain asset movements.
These tools help users visualize transaction pathways through entities, clusters, and addresses. Investigators can identify links to malicious actors. Security analysts can then drill down from high-level insights on illicit entities and clusters into granular addresses or transactional activity and ultimately determine whether or not there was a breach of their security.
At the end of the day, the combination of an OWASP security audit and forensic analysis tools offers a robust framework for auditing exchange security programs from both the infrastructure layer and transactional layer of the exchange.
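How the first pattern in that list can be detected automatically, as an added example (not the logic of any particular forensic product): follow the larger output of each transaction and flag paths where a small amount is split off at every hop while the carried-forward value keeps decreasing. The transaction model, thresholds, addresses and values are constructed assumptions.

```python
# Added example: flag peeling chains in a constructed transaction set.
# Simplifying assumption: each address spends once, to outputs [(address, value)].

def follow_peel(txs, start, max_peel_ratio=0.2, min_hops=3):
    """Follow the larger output hop by hop from `start`.

    Returns [(peeled_address, value), ...] when the path has two outputs per hop,
    a small peel each time and a strictly shrinking remainder; otherwise [].
    """
    peels, current, seen, prev_remainder = [], start, set(), None
    while current in txs and current not in seen:
        seen.add(current)
        outputs = txs[current]
        if len(outputs) != 2:
            break
        (small_addr, small), (big_addr, big) = sorted(outputs, key=lambda o: o[1])
        if small > max_peel_ratio * (small + big):
            break  # split is too even to be a peel
        if prev_remainder is not None and big >= prev_remainder:
            break  # the carried-forward value must keep decreasing
        peels.append((small_addr, small))
        prev_remainder, current = big, big_addr
    return peels if len(peels) >= min_hops else []

def find_peeling_chains(txs, **thresholds):
    """Report each chain once, from its first hop."""
    continuations = {max(outs, key=lambda o: o[1])[0] for outs in txs.values() if outs}
    report = {}
    for sender in txs:
        if sender not in continuations:
            peels = follow_peel(txs, sender, **thresholds)
            if peels:
                report[sender] = peels
    return report

SAMPLE_TXS = {  # constructed addresses and values
    "src": [("out_1", 5), ("hop_1", 95)],
    "hop_1": [("out_2", 4), ("hop_2", 91)],
    "hop_2": [("out_3", 6), ("hop_3", 85)],
    "hop_3": [("out_4", 3), ("hop_4", 82)],
    "payroll": [("emp_a", 50), ("emp_b", 50)],  # even split, not a peel
}

print(find_peeling_chains(SAMPLE_TXS))
```

The peeled addresses in the result are the points an investigator would examine next, since that is where value leaves the chain.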
Shortcomings of the Current Security Models for Exchanges
The cryptocurrency industry is facing difficult issues in developing security standards for centralized exchanges. In short, there is no standardized security framework applicable to all market participants. There is no standard for wallet segregation policies, where exchanges separate custodial assets from their own funds. Segregation ensures assets are traceable in the event of insolvency.
The client-custodian relationship and applicable law often determine what is segregated and how. Many exchanges assert that they are custodians of assets while leaving the actual ownership of the assets unclear. A disconnect often exists between legal relationships and the technical infrastructure storing users’ crypto. This creates uncertainty about ownership and creditor priority.
Exchanges that claim to segregate customer funds often still group customers’ tokens together in an omnibus account, moving and pooling multiple users’ funds into a shared wallet.
These arrangements can introduce an unreasonable amount of risk in the form of:
- Reduced transparency in the accurate tracking of individual user assets;
- Increased opportunity for illicit activity;
- Increased counterparty risk if the custodian declares bankruptcy.
The FTX collapse highlights this issue, as the exchange held assets in omnibus accounts, commingling them with other entities. This led to substantial client fund losses.
Inconsistent thresholds for cold storage of assets
Unlike financial services, custodians in centralized exchanges lack a consistent standard for cold storage. This creates inconsistency. The Cryptocurrency Security Standard (CCSS) was established in 2014 as a guideline for security techniques and methodologies.
The standard supports ISO 27001 and PCI DSS to protect cryptocurrency data. However, it’s inconsistently followed in practice. Many businesses, especially startups, do not follow security best practices. They also lack a minimum standard of security.
Exchanges may unilaterally allocate user funds to cold storage without oversight. Startups are often reluctant to invest in security best practices.
Without formal verification standards and regular penetration testing, centralized exchanges become more vulnerable. This increases the risk of cyber breaches.
Conclusion
The systemic security issues concerning centralized cryptocurrency exchanges pose risks to users that trust these exchanges with their digital assets. Clearly, the marketing of security protocols diverges widely from actual implementations. Hot wallet architectures create single points of failure. Multi-signature solutions often suffer from poor configuration and operational security. Insider threats also remain a constant danger, worsened by poor privileged access control and inadequate authentication.
Most disturbingly, proof of reserves – intended to enhance transparency – is of limited utility in depicting a complete picture of an exchange’s solvency.
For the cryptocurrency industry to mature, it must adopt well-vetted security protocols. Traditional financial institutions have used these for years.
There needs to be consistency over wallet segregation, cold storage limits and oversight of auditing and risk management best practices. Credible independent parties will need to verify the security practices and protocols that exchanges use for the industry to thrive.
Until these changes occur, users should be cautious when using centralized exchanges. Self-custody, sufficient due diligence on exchange security, and spreading assets across platforms are essential parts of risk mitigation.