
Cryptocurrency Exchange Security Testing: Why do You Need It? – Inn4Science blog

The crypto world is constantly developing and steadily changing. Each day new exchanges and platforms appear on the market. When the choice is almost unlimited, trust becomes the most crucial thing. So why is testing that important? The answer is pretty easy: to make sure that attackers cannot reach sensitive data through loopholes, and so to have a secure crypto exchange. Our team often receives requests for testing exchanges, and this trend is growing! That's why we have decided to write this article based on our experience of testing cryptocurrency exchanges.

If you don't want to waste time and money, learn from other people's failures. Take the Italian exchange BitGrail: in February 2018 it was involved in the loss of more than $170 million in Nano (XRB) tokens. That happened due to vulnerabilities in the exchange's security, and the exchange subsequently had to declare bankruptcy. This would not have happened if BitGrail had done thorough testing. Accordingly, the main goal of the testing team is to give a full guarantee to users. If you are planning to open a new crypto exchange or you own a small exchange platform, we recommend that you reconsider your policy and conduct deep testing of your product. You need testing if:

  • you have just created a new crypto exchange platform;
  • you have implemented a major update;
  • you have embedded a new cryptocurrency as a trading pair;
  • you have ordered outsource or outstaff development;
  • you have used questionably cheap developers;
  • you are not sure of your security system overall;
  • you need a third-party guarantee of your services.

[Figure: hacking losses on crypto exchanges]

Types of crypto exchanges

Most exchanges on the crypto market have more or less the same functionality and features. Whatever their type of governance or workflow, cryptocurrency exchanges are united by a single idea: to provide high-quality exchange services for the crypto community.

Let's take a quick look at the kinds of exchange platforms on the market, first by type of governance.

  1. Centralized exchanges. On this type of platform all transactions are maintained and operated by the exchange owners. Accordingly, users do not have access to the private keys of their exchange wallets, and so they put all their trust in the hands of the exchange operators, a central authority.
  2. Decentralized exchanges. The key difference from a centralized exchange is the use of blockchain technology (a distributed ledger). Such exchanges have no access to clients' funds or wallets; they only run the servers that match and route orders.

However, some people may prefer to define trading platforms by the type of workflow:

  1. Fiat-Crypto Exchanges. Mostly used by beginners or by people who want to turn their crypto into cash. Fiat currency is currency issued by a government, so this covers EUR, USD, JPY, etc.
  2. Crypto-Crypto Exchanges. This classification is pretty plain: any exchange that trades one crypto token for another falls under this definition.

And notwithstanding the type of an exchange, they still can be classified as:

  1. Peer-to-Peer (P2P). This type of exchange is not specialised in exchanging cryptocurrencies itself but is created for trading between users. We can also call it a matching board, as it has a simple interface with sell/buy orders.
  2. Manual. This is not a trading exchange in the classic sense. Rather, it is a landing page where a client can leave a request and an operator conducts the exchange manually.
  3. Automated. A competitive trading product usually has a large variety of features (futures trading, margin, leverage, analytics, trust management, etc.).

Today's overview is mostly concerned with automated trading platforms, but you may find useful tips even if you intend to develop another type of exchange, as crypto exchange security has many factors in common across platform types.


Typical features of a cryptocurrency exchange

When creating a product you may draw a tree of actions describing each step your users will take. This also helps greatly when defining the Minimum Viable Scope; feel free to check other useful tips in our MVP development guide.

Where do we start? With Authentication, of course. Here we have Sign up/Sign in functionality. Password recovery is also a must-have, as users regularly forget their credentials. A good option and a common feature of the Authentication block is Session Management.

The next important part of the project is Verification. This feature is crucial for the entire project from the legal side. As a provider of financial services you need to comply with several regulations; the minimum is anti-money laundering, for which you need to conduct the KYC (know your customer) procedure. Therefore you need such parts as a Documents Upload and a Pass Verification module.

Since you need to know your users, Account management, or let's just call this part Account, is another mandatory thing for a cryptocurrency trading platform. Here we have everything related to the user's account, including Registration, Password change, Information Editing and Account deletion.

Now we need to ensure our clients feel safe while working with the exchange, so we create a Security Settings module. Security can vary: you may use Two-Factor Authentication (2FA) or integrate Multi-Factor Authentication. You may also include your Funds Withdrawal Policy here.

Another necessary thing is Wallets. In this module we include Depositing, Withdrawals and Asset Transfers: all the features involved in operating with funds and assets.

You might think at first that Wallets and Trading are the same thing and are developed together. The situation is quite the opposite: the trading module includes features that work with orders, not with transactions themselves. This part combines the functionality of Order placing, Order Cancellation and Analytics (market and order overview, and more).

API. An application programming interface (API) is an interface or communication protocol between different parts of a computer program, intended to simplify the implementation and maintenance of software. Put simply, third-party services may use the API to connect with your software and use the strengths of your system. Moreover, an API is a very customizable tool that can be easily monetized by offering different service packages or access levels. What features do you need here? The Creation of API keys, Editing of the keys and Authenticated interaction.

Basically, these are all key features, but of course, your exchange platform may not be limited to this list. It may include other third-party integrations or unique features.

Most common checkpoints and objectives for testing

So what needs to be checked and what are the most vulnerable places in the crypto exchange system?

User authentication

Here you need to be sure that transmitted data such as a password or user email cannot be captured or abused. This covers resistance to DDoS attacks, data transfer (information must not be transferred in the clear) and the login token (the token must not remain valid after the user logs out).

This part includes the following checks:

  • Registration
  • Login
  • Password recovery
  • Session management
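The login-token behaviour these checks look for (a token must stop working at logout or expiry, and a login must issue a fresh token rather than adopt one the client already held), as an added Python example that is not code from the article or Inn4Science; the class and method names are assumptions:

```python
import secrets
import time

# Added example, not code from the article or Inn4Science: a minimal server-side
# session store showing two properties the authentication checks above look for.
# A token must stop working the moment the user logs out (or the TTL expires),
# and a login must issue a fresh random token instead of binding one the client
# already held (session fixation). Class and method names are hypothetical.

SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock, makes expiry testable
        self._sessions = {}      # token -> (user_id, expires_at)

    def login(self, user_id, presented_token=None):
        """Issue a brand-new token on every successful login. Any token the
        client presented before authenticating is dropped, never upgraded."""
        if presented_token is not None:
            self._sessions.pop(presented_token, None)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = (user_id, self._now() + SESSION_TTL_SECONDS)
        return token

    def user_for(self, token):
        """Return the user bound to the token, or None if the token is unknown,
        expired or already logged out."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() >= expires_at:
            self._sessions.pop(token, None)  # lazy expiry
            return None
        return user_id

    def logout(self, token):
        """Revoke server-side, so a client that keeps the old cookie or local
        storage value gains nothing by replaying it. Returns True if revoked."""
        return self._sessions.pop(token, None) is not None
```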

User authorization

This part of the checks is aimed at ensuring that a user has access only to a specific set of actions/pages and that the data is reliably protected during transmission.

The authorization checks cover, first of all:

  • Upload documents
  • Pass verification
  • Access the main part of the application

Editing of a user profile

These tests are aimed at how securely a user can change their data: email, phone number, password restore or attached KYC documents. At this step it is also important to verify the operation of 2FA or multi-factor security.

  • Login
  • Edit profile
  • Change password
  • Delete profile
  • Safety of private keys and mnemonics.

Session security

At this step, security tests are focused mostly on checking the traffic and how securely the data is transferred to the “outside world”: by email, to third-party services, etc.

Transaction and user wallet

Perhaps one of the most basic checks. This includes checking depositing and withdrawal of crypto assets, and exchange of cryptocurrencies between wallets or inside a user wallet/account. Withdrawal policies are often associated with third-party services, and the most important thing is to be sure that the transferred data is securely encrypted and transmitted.

  • Deposit
  • Withdraw
  • Transfer or Exchanges

Trading

Based on our experience of testing several different crypto exchanges, we have developed a methodology based on the OWASP (Open Web Application Security Project) Testing Guide, with customized checks for the business logic of cryptocurrency exchanges. It takes into account the assets, functions and pervasive vulnerabilities common to this type of product.

  • Place an order
  • Cancel order
  • Market overview
  • Play with Buy/Sell prices and orders

API

In this part we check how different algorithmic trading models behave against the exchange's own trading system: they need to receive live pricing and be able to execute trades, either manually or automatically through an algorithm, once their model generates a trading signal.
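Request signing for API keys, the "Authenticated interaction" feature of the API module described earlier and the mechanism the API test stage above exercises, as an added Python example that is not code from the article or Inn4Science; the function names and the 5-second window are assumptions, not any real exchange's rules:

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Added example, not code from the article or Inn4Science: HMAC request signing
# for exchange API keys. The client signs the query string (which carries a
# timestamp) with the key secret; the server recomputes the MAC, compares it in
# constant time, rejects stale timestamps and optionally remembers signatures
# it has already accepted, so an intercepted request cannot simply be replayed.
# Function names and the 5-second window are assumptions.

RECV_WINDOW_MS = 5_000


def create_api_key():
    """Server side: returns (public key id, secret). The secret is shown to the
    user once; the verifier needs it in raw form, so protect it at rest."""
    return secrets.token_hex(16), secrets.token_hex(32)


def sign_request(secret, params, timestamp_ms):
    """Client side: append the timestamp, encode the query, HMAC-SHA256 it.
    Returns the exact query string to send together with its hex signature."""
    query = urlencode({**params, "timestamp": timestamp_ms})
    mac = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return query, mac


def verify_request(secret, query, signature, now_ms, seen=None):
    """Server side: returns (accepted, reason). The MAC is checked before the
    timestamp is parsed, so a tampered timestamp fails as a bad signature."""
    expected = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    params = dict(parse_qsl(query))
    try:
        ts = int(params["timestamp"])
    except (KeyError, ValueError):
        return False, "missing timestamp"
    if abs(now_ms - ts) > RECV_WINDOW_MS:
        return False, "stale timestamp"
    if seen is not None:            # replay cache; the caller may evict entries
        if signature in seen:       # older than RECV_WINDOW_MS
            return False, "replayed"
        seen.add(signature)
    return True, "ok"
```

Without the `seen` cache a captured request stays valid for the whole window, which is why exchanges that only check timestamps still rely on TLS to keep the signed request confidential.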

Other Non-exchange applications and Third-party applications

Sometimes a platform uses third-party interfaces or APIs for communication. It is necessary to protect your own system from their vulnerabilities, so you need to be sure that any extensions used are secure.

Those were the most important checkpoints for testing; now let's have a more detailed look at the most important objectives!

Bypassing

First of all, a QA engineer should try to circumvent such parts of the project as the authentication and authorization mechanisms, the business logic of the application and session management. These may seem like the most basic and easy parts, but they are crucial to having a secure crypto exchange. Practice shows that the more sophisticated parts have fewer errors, as engineers pay more attention to new or difficult parts and sometimes forget to double-check simple things.

Imitation

Model the most common threats to the application. You should check that it can withstand a DDoS attack, SQL injection and session stealing. Also remember that developers can never foresee every action a user might take, so try to overdo everything and escalate user privileges as far as possible. You should also check how much your users can be trusted: some may alter data or its presentation.

Breaking the rules

There are three key points to list here. First, user accounts. Hijacking is a frequently used way to breach a system; be sure to check that an account belonging to one user cannot be hijacked by another. Second, performance and data integrity. Functionality and the standard workflow may not be at risk of hacking, but they are also the most bug-prone parts. As a quality assurance engineer you need to try to corrupt each and every feature of the system. Third, limitations. The administrator may limit access or functionality for different users, so testing for violations of access controls becomes an essential part of the work.

Blockchain

We will define two key aspects here. While conducting QA you need to check implementation-based blockchain vulnerabilities, and also to stress and analyze the user-accessible components that are based on cryptography.


Useful testing tools

There are dozens of useful tools that can automate testing processes.

“If you are interested to get more details about a specific tool, be free to contact our development team via [email protected] . ”

For automation, we recommend using Cypress or JMeter.

Cypress has various interesting features. For example, Time Travel creates snapshots during your tests, and the Command Log gives you a detailed overview. To speed up debugging Cypress provides Debuggability, and Automatic Waiting synchronizes your steps. To test the flow of functions, timers and server responses it has Spies, Stubs and Clocks, plus more interesting tools like Network Traffic Control, Consistent Results and even Screenshots and Videos.

JMeter (Apache JMeter) is another good instrument for testing. It has many features, but to shorten the list let's highlight the following: load and performance testing against many different applications, servers and protocol types; a Test IDE; a command-line mode; dynamic reports; data extraction and more. Interestingly, it is completely portable and pure Java, and integrates easily with any third-party open source libraries.

The above-mentioned applications are used only for test automation; for security testing we recommend Burp Suite.

Burp Suite has an extensive choice of features. Please note, though, that it comes in three different packages: Enterprise, Professional and Community. Even though we give the full list of its capabilities, the actual set of features will vary depending on the package.

Key features of Burp:

  • Web vulnerability scanner
  • Scheduled and repeat scans
  • Unlimited scalability
  • CI integration
  • Advanced manual tools
  • Essential manual tools


Your personal checklist and useful tips

Finally, what should we check? Here is a small checklist from our QA department.

Go through simple user flows to see that everything works well:

  1. Test registration
  2. Test login
  3. Test forgot password
  4. Test requests without login information
  5. Test creation of and transactions on wallets: deposit, withdrawal or exchange
  6. Test trading, such as creating orders or trades, closing them and making them market orders
  7. Test changing user information: email, phone number, name, etc.
  8. Test the KYC process: upload documents, change them or delete them
  9. Test third-party requests in the API

Use test data for each system. NOTE: test data should include different values that cover the scope of positive and negative tests, and the test values should cover all ranges of possible values. It is also important to consider that when working with third-party services you can't be sure until the end
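What positive and negative test values look like for one concrete check, the withdrawal amount in the wallet module, as an added Python example that is not code from the article or Inn4Science; the limits (8 decimals, a minimum, a per-transaction maximum) and the test table are constructed assumptions:

```python
from decimal import Decimal, InvalidOperation

# Added example, not code from the article or Inn4Science: an amount check for the
# wallet module's withdrawal feature plus a constructed table of positive and
# negative values. Limits are hypothetical; amounts stay Decimal, never float.

class WithdrawalRule:
    def __init__(self, decimals, min_amount, max_amount):
        self.decimals = decimals
        self.min_amount = Decimal(min_amount)
        self.max_amount = Decimal(max_amount)

    def check(self, amount_str, available):
        """Return 'ok' or the reason the withdrawal must be rejected."""
        try:
            amount = Decimal(amount_str)
        except InvalidOperation:
            return "not a number"
        if not amount.is_finite():      # "NaN"/"Infinity" parse but are not amounts
            return "not a number"
        if amount <= 0:
            return "non-positive"
        if amount.normalize().as_tuple().exponent < -self.decimals:
            return "too many decimals"  # finer than the asset can represent
        if amount < self.min_amount:
            return "below minimum"
        if amount > self.max_amount:
            return "above maximum"
        if amount > Decimal(available):
            return "insufficient balance"
        return "ok"

RULE = WithdrawalRule(decimals=8, min_amount="0.001", max_amount="10")
# Constructed test data: (amount, available balance, expected verdict).
CASES = [
    ("1", "1", "ok"),                             # boundary: exactly the balance
    ("1.00000001", "1", "insufficient balance"),  # one satoshi over the balance
    ("0.001", "1", "ok"),                         # boundary: exactly the minimum
    ("0.0005", "1", "below minimum"),
    ("10.5", "100", "above maximum"),
    ("-0.5", "1", "non-positive"),
    ("0.000000001", "1", "too many decimals"),    # 9 decimals
    ("NaN", "1", "not a number"),
    ("abc", "1", "not a number"),
]

def run_cases(rule=RULE, cases=CASES):
    return [(a, b, e, rule.check(a, b)) for a, b, e in cases if rule.check(a, b) != e]
```

`run_cases()` returns the rows whose verdict differs from the expectation, so an empty list means the whole table passed.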

Check security

  1. injections (SQL, NoSQL)
  2. broken authentication
  3. sensitive data exposure
  4. broken access control
  5. security misconfiguration

Test loading. The system should be able to withstand high load; using special tools gives us information about the capabilities of the system.

Therefore, your scope of work for a cryptocurrency exchange will include:

  1. Grey-box security testing, where a tester has only partial information about the application and restricted access to the system, for example user-level access and the app architecture.
  2. API checking, for both your internal API and any external APIs.
  3. Mobile testing, if you are creating a mobile-responsive app or even separate mobile apps.

Don't forget to provide several test accounts for the testing/production environment: 1 unverified user and 2 KYC-verified users with test balances. If there is a unique role distribution on the exchange, the customer must describe the access rights for each role and provide 2 test accounts for each role.

If you are a developer, we hope this article will be helpful for you. If you are an exchange owner, we recommend showing this article to your QA engineers or contacting our team for a professional security assessment.
