An Introduction to the Security Behind ExCraft

ExCraft Exchange
ExCraftExchange
Published in
3 min readSep 5, 2018

When outlining the development plan and design for ExCraft, special considerations were made to protect our users. Centralized exchanges have been deemed a “security risk” since 2012 due to their contradictory nature to the chief principals behind distributed digital asset systems like Bitcoin. Perceived as having a “single-point of failure”, Centralized exchanges — or CEXs — are hotly discouraged against by veterans within blockchain communities. This is more than a valid concern. For the last 6 years, CEXs have been breached and funds have been stolen. Before we continue with how ExCraft manages external and internal hazards, let us recap some of the more notable recent CEX mishaps.

Assessment of centralized exchange hacks 2012–2018

From this list of CEX hacks, the unadjusted gross amount of absconded funds exceeds $1 billion dollars. If these figures were adjusted, they would be valued near $8 trillion dollars!

Reviewing these attacks, we can pinpoint common themes amongst them:

  • Hot wallets store more than 5% of an exchange’s funds
  • Deposits were sent to hot wallets rather than cold wallets
  • Cold wallets are either not present or lack sufficient security measures, such as multiple signatures for withdrawal and physical locking measures
  • Attackers were able to disguise withdrawals to appear as a normal customer action
  • Manual upgrade, patch, and deployment processes due to outdated architectures
  • Monolithic exchange code causes a small vulnerability to compromise the entire exchange
  • Lack of segregation between administration and exchange networks
  • Staff is unprepared for recognizing phishing attacks
  • Staff has too much access to critical systems without checks
  • Exchange evades, and in some cases does not invite, external authorities or third party audits

What does ExCraft do differently?

ExCraft utilizes services within the Google Cloud Platform. Google’s datacenters are updated with the latest compliance standards including: ISO 27001, ISO 27017, ISO27018, SOC 2&3. ExCraft deploys a virtual private cloud on Google’s platform to handle specific exchange functions. This separates our internal network from the core exchange platform. Multistage load balancers, firewalls, intrusion detection, and prevention protocols are able to block, route and distribute load to support our exchange; this enhances our ability to scale.

ExCraft’s most remarkable feature is that we use microservices to harness cutting edge technologies such as Kubernetes, Docker, and Itsio. In addition to these, we have included custom coded solutions in Go, Python, C++ and C--, which provides new functionality with limited-to-zero expected downtime or disruptions in trading.

In a follow up article we will discuss more about the structure of our microservices and continue to expand on the external and internal risk management that makes ExCraft the premiere trading platform.

Please reach out and follow us on our official social media accounts to stay connected to your fellow Crafters!

ExCraft Exchange (Website):https://www.excraft.com

ExCraft Telegram (English):https://t.me/ExCraftExchangeENG

ExCraft Telegram (Chinese):https://t.me/ExCraftExchangeCN

ExCraft Telegram (Korean):https://t.me/ExCraftExchangeKR

Twitter|Facebook|Steemit|Reddit|Mastodon|Naver

--

--

ExCraft Exchange
ExCraftExchange

ExCraft is a cloud-native cryptocurrency exchange based in Hong Kong that implements microservices to achieve a highly secure and high-performance architecture.