Analysis & Opinions

CER.LIVE Report: Top 25 Decentralized Exchanges by Cybersecurity Score

Report Highlights

1. Only 2 crypto exchanges out of 25 gained “high” scores of 8 out of 10 points or higher — Uniswap and Synthetix.

2. 14 DEXs (56%of the total) have been deemed not safe after receiving a “low” score of 6 out of 10. These platforms have significant red flags that need to be worked on immediately from a cybersecurity standpoint. 

3. 24% of all the DEXs have not passed, or have not publicly mentioned passing, any cybersecurity audits carried out by third-party firms.

Abstract

Decentralized exchanges (DEX) did not start gaining popularity in 2020 until around July, at the start of the third quarter. This is confirmed by the fact that Uniswap liquidity grew from $50 million in the beginning of July to a staggering $2.8 billion by the end of October. According to a Similarweb statistic, the number of unique visits increased by 485x over the same period of time to a peak of 4.85 million.

Despite the fact that there haven’t been any significant hacks on decentralized exchanges in comparison to centralized platforms, DEX users are actually more susceptible to fraudulent attacks. Some exchanges do not offer any insurance or features that may protect their users from mistakes or loss of funds. These unique problems that DEX users face include:

  • Fake tokens. Users can buy a fake token with the same ticker as the real token and lose their funds.
  • High slippage. Large slippage can lead to a DEX user buying a token at a price significantly different from the market price.
  • Transaction delay. If the user has set a non-priority commission for the transaction, it might be confirmed in a few hours when market conditions have changed. As a result, the trade might be executed during unfavorable conditions.
  • Lack of trading pair data. It’s easy for a user to make a bad investment decision if there is no data on the liquidity locked in the trading pair and little history of previous transactions.

We at CER.live have created a comprehensive methodology to inform users which exchanges are most secure for trading. In short, we conduct a thorough assessment of the following areas for each decentralized exchange:

  • Security audit history;
  • Bug bounty program;
  • SSL/TLS. Cryptographic protocols that provide end-to-end security of data sent between applications over the internet;
  • Cold wallet direct support;
  • Liquidity score;
  • Data provision;
  • Token whitelists;
  • Transaction deadlines;
  • Slippage tolerance.

At the same time, these metrics can be considered differently for each type of decentralized exchange. It’s worth mentioning, however, that this rating system only includes DEXs where you can start trading by connecting a crypto wallet. Therefore, exchanges such as IDEX are not included in our rating due to the need for registration and verification.

Scoring Results

Table 1 provides the list of Top-25 DEX platforms by their respective cybersecurity score.

The cybersecurity scoring results from our research show that only two crypto exchanges out of 25 gained “high” scores of 8 points or higher Uniswap and Synthetix.

Fig. 1. Distribution of CSS results by total score

While a segment of the sample (nine crypto exchanges, 36%) scored a “good” (6 to 8 points), 14 crypto exchanges (56% of the total) scored poorly with less than 6 points.

Security Audits

It is important to note that 6 exchanges (24%) failed to pass a security audit or did not publicly announce that they have undergone an audit. It should be noted that an unaudited exchange cannot be considered safe. You can find links to all the latest audits and auditing companies in the “security audit” column on https://cer.live/defi.

From our findings, we found that most exchanges chose to work with different third-party auditors (see Fig. 2) which tells us there is currently no monopoly in the market. There are also two cases where the audit was conducted by individual researchers, which we strongly believe is not a good practice.

Fig. 2. Security auditors

We also noticed that a vast majority of DEXs did not perform re-audits after the latest code updates. Only four platforms under our assessment have kept up-to-date 100% with their audits, but this is mainly because there were no code updates after the latest audits were carried out. The fact is that even minor changes in the code and the implementation of new features can lead to the emergence of new vulnerabilities. Therefore, we reduce the score for those platforms whose audit was done not on the latest version of the code. 

Bug Bounties

Unlike centralized exchanges, most DEXs have an open bug bounty program. 16 platforms (64% of the total) run bug bounty programs (see Fig. 3). Only one of these platforms has a third-party hosted bug bounty program. We maintain that the most effective bug bounty programs are those run by third-party platforms, because engagement from the hacking community is typically higher, and as a result, they receive more reports. 

Bug bounty programs are a fantastic way to detect software and configuration errors that can slip past developers and security teams that may later lead to big problems. For example, the Balancer hack could have been prevented if the project team hadn’t ignored the third-party cybersecurity researcher’s report. Given the fact that most DEXs do not perform regular security audits, a bug bounty program is necessary to ensure the security of the platform, since hackers will constantly test it in the hope of receiving a reward for the discovered vulnerability.

Fig. 3. Bug bounty

Conclusion

In summary, the findings from our cybersecurity score results show only 8% of trading platforms scored “high” (8 points and higher) while a worrying 56% of them scored poorly (below 6 points).

Among the main problems that affected the score of the exchanges are:

  • Infrequent security audits; 
  • Lack of features to ensure trading security, including;
    • Token whitelists;
    • Transaction deadline;
    • Slippage tolerance;
    • Data provision;
  • Absence of bug bounty programs.

While decentralized exchanges are inherently more secure than their centralized counterparts, they still fail to provide a number of key features that offer vital protection to users when trading.

We firmly encourage all exchanges to follow existing industry best practices and provide their users with the necessary tools to make trading on their platforms safe.

Exchange representatives can get details about their exchange rating by submitting a request in our contact form.

About CER.live

CER provides fundamental analysis of the cryptocurrency exchange market. Through continued cyber-forensic investigations and in-depth ranking methodology, CER has already earned the trust of crypto traders as the only unbiased platform for crypto exchange reliability checks.

CER is a member of all major blockchain-focused transparency alliances including the Data Transparency and Accountability Alliance, run by CoinMarketCap. CER is also a part of Hacken Group, a leading cybersecurity firm in the digital finance space that works with major companies such as AirAsia, Binance, Gate.io, VeChain, Bithumb, 1Inch, One Ledger and FTX.

%d bloggers like this: