SlowMist: The latest safety monitoring report on Binance

SlowMist
5 min readSep 3, 2019

--

SlowMist has made progress in promoting the security of the blockchain world and countering the increasingly severe underground hacking attacks. The SlowMist Blockchain Threat Intelligence System (BTI) provides relevant information as a basis for this safety monitoring report. SlowMist will use Binance, the world’s top digital currency exchange, as a security monitoring target to briefly analyze the assessment conclusions.

Binance Safety Monitoring Analysis

SlowMist began formal contact with security matters in December 2018 and Binance. As of now, SlowMist has done a lot of security monitoring work for Binance. Therefore, we will formally make the necessary disclosures so that the industry can objectively understand Binance’s current security system.

According to the recent SlowMist security monitoring, Binance’s production environment architecture, server security, application security, wallet private key security, office environment security and other important security projects are currently in high quality. At the same time, Binance’s risk control system is perfect and equipped with a number of measures to ensure the safety of user assets. SlowMist’s overall evaluation of Binance’s current security system is: Excellent.

The following important points are about the Binance risk control system solution.

Front-end WAF (Web Application Firewall), Full-site HTTPS

Evaluation: Excellent

Details: The Binance core business-related domain names and IP have a comprehensive WAF strategy that is well protected against external direct attacks against Web services, while a full-site HTTPS policy prevents potential intermediaries Hijack the risk of attack. For users, accessing Binance’s services via the Web and App is secure and private.

Unclear transmission of critical sensitive information (such as passwords)

Evaluation: Excellent

Details: Relevant security tools and manual audits show that the data transmitted by users on Binance is protected by an additional layer of security encryption.

2FA is used for all kinds of sensitive operations, such as creation and modification of API, binding and modification of account address, transfer of funds, etc.

Evaluation: Excellent

Details: 2FA refers to two-factor authentication, which is the best security practice in security policy. Binance has a comprehensive 2FA strategy for sensitive user operations, especially involving the operation of funds, which can greatly reduce the risk of users being hacked or Credential Stuffing.Binance’s 2FA strategy also introduces the world’s leading YubiKey solution, and Binance is at the forefront of 2FA.

Users cannot withdraw token within 24 hours after retrieving the password

Evaluation: Excellent

Details: Retrieving a password is a normal business, but it can also be exploited by malicious people. Many underground hackers will obtain the user’s mailbox and other rights, and retrieve the password on the target service to achieve the purpose of modifying the password, so as to immediately steal the token.

The 24-hour strategy balances the normal business experience with such security risks and compensates for the relative time of users who encounter such security risks.

Email/official website has an anti-phishing reminder

Evaluation: Excellent

Details: Many user accounts are stolen due to attacks from phishing websites. Binance sets “anti-phishing reminders” to enhance users’ security awareness and reduce the probability of users being phishing.

First-time login with security education

Evaluation: Excellent

Details: The digital currency field is a strange field for many newcomers. New users are at high risk of being attacked. There is a safety education mechanism when using Binance’s service for the first time, which is a good security guide for users. Whether it is “anti-phishing reminder” or related “safety education”, Binance does its best.

Introduce more secure third-party links

Evaluation: Excellent

Details: The security of third-party resources is easily overlooked in the security system construction work. Binance carefully introduces third-party resources, which greatly reduces the risk of Binance’s security problems caused by third-party security issues.

Third-party links introduced at the front end of the Binance business are related services from Google, and Google’s security level is widely recognized in the industry.

Emergency response speed and comprehensive ability

Evaluation: Excellent

Details: The Binance security team responds promptly to third-party security agencies and external security threats, and relies on its own security system to provide comprehensive coverage of emergency response.

Binance “SAFU Fund” can cope well with the compensation work that may result in loss of user asset security under the Black Swan incident.

Capital security strategy

Evaluation: Excellent

Details: The security architecture of Binance user capital wallet adopts the hot and cold separation design, and strictly adopts the private key absolute ciphertext strategy in the generation, storage and use of private keys.

At the same time, a multi-layered security risk control mechanism is adopted in these steps, and the KYT strategy can achieve monitoring and abnormal discovery for each transaction.

Complete third party security agency audit

Evaluation: Excellent

Details: Binance passed the first security audit of SlowMist. Binance’s current security system construction work is progressing smoothly.

In addition to the audit conclusions related to these risk control systems, we also believe that Binance has made many efforts in other aspects of security, including timely and transparent disclosure attitude; continuous establishment of platform security team; relationship maintenance with security community; Safe sharing for the entire digital currency industry; Binance DEX is launched and running. We believe that Binance is a company with a “safety” as its lifeline.

According to the security interaction between SlowMist and Binance in the past year, the trading volume of the Binance platform is huge, and the security system can still be better. Although the security of its core modules has been excellent, security is holistic and a process of continuous dynamic development. Some security still has certain border dead zones. Some security work requires an internal security team to strengthen, but some security work can choose to cooperate with well-known security agencies in the industry, including: AML, blockchain threat intelligence, personnel security education, penetration testing, Red Teaming & Blue Teaming, external security monitoring, related security defense products, etc., and deepen the relationship between the global white-hat hackers, and take the security moat capacity to the next level.

About Safety Monitoring Report

With the written authorization of Binance, SlowMist continuously conducts safety monitoring for Binance’s target business security system construction and supplements it with on-site confirmation, striving to be the most objective and professional third-party security agency. Finally, objectively disclose the results of phased safety monitoring according to the wishes of both parties.

About Us

Xiamen SlowMist Technology Co., Ltd., headquartered in Xiamen and founded by the team with over ten years of front-line cybersecurity defensive experience, specializes in ecology security of blockchain industry. The team members have built a security engineering with world-class influence. As the first company in China to focus on blockchain ecosystem security, SlowMist has served many well-known digital currency exchanges, wallets, blockchains and smart contracts around the world. SlowMist security services include Security Audit, Security Consulting, Defense Deployment, Blockchain Threat Intelligence (BTI), Bug Bounty and other related security products. SlowMist has independently discovered many common high-risk security vulnerabilities in the industry, which has received widespread attention and recognition from the industry. SlowMist not only studies the world-famous public Blockchains such as Bitcoin, Monero, Ethereum, EOS, Cosmos, Ontology, VeChain, etc. but also deeply participates in Ethereum and EOS. And it publishes hundreds of well-known smart contract audit reports around DApp security offensive and defensive confrontation, security auditing, and defense. It is the direction of SlowMist’s efforts to bring a sense of security to the blockchain ecosystem.

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.