
Not Your Keys, Not Your Coins, or Consequences of Using API Keys for Trading

by Dmitry ShishovJanuary 24th, 2023

Too Long; Didn't Read

Crypto trading can be a profitable activity, but only if you use a trading bot. On the other hand, the 3Commas case, in which the company leaked users’ API keys and millions of dollars were stolen from users’ accounts on various exchanges, raises the question of security again. But this issue can be solved if security matters are addressed correctly.

The recent scandal with 3Commas, an Alameda-backed crypto trading firm, made me think once more about how vulnerable crypto users are today. Security in the crypto space is still one of the main concerns, and for now it is difficult to address because the technology is still very immature.

3Commas, a Look into the Matter

Just to refresh your memory.

In October last year, 3Commas users noticed that their accounts on major platforms such as Binance, OKX, and FTX had been compromised. Over a dozen users reported receiving notifications about suspicious activity in their crypto trading accounts. When they logged in, they saw plenty of strange trades: somebody had used their API keys to sell their assets for low-value coins.

3Commas didn’t admit that users’ API keys had been leaked from the platform and used to steal over $6 million of user money. The platform claimed it was phishing. It even published a list of fraudulent websites that mimicked 3Commas to steal users’ funds. These fraudulent sites were promoted through Google Ads, which increased the chance of luring users into clicking the link and entering their credentials.

Source: 3Commas

But it didn’t look like phishing. Those users were seasoned traders, and most of them would never share their credentials with anybody.

Moreover, some of them didn’t even remember that they had shared their API keys with 3Commas, just like CoinMamba, a futures trader and investor. He tweeted that his Binance account had been hacked through an API key. He had created this key some years ago, and 3Commas was the only place he had ever submitted it.

Source: Twitter

Only when an anonymous Twitter user stated that over 100,000 API keys had been stolen from 3Commas and published a list of 10,000 of them did the company admit that the leak had taken place.

Source: Twitter

Could the losses be minimized or prevented?

No, the losses couldn’t be prevented at that point. By the time users noticed that their accounts were compromised, the funds were already gone. However, the situation could have been mitigated if 3Commas’ management hadn’t denied that it was their fault.

If they had announced the leak of crucial data and warned users, the latter would probably have been able to save some funds. However, as many Twitter users claim, the company launched an “investigation on insiders by insiders”. So even if these trades were made by people with insider access to users’ API keys, we will never know.

Whatever has happened, many users felt like this again.

Source: Twitter

What can be done to prevent us from feeling like this in the future? Again, I return to the matter of security, not only in the crypto space but everywhere people’s funds are involved.

Many crypto traders use API keys to simplify their trading operations. And indeed, why not? You rest while a bot places trades whenever the conditions you defined are met. But to do so, the bot needs access to your wallet and your account on an exchange. This access is granted through private API keys that users hand over to the bot.

By trying to earn more money, we forget about the basic principle of crypto security:

Not your keys, not your coins.

So, the main thing you can do to protect your funds is to check carefully who you are entrusting them to. 

I understand that without bots, crypto trading cannot exist. That’s why I cannot say: hey guys, stop using bots. But at least check the provider very carefully, and never forget about the API keys you have issued.

Are There Safety Guarantees?

But then, users should check carefully whom they entrust with access to their funds, that is, with their private API keys.

In most cases, we don’t know how the processes are organized within a company. But we can still check some details to ensure that at least the main security measures are taken to protect our confidential information.

Do your own research on whether the API keys used by the app end up in a public GitHub repository or an S3 bucket. It is the same as the first example.

Some users create API keys, connect them to their accounts, and forget about them. It is as if you had given someone the access credentials to your bank account and then forgotten about it. Later, if there is a security breach or data leak, as there was in the case of 3Commas, you won’t be able to understand what is happening or react promptly to protect your funds.
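The two points above, that a bot’s key grants whatever permissions it was created with and that forgotten keys are the dangerous ones, can be turned into a routine review of every key you have ever issued. The script below is an added example, not code from the post or from 3Commas; it keeps only key metadata (never the secret itself), and the inventory, exchange names, dates and IP address are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

@dataclass
class ExchangeApiKey:
    label: str                 # where and why the key was created
    exchange: str
    created: date
    permissions: Set[str]      # e.g. {"read", "trade", "withdraw"}
    last_used: Optional[date] = None
    ip_allowlist: List[str] = field(default_factory=list)
    shared_with: str = ""      # third-party bot the key was handed to, if any

def review_key(key: ExchangeApiKey, today: date,
               stale_days: int = 90, rotate_days: int = 365) -> List[str]:
    """Return finding codes for one key; an empty list means nothing to act on."""
    findings = []
    # A bot only needs to place orders; withdrawal rights turn a leaked key into a drained account.
    if "withdraw" in key.permissions:
        findings.append("WITHDRAW_ENABLED")
    # Without an IP allowlist a stolen key works from any machine, not only the bot's.
    if not key.ip_allowlist:
        findings.append("NO_IP_ALLOWLIST")
    # Keys nobody has used for months are the "forgotten" keys from the post: revoke them.
    if key.last_used is None or (today - key.last_used).days > stale_days:
        findings.append("STALE")
    # A key handed to a third party long ago should be rotated on a schedule.
    if key.shared_with and (today - key.created).days > rotate_days:
        findings.append("ROTATE")
    return findings

def review_inventory(keys, today: date, **kw) -> dict:
    return {k.label: review_key(k, today, **kw) for k in keys}

# Constructed sample inventory (metadata only; these are not real keys or accounts).
REVIEW_DATE = date(2023, 1, 24)
SAMPLE_KEYS = [
    ExchangeApiKey("bot-2020", "binance", date(2020, 3, 1), {"read", "trade", "withdraw"},
                   last_used=date(2021, 6, 1), shared_with="third-party trading bot"),
    ExchangeApiKey("portfolio-tracker", "okx", date(2022, 11, 10), {"read"},
                   last_used=date(2023, 1, 20), ip_allowlist=["203.0.113.7"]),
    ExchangeApiKey("bot-current", "binance", date(2022, 12, 1), {"read", "trade"},
                   last_used=date(2023, 1, 23), ip_allowlist=["203.0.113.7"], shared_with="bot"),
]

if __name__ == "__main__":
    for label, findings in review_inventory(SAMPLE_KEYS, REVIEW_DATE).items():
        print(f"{label}: {', '.join(findings) or 'OK'}")
```

The first key in the sample is exactly the CoinMamba scenario: created years ago for a bot, still carrying withdrawal rights, unrestricted by IP, and long unused.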

Audits! Regular external audits are a must for any company that handles users’ money. As hard as I looked, I found data about only one 3Commas audit, performed in 2018. That is another major red flag, even if we suppose that they simply don’t publish their audit results publicly.

However, if you give a third-party app full access to your funds, the only thing you can do is trust that this third party won’t betray you. That’s why it is crucial to check everything, and if this third party has had ANY issues in the past, it is better to look for another option.

And once more: are there any safety guarantees? 

I believe that for now, the only guarantee is regulation that protects users when their data is leaked and their funds are stolen. What if 3Commas were legally forced to reimburse all the stolen funds because the leak of API keys was the company’s fault? I believe it would be fair. Moreover, it would set a precedent that would make other companies think twice before ignoring the security measures required to protect user data.