Waves’ Decentralized Exchange Had a $6 Million Debut. Then It Got Hacked

26 July 2018

When a decentralized cryptocurrency exchange supports fiat tokens and courts banks, yet makes customer identification optional, all bets are off.

According to data provided to CoinDesk by the blockchain project Waves, the company’s new decentralized exchange (DEX) was facilitating $6 million of crypto transactions a day at the end of its beta testing last month. That’s six times the daily volume that a rival DEX, AirSwap, boasted at its debut in April.

Waves, which is incorporated in Switzerland but headquartered in Russia, also told CoinDesk its DEX had 90,000 traders using 330,000 wallets ahead of its full launch this week – dwarfing the comparable figures for other DEXs.

There are a few reasons for this impressive performance coming out of the gate. One is speed, courtesy of the platform’s centralized matchmaking service – highlighting the contradictions inherent in so-called DEXs, which have a way to go before they live up to their name.

Another factor is that almost any trader can issue a token on Waves’ unique blockchain, even one that represents an IOU in fiat currency, and instantly trade it for bitcoin on the exchange.

Not least of all among its attractions for traders, standard know-your-customer ID checks are optional in this marketplace except in certain circumstances.

But the rollout hasn’t been all rainbows.

On Tuesday, when Waves officially ended the year-and-a-half-long beta period and launched the full DEX, hackers hijacked both the exchange website and the company’s main site to phish for users’ personal wallet information. It took hours for Waves to get its site back online after restoring access to the DNS server.

“Someone just faked my passport and gave it to support [staff] at the domain company and they changed the password at his request. Then the attacker was able to change the main website,” Waves CEO Sasha Ivanov told CoinDesk.

Undaunted by the incident, or by criticisms of Waves’ security practices, Ivanov told CoinDesk he hopes that even banks will start launching currencies on his DEX.

He said:

“We are looking for partnerships with major banks because we hope major banks will want to issue their own fiat tokens.”

How it works

In order to transact on the DEX, users need Waves tokens. The broader project raised $22 million by selling these native tokens in 2016. The tokens are also used to run smart contracts and incentivize node operators on the Waves blockchain, a model similar to ethereum.

The network has garnered more than 200 unique nodes, including two run by the Canadian mobile gaming company RewardMob, which sees the DEX as a key attraction.

“Now we don’t have to worry about currency control from different countries and players wanting to cash out in different currencies. It allows players to trade their tokens between other players…The decentralized exchange was a huge, key component in our decision to go with Waves,” RewardMob CEO Todd Koch told CoinDesk.

His company launched its own Waves-based token and is preparing for an ICO. It operates tokenized rewards for multiple video games, such as a beer pong app, and maintains back-end wallets for more than 100,000 users.

“We want to integrate the DEX right into our app so that [when] a player earns our currency, they could easily exchange it for Waves or bitcoin or any other cryptocurrency,” Koch said.

Since the Waves DEX matchmaking software is open source, numerous nodes could run their own matchmakers and almost act like cryptocurrency miners earning fees (in Waves tokens) for processing trades.

But most of the trades are going through Waves’ own central matchmaker.

Dean Eigenmann, co-founder of blockchain governance startup Harbour and of the DEX project Dexy, found this approach dubious, saying it defeats the purpose of a DEX if service can be denied by a central authority.

Ivanov acknowledged that the current state of affairs is out of step with the decentralized ethos and will have to change. He said:

“A centralized matcher can just say ‘I don’t accept the trade,’ for now, so it’s important for us to make it more trustless.”

Compliance

The Waves DEX generally requires identity checks in two instances: when users opt for fiat cash out, through the Czech Republic-based payment processor Coinomat, a separate company Ivanov launched in 2013; or when they issue a token on the Waves platform and then list it publicly on the DEX.

Privately issued tokens that are traded through private listings, according to Ivanov, do not require identity checks for compliance. Neither does trading bitcoin for other tokens.

“For now, you can do crypto-to-crypto trading without any type of KYC,” Ivanov told CoinDesk.

But Drew Hinkes, chief legal counsel and co-founder of the crypto advisory firm Athena Blockchain, told CoinDesk that exception probably doesn’t apply to users in the U.S.

“We know from the 2013 guidance issued by FinCEN [Financial Crimes Enforcement Network] that a lot of people in the crypto ecosystem need to have a BSA, the Bank Secrecy Act, and AML, which is anti-money laundering, compliance programs,” Hinkes said. “Those programs are required to include customer identification programs.”

According to this guidance, if an exchanger accepts or transmits a virtual currency, or if the exchanger buys or sells virtual currency for any reason, they are a money transmitter under FinCEN’s jurisdiction, and thus required to check ID.

“The guidance says that, when defining a money transmitter, they don’t care whether you use real currencies or convertible virtual currencies,” said Hinkes, who is also an adjunct professor at New York University’s School of Law and Stern School of Business.

Meanwhile, Waves node operator RewardMob requires users to hand over personal information such as their full names and addresses, according to Koch, who cited requirements of Canadian sweepstakes law.

Security

This week’s phishing attack not only put a damper on the DEX launch, it also prompted criticism of Waves’ practice of having users enter their recovery seeds – strings of words that act like passwords for crypto wallets – into a website to use its software wallet.

Drawing a different lesson from the hijacking, Ivanov said, “We and the whole industry need to work on decentralized domain name systems.”

A spokeswoman for Waves added that “the DNS servers of the Waves website are maintained by the registrar, and in this case, their security is beyond our control. Nevertheless, the security levels of the registrar are, indeed, in question, and so we are currently considering further action … to make sure that this one-time breach will never occur again.”

The incident was not the company’s first brush with security flaws, though.

In 2017, an audit by the cybersecurity firm Kudelski Security pointed out that despite overall “good security engineering,” Waves’ unique blockchain was susceptible to several types of attack and that users’ wallet passwords were stored in a cleartext database that was “readable to anyone accessing the file system.”

When asked about this, Ivanov said:

“Most of the recommendations were carried out. As for the passwords, all the critical moments have been fixed. They are still stored in a clear config file.”

Eigenmann said he was unimpressed with Waves’ infrastructure or ICO.

“It’s just embarrassing the level of software development skills which goes into some of these projects,” he told CoinDesk. “I don’t see any real value in tokens for exchanges.”

Regardless of the controversy, Waves’ volume is staggering for a new exchange with self-custody options.

According to Waves’ internal data, on June 23rd alone DEX traders swapped Waves tokens for $1.59 million worth of bitcoin and $251,697 worth of monero, just to name a few.

Ivanov said he was grateful to the community for supporting their ICO and is eager to deliver real value to global businesses.

“Our blockchain is quite fast,” he said, claiming Waves can process 500 transactions per second. “We have a very active Brazilian and Turkish community, you can even trade a token Lira on our exchange.”

Bank vault via Shutterstock