Fintech Crypto Platform

Robbing crypto wallets through business logic and race conditions

A Fintech startup is developing a crypto exchange. As part of the product development, they wanted to ensure they implemented the system securely with the proper mechanisms and best practices. 

Case Study Fintech Crypto Platform

Overview

What is a race condition?

A race condition in software is an undesirable event that occurs when multiple attempts to access or modify a shared resource are performed at the same time. Usually, when an application behaves correctly, different entities share resources as expected.

However, in uncontrollable network delays, multi-threading, or specific business logic, the sequence of operations may change due to the relative timing of events. This change can result in an undesigned state for the application and hence fail. In this case, the “race” depends on which entity or operation gains access to the shared resource first.

An example of a race condition can be seen even in simple codes that add or subtract a variable:

race-condition.png

Due to thread A and thread B sending the requests simultaneously, Thread A and B both access the variable with the value 10. While thread A increments it to 11, thread B overwrites the value to 9 due to using the old value of 10 before thread A returned the new value.

The tested system

The fintech platform assessed was a financial B2B platform that allows bank users to trade between crypto funds and Fiat currencies.

Business logic/flow

The following flow-chart shows the coin exchange process on the platform:

current-balance.png

Explanation of the flowchart:

  1. Checking current balance.

  2. Removing the exchanged amount.

  3. Verifying that there is enough cryptocurrency in the wallet for the exchange.
     

    • The request is denied, and a refund is provided if there isn't enough balance in the organization's crypto wallet.

    • The request is approved if there is enough balance in the organization's crypto wallet and the private cryptocurrency balance increments with the amount bought.

The exploitation process

During an assessment made by Komodo's team on the fintech platform, we uncovered a race condition that allowed us  to increase our assets in our wallet, with the only limit being the amount in the organization’s crypto wallet.

The team found that by sending multiple simultaneous requests to the platform and abusing the race condition every three requests, on average, were sent together and abused the race condition. So, for example, making 30 requests to exchange 10 USD to BTC (Bitcoin) would decrease the USD in the account by approximately 100, and give around 300 USD worth in BTC.

We achieved the exploitation by abusing the race condition. During the transfer, the application checked our total balance and subtracted or incremented the value. Due to the usage of multiple simultaneous requests, three requests saw the balance as “100” and then lowered the value to “90.” Because the balance was 100 for all three requests, it was written and overwritten as 90 three times. After decreasing the amount in our balance, the system waited for a successful response from the database to see that there was enough BTC in the wallet, and then after a successful reply, made the transfer. Due to the delay, while waiting for a positive response from the application’s server regarding the BTC wallet, all requests to increment the BTC wallet were accepted, thus increasing the amount for each request, totaling requests worth 300 USD.

Summary

By using 100 USD, we stole 300 USD worth of BTC in one exploitation cycle from the platform. Performing the same operation in a recurring manner allowed us to steal all funds from the crypto exchange account to our private account.

A Fintech startup is developing a crypto exchange. As part of the product development, they wanted to ensure they implemented the system securely with the proper mechanisms and best practices. Therefore, they asked the Komodo team to perform a Design Review, a Cloud Security review, and Penetration Testing.

As this was an extensive and lengthy activity spanning four months, we will not go into the entire assessment in depth. That said, we will highlight a specific vulnerability in financial systems, whether traditional banking systems or high-end sophisticated crypto and Fintech companies.  The precursor to this vulnerability is called a race condition.

Exploiting this race condition allowed us to “rob” the fintech startup of its crypto funds and get these into our account.