Six years on from the infamous Mt. Gox hack, the security of cryptocurrencies remains a hot topic.
Security incidents at cryptocurrency trading platforms have occurred almost every month, and users have suffered from the information asymmetry between themselves and the platforms they trade on. Security concerns, and the negative media coverage that follows them, have therefore often been the center of attention.
According to statistics from SlowMist's archive of blockchain hacking incidents, over 130 security-related events were reported in the blockchain industry in 2019, with accumulated losses of more than USD 5 billion. Exchanges, wallets and DApps all saw significant hacking events. In terms of the events with the highest losses, first place goes to PlusToken's embezzlement of about USD 2 billion in cryptocurrency. In second place was the theft of 7,074 bitcoins from Binance. In third place was the theft of 3 million EOS and 20 million XRP from Bithumb.
“When we talk about the security of cryptocurrency trading platforms, it is actually a very broad topic, where it’s commonly known as risk prevention and security mechanisms. That includes trading platform policy risks (no forced shut-down), credit and performance risks (no embezzlement), market risks (no manipulation), operational risks (no bankruptcy due to poor management) and technical risks (no theft via hacking). As the world’s leading crypto derivatives trading platform, we have the obligation to apply and keep transparency in risk control and security,” said Ben, CEO of Bybit, in an internal speech in 2020.
Given this string of security breaches, security has naturally become a key concern and an operational focus for Bybit in 2020. Here are the strategies we have been employing to safeguard the security of our users’ crypto assets.
Focus on Derivatives and Choose the Right Path
Bybit currently serves more than 400,000 users from 117 countries. As a derivatives trading platform, it is naturally insulated from fiat-crypto exchange risks and from the securities-policy risks attached to ICOs and IEOs.
Although we have had the opportunity to expand the business beyond our existing scope, even into the ICO/IEO space, we did not do so and never will. This is because of our persistent belief that cryptocurrency trading platforms exist to meet the basic demand for transactions, which is what Bybit was formed to do. Our mission is to focus on derivatives trading. That persistence means we are naturally isolated from fiat- and ICO-related risks. It is widely known that global cryptocurrency regulation still has room for improvement, and policy risk remains the biggest systemic risk faced by cryptocurrency trading platforms in every country. On this basis, it is Bybit’s view that a leading, specialised derivatives trading platform is more reliable than an all-round, comprehensive one.
Pursue Sustainable Development
On top of debt-free operations, Bybit has achieved sustainable profitability, making it possible to avoid counterparty and performance risks.
Generally, a debt-free operation is a good indicator of the risk control of a traditional financial exchange. Margins must be cleared daily between the exchange and its clearing members to ensure debt-free operation. Margin settlement between an exchange and its members is interlinked across the whole membership: a clearing member that fails to pay its margin increases counterparty risk for everyone and may even lead to the bankruptcy of the exchange.
Since this industry is on the cusp of exponential development, most cryptocurrency trading platforms undertake order matching, asset custody, clearing and the broker-dealer business at the same time. Achieving debt-free operation therefore requires instant settlement, clearing and reconciliation at the operational level, supported by a well-structured and well-maintained data and asset management system. Bybit has maintained strong operational diligence and internal control since its establishment, drawing on practices learned over years in traditional financial markets. Besides clearing and reconciliation, independent reconciliation of on-chain data against our off-chain ledger is also a must to ensure the accuracy and completeness of our clearing data.
Beyond operational techniques and internal control, we also need to focus on our core profit model.
If a trading platform can’t survive on trading commissions, it’s hard to imagine how it can build and maintain a high-performance technology platform, how it can improve its products and services, and how it can keep investing in security. We suspect that platforms advertising extremely low or even zero transaction fees, or high discounts and rebates, are actually targeting users’ principal. Only by pursuing sustainable profitability can a trading platform achieve sustainable development in the long run.
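The on-chain versus off-chain reconciliation described above, as an added example that is not Bybit's own code. It assumes the platform's ledger (user liabilities and the movements it has recorded) is compared against wallet balances and confirmed transactions read independently from a blockchain node; all balances, addresses and transaction ids below are constructed sample data, and the three checks (coverage, unrecorded on-chain movements, unbacked ledger entries) are the editor's illustration of what such a reconciliation looks for.

```python
from decimal import Decimal


def reconcile(asset, user_balances, ledger_movements, chain_balances, chain_txs):
    """Compare the platform's own ledger against data read from the chain.

    user_balances:    {user_id: Decimal}   liabilities owed to users (off-chain ledger)
    ledger_movements: {txid: Decimal}      on-chain movements the platform has recorded
    chain_balances:   {address: Decimal}   balances of the platform's wallets (from a node)
    chain_txs:        {txid: Decimal}      confirmed movements of those wallets (from a node)
    Amounts are signed: positive = inbound to the platform, negative = outbound.
    Returns a list of (finding, subject, amount) tuples; an empty list means reconciled.
    """
    findings = []
    liabilities = sum(user_balances.values(), Decimal(0))
    custody = sum(chain_balances.values(), Decimal(0))

    # 1. Coverage: what the wallets hold must at least equal what is owed to users.
    if custody < liabilities:
        findings.append(("shortfall", asset, liabilities - custody))

    # 2. Every confirmed on-chain movement must exist in the ledger with the same amount.
    #    An outbound transfer the ledger knows nothing about is the classic theft signal.
    for txid, amount in chain_txs.items():
        if txid not in ledger_movements:
            findings.append(("unrecorded_onchain_tx", txid, amount))
        elif ledger_movements[txid] != amount:
            findings.append(("amount_mismatch", txid, ledger_movements[txid] - amount))

    # 3. Every ledger entry must be backed by a confirmed on-chain transaction.
    for txid in ledger_movements.keys() - chain_txs.keys():
        findings.append(("unconfirmed_ledger_entry", txid, ledger_movements[txid]))

    return findings


def btc_example():
    # Constructed sample: one outbound transfer (tx-c) left the cold wallet without a
    # matching ledger entry, so custody no longer covers user liabilities.
    user_balances = {"alice": Decimal("1.50"), "bob": Decimal("2.25")}
    ledger_movements = {"tx-a": Decimal("1.50"), "tx-b": Decimal("2.25")}
    chain_balances = {"cold-1": Decimal("3.50"), "hot-1": Decimal("0.10")}
    chain_txs = {"tx-a": Decimal("1.50"), "tx-b": Decimal("2.25"), "tx-c": Decimal("-0.15")}
    return reconcile("BTC", user_balances, ledger_movements, chain_balances, chain_txs)


def eos_example():
    # Constructed sample that reconciles cleanly.
    user_balances = {"carol": Decimal("1000")}
    ledger_movements = {"tx-d": Decimal("1000")}
    chain_balances = {"cold-2": Decimal("1000")}
    chain_txs = {"tx-d": Decimal("1000")}
    return reconcile("EOS", user_balances, ledger_movements, chain_balances, chain_txs)


if __name__ == "__main__":
    for finding in btc_example():
        print("BTC:", finding)
    print("EOS:", eos_example() or "reconciled")
```

The point of feeding the chain side from a node rather than from the platform's own database is independence: a compromised or buggy ledger cannot make itself look balanced. Amounts are kept as Decimal so that satoshi-level differences are not lost to floating-point rounding.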
Fair Rules Promote Fair Trade
Common market risks include extreme price movements, price manipulation and failures of the price-quoting system, all of which can severely disrupt the market. Such problems are more prominent in the cryptocurrency field than in traditional financial markets.
Cryptocurrency trading platforms will inevitably follow the “three-step” evolution of most industries: exponential growth at the primary stage, self-regulation at the developing stage, and compliance at the mature stage. As the industry is still between the primary and developing stages, Bybit adopts additional measures to protect ordinary traders, such as restricting the maximum order and position size. The dual price mechanism is also widely adopted among crypto derivatives trading platforms: liquidations are triggered by a mark price derived from an index of external spot prices rather than by the last traded price on the platform, which protects traders from unwarranted liquidations caused by manipulation of a thin order book and ensures a fair trading environment.
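The dual price mechanism in working form, as an added example by the editor rather than Bybit's own liquidation engine. It assumes the common design in which the mark price is the median of several external spot quotes (real platforms typically also add a funding-basis term) and the last traded price is the contract's own last fill; the isolated-margin liquidation-price formula, the 0.5% maintenance margin rate and the price ticks are all constructed assumptions for illustration, not Bybit's exact parameters.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Position:
    side: str           # "long" or "short"
    entry: float        # entry price
    leverage: float     # e.g. 50 for 50x
    mmr: float = 0.005  # maintenance margin rate (assumed 0.5%)

    def liquidation_price(self) -> float:
        # Simplified isolated-margin liquidation price (assumption, not an exchange's exact formula):
        # a long is liquidated once price has fallen by (1/leverage - mmr) of the entry price.
        if self.side == "long":
            return self.entry * (1 - 1 / self.leverage + self.mmr)
        return self.entry * (1 + 1 / self.leverage - self.mmr)


def index_price(spot_quotes):
    # Median of the constituent spot prices: one manipulated venue cannot move it far.
    return median(spot_quotes)


def would_liquidate(pos, price):
    lp = pos.liquidation_price()
    return price <= lp if pos.side == "long" else price >= lp


def evaluate(pos, ticks):
    """ticks: list of (last_traded_price, spot_quotes).
    Returns (liquidated_by_last_price, liquidated_by_mark_price) over the whole series."""
    by_last = [would_liquidate(pos, last) for last, _ in ticks]
    by_mark = [would_liquidate(pos, index_price(quotes)) for _, quotes in ticks]
    return any(by_last), any(by_mark)


# Constructed sample: a 50x long entered at 10,000 (liquidation price 9,850).
POS = Position("long", entry=10000.0, leverage=50)

# Constructed ticks: the second tick is a wick on the contract's thin order book
# down to 9,820 while the spot venues feeding the index barely move.
TICKS = [
    (10010.0, [10005.0, 10012.0, 10008.0]),
    (9820.0, [9995.0, 10001.0, 9998.0]),
    (10002.0, [9999.0, 10003.0, 10000.0]),
]

if __name__ == "__main__":
    by_last, by_mark = evaluate(POS, TICKS)
    print(f"liquidation price: {POS.liquidation_price():.2f}")
    print(f"liquidated on last price: {by_last}, on mark price: {by_mark}")
```

Under last-price liquidation, whoever can push a single fill through a thin book can liquidate every leveraged position between the current price and the wick, and then buy the forced selling back. Under mark-price liquidation the same wick is ignored because it never shows up in the spot venues the index is built from.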
A Transparent and Self-regulated Platform
Operational risk management is a core function for most financial institutions. Prior to proper industry wide regulation, Bybit believes that transparency and self-discipline are essential for operational risk management.
The “Exchange Transparent Assets” program by BitUniverse allows any user to review Bybit’s platform assets. Instead of obtaining the data directly from our platform, an independent third party obtains it from a public blockchain and manages the disclosure. Bybit will keep improving our data transparency; more transactions and operation data will be published on an ongoing basis.
Besides transparency, Bybit reconciles and monitors users’ assets in a timely manner. Any on-chain or off-chain fund movement is monitored by an independent internal control business line to ensure an immediate response. Bybit has also adopted an integrated risk management framework for internal and external anti-fraud and anti-money-laundering practice.
Security Risk Control
The extent of security investment reflects the security commitment and capability of a company. The security Investment/IT Investment ratio is a good benchmark for comparison within an industry. For example, the ratio is approximately 10% in the internet industry, 5% to 8% in the financial industry and below 4% in other industries. Among crypto trading platforms, a lot of the major players spend around 15%. Bybit is spending about 20% currently and this is expected to increase to 25% to 30% in the future.
Crypto wallet security has always been one of the major security concerns. Most victims of crypto theft were using “hot wallets”. To combat this, Bybit has built an industry-leading cold wallet system with a built-in, tiered structure. All deposit addresses provided to users are cold wallet addresses. Asset consolidation and withdrawals are signed offline. The security of our users’ assets is of paramount importance, and comes before efficiency.
Withdrawal requests are subject to manual review three times a day, and users can withdraw once every eight hours. Bybit would rather sacrifice some user experience to ensure asset security. As for internal control, withdrawals are subject to at least three layers of risk-control verification. Consolidation of crypto assets among cold wallets follows the strictest policy, covering physical environment security, system security, encryption techniques, operator authentication, monitoring and audit.
To combat hacking threats, Bybit runs a security program built around penetration testing. We have an internal system for software lifecycle management and hire well-known security consultants for penetration testing. We also run bounty programs in the white-hat community to engage security experts in vulnerability testing, and work with a reputable security audit institution to carry out security audits.
Zero-trust architecture is also an important investment within Bybit. It’s not an easy task and requires continued development. Nonetheless, we believe it is worthy of our efforts.
Our security system also covers privacy and information security. Bybit’s security team protects users’ data and information throughout the entire process, from account registration and login to trading and any other information exchange with the platform.
Finally, every employee of Bybit is subject to stringent background checks, compulsory security training and assessment for internal security control. We adopt the best practices of financial industry’s segregation of duties (SOD) in our office environment, system privileges and business processes.
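The withdrawal controls described under Security Risk Control (one withdrawal per user per eight hours, several layers of verification before anything reaches offline signing) together with the segregation-of-duties principle from this paragraph, as an added example written by the editor; it is not Bybit's code. What the "three layers" actually are is not stated on the page, so the three gates here (rate limit, destination whitelist, and a quorum of three reviewers from three distinct roles none of whom submitted the request) are assumptions; user ids, operator ids, addresses and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal

WITHDRAWAL_INTERVAL = timedelta(hours=8)  # one withdrawal per user per eight hours (from the text)
REQUIRED_APPROVALS = 3                    # "at least three layers": assumed to mean three independent reviewers


@dataclass
class WithdrawalRequest:
    user_id: str
    amount: Decimal
    address: str
    submitted_by: str       # operator who queued the request for review
    submitted_at: datetime
    approvals: list = field(default_factory=list)  # (reviewer_id, role) pairs


def check_withdrawal(req, last_withdrawal_at, whitelisted_addresses):
    """Return the reasons a request is blocked; an empty list means it may proceed to offline signing."""
    reasons = []

    # Gate 1: per-user rate limit.
    if last_withdrawal_at is not None and req.submitted_at - last_withdrawal_at < WITHDRAWAL_INTERVAL:
        reasons.append("rate_limit")

    # Gate 2: destination must be pre-registered for this user.
    if req.address not in whitelisted_addresses.get(req.user_id, set()):
        reasons.append("address_not_whitelisted")

    # Gate 3: approval quorum with segregation of duties. The submitter may not approve,
    # and the approvals must come from distinct people holding distinct roles.
    reviewers = {reviewer for reviewer, _ in req.approvals}
    roles = {role for _, role in req.approvals}
    if req.submitted_by in reviewers:
        reasons.append("submitter_approved_own_request")
    if len(reviewers) < REQUIRED_APPROVALS or len(roles) < REQUIRED_APPROVALS:
        reasons.append("insufficient_independent_approvals")

    return reasons


def example():
    # Constructed sample: one compliant request and one that trips every gate.
    now = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)
    whitelist = {"alice": {"addr-alice-hardware-wallet"}}
    good = WithdrawalRequest("alice", Decimal("0.5"), "addr-alice-hardware-wallet", "ops-1", now,
                             approvals=[("risk-1", "risk"), ("fin-1", "finance"), ("sec-1", "security")])
    bad = WithdrawalRequest("alice", Decimal("0.5"), "addr-unknown", "ops-1", now,
                            approvals=[("ops-1", "ops"), ("risk-1", "risk"), ("risk-2", "risk")])
    return {
        "good": check_withdrawal(good, now - timedelta(hours=9), whitelist),
        "bad": check_withdrawal(bad, now - timedelta(hours=2), whitelist),
    }


if __name__ == "__main__":
    for name, reasons in example().items():
        print(name, "->", reasons or "release to offline signing")
```

Two practical caveats: the rate-limit gate is only sound if the last-withdrawal timestamp is read and updated atomically (a row lock or compare-and-set in the database), otherwise two requests submitted at the same instant both pass; and the role check is only as good as the identity system behind it, which is why this kind of gate belongs behind a zero-trust, per-request authentication layer rather than a shared operator console.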
Bybit protects users’ cryptocurrency by relying on our professional security system and strict risk-control processes.
Given our significant investment in security and stringent risk management, Bybit is confident to commit to the promise that any form of security related loss not caused by user’s operations or negligence will be fully compensated.