Vulnerability Warning: Analysis of “Shearing wool” in Exchange Vulnerabilities

Author: , Created: 2018-11-05 11:57:01, Updated: 2019-12-03 17:40:05

NO.1 Forward

In recent years, the digital currency industry based on blockchain technology and cryptography has experienced explosive growth. As one of the most important links in the digital currency industry chain, the blockchain asset exchange has undoubtedly played a pivotal role. It connects the first and second markets of blockchain investment, and also connects project parties and ordinary investors. img According to statistics, there are currently more than 2000 exchanges on https://coinmarketcap.com/ website (the largest cryptocurrency exchanges information site in the world) platforms, and there are even thousands of them that have not been included. Even so, the new comer are still entering.

In the context of everyone coming to the exchange to trade, almost every exchange has dozens or even hundreds of trading targets. In a market with limited stocks, small and medium blockchain assets and exchanges will face a lack of liquidity situation.

NO.2

Why is the market making strategy is so important?

The emergence of market making robots has changed this situation by participating in market making in the market, curbing excessive speculation in the market due to asymmetry of information and resources, and maintaining the good and smooth operation of the trading platform. img img And to reduce the traditional trading method, the so-called bookmaker secretly manipulates the price phenomenon to enhance market attractiveness, improve liquidity and volume, meet the trading needs of ordinary investors, and stabilize market confidence.

Today, in order to make new exchanges and new currencies better to establish connections with ordinary investors, and to solve many problems faced in the initial stage of listing, whether it is small and medium-sized exchanges or blockchain projects, they have to Rely on the market making robot.

NO.3

Principle of market strategy

The market making strategy keeps on providing two-way quotations for buying and selling through the market making system, tracking price changes. Through a large number of high-frequency buy and sell transactions, the price difference between each transaction price and the theoretical price is gradually accumulated, and the price difference is dynamically adjusted according to the characteristics of the position. img There are two common market making strategies for ordinary exchanges:

Passive market making: The market making strategy tracks the in-depth data and transaction data of the mainstream exchanges. Instead of making a large active choice, it passively follows the market, pursuing the most close tracking and complete replication, trying to reach the same level as the mainstream exchanges.

Free market making: This market-making model does not refer to other trading targets, but instead makes a market based on its own costs and set orders. This model is suitable for environments where the pricing power of the relevant currency is relatively concentrated, such as small blockchain assets or exchange-issued currencies.

NO.4

Market making Strategy Vulnerability

Whether it is passive market making or free market making, it is necessary not only to solve the price problem of the transaction target, but also to solve the liquidity problem. Therefore, in order to activate the market, it is necessary for the market making strategy to buy and sell itself; otherwise, it will be difficult to form a decent K-line.

A common method is to randomly specify a price to sell near the market, and immediately buy at the same price. Or, based on random prices, buy first and then sell.

Usually because the time between buying and selling is very short, the corresponding pending order is often not found in the depth data, but the transaction record can be left in the historical data. The K line is drawn by this market making method.

Please pay attention! The loopholes are like this.

In order to generate a continuous K-line, the market making strategy has bought a self-selling pending order near the market, but it has hidden a loophole. Although the strategy selling order is issued at the same time, but because the network problem and the speed of the match are not ideal (it will never be the ideal state), which results in the order of the market strategy have a certain chance of being executed by others.

Imagine if there is another high-frequency strategy in the market, it always sells the selling order of the market making strategy at a lower price, and also pays the bid for the market making strategy at a higher price, as long as this high-frequency strategy can make price difference and obtained profit by covering the commission fee. This will cause the market making strategy to sell low and buy high, which is extremely dangerous!

NO.5

Practical demonstration

After carefully observation, the ETHUSDT transaction of an exchange has a market-making phenomenon. The reference object may be the Binance’s ETHUSDT data. By observing the order book data of the market, it is found that there are lot of self-execution orders, and the buying and selling direction is random. The following picture shows the day. The K line generated by the market making strategy. img Usually, the high-frequency strategy is not randomly priced at the market, but is based on the random change of the last transaction price of the market making strategy. In this way, in fact, the transaction price is difficult to touch the low price and high price of the market, coupled with the limited success rate of obtaining market-making strategy orders, there is almost no profit margin.

Even the risk of unilateral positions. This may seem impeccable, but if we use the bug that the market order must be placed in the market, we can easily crack the exchange’s market making strategy and make huge profits.

NO.6

Specific steps are as follows:

When a low price transaction is expected, a certain price pending selling order is added on the basis of the latest buying price. For example, when the buying price is 200, the pending selling order of 200.1 is sent, and then the bid of 200.09 is continually sent and immediately revoked. When the transaction is completed, the reverse operation is immediately performed, and the sold coins are sold at a high price, thus completing a cycle.

Although there is not a large success rate, but through a large number of frequent withdrawals, the chances of capturing this will be greatly increased, and the profits will still be considerable. img Analysis of “Shearing Wool” in Exchange Vulnerabilities

As shown in the above figure, a high-frequency strategy was written on the FMZ quantitative trading platform (FMZ), and there was almost no retracement in the real-running operation. In just one night, I went from 1000USDT to the profit of 4000USDT.

This is still just a single gentle high-frequency strategy, if you use multiple accounts, multiple contracts and multi-threading will increase profits more considerable. After using this vulnerability, the high-frequency strategy steals huge amounts of money, leaving behind the ruined K-line, as shown below: img NO.7

High-frequency strategy based on exchange market making strategy vulnerabilities source code img The above strategy source code is based on the FMZ quantitative platform (FMZ — 发明者量化)

NO.8

Method of prevention

After we know the principle of this high-frequency strategy, in response to this market-making strategy loophole, it is simple to solve the problem. For example, when the self-execution price of the market-making strategy is low, it only sends the buying order first and then selling order, and vice versa, so that it will not be executed by others. Another way is to put all the transactions and pending orders within the range that can be hedged on other exchanges.

Postscript

Although the exchange is at the top of the blockchain industry, it is like a giant who is out of the way, revealing more attack surfaces and exploitable points.

Objectively speaking, the unreasonableness that can be pushed out through the order is likely to have more hidden bugs. For example, using the above obvious exchange market making strategy loopholes, attackers can skillfully design various hidden attack strategies, and they can be unknowingly.

Nowadays, digital currency has become a new target for investment, and the exchange has become an arena for many hackers. The hackers hiding in the dark are like hungry wolves. They wait for the opportunity to move, staring at the flaws of the exchange, preparing for a fatal blow. The blockchain centralization exchange can only strengthen its own defense deployment, so that customers can truly deal with worry-free transactions.


More