Dev Diary: October 2018

It’s been a busy month for everyone here at Dimensions Network. The team has been focusing their efforts to make improvements on the UI, Security and a host of other essential areas. Here’s a roundup of what we’ve been working on throughout October.

ALPHA UI

After the release of our Alpha platform in September, we took the opportunity to rebuild our UI from scratch to improve performance, modularity and maintainability. Improved modularity will enable additional features to be added without impacting the core exchange, and therefore maintaining rock solid security.

The new UI is being built in the recently released Angular 7, and uses a multiple page structure to better segregate features.

AUTO TRADING BOT

The auto trading bot is complete and will be integrated into the platform once the new UI is complete. This bot will simulate a large volume of trades on the platform, and keep prices in line with other major exchanges. This bot is for TESTNET purposes only, and not for use with live cryptocurrency.

Once integrated into the platform, we will spawn multiple trading bots to trade against each other, and use this to load test the platform in a "live" production environment.

SECURITY HARDENING

Security is always on our minds and all of our APIs need to be battle hardened to prevent abuse, and keep our platform up 24 hours a day, 365 days a year. Bad actors are always around the corner, looking to take advantage of any weakness they can find. The three largest attack vectors we are addressing are:

  • Brute force cracking
  • Denial of service
  • Phishing

Brute Force Cracking

Recent allegations were made against a well-known exchange that a bad actor was able to Brute Force a user's 2FA TOTP key. Once in the user's account the bad actor was free to do as they like.

We have taken a second look over our User Authentication, and reauthorisation protocols to ensure that there are no opportunities for a user’s password / TOTP key to be brute forced. Further to this, restrict a bad actor from abusing our "register" and "forgot password" APIs to make millions of repeated requests to find out which email addresses are already registered on our platform, then use this to attempt password resets.

Denial of service

We have seen a couple of Denial of service attacks on our token sale website in the past, and we are sure that these attacks will only intensify over time. During these attacks, a bad actor will attempt to overload our website with millions of requests for information, in the hopes that it will slow down our servers so much than genuine users are unable to connect. The bad actor will then demand money from us, or they will not stop their attack. You know what they say about never negotiating with terrorists, well the same applies here.

Some of the denial of service attack vectors we have been closing include:

  • Dust Deposit Attack: Every trader is different, some will deposit 0.1 ETH into their exchange account, others will deposit 1,000 ETH in one go. Our platform tracks every deposit and if a user deposits less than the minimum deposit then we would only credit this once they have sent enough to meet the minimum.

    A bad actor could use this knowledge to swamp our deposit facility by sending a million tiny deposits over the course of a few days, to try to make our deposit system grind to a halt. On the Ethereum (ETH) network, this could be done for less than 20 ETH, a small cost for a sophisticated attacker. This could be done for even less on other blockchains with cheaper gas / transaction fees. We have thought about all the angles and put in place measures to prevent abuse.

  • Websocket Flood: Websocket connections are an integral part of the trading interface of web based cryptocurrency exchanges. They are used to get "real-time" market and execution data to the user’s browser, enabling the user to visualise the market and make the most appropriate trading decisions. Some users will trade with only one browser tab, but others will keep multiple browser tabs open, across their desktop, laptop, tablet and mobile. With each open tab on each device, multiple websocket connections are made and take up resources on our platform servers.

    A bad actor can attempt to open tens or hundreds of millions of different websocket connections on our public and private user websockets. Their goal being to overwhelm our platform and prevent genuine users from accessing our site. We take a two pronged approach to protect against such attacks, firstly by using our Erlang infrastructure to spawn and maintain each websocket, the memory requirements are extremely small. Secondly we have been writing extensive restrictions aimed at limiting what a bad actor can do, whilst maintaining seamless and uninterrupted access to our users.

  • Phishing: is a fraudulent attempt to trick someone into revealing their login credentials or sensitive information to a malicious third party. The most common approaches seen in the cryptocurrency ecosystem have had at least one of the following elements: emails pretending to be an exchange/project, copycat Slack / Telegram profiles, and copycat malicious websites. During 2017, many people were tricked into revealing their private keys on fake versions of the popular MyEtherWallet website. Their Ethereum based cryptocurrency balances were then subsequently stolen.

    Two factor authentication is a great safeguard against Phishing attacks and we already have this in place. We have been working on some additional back-end protections to minimise the risk to a user's funds if their login credentials are stolen. Such as additional security checks if a user suddenly logs in from a different country.

MULTI-USER ACCOUNTS

Multi-user accounts are a critical requirement to onboard institutional funds, and private trading groups. We have been improving the capabilities and access levels on our multi-user accounts which allow teams of traders to work together in a safe and secure fashion.

Once the access levels between users has been thoroughly tested and the UI completed, we will bring this live on our Alpha platform.

The next stage for our multi-user accounts will be the creation of a request/approval structure. For example, a trader from XYZ company requests a withdrawal of 100 BTC, this is then sent to their manager for approval, once approved we send the withdrawal. Everything is tracked and recorded to ensure strict transparency from the users perspective.

DEPOSITS AND WITHDRAWALS

We have reworked our Ethereum deposit and withdrawal infrastructure to allow for fast addition of new ERC-20 tokens. The process to add a new ERC-20 token now takes less than a minute, which means that we can quickly add the latest and greatest projects onto our platform.

For those tokens which do not follow the ERC-20 standard functions, we have been working to standardise the basic functions and database schemas for the deposit and withdrawal module. The objective being to simplify the addition of non-ETH tokens, or blockchain tokens in their own right. Once we have completed our standardising process, the work required to add a brand new blockchain token should be reduced by around 90%, so we will only need to do the final 10% which interfaces with the blockchains node. This will save a lot of time down the line, and keep things fast and performant.

The next stage is to connect our Deposit and Withdrawals module into our Alpha platform. However, we have a couple of loose ends to tidy up first, including some load testing on the Ropsten testnet. You can see one of the made up tokens which we have been using on Ropsten for basic testing here.

KYC

We now have two implementations in place for KYC. The token sale KYC is live and is currently being used by our token sale participants. We have a secondary KYC implementation in place for the exchange platform, and have been working to set this up. The KYC process for our exchange platform will be streamlined and much simpler than the token sale KYC.

QUIZ QUESTIONS

We have a bank of approximately 500 knowledge based questions to certify our users to trade more complex trading instruments. The review process for these questions has often taken a back seat to more critical tasks, but we have been making some progress to review, update, and improve the questions. Approximately 20% of the questions have completed the review process and are ready to go.

We are slowly reviewing the remaining questions in the background, and we will let you know when they are complete.

SEED SALE

Our seed sale closed on the 29th of October and represents the completion of the first of our three stage token sale process. Please visit our token sale page for details about the three different token sale stages.

In total we have raised 1,076 ETH from our 2,000 ETH hardcap.

The Primary Sale is due to start around the end of 2018, and we will take this opportunity to raise additional funds to support our growth.

MORE GREAT THINGS TO COME

The dev team are continuing the development and testing of new features, and you will see these in the Alpha platform as each is ready for addition. Check back from time to time and see our progress.

Thanks for reading!

Dev Diary: October 2018
Share this