How safe is this Gainium?
The question arise because I’m an 3Commas user and there were issues before where people lost money. I don’t know the story how this happened but it made me abandon 3Commas for awhile. I activated the 2fa so that is start…
I was one of the people who had their Binance accounts drained because of 3commas.
Someone at 3Commas sold lists of APIs to a group of hackers.
At the time 3commas and Binance had no way to limit API access by IP addresses, which mean’t the hackers only needed the API and they could spoof Binance into thinking the trades were coming from 3commas.
3commas have improved security, but as they did nothing to help those of us who lost money due to their system, I will no longer use their platform.
1 Like
I’ve talked about this many times in Discord and Telegram, but leaving it here for reference would be good.
First, let’s address the elephant in the room, the API leak from 3commas was either an internal job (an employee with access sold the information) or a severe security oversight on 3commas part (like inadvertently exposing unencrypted API keys). With the basic security measures most trading apps have today, is next to impossible for a hacker to extract, decrypt, and use those API keys. There are 3 layers of security here, and each needs to be breached for the hacker to use the keys successfully. Here are the layers:
- Extraction: Most people think about this when hearing the word “hacked.” This comprises using advanced techniques to penetrate a system and download the data. It is very difficult, especially with today’s standard firewall and safeguard systems in most web applications. However, it is not impossible. But even if the hacker succeeded here, two other layers exist to overcome.
- Decryption: This is the most difficult, and unless the hacker has a futuristic supercomputer, it is practically impossible. If the hacker managed to extract data, the data would be encrypted, as this is the standard practice for sensitive information. Decrypting the data with today’s computers would easily take several lifetimes.
- Usage: Also important to note that if the hacker extracted and decrypted (or, most realistically, the company failed to encrypt and the hacker obtained unencrypted data), he still needs to be able to use it. There is another safeguard for that, and that is the API IP whitelisting. In essence, the API can only be used with certain IPs, in this case, the IP of the bot platform, so the hacker not only has to go through the hurdle of obtaining usable information but also needs to take control of the company server to send orders to the exchange from there. And there is another safeguard in place, token whitelisting. Though admittedly, most people don’t use this. We still encourage people to do so because it will 100% render the API keys unusable for their hacking, even if they overcame all previous hurdles. I’ve explained that here: Enhancing security of your exchange API keys
So, in short, it is not as easy as people think for a hacker to obtain and use stolen API keys. I believe the 3commas hack was an internal job for the reasons explained above. Nevertheless, the FBI is conducting their investigation and will hopefully shed more light. I also don’t discard that the keys were somehow exposed and made easily accessible to a hacker, but that would have been a pretty serious mistake on their part and not to be confused with hackers being able to hack any company they want.
I should also add that the hacker managed to use those API keys because 3commas didn’t have IP whitelisting. For years, users have asked 3commas to enable IP whitelisting; they didn’t listen. The worst part is that it wasn’t technically complicated, as seen by the swift implementation after the attack. They just weren’t interested. At Gainium we implemented IP whitelisting even before the hack happened.
4 Likes
That is really less nice experience. I hope you was able to earn your lost money back. Thanks for sharing.
Thank you for the extensive explanation. It made things clear! This give me a good feeling about to use Gainium. 
Thank you Marcel, unfortunately I’ve not had any money to trade so I haven’t made any back yet.