Can someone steal your funds via your Exchange API?

API is an acronym for Application Programming Interface, a way for external third-party applications to communicate with platforms (in this case a cryptocurrency exchange). Can hackers steal your funds if they have access to your API details?

API — The buzz around the crypto town

API has become a buzzword since the advent of cryptocurrency trading. If you are still wondering what it is, you’ve come to the right place. Our team has taken some time to keep it in layman’s terms. We can’t promise to explain it the way all those videos and blog posts with fancy titles like “Explain blah blah like I’m 5 years old” do, but we do promise to keep things simple and intuitive. Here’s our take on the API.

What’s an API?

API stands for Application Programming Interface. Okay, great, but what does it do? As the name suggests, it is an interface through which applications interact programmatically. In layman’s terms, it’s a messaging system that lets two applications talk to each other.

How does it work?

In practice, API access comes down to a couple of secret phrases that are shared between the applications so that they can interact securely. For instance, to view your information on Facebook, you need to log in. But an external application can communicate with Facebook using those secure phrases (if you provide them) and fetch the information it is allowed to see. This is a secure and legitimate way of sharing data: by handing over your secure phrases, you are allowing that application to communicate with Facebook and fetch your information on your behalf.

What are these phrases and how are they secure?

There are either 2 or 3 of these phrases, depending on the layers of security. They are generally called a key and a secret; the optional third phrase is a passphrase. They are generally alphanumeric and contain 32–64 characters. They act as keys to your account and are generated using cryptographic algorithms, so their security rests on the algorithm the application follows to generate them and to sign requests with them. Read more technical details on this here.

These API keys are created with a certain level of permissions attached to them. Whoever creates them has to specify the permission level an application gets by holding these phrases. This is what protects the privacy and security of your data.
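To make the key/secret idea concrete, here is an added example (not code from the original article, and not any particular exchange’s API) of the generic request-signing pattern most exchanges use: the client sends its key id plus an HMAC-SHA256 signature over the request, while the secret itself never leaves the client, and the server recomputes the signature, compares it in constant time, and rejects stale timestamps. The credentials, header names and endpoint path are constructed for this example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample credentials, NOT real keys. A real exchange generates
# these for you; they are here only so the example runs offline.
SAMPLE_API_KEY = "k_" + "a1b2c3d4e5f60718" * 2        # public identifier, sent with each request
SAMPLE_API_SECRET = "s_" + "9f8e7d6c5b4a3210" * 4     # never transmitted, only used to sign


def canonical_string(method: str, path: str, params: dict, timestamp_ms: int) -> str:
    """Deterministic text that both sides sign. Params are sorted so the client
    and server build byte-identical input regardless of dict ordering."""
    query = urlencode(sorted(params.items()))
    return f"{timestamp_ms}{method.upper()}{path}?{query}"


def sign_request(secret: str, method: str, path: str, params: dict, timestamp_ms: int) -> str:
    """HMAC-SHA256 over the canonical string, hex-encoded."""
    msg = canonical_string(method, path, params, timestamp_ms).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def build_signed_request(api_key, secret, method, path, params, timestamp_ms=None):
    """Client side: attach key id, timestamp and signature as headers
    (header names are an assumption of this example)."""
    ts = timestamp_ms if timestamp_ms is not None else int(time.time() * 1000)
    return {
        "method": method,
        "path": path,
        "params": params,
        "headers": {
            "X-API-KEY": api_key,
            "X-TIMESTAMP": str(ts),
            "X-SIGNATURE": sign_request(secret, method, path, params, ts),
        },
    }


def verify_signed_request(request, key_store, now_ms, max_skew_ms=5000):
    """Server side: look up the secret for the key id, recompute the signature,
    compare in constant time, and reject requests whose timestamp is too old
    so that a captured request cannot simply be replayed later."""
    headers = request["headers"]
    secret = key_store.get(headers.get("X-API-KEY"))
    if secret is None:
        return False, "unknown key"
    try:
        ts = int(headers["X-TIMESTAMP"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now_ms - ts) > max_skew_ms:
        return False, "stale request"
    expected = sign_request(secret, request["method"], request["path"], request["params"], ts)
    if not hmac.compare_digest(expected, headers.get("X-SIGNATURE", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    req = build_signed_request(SAMPLE_API_KEY, SAMPLE_API_SECRET,
                               "GET", "/api/v1/balance", {"asset": "BTC"})
    store = {SAMPLE_API_KEY: SAMPLE_API_SECRET}
    print(verify_signed_request(req, store, int(time.time() * 1000)))
```

The point for a key holder is the asymmetry: the key id is harmless on its own, but anyone who obtains the secret can produce valid signatures for whatever the key is permitted to do, which is why the permission level attached to the key matters as much as keeping the secret private.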

Security in the Cryptocurrency world

In our case, we are dealing with API keys created on cryptocurrency exchanges and shared with third-party applications that provide services around crypto holdings: trading, portfolio management, rebalancing, and so on.

Each such application needs a different level of access. Primarily, there are 3 levels of access permissions provided on exchanges.

  1. Read or View Only permission
  2. Write or Trade permission
  3. Transfer of Funds permission

Read or View only access

Applications using API keys with this permission can access your information but can only read it: present it on their platform, use it for some calculations, show it to you on a beautiful interface, and so on.

This access is the safest of all because it is read-only: if these API details fall into the wrong hands, the holder can see your information but cannot trade, transfer, or steal your funds.

Write or Trade access

This access is provided to applications that deal with automated trading, portfolio rebalancing, and algorithmic trading, and to third-party analyst firms that execute trades on your behalf using their own intelligence.

This is much needed to achieve efficiency and to let a computer apply analytical knowledge to make profits, but it is also important to keep in mind that these API details have the power to place trades on your behalf. In the wrong hands they can be devastating: a hacker can use your account to place orders against their own absurdly priced orders and drain your digital assets that way. Read more on this kind of attack.

Transfer access

This is the ultimate level of access. It has its own legitimate uses, such as arbitrage trading and other automated transfers of funds driven by smart contracts or other algorithms. In this case a third-party application needs transfer-of-funds access, usually alongside trading access (though trading access is not mandatory).

Transfer of funds covers both deposits to and withdrawals from the user’s account. If API details with this access get into bad hands, it can lead to permanent loss of funds, as the hacker would simply withdraw your assets. A combination of trading and transfer access being abused led to a $40MM loss on Binance. More details about that here.

Given the above, one should be careful about the access granted while creating an API key. Evaluate whether the API key is necessary at all, determine the level of access the third-party application actually needs, and then select the appropriate privileges.

Granting more privileges than needed gets you into unnecessary trouble.
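The three permission levels above map naturally onto a server-side scope check. The following added example (not code from the original article, and not any exchange’s real implementation; the endpoint names and key labels are constructed) models keys carrying a set of scopes, shows the exchange denying any call the key was not created for, and lets you see, for a given key, exactly what a leaked copy of it would allow, which is the “blast radius” the article is warning about.

```python
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    READ = "read"          # view balances, trades, history
    TRADE = "trade"        # place and cancel orders
    TRANSFER = "transfer"  # withdrawals and deposit management


# Which scope each endpoint demands. Endpoint names are constructed for this
# example; real exchanges use their own paths.
ENDPOINT_SCOPES = {
    "GET /balances": Scope.READ,
    "GET /trade-history": Scope.READ,
    "POST /orders": Scope.TRADE,
    "DELETE /orders": Scope.TRADE,
    "POST /withdrawals": Scope.TRANSFER,
}


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    label: str
    scopes: frozenset


def create_key(key_id: str, label: str, *scopes: Scope) -> ApiKey:
    """Mint a key with exactly the scopes the user ticked at creation time."""
    return ApiKey(key_id, label, frozenset(scopes))


def authorize(key: ApiKey, endpoint: str):
    """Server-side gate applied to every authenticated request. Unknown
    endpoints are denied by default; known ones require the key to hold the
    endpoint's scope."""
    required = ENDPOINT_SCOPES.get(endpoint)
    if required is None:
        return False, f"unknown endpoint {endpoint}"
    if required not in key.scopes:
        held = sorted(s.value for s in key.scopes)
        return False, f"{key.label}: {endpoint} needs {required.value}, key has {held}"
    return True, "ok"


def blast_radius(key: ApiKey) -> str:
    """Worst thing a holder of a leaked copy of this key can do, in the
    article's terms: read, trade, or withdraw."""
    if Scope.TRANSFER in key.scopes:
        return "withdraw funds"
    if Scope.TRADE in key.scopes:
        return "place orders on your account"
    if Scope.READ in key.scopes:
        return "view balances and history"
    return "nothing"


def reachable_endpoints(key: ApiKey):
    """Every endpoint this key can successfully call, for reviewing a key's
    privileges before handing it to a third party."""
    return [ep for ep in ENDPOINT_SCOPES if authorize(key, ep)[0]]


if __name__ == "__main__":
    tax_key = create_key("k1", "tax tool", Scope.READ)
    bot_key = create_key("k2", "trading bot", Scope.READ, Scope.TRADE)
    for key in (tax_key, bot_key):
        print(key.label, "->", blast_radius(key), reachable_endpoints(key))
    print(authorize(tax_key, "POST /withdrawals"))
```

Running it shows the read-only tax key being refused on `POST /orders` and `POST /withdrawals`, and the trading key being refused on `POST /withdrawals`: whatever the third party’s software does, the exchange enforces the ceiling you set when you created the key, so choosing the lowest scope that still works is the decision that limits the damage.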

Summary

Now that you know how the API and its access mechanism work, remember that hackers can manipulate your data and steal your funds only if you grant an application more power than it needs. So, unless you know what you are doing and why you are granting the access, keep away from API usage.

  1. If you are aware of an application needing your API access like a portfolio app or a tax calculation app to read your transactions — grant Read-Only access and nothing more.
  2. If you are a sophisticated trader and have learned well about the algorithmic trading practices and other rebalancing strategies — then you can use certain platforms and grant them trading access. There is still a chance of these platforms getting hacked and your keys being misused by hackers, so it’s your decision to take that risk depending on your trust of that platform and their security.

Always ask questions and discuss with the team or support why certain privileges are necessary. Most of the time, applications will have an answer in their FAQ section.

This article has been first published here on BearTax blog, as educational content to make users aware of API usage and precautions around its usage.

Note: Tax tools like BearTax would only need to read your transaction history and calculate capital gains or losses based on those numbers. There is absolutely no necessity for such applications to have trade access or transfer access. Thus we ask you to grant READ or VIEW only access while creating an API key.
