Binance, the world’s largest crypto exchange, has launched an initial version of its highly anticipated decentralized trading service (dex), which is available now at testnet.binance.org.
The launch — which is initially a testnet as the URL suggests — has been a long time coming and is designed to complement the main Binance exchange, which does around $1 billion in daily trading volumes, according to data from CoinMarketCap.com.
That core service is centralized, like most others, meaning that the exchange manages its customers’ fiat or cryptocurrency balance for them. Centralized exchanges also set the price, pick the selection of assets on offer and make money from transaction fees. Some see that as necessary, but others disagree. Ethereum creator Vitalik Buterin went so far as to say that centralized exchanges should “burn in hell” for their controlling position.
Centralized custody, as seasoned crypto traders will tell you, leaves customers open to losses from hacks, shutdowns or other kinds of unexpected issues. Common advice is for users to take control of their own cryptocurrency and manage it via a wallet. That’s where a dex comes into play, because it allows users to trade directly from their wallet, as opposed to the cumbersome exercise of transferring tokens into an exchange to trade and then withdrawing them afterward. So the Binance dex is a direct complement to its centralized exchange and it gives customers more options.
Binance also claims that it offers speed.
“Binance Chain has near-instant transaction finality, with one-second block times. This is faster than other blockchains today,” said Binance CEO Changpeng “CZ” Zhao in a statement. “With the core Binance Chain technology, Binance DEX can handle the same trading volume as Binance.com is handling today. This solves the issues many other decentralized exchanges face with speed and power.”
Zhao has also touted the dex as a new revenue driver for the company because it sits on Binance’s own blockchain, with the company operating a number of nodes itself. Zhao previously told TechCrunch that when its nodes are used in transactions, the company will gain some of the network fee. Not that Binance needs help making money; a recent report from The Block suggested it made a profit of $446 million in 2018, a year that was most definitely a downer for the crypto industry across the board.
We do have one concern about the Binance dex, however, and that is that it includes an option to unlock a wallet using a private key.
Pasting a private key into a browser is a major no-no in crypto circles, as it leaves users vulnerable to phishing attacks.
Users are encouraged to avoid this option for unlocking a wallet because there is a plethora of alternatives, including MetaMask — a popular browser extension with more than a million users — hardware devices such as Ledger, Trezor or YubiKey and — more recently — authentication apps from the likes of MyEtherWallet or Parity Signer.
Of those secure options, the Binance dex currently supports Ledger (the hardware and app), but the other options are KeyStore file upload or the less-secure private key or mnemonic phrase.
While you can argue that the onus is on the user when it comes to private keys, service providers do have a responsibility.
Many, including Zhao, commonly claim that crypto adoption is in its early days, while terms like “education” and “democratization” are repeated often by many in the space. Removing the private key option, and thus limiting potential phishing attacks, would seem to be a part of educating new users and helping make crypto safe for others who join.
It may seem far-fetched, but the phishing threat is very real. Leading wallet MyCrypto.com said it had been hit by attacks regularly, including a hijack on its Amazon DNS servers, while MyEtherWallet was hit at least twice last year as attackers went after its DNS and phished other users by compromising a free VPN service. More widely, research from Cisco suggests phishing attacks grabbed $50 million over three years while scammers were said to have stolen $2.3 million in Q2 2018 alone, according to Kaspersky data.
These threats led MyCrypto to drop the private key option from its primary web-based service.
“We’re removing support for private keys on the web version of MyCrypto because it’s not safe — and we encourage others to follow suit,” the company wrote in a Medium post.
But others haven’t followed.
MyEtherWallet, which competes directly with MyCrypto, has a strong warning around its private key entry option while Binance, to its credit, is warning dex users that using a private key or mnemonic phrase to unlock their wallet means there’s “a much higher chance [of losing them] due to phishing websites or applications.”
There is a positive. Binance said it plans to add the option to unlock a wallet on the dex using Trust Wallet, the mobile app it acquired last year.
“We’re working toward decentralized accessibility to cryptocurrency. We want users to have full control over their private keys, and easy access to decentralized applications, to maximize the potential and mainstream adoption of cryptocurrency. Binance DEX is one step further to realizing our vision for greater freedom of money,” Viktor Radchenko, the founder of Trust Wallet, said in a statement.
That would certainly be a major step forward for tightening security. Still, it is somewhat disappointing that Binance hasn’t taken a stand here. It certainly has the clout to send a major message out to the industry and cut down on potential phishing attacks.
Note: The original version of this article has been updated with more information about phishing attacks and attack data.
The author owns a small amount of cryptocurrency. Enough to gain an understanding, not enough to change a life.