Bitcoin btc
$ usd

How Hackers Exploit Vulnerabilities in Centralized Exchanges With False Deposit Attacks

2 mins
Updated by Geraint Price
Join our Trading Community on Telegram

In Brief

  • Blockchain security firm SlowMist reveals vulnerabilities in centralized exchanges used for false deposit attacks.
  • Hackers exploit these vulnerabilities to send counterfeit transactions, which exchanges often mistake for genuine deposits.
  • SlowMist suggests best practices to avoid false deposit attacks, including multi-confirmation mechanisms and regular security updates.
  • promo

The blockchain security firm SlowMist has shed light on certain security vulnerabilities with centralized exchanges and how hackers use them to conduct false deposit attacks.

While blockchain technology is in its early stages, hackers are developing sophisticated techniques to steal funds from projects and users.

How Exchanges Deposit Funds to Users’ Wallet

When a deposit is made to a centralized crypto exchange, there are various steps before the amount is credited to the users’ address. The infographic below shows those steps, starting with a request for a deposit and the generation of a unique wallet for the user.

SlowMist's infographic shows the steps during deposits in centralized exchanges.
SlowMist’s infographic shows the steps during deposits in centralized exchanges.

However, hackers are tricking the process by sending counterfeit transactions that the exchange identifies as genuine deposits. SlowMist shared an example of the “TON Bounce-back False Top-up.”

Case Study of False Deposit Attack in TON

Hackers have exploited the vulnerabilities in the transaction for depositing Toncoin (TON), a project from the messaging platform Telegram. 

The screenshot below shows a transaction using the RPC interface. Generally, the centralized exchanges will verify if the users’ deposit address is mentioned in the “destination” of the “in_msg” property.

However, if the exchanges fail to notice the “out_msgs” property, they might credit the users’ accounts with funds without receiving the deposit. In layman’s terms, the “out_msg” property would refund the funds to its origin account.

Screenshot of the malicious transaction for false deposit attack. Source: SlowMist
Screenshot of the malicious transaction for false deposit attack. Source: SlowMist

SlowMist has also shared best practices to avoid false deposit attacks:

  • Multi-confirmation mechanism to avoid falling trap to false deposit attack   
  • Rigorous transaction matching to ensure the transaction matches with normal transaction pattern
  • A risk control system that could detect malicious transactions.
  • Manual review for larger deposits and to decrease the system reliability.
  • Enhancing API security to stop bad actors from accessing the system 
  • Temporary withdrawal restrictions after a user’s wallet receives a deposit. 
  • Regular security updates to fix the vulnerabilities, if any.

Got something to say about the false deposit attack or anything else? Write to us or join the discussion on our Telegram channel. You can also catch us on TikTok, Facebook, or X (Twitter).

For BeInCrypto’s latest Bitcoin (BTC) analysis, click here.


In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content.

Harsh Notariya
Harsh started investing in crypto during the 2021 bull market. He took the opportunity of the market crash in May to learn more about Bitcoin and blockchain technology. Since...