OpenLedger Security Risks

Introduction (skip if you are familiar with DEX gateways)

--

“What is a gateway?”: OpenLedger (abbreviated OL) is the biggest company operating continuously on the Bitshares platform. OL is a gateway that performs the function of custodian for non-bts-native assets. They issue certificate tokens with rights of withdrawal in exchange for custody of the original asset. The user may then trade this token for another asset. Even if the certificate has changed hands 10 times the gateway stands by a promise to redeem the original asset to the ultimate certificate holder upon demand.

--
This is an update to a review of the OpenLedger exchange platform by Hive account@murda-ra written almost one year ago – (https://steemit.com/cryptocurrency/@murda-ra/review-of-a-cryptocurrency-exchange-openledger-info). Here is the ranking from that review -

Ease of use -
GRADE 8/10
Account/Transactions Security -
GRADE 10/10
Hosting/Brand Security/Reputation -
GRADE 3/10

The overall review was positive and recognized OpenLedger as the premier gateway on the bitshares decentralized exchange. The lowest grade on hosting/brand security was a result of lacking DNS for the IP (a security no-no when dealing with value as large as transacts on the Dex).

The review ends with this chilling passage:
“We strongly suggest use of this exchange. Except few hosting security leaks and ownership/domain validation that are looking fishy a bit, this is probably best/most value for users Exchange interface available in CryptoCurrency Community. Let's hope they will show us stability, and prove me wrong for few things.”

With this background we will turn to recent events and the following announcement from OL CEO Ronny Boesing over the weekend.

“ATTENTION please: To anyone normally using openledger urls whether domains bitshares.openledger.info or OpenLedger.io to access the trading platform we would highly recommend to access your account via the bitshares domain https://wallet.bitshares.org/ until further notice. We have lost control of above mentioned domains, and are awaiting for domain provider to change access. Hackers have full access to domain and SSL, so it’s not secure to use openledger domain even if it’s url is highlighted as trusted. There are phishing activated. To anyone who Got hacked We advice to change password and/or bin file more details here: https://github.com/bitshares/bitshares-ui/wiki/Cloud-Wallet-Login-and-changing-password. Our team has started investigation. We will be back with news soonest possible. Yours sincerely OpenLedger Team.”

Recognizing that running a critical business at scale is a challenging proposition this author attributes a good-faith effort on behalf of the OL team to safeguard customers’ assets. However, the benefits of an immutable blockchain is that individuals can excavate ideas and warnings from long ago. It appears Hive account@murda-ra’s foresight was 20/20 on the risks of OL’s technical operations.

Has anyone here been affected by the OL domain being compromised? I would like to hear your thoughts and experiences in the comments below.