Summary of Binance Deleting API Keys & Reverting Trades (July 3rd 2018)
On the 3rd July 2018 at around 8:18pm UTC, Binance experienced irregular trading for a number of users via their API. After this happened they made the decision to remove all existing API keys from their system, and to also rollback the irregular trades made via their API.
In this post we go through what happened with Binance, and how it effects things like cryptocurrency trackers like our own (which work using read-only exchange APIs).
What is a Binance API key?
When researching for this guide, it seems many readers aren't familiar with what an API key is, so we'll first give you a quick intro into API keys!
When you login to an exchange like Binance, you generally use a username and password. The username can be public, as the password is a secret only known to you. Without the combination of username & password no-one can log into your account.
An API key is similar, except instead of a username & password you have an 'API key' and an 'API secret'. The key is equivalent to your username, and the secret is equivalent to your password. You should be very skeptical any time you share your API secret.
The purpose of an API key is to allow things like trading bots & tracking systems to access an exchange account such as Binance without having to share your username & password. e.g. we have a crypto tracker which allows you to monitor your Binance balance & trade history. An important feature of Binance API keys is that you have control over what they can do (referred to as 'permissions'). You can limit an API key to be read-only, where it can't trade on your account or withdraw money. Below we discuss API key permissions in the context of this recent Binance announcement (where many users seem to have allowed their API keys trade access).
What led to this?
When you buy a cryptocurrency, it pushes the price of that coin up slightly; and when you sell it, it pushes the price down. As you buy/sell in higher quantities, the effect is more significant, where if you try selling millions of dollars of a coin it will significantly effect the price.
On the 3rd July 2018 it seems that a malicious person/group intentionally did this via API keys, where somehow they got their hands on many different API keys that had the 'Enable Trading' option selected. When you add an API key on Binance with this option ticked, it allows anyone with access to that API key to buy/sell any coin via the associated accoint.
At the time of writing this, we're unsure if these API keys were gained through Binance directly, or from various Binance users. It's possible that a website offering API trading could have been compromised leading to this, or even just that many individual users have had API keys stolen from them.
The coin effected in this scenario seems to have been Syscoin (SYS).
Can I still use the Binance API?
Binance posted a recap of the incident on Reddit here, and posted about the API key removals on their website here. At the time of writing this we don't seem to haven't received an email about the incident. There's another Reddit discussion on the topic here.
Regards using the Binance API. So long as you only have the 'Read Info' option ticked, their API should be safe to use. Through a read-only API key (having only the 'Read Info' option ticked means it's read-only), if you give this to a third party and they're malicious or hacked, the malicious person/group can only read your data, they can't trade using your account.
A big concern is that when you create an API key on Binance, the 'Enabled Trading' option is ticked by default. To avoid scenarios like what happened with Syscoin, perhaps they should require users to toggle this on themselves. Many users may have created trade-access API keys by accident that may have worsened the Syscoin situation.
How do I create a Binance read-only API key?
Follow these steps to re-add a read-only API key:
- Go to the Account page on Binance (login if required).
- Click on 'Enable' in the 'API' box.
- Select a name for your API key. If using our Coin Tracker, perhaps name it 'Anything Crypto'.
- Enter 2-factor code if enabled (you may have to enable this).
- You'll be sent an email to verify creation of the API key, in this email there's a button titled 'Confirm Create'. Click this.
- This may prompt you to name your API key again, repeat from step 3 if this happens.
- You should now see an 'API Key' and 'Secret Key' in front of you. Before doing anything with these two things, make sure only 'Read Info' is ticked (untick the 'Enable Trading' option) and click 'Save'.
- Your API key is now read-only, a third party can't trade using this (although they can view things like your balance & trade history).
- Before you do the next step, make sure you have a copy of your 'Secret Key'. After you close/refresh the page this will be hidden, and you'll have to re-create the API key if you don't have it somewhere.
- Refresh the page & ensure that Enable Trading' is NOT ticked.
DISCLAIMER: This site cannot substitute for professional investment or financial advice, or independent factual verification. This guide is provided for general informational purposes only. Anything Crypto is UK-based and not regulated by the FCA (Financial Conduct Authority). The group of individuals writing these guides are cryptocurrency enthusiasts and investors, not financial advisors. The ideas presented are our analysis, learning & opinions on a range of cryptocurrency topics. Trading or mining any form of cryptocurrency is very high risk, so never invest money you can't afford to lose - you should be prepared to sustain a total loss of all invested money.
This website is monetised through affiliate links. Where used, we will disclose this and make no attempt to hide it. We don't endorse any affiliate services we use - and will not be liable for any damage, expense or other loss you may suffer from using any of these. Don't rush into anything, do your own research. As we write new content, we will update this disclaimer to encompass it.
September 6th, 2018
What Caused the September 2018 Bitcoin Price Crash?
August 3rd, 2018
CoinMarketCap price spike because of Tether (USDT)?
Never invest money you can't afford to lose.
All information on this website is for general informational purposes only, it is not intended to provide legal or financial advice. We encourage you to consult your own legal & financial advisors before making any cryptocurrency-related purchase.