
Serious bugs and vulnerabilities in the XChange library

XChange is a popular open source Java library for interacting with cryptocurrency exchanges.

Despite its usefulness, several serious bugs and vulnerabilities have been discovered in it:

  1. Incorrect exception handling vulnerability (2017): In older versions of XChange, improper exception handling could leak sensitive data such as API keys. If an exception was thrown while an exchange response was being processed, an error message containing that sensitive data could be written to the log, where it became available to anyone able to read the logs. The problem was fixed in later versions.
  2. Potential insecure HTTP vulnerability (2017): XChange previously used plain HTTP rather than HTTPS by default to communicate with exchanges, which could allow an attacker on the network path to intercept sensitive data. The library now uses HTTPS by default.
  3. Bugs causing balances to be displayed incorrectly (2018): Errors in the XChange code meant that account balances could be displayed incorrectly in certain situations; for example, a balance was sometimes shown as zero when it was in fact non-zero. Such errors could mislead users about the real state of their accounts.
  4. Problems handling API errors and network errors (2019): Problems were identified in how XChange handled errors returned by exchange APIs, as well as network errors. Failures were sometimes silently ignored rather than reported to the user, which could have negative consequences.
  5. Signature verification bypass vulnerability (2021): Researchers discovered that, using the library, it was possible to bypass request signature verification in exchange transactions, potentially opening an attack surface. The developers fixed the vulnerability quickly after it was reported.
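The first two items above (secrets leaking through logged exception messages, and plain-HTTP endpoints) are the kind of problems an application can guard against on its own side, independent of the library version. The following helper is an added example written for this article, not code from XChange or Knowm; the class name, the `[REDACTED]` marker and the sample credentials are all assumptions, and the secrets passed to it would in practice be the same API key and secret key handed to the exchange client.

```java
import java.net.URI;
import java.util.List;

// Hypothetical application-side helper (not part of XChange): strips known secrets
// from exception text before it reaches a log, and refuses non-HTTPS exchange endpoints.
public final class SafeExchangeLogging {

    private final List<String> secrets;

    public SafeExchangeLogging(List<String> secrets) {
        this.secrets = secrets;
    }

    /** Replace every occurrence of a configured secret with a fixed marker. */
    public String redact(String text) {
        if (text == null) return null;
        String out = text;
        for (String s : secrets) {
            if (s != null && !s.isEmpty()) out = out.replace(s, "[REDACTED]");
        }
        return out;
    }

    /** Describe an exception and its whole cause chain without exposing secrets in any message. */
    public String describe(Throwable t) {
        StringBuilder sb = new StringBuilder();
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            if (sb.length() > 0) sb.append(" <- caused by: ");
            sb.append(cur.getClass().getSimpleName()).append(": ").append(redact(cur.getMessage()));
        }
        return sb.toString();
    }

    /** Accept only https endpoints, so a plain-http URL cannot slip in through configuration. */
    public static URI requireHttps(String endpoint) {
        URI uri = URI.create(endpoint);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("exchange endpoint must use https, got: " + uri.getScheme());
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample credentials for the demonstration; never real keys.
        SafeExchangeLogging log = new SafeExchangeLogging(List.of("EXAMPLE_API_KEY_123", "EXAMPLE_SECRET_456"));
        Exception e = new RuntimeException("exchange returned 401 for key EXAMPLE_API_KEY_123",
                new IllegalStateException("signature built with EXAMPLE_SECRET_456 was rejected"));
        System.out.println(log.describe(e));
        System.out.println(requireHttps("https://api.example-exchange.test/v1"));
    }
}
```

Redaction by substring match only catches secrets the application already knows; it is a second line of defence behind not putting raw exchange responses into exception messages in the first place.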

Although active development of XChange continues and many issues have been fixed, these examples show that even popular open source libraries can contain serious bugs and vulnerabilities. It is therefore important to update libraries to the latest versions regularly and to follow reports of security issues closely. Developers should also review the code of the libraries they use and add their own security checks to their applications.

XChange is one of the most popular libraries for working with cryptocurrency trading platforms such as exchanges. Developed by the Knowm team, it provides a uniform interface to the APIs of many exchanges, giving developers access to a wide range of financial operations. However, like any software system, XChange is subject to the risk of errors and vulnerabilities. In this article we look at potentially serious problems that may have arisen, or may still arise, in the library.

  1. Common errors and miscalculations in the code
  • Several null pointer exceptions can occur if the user does not configure dependencies correctly or does not validate input data in advance, which can cause operations to behave incorrectly.
  • Improperly implemented authorization or configuration code can allow unauthorized operations or even leak sensitive information.
  2. Security and attacks
  • A vulnerability in the processing of JSON data could lead to cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks if the library does not apply sufficient protection measures.
  • Data exchanged without encryption can leak clients' personal information, especially where passwords or private keys are stored.
  3. Compatibility and failing dependencies
  • New versions of exchange APIs may cause unexpected errors if XChange does not keep up with them promptly, so that its behaviour or functionality no longer matches what the exchange requires.
  • Library dependencies can also become a problem if they are not updated or contain known vulnerabilities, which can threaten the stability and security of applications.
  4. Unaddressed security issues
  • Some library methods or functions that do not validate input or handle errors correctly can allow unintended or arbitrary operations.
  • Failing to check data types before using them can lead to type confusion or errors when incorrect data reaches important operations.

Conclusion

Unfortunately, any software, including XChange, can have bugs and vulnerabilities. It is important to note, however, that the Knowm library developers and their community actively monitor and fix the issues found. Users should follow updates, configure the library correctly and apply additional security measures such as code reviews and protective mechanisms when integrating XChange into their projects.

If you discover a problem or vulnerability in XChange, it is recommended to immediately report it to the developers through their official channels to ensure the protection of other users and improve the overall reliability of the library.
