Skip to main content

Security in a trustless and decentralized world - Chapter 1

This is the first article in the “crypto attacks” series. Subsequent articles deep dive into the attack vectors and types of attack.

———————————-

The rise of blockchains

Year 2021 was a crucial year for the blockchain ecosystem as we saw a significant rise in the adoption of DeFi protocols, NFT, play-to-earn (gaming) and other crypto assets. The Total Locked Value (TVL) saw a massive increase followed by introduction of newer block chains, other than Bitcoin and Ethereum, such as Binance Smart Chain, Terra, Polygon, Avalanche, Solana, Fantom, etc.

As of this date, the TVL on all these chains is $200 billion with Ethereum commanding the highest share with $111 billion of TVL. Total decentralized applications (Dapps) available on all chains are more than 10,000 and growing.

No alt text provided for this image

Source: defillama.com

The Threat

While blockchain technology holds a great potential, there’s still a lot of work to be done to ensure that blockchain security has evolved enough to support broader adoption. Although blockchain produces an immutable and distributed ledger of transactions, blockchain networks and the protocols built atop are not immune to cyberattacks and fraud. Those with ill-intent can manipulate known vulnerabilities and steal the stored assets, in the form of tokens.

As the source code of blockchain and the smart contracts deployed on it are open-source and difficult to change once deployed, the likelihood of a cybercriminal attempting an exploit is quite high. There are numerous examples in which such bad actors have succeeded in defrauding people either by exploiting a vulnerability / bug in the source code, or by doing a social engineering attack and tricking the victim into disclosing sensitive information, such as private keys of their wallet.

Very recently in March 2022, Ronin Bridge, a popular cross-chain bridge protocol which enables users to pass funds between the Ronin network and Ethereum, lost $624 million in what is known as the biggest crypto hack ever.

The Ronin attacker pulled off the exploit by obtaining five of the nine validator keys that are responsible for securing the Ronin network. By holding a majority of the keys (also known as 51% or majority attack), the attacker was able to maliciously withdraw piles of cryptocurrency straight from the Ronin Bridge into a rogue Ethereum wallet.

No alt text provided for this image

Sky Mavis, the company behind the wildly popular play-to-earn game Axie Infinity, created Ronin in 2020 after realizing Ethereum’s base layer was too slow and expensive to handle all the transactions required to power such a game. This incident underscores the risks of sacrificing decentralization for achieving scale.

Earlier, in August 2021 a similar cross-chain bridge protocol, Poly Network, suffered a hack of $600 million worth of crypto coins. The hacker apparently exploited a vulnerability in the way Poly Network verified smart contracts, to change a list of public keys to match the hacker’s private keys. Once those keys were changed and the hacker was able to reroute funds to personal wallets. Poly Network pleaded with the hacker to return the funds and promised to grant the person a $500,000 bounty for helping it identify a flaw in its systems, and even offered them a job as “chief security advisor.” The hacker, being a white-hat hacker, eventually returned most of the money they stole. However, everyone cannot hope to be that lucky.

According to Chainalysis, the level of cryptocurrency theft reached $3.2 billion in 2021, +516% vs 2020. 72% of 2021 total were stolen from DeFi protocols vs 31% a year before. 49% of all crypto hacks were attributable to code exploits and flash loan attacks. According to Immunefi, there were almost 150 hacks recorded in 2021 (123 in 2020) which means roughly 70 projects were compromised due to vulnerabilities or mistakes in smart contracts. In DeFi, 69% of all hacks were attributable to vulnerabilities in smart contracts. In Q1 2022 alone the total losses are upwards of $1.3 billion. Two of three biggest crypto hacks: Wormhole bridge (~$300M) and Ronin network (~$600M) took place in Q1 2022. With more users participating in DeFi and TVL growing exponentially, the chances of such exploits will increase in future. Unless we solve this aspect of blockchains systematically through formal methods, it may become an uncontrollable menace and a major hurdle in the mainstream adoption of blockchains and its innovative use cases.

The Solution

The first step to protect crypto assets is to get the smart contract audited by a reputable audit firm which can identify vulnerabilities in the code by using industry leading tools, review process and a mathematical approach called formal verification to ensure that the program is written as intended. This can be followed by penetration testing, which is a security assessment process done by ethical hackers or security professionals to test the security strength of the blockchain-based solution or application. It is seen that the majority of DeFi platforms exploited in 2021 were unaudited. This highlights the amount of work to be done before DeFi is seen as a secure place to invest and innovate in.

It is not necessary that the vulnerability in the smart contract code need to be exploited by an individual or group of hackers. Sometimes even a small bug inadvertently introduced in the code could result in a huge loss. In October 2021, a popular DeFi staking protocol Compound encountered a “free money” bug and about $90.1 million were mistakenly issued to users after a code upgrade went horribly wrong. It’s COMP token suddenly dropped in value by 13%. Protocol users began reporting massive windfalls; $29 million worth of COMP tokens were claimed in a single transaction. Such fatal gaps can lead to irrecoverable damages and loss of trust in the DeFi at large.

Any changes to a platform’s code should be reviewed and audited, no matter how small the initial modification is. Even a byte-sized piece of code can have multimillion dollar ramifications.

Attack Vectors

Centralization issues were the most common attack vector exploited in the DeFi hacks of 2021. One such example is the Ronin bridge attack which we have discussed. For your reference, an attack vector is a pathway or method used by a hacker to illegally access a network or computer in an attempt to exploit system vulnerabilities.

There are various types of attacks which pose a threat to blockchain security. These can be categorized under the following five attack vectors:

  1. Blockchain network attacks
  2. User wallet attacks
  3. Smart contract attacks
  4. Transaction verification or consensus mechanism attacks
  5. Mining pool attacks

In subsequent articles of this series we will discuss each of these attack vectors and types of attacks in greater detail.

———————————-

References:

Leave a Reply