3 Recent Crypto Hacks and the Case for Smart Contract Audits


The Rise of Crypto Hacks

Crypto hacks continue to be a stumbling block to the growing crypto market, creating panic among existing and potential investors. Ari Redbord, head of legal and government affairs at TRM, describes hacks as ‘bank robbery at the speed of the internet.’

Crypto hacks
Though public blockchains are practically unhackable, hackers can take advantage of loopholes in the code of smart contracts to steal funds.    

Evidently, most blockchain-related hacks are a result of cybercriminals exploiting flaws in a project’s code. In 2021, hackers reportedly stole $14 billion from the crypto market, a 79% increase from the previous year.

Recent data by Atlas VPN show that in Q1 2022, security breaches have led to nearly $1.3 billion stolen in 78 hack events. Notably, most of these attacks were conducted on Ethereum and Solana blockchains.

3 Recent Crypto Hacks

Here are some of the most recent crypto hacks:

Ronin network’s $615 million hack

Axie Infinity’s Ronin Network became the most recent victim of the growing cryptocurrency hacks when a security breach on its systems caused the loss of $615 million ($540 million at the time) worth of crypto. The event has since been marked as the largest crypto hack in the history of cryptocurrencies.

According to reports, Ronin suffered a huge loss on March 23, 2022, when an attacker hacked Ronin’s private keys to forge fake withdrawals from the Ronin bridge across two transactions. During the attack, the hacker got away with 173,600 ether (ETH) and 25.5 million USDC tokens worth about $615 million.

DAOs
Decentralized autonomous organizations (DAOs) are groups of people who abide by certain rules to achieve a common purpose.

By design, the Ronin sidechain has nine validators that require five signatures for withdrawals, offering protection against such hacks.

However, the hacker managed to find a backdoor through Ronin’s gas-free RPC (remote procedure call) node that allowed them to get the signature for the Axie DAO (see the box for an explanation) validator to protect.

The Ronin team discovered the hack after one of their users unsuccessfully attempted to withdraw 5000 ETH, six days after the attack took place. Following the attack, Ronin promised to increase the validator threshold (from 5 to 8) required to approve transactions.
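A 5-of-9 rule only protects a bridge if the nine keys are held independently. The following is an added example (not code from this article or from Ronin) that checks distinct-signer counting and computes how many operators must be compromised to reach the threshold at 5 and at 8; the validator-to-operator layout, the delegation and the function names are constructed assumptions.

```python
from itertools import combinations

def approve_withdrawal(signers, validators, threshold):
    """Bridge-side rule: each known validator counts once; unknown signers count zero."""
    return len(set(signers) & set(validators)) >= threshold

def min_operators_to_reach(threshold, operator_of, delegations=()):
    """Smallest set of operators whose compromise yields `threshold` signatures.

    operator_of: validator -> operator that holds its private key.
    delegations: (validator, operator) pairs where the operator can also
    obtain that validator's signature (for example through a signing service).
    """
    reach = {}
    for validator, op in list(operator_of.items()) + list(delegations):
        reach.setdefault(op, set()).add(validator)
    ops = sorted(reach)
    for k in range(1, len(ops) + 1):          # exhaustive: validator sets are small
        for combo in combinations(ops, k):
            if len(set().union(*(reach[o] for o in combo))) >= threshold:
                return k, combo
    return None, ()

# Constructed layout for illustration only (not Ronin's published key custody).
OPERATOR_OF = {"v1": "op-A", "v2": "op-A", "v3": "op-A", "v4": "op-A",
               "v5": "op-B", "v6": "op-C", "v7": "op-D", "v8": "op-E", "v9": "op-F"}
DELEGATIONS = [("v5", "op-A")]   # assumption: op-A can request v5's signature

if __name__ == "__main__":
    vals = set(OPERATOR_OF)
    # Duplicate and unknown signers must not count toward the threshold.
    print(approve_withdrawal(["v1", "v1", "v2", "v3", "v4", "intruder"], vals, 5))
    for t in (5, 8):
        print(t, min_operators_to_reach(t, OPERATOR_OF),
              min_operators_to_reach(t, OPERATOR_OF, DELEGATIONS))
```

In this constructed layout a single operator reaches the 5-signature threshold once the delegation exists, while a threshold of 8 requires four operators, which is the quantity a custody review should track alongside the nominal m-of-n figure.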

Poly Network’s $600 million security breach

Last year in August, Poly Network, a cross-chain DeFi (decentralized finance) site, was hacked, leading to the loss of about $600 million in crypto. According to the Poly Network team, the security breach allowed the attackers to steal from three addresses.

Poly Network acts as a cross-chain interoperability bridge allowing users to transfer tokens between two relatively independent blockchains. As such, one of the main Poly Network smart contracts is a bridge by itself. To execute the attack, hackers exploited the CrossChainManager smart contract and swapped the Poly Network’s keepers for a malicious keeper under their control.

An analysis by BlockSec, a China-based blockchain security firm, suggested that the hack could have been triggered by the leak of a private key that was used to sign the cross-chain message or a potential bug introduced during the signing process.

A twist in the crypto steal

However, in a strange twist, Poly Network’s hackers returned the stolen funds. They opened a dialogue with the Poly Network team and eventually gave back almost all the money except for $33 million USDT. The hackers trapped more than $200 million of assets in an account that requires a password from both Poly Network and the hackers. They took their time in offering their password, claiming that they would only do so once ‘everyone was ready’. Eventually, the hackers gave the Poly team access to the account.

Wormhole Network lost $325 million

Earlier in February, Wormhole, a DeFi (decentralized finance) platform, lost $325 million in crypto when an attacker exploited a security flaw in its system. This makes it the fifth-largest crypto hack of a DeFi service.

According to the incident report, the attack resulted from Wormhole’s recent update to its GitHub repository. The update reportedly revealed a fix to a bug that had not yet been deployed to the project itself. The attacker managed to forge a valid signature for a transaction that allowed them to freely mint 120 wrapped Ethereum (wETH).

The Wormhole Network is a token bridge that allows users to transfer cryptocurrencies to and from different blockchains such as Ethereum, Polygon, Binance Smart Chain (BSC), Oasis, Terra, and Avalanche. The hack took place on Solana’s side of the bridge, with reports suggesting that Wormhole’s bridge to Terra could be similarly vulnerable.

The solution lies with smart contract audits

Smart contracts are sets of programmed agreements that are automatically executed whenever a network tries to access them for a transaction requested by a user. They have become popular because of the clinical efficiency and trust they bring. However, vulnerabilities in smart contracts enable hackers to sneak in.

Smart Contract Audit
A smart contract audit is an extensive analysis of a smart contract’s code which interacts with various components of the crypto ecosystem. The purpose is to discover security vulnerabilities in the code.

All the above crypto hacks, and many other incidents as well, share a few vulnerabilities. These weaknesses have aided unwanted third parties in their efforts to exploit blockchain systems leading to millions in losses.

Therefore, to prevent such events, there is a need to employ effective measures that help pinpoint the weaknesses and better understand smart contracts.

As the name suggests, smart contract audits are a detailed analysis of a project’s smart contracts. Smart contract audits are an effective measure for any DeFi project against hacks and other vulnerabilities.  The audits examine the code of the smart contract underneath a project. The process is aimed at helping make the necessary changes or improvements to plug the vulnerabilities of the smart contract. These security woes are largely due to human errors. 

The process is conducted before the deployment of the project, providing stakeholders a sort of guarantee regarding the project’s security. 

Smart contract auditing process

Smart contract audit processes entail conducting a series of tests and playing out different possible scenarios to point out any bugs. The study takes a close look at the code of the protocol. The auditors figure out if the pieces of code are actually producing the intended outcomes. They use the documentation to examine the purpose of the various pieces of code.

Both automated and manual testing are done to check the code against known vulnerabilities. Auditors can also conduct a live or pen test analysis in which they deploy the code of a smart contract on a local testnet. They then perform what are known as white hat hacking tests to check for any possible vulnerability.

Auditors conduct a thorough code review, a process that establishes how much testing has been carried out to understand the security history of the code. Once auditors are satisfied with their findings, they then proceed to the finalization of the code. Developers should be careful about making changes to the code during an audit. Project owners need to ensure that the audited code version is the one released to the public. 

At the end, auditors give reports on their findings. The final report details all the findings as well as the recommendations.

Summing up

As the crypto market continues to grow, hackers continue to find sophisticated ways to access users’ funds. It is for the project owners and developers to take the steps needed to ensure their code is flawless. Projects should make it a point to conduct a thorough smart contract audit to tide over the vulnerabilities before it is too late.  

It is encouraging to note that more project owners are now recognizing the role of auditing. This brings us to another important question: how to find a good auditor or a team of them. This needs to be discussed in detail, so let’s keep it for another day.

Note: The article presents the views and the facts researched by the author, and are not validated or endorsed by our team.

Dilip Kumar Patairya

About the author

Dilip Kumar Patairya is the Founder-Director of CDP Tech Tweeters, a blockchain content development and smart contract audit consultancy. Before setting up the venture, he worked as a B2B tech writer for 15+ years.

Regarding content development, he specializes in blockchain and fintech, and his published pieces can be found on Cointelegraph and Medium. In smart contract audit, he helps project owners pick the right professionals for their project.


Responses


  1. A must read for all, whether or not you are a part of the crypto community. These are common risks of the current times, and awareness is the first step to risk mitigation.