Blockchain hacks will continue as long as cybercriminals keep easily discovering security vulnerabilities. Here is what happens if security is lacking, says Sumit Siddharth, founder of the SecOps Group.
With the exponential growth of cryptocurrencies, NFTs and other blockchain implementations, there has never been a better time for a cybercriminal to convert a vulnerability into easy and big money.
Blockchain Hacks and Security Audits
We see two different types of attacks involving cryptocurrencies. One of these is centred around the end user (the victim). The attack technique relies on social engineering tricks such as convincing a victim to send cryptocurrency to an attacker’s wallet.
The other type of hack we see is a bit more complicated and requires a deep understanding of blockchain smart contracts and associated components, such as side-chains, cross-chain components, wallets, the various protocols involved, and more.
The SecOps Group have now launched a blockchain smart contract security audit, to help blockchain developers identify and patch security issues before they get exploited in the wild.
Blockchain Hacks – Where They Start
Blockchain is a transaction record database that is distributed, validated and maintained around the world by a network of computers. Instead of a single central authority such as a bank, a large community oversees the records in Blockchain. No individual person has control over these records. Blockchain is based on decentralized technologies. Together these technologies function as a Peer-to-Peer (P2P) network.
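The hash-linked record described above, as an added example that is not part of the original article: each block commits to the hash of the previous one, so any change to an earlier block breaks every link after it. The transaction batches and the `Block` layout are constructed for the illustration; a real chain carries far more in its header (timestamps, Merkle roots, consensus fields).

```python
import copy
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: list

    def hash(self) -> str:
        # Canonical JSON so every peer derives the identical digest from the same data.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "transactions": self.transactions},
            sort_keys=True,
            separators=(",", ":"),
        )
        return hashlib.sha256(payload.encode()).hexdigest()


GENESIS_HASH = "0" * 64

# Constructed sample batches; the values carry no meaning beyond the demonstration.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "dave", "amount": 1}],
]


def build_chain(batches):
    """Link each batch of transactions to the hash of the block before it."""
    chain = []
    prev = GENESIS_HASH
    for i, txs in enumerate(batches):
        block = Block(i, prev, copy.deepcopy(txs))
        chain.append(block)
        prev = block.hash()
    return chain


def first_broken_link(chain):
    """Index of the first block whose prev_hash no longer matches its predecessor, or None."""
    prev = GENESIS_HASH
    for block in chain:
        if block.prev_hash != prev:
            return block.index
        prev = block.hash()
    return None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("intact chain:", first_broken_link(chain))
    tampered = build_chain(SAMPLE_BATCHES)
    tampered[1].transactions[0]["amount"] = 999  # rewrite history in block 1
    print("after tampering with block 1:", first_broken_link(tampered))
```

Note the caveat the check exposes: editing the most recent block breaks no link, because nothing yet commits to its hash. That tail is protected not by the hash chain but by the many independent copies and the consensus rules the network applies, which is why the article stresses that no single party controls the records.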
Blockchain technology is being used in many different industries. The annual blockchain spending by companies will reach $16B by 2023, according to recent research by CBInsights. The rate of adoption of the technology is increasing.
Nowadays, there are various blockchain platforms in the market, and each platform uses its own technology. For example, the Ethereum platform uses the Solidity language, the Hyperledger platform uses the Go language, the EOS platform uses Node.js, the Multichain platform uses C++, and the Corda platform uses Java/Kotlin. The most famous cryptocurrency, Bitcoin (BTC), was developed on the Bitcoin platform. The Ether (ETH) cryptocurrency was developed on the Ethereum platform.
When any of the above is compromised, huge hacks can result.
Blockchain Hacks of Note
Solana Wallets Attack – $7 Million – August 03, 2022
Solana is a blockchain-based platform. Many Web3 applications are deployed on the Solana blockchain as it is cost-effective in terms of deployment. Recently a wallet-based hack was observed in the Solana blockchain.
The root cause of the breach is unclear, but it appears to be due to a flaw in the wallet software used, which resulted in the private key and/or seed phrase compromise. A private key is unique and links a user to their blockchain address. A seed phrase is a fingerprint of all of a user’s blockchain assets that is used as a backup if a crypto wallet is lost. More than 7,000 wallets have been drained of more than $7m worth of SOL tokens.
Axie Infinity Ronin Bridge – $625 Million – March 28, 2022
The largest-ever crypto hack measured in fiat dollars came after hackers gained control over a majority of the cryptographic keys securing the play-to-earn game’s cross-chain bridge. Four of the nine keys were stolen when an Axie developer clicked on a fake job offer PDF.
Wormhole Cross-Chain Bridge Attack – $325 Million – February 2, 2022
Wormhole is a blockchain-based Web3 bridge that connects Ethereum and Solana. It uses an intermediate bridge to transfer tokens between the two networks. A blockchain bridge is a protocol connecting two economically and technologically separate blockchains to enable interactions between them.
A hacker exploited smart contracts on the Solana-to-Ethereum bridge to mint and cash out wrapped ether without depositing collateral. This allowed the hackers to steal a total of $320 million in Ethereum and Solana tokens combined. Wormhole renamed its bridge portal and currently holds over $480 million, according to crypto data firm DeFi Llama.
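The two bridge incidents above share one control: the destination side must mint wrapped tokens only when a quorum of the bridge's key holders has attested that collateral was really locked on the source chain. The following is an added example, not Wormhole's or Ronin's code, modelling that gate. The guardian names, the nine-of-which-five quorum, the HMAC stand-in for signatures and the sample deposit are all constructed for the illustration; a real bridge verifies public-key signatures against the guardian set recorded on chain.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed guardian set: nine signers, quorum of five (a simple majority).
# HMAC secrets stand in for the guardians' signing keys so the example runs offline.
GUARDIAN_KEYS = {
    f"guardian-{i}": hashlib.sha256(f"constructed-guardian-secret-{i}".encode()).digest()
    for i in range(9)
}
GUARDIANS = sorted(GUARDIAN_KEYS)
QUORUM = 5
SOURCE_CHAIN = "chain-A"  # the chain on which collateral is locked

# Constructed deposit event, as the guardians would observe it on the source chain.
SAMPLE_DEPOSIT = {"source_chain": "chain-A", "tx": "constructed-deposit-1", "recipient": "alice", "amount": 10}


def canonical(deposit: dict) -> bytes:
    """Canonical encoding so every guardian signs exactly the same bytes."""
    return json.dumps(deposit, sort_keys=True, separators=(",", ":")).encode()


def guardian_attest(name: str, deposit: dict) -> str:
    """A guardian signs a deposit it has observed on the source chain."""
    return hmac.new(GUARDIAN_KEYS[name], canonical(deposit), hashlib.sha256).hexdigest()


def attest_by(deposit: dict, names) -> dict:
    return {name: guardian_attest(name, deposit) for name in names}


def valid_signers(deposit: dict, signatures: dict) -> set:
    """Guardians whose signature verifies over this exact deposit; unknown or bad signers are ignored."""
    ok = set()
    for name, sig in signatures.items():
        key = GUARDIAN_KEYS.get(name)
        if key is None or not isinstance(sig, str):
            continue
        expected = hmac.new(key, canonical(deposit), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            ok.add(name)
    return ok


class WrappedTokenBridge:
    def __init__(self):
        self.balances = Counter()
        self.redeemed = set()

    def mint_unverified(self, deposit: dict) -> None:
        # Weak pattern: mint whatever the caller claims was locked. This is the failure the
        # article describes: wrapped tokens created with no collateral behind them.
        self.balances[deposit["recipient"]] += deposit["amount"]

    def mint_if_attested(self, deposit: dict, signatures: dict):
        """Hardened path: returns (True, deposit_id) on success or (False, reason)."""
        if deposit.get("source_chain") != SOURCE_CHAIN or deposit.get("amount", 0) <= 0:
            return False, "malformed deposit"
        dep_id = hashlib.sha256(canonical(deposit)).hexdigest()
        if dep_id in self.redeemed:
            return False, "deposit already redeemed"  # replay protection
        signers = valid_signers(deposit, signatures)
        if len(signers) < QUORUM:
            return False, f"quorum not reached: {len(signers)} of {QUORUM} guardian signatures"
        self.redeemed.add(dep_id)
        self.balances[deposit["recipient"]] += deposit["amount"]
        return True, dep_id


if __name__ == "__main__":
    bridge = WrappedTokenBridge()
    print(bridge.mint_if_attested(SAMPLE_DEPOSIT, attest_by(SAMPLE_DEPOSIT, GUARDIANS[:4])))
    print(bridge.mint_if_attested(SAMPLE_DEPOSIT, attest_by(SAMPLE_DEPOSIT, GUARDIANS[:5])))
    print(dict(bridge.balances))
```

The quorum check is only as strong as the key holders' independence: once a majority of the guardian keys sit with one party, whether by design or by phishing a developer as in the Ronin case, valid attestations can be produced for deposits that never happened. Key diversity, separate custody per guardian and alerting on mints that exceed locked collateral are the controls that address that residual risk.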
Smart Contract Audits
A smart contract audit is an extensive methodical examination and analysis of a smart contract’s code which is used to interact with a cryptocurrency or blockchain. This process is conducted to discover errors, issues and security vulnerabilities in the code, and suggest improvements and ways to fix them. Generally, smart contract audits are necessary, because most of the contracts deal with financial assets and/or valuable items.
The security audit of smart contracts has become essential today. Thousands of decentralized finance projects and NFT projects have been built on blockchain technology (also known as Web 3.0), so securing them is as important as building them.
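As an added illustration of the kind of check an audit automates (this is example code, not The SecOps Group's audit tooling), the script below scans Solidity source for four well-known weakness patterns catalogued in the SWC registry: an unchecked low-level call (SWC-104), an unprotected `selfdestruct` (SWC-106), a state update after an external call, the classic reentrancy ordering (SWC-107), and authorization via `tx.origin` (SWC-115). Both contracts are constructed for the example, and the rules are line-based heuristics: a real audit uses a parser, a symbolic engine and a human reviewer, and treats tool output as leads, not verdicts.

```python
import re

# Constructed vulnerable contract used to exercise the rules.
VULNERABLE_SAMPLE = """\
pragma solidity ^0.8.0;
contract Vault {
    address owner;
    mapping(address => uint256) balances;
    function withdraw(uint256 amt) public {
        require(balances[msg.sender] >= amt);
        msg.sender.call{value: amt}("");
        balances[msg.sender] -= amt;
    }
    function sweep() public {
        require(tx.origin == owner);
        selfdestruct(payable(owner));
    }
}
"""

# Constructed hardened version: checks-effects-interactions order, checked call result,
# msg.sender-based authorization, no selfdestruct.
HARDENED_SAMPLE = """\
pragma solidity ^0.8.0;
contract Vault {
    address owner;
    mapping(address => uint256) balances;
    function withdraw(uint256 amt) public {
        require(balances[msg.sender] >= amt);
        balances[msg.sender] -= amt;
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "transfer failed");
    }
    function sweep(address payable to) public {
        require(msg.sender == owner);
        to.transfer(address(this).balance);
    }
}
"""

EXTERNAL_CALL = re.compile(r"\.call\s*[{(]")
CALL_RESULT_HANDLED = re.compile(r"\b(bool|require)\b")
STORAGE_WRITE = re.compile(r"\w+\[[^\]]*\]\s*(-=|\+=|=(?!=))")  # mapping/array write, not ==


def audit(source: str):
    """Return (line_number, swc_id, message) findings for each heuristic that fires."""
    findings = []
    pending_call = None  # line of an external call not yet followed by a state write
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue
        if re.search(r"\bfunction\b", stripped):
            pending_call = None  # ordering rule is scoped to one function body
        if "tx.origin" in stripped:
            findings.append((lineno, "SWC-115", "authorization via tx.origin; use msg.sender"))
        if "selfdestruct" in stripped:
            findings.append((lineno, "SWC-106", "selfdestruct reachable; confirm access control or remove"))
        if EXTERNAL_CALL.search(stripped):
            if not CALL_RESULT_HANDLED.search(stripped):
                findings.append((lineno, "SWC-104", "low-level call result not checked"))
            pending_call = lineno
        elif pending_call is not None and STORAGE_WRITE.search(stripped):
            findings.append((lineno, "SWC-107", f"state written after external call on line {pending_call}"))
            pending_call = None
    return findings


if __name__ == "__main__":
    for lineno, swc, msg in audit(VULNERABLE_SAMPLE):
        print(f"line {lineno}: {swc} {msg}")
    print("hardened findings:", audit(HARDENED_SAMPLE))
```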
About the Author:
Sumit Siddharth is the founder of the SecOps Group. He is a serial cyber entrepreneur and a well-known security professional. He has been a speaker and trainer at many international conferences such as Black Hat, Defcon, HITB, Owasp Appsec etc. During his days as a pentester he authored a number of books, articles, exploits and whitepapers on various topics related to application security. Sid’s first business (NotSoSecure) was acquired in 2018 by the Claranet Group. He now runs a boutique security consultancy (pentesting) firm called The SecOps Group. He is also an advisor and angel investor in multiple niche cyber security start-ups such as Red Hunt Labs (Attack Surface Management), PureID (Passwordless Authentication), VulnMachines (free pentesting lab platform) and RankedRight (vulnerability triaging platform).