Beyond Code: Why Protocols Fall to Hackers in Crypto Heists
Behind the sleek designs of user interfaces of decentralised finance or DeFi protocols, which enable digital assets transactions, are smart contracts which are made up of computer code. An exploitation of the security flaws in these codes by hackers could crash a DeFi projects’ rise, leaving in its wake a colossal and sometimes irrecoverable loss to customers and founders. At the heart of the security breach is the question: could it have been averted?
Attacks on DeFi protocols including cryptocurrency exchanges and cross-chain bridges have been on the increase since 2012. There have been more than 46 security breaches in 10 years. In 2021 hackers stole a total of $4.25 billion worth of cryptocurrency, almost tripling the 2020 figure which was about $1.49 billion, according to Crystal Blockchain. As of the time of writing, almost half a billion dollars have been stolen from the ecosystem one month into 2022; one of the breaches resulted in the fourth largest crypto heist in history.
As mind-boggling as the data on DeFi security breaches are, they reveal a disturbing pattern of recurrence of the causes of attacks, such as criminals illegally obtaining access to hot wallets, compromised codes and staff mistakes. Although the smart contracts of DeFi platforms vary, making the technicalities of each hack different, successive attacks on DeFi projects leave analysts bewildered about whether platforms learn from the misfortunes that befall others in the industry.
“Everyone, including the founders, is desperate to be a part of this gold rush. Unfortunately, no lesson has been learnt from the website hacks and attacks that have crippled various organisations as well as governments,” said Ritesh Bhatia, Cybercrime investigator and founder, V4WEB Cybersecurity.
When humans fail, smart contracts fail too
Like cryptocurrency exchanges, cross-chain bridges which enable the movement of crypto assets between blockchains are increasingly becoming victims of breaches including hacks and flash loan attacks. Three of the four attacks this year tell a story of how human failure caused a laxity in computing safeguards.
In the first cross-chain bridge exploit, Qubit Finance, an Ethereum and Binance Smart Chain (BSC) bridge lost a total value of $80 million when attackers took advantage of a logical error – often caused by bad programming – in the bridge’s code that allowed them to input malicious data and withdraw tokens on the BSC side of the bridge when none was deposited on Ethereum, Certik, a Blockchain security firm stated in a post-attack analysis.
Certik’s analysis suggests that $80 million worth of investor’s funds vanished because codes were manipulated. But a clearer view was given in a post-mortem by Theori, a cyber-security firm that audited Qubit Finance’s bridge code in December 2021. The report revealed that the bridge became vulnerable to attacks because Qubit added an invalid token address as a valid resource after it had audited the codes.
Qubit modified the codes “presumably under the belief that this change would not affect security, we were not consulted about these changes and we were not given the opportunity to review these changes,” Theori wrote adding that “while we cannot prevent our customers from modifying the code after our audit or changing parameters in a way that makes their code vulnerable, additional mitigations could have been suggested by our team that would have reduced risk in this scenario.”
The hacker has moved part of the stolen funds to Tornado, a protocol which allows users to hide their digital trail. Unable to carry on its operation, Qubit said it would be scaling back to its original team and letting go of new development team members and it would be operated by a community in a decentralized autonomous organisation arrangement.
This plan has raised more controversies among some investors who claimed that operators of Qubit Finance and its parent company, Mound Inc., were complicit in the hack.
Qubit Finance did not respond to Arweave News’ multiple requests for comment on why it modified its code after an audit without seeking guidance or informing the auditing firm.
Barely a week after the Qubit Finance hack, Wormhole, a Solana and Ethereum cross-chain was exploited in a single transaction where 93,750 Ethers with an estimated value of $320 million were stolen. As if testing the vulnerability of Wormhole’s bridge’s security, the attackers deposited 0.1 Wormhole-wrapped Ether before minting – without corresponding deposit – 120,000 Wormhole-wrapped Ether which they used to claim original Ethereum token on the bridge. Wrapped Ethereum tokens are pegged to the value of the original coin but are interoperable with other blockchains.
In a muddled twist to the incident, social media reports including this one, citing a commit on Wormhole’s Github repository, claimed that the firm knew about the security flaw 21 days before the breach, fixed it but delayed in deploying it to its system. Wormhole in a post-attack report attributed the exploit to a bug or error in its smart contract on Solana and denied it knew about the flaw but did not act.
“While the commit did fix the vulnerability, it was a coincidental by-product of the toolchain upgrade. While obvious in hindsight, the security implications were not apparent at the time,” Wormhole stated.
It added that the commit was on the Github repository awaiting an audit but noted that “the attacker may have noticed the vulnerability because this commit was public, or they may have felt forced to execute the attack once the fix was merged.”
Indeed, an error in Wormhole’s code poked a hole in its security, leaving its vulnerabilities in public view (although it claimed being unaware of its implication) was an invitation to a meticulous hacker to break into its security. For a company that processes huge cryptocurrency asset in an era where hackers are on the prowl, observers say Wormhole was reckless in its operations.
Another case of computer codes failing after being modified by human administrators is Meter’s attack days after Wormhole’s breach. An error in the extended code introduced by Meter’s team allowed a hacker to make away with about $4.4 million worth of cryptocurrency.
“Security by default and security by design is yet not being followed. As a result, cybersecurity still remains an afterthought. Unfortunately, this is simply neither affordable nor acceptable in the blockchain as once the currency is out of the blockchain, it is simply gone,” Bhatia told Arweave News.
The problem with open-source
All DeFi projects thrive on the open-source philosophy of promoting innovation, collaboration and transparency. With the entire codes that support DeFi protocols and applications available for anyone to review and copy to create projects, some people say that the open-source ideology allows hackers to have opportunities to scrutinise codes in order to spot vulnerabilities.
Scanning for flaws in the smart contracts of DeFi protocols that are in public view by a potential attacker “is quite elementary and in the checklist of any reasonably determined hacker: look at every function in the smart contract that is designated as public and only give it up as an entry point once you understand its logic and dependencies to other code, internal or external,” Nitesh Dhanjani, a cybersecurity researcher wrote.
Would it have been impossible or at least difficult for exploiters to spot security loopholes in smart contracts if the codes were not made public given the open source ideology? Could hacks against the DeFi ecosystem be effectively tackled if smart contracts were not made public?
“Get rid of transparent programmability,” Patrick McConnell, a doctor of Business Administration and expert on Technology Risk Management, told Arweave News in response to how DeFi projects could be protected.
If smart contracts are visible, experts looking for flaws in the codes could find it and use it to launch attacks, McConnell believes, worrying that central banks digital currencies that make their smart contracts public were at risk of problems being experienced by other digital assets.
However, a software engineer who asked that his identity should not be revealed does not agree that the open-source system is the problem. He believes that if smart contracts pass auditing and DeFi projects allocate large sums of money to white-hat bounties that could help spot flaws in codes before criminals exploit them, there would be no problem. But even these will not solve the challenges if DeFi protocols tamper with audited codes like Qubit did and smart contracts are made public for everyone including those with criminal intentions to view them.
Some deficiencies in the DeFi ecosystem could also be attributed to projects being hurriedly built due to the availability of a code to copy from but with security being given little consideration. Monies from venture capitals provide fast launch pads for such poorly-thought out projects.
“That is so true. In the Defi and NFT ecosystem, a lot of projects are launched in a few days. They are just forks, forks of forks and scam projects. They were forking other projects and claiming to be original,” the software engineer said.
“There is obviously insufficient due diligence,” said McConnell.
Ordinary investors suffer more in attacks on DeFi protocols where funds were stolen and never recovered and the platform does not cover the loss. There is not much ordinary investors can do because by design, DeFi projects remove third party authorisation from transactions and platforms operating in jurisdictions that do not have regulations makes it difficult to enforce diligence and investor protection laws.
There will not be cracks in the security of DeFi protocols if smart contracts’ functions or codes are not tampered with by humans and if errors in codes are quickly corrected before lurking exploiters detect them. Rather than wait for the next attack, collaboration among platforms in the DeFi ecosystem to address cybersecurity threats is essential before ‘the mother of all exploits’ that could crash the entire system occurs.
“It is high time a consortium was formed to regulate the blockchain. There needs to be a framework, guidelines and security standards drafted by this consortium,” Bhatia said. “Technology will always remain hackable. DeFi is reliable but the two main principles: security by design and security by default should be taken very seriously.”