Can they be prevented with smart contract revisions?

Blockchain hacks will continue as long as cybercriminals easily discover security vulnerabilities. Here’s what happens if security is lacking, says Sumit Siddharth, founder of SecOps Group.

With the exponential growth of cryptocurrencies, NFTs and other blockchain implementations, there has never been a better time for a cybercriminal to convert a vulnerability into easy and big money.

Blockchain Hack and Security Audit

We see two different types of attacks involving cryptocurrencies. One of these is centered around the end user (the victim). The attack technique relies on social engineering tricks such as convincing a victim to send cryptocurrency to an attacker’s wallet.

The second type of hack we see is a little more complicated and requires a deep understanding of blockchain smart contracts and related components, such as sidechains, cross-chain mechanisms, wallets and the various protocols involved.

SecOps Group has now launched a blockchain smart contract security audit, to help blockchain developers identify and patch security issues before they are exploited in the wild.

Blockchain Hacks – Where They Start

Blockchain is a transaction record database that is distributed, validated and maintained worldwide by a network of computers. Instead of a single central authority like a bank, a large community oversees the records in the blockchain; no individual has control over them. Blockchain is based on decentralized technologies which, together, work as a Peer-to-Peer (P2P) network.

Blockchain technology is used in many different industries. Annual blockchain spending by companies will reach $16 billion by 2023, according to recent research from CBInsights. The speed of adopting the technology is increasing.

Today, there are various blockchain platforms on the market, and each uses its own technology. For example, the Ethereum platform uses the Solidity language, the Hyperledger platform uses Go, the EOS platform uses Node.js, the Multichain platform uses C++, the Corda platform uses Java/Kotlin, and so on. The most famous cryptocurrency, Bitcoin (BTC), was developed on the Bitcoin platform, while the Ether (ETH) cryptocurrency was developed on the Ethereum platform.

When any of the above is compromised, major hacks can occur.

Blockchain Hacks of Note

Solana Wallets Attack – $7 Million – August 3, 2022

Solana is a blockchain-based platform. Many Web3 applications are deployed on the Solana blockchain as it is cost effective in terms of deployment. Recently, a wallet-based hack was observed in the Solana blockchain.

The root cause of the breach is unclear, but it appears to be due to a bug in the wallet software used, which resulted in the compromise of the private key and/or seed phrase. A private key is unique and links a user to their blockchain address. A seed phrase is a fingerprint of all of a user’s blockchain resources that is used as a backup if a crypto wallet is lost. More than 7,000 wallets have been tapped for more than $7 million worth of SOL tokens.

Axie Infinity Ronin Bridge – $625 million – March 28, 2022

The largest ever crypto hack in fiat dollar terms came after hackers gained control of a majority of the cryptographic keys securing the play-to-earn game’s cross-chain bridge. Four of the nine keys were stolen when an Axie developer clicked on a fake job offer PDF.

Wormhole Cross Chain Bridge Attack – $325M – February 2, 2022

Wormhole is a Web3 bridge connecting the Ethereum and Solana blockchains. It uses an intermediate bridge to transfer tokens between the two networks. A blockchain bridge is a protocol that connects two economically and technologically separate blockchains to enable interactions between them.

A hacker exploited smart contracts on the Solana-to-Ethereum bridge to create and pay out wrapped ether without posting collateral. This allowed the hackers to steal a total of $320 million in combined Ethereum and Solana tokens. Wormhole has since renamed its bridge portal, which currently holds over $480 million, according to crypto data firm DeFi Llama.
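The two bridge incidents above come down to two invariants a bridge must enforce before minting on the destination chain: the mint must be backed by a deposit actually locked on the source chain, and it must be approved by a quorum of distinct validator keys. The toy model below is an added illustration, not Wormhole's or Ronin's code; the validator names, the 5-of-9 quorum and the deposit ids are constructed, and the unchecked path shows how minting without a lock breaks the backing invariant an auditor would test for.

```python
from dataclasses import dataclass, field

QUORUM = 5                                            # assumed 5-of-9 threshold
VALIDATORS = {f"validator-{i}" for i in range(9)}     # constructed validator key ids


@dataclass
class Bridge:
    """Toy two-chain bridge: deposits lock on chain A, wrapped tokens mint on chain B."""
    locked: dict = field(default_factory=dict)   # deposit_id -> amount locked on source chain
    minted: dict = field(default_factory=dict)   # deposit_id -> amount minted on destination

    def lock(self, deposit_id: str, amount: int) -> None:
        if amount <= 0 or deposit_id in self.locked:
            raise ValueError("invalid or duplicate deposit")
        self.locked[deposit_id] = amount

    def mint_unchecked(self, deposit_id: str, amount: int) -> int:
        # Weak path: trusts the caller's claim and never consults the lock or the validators.
        self.minted[deposit_id] = amount
        return amount

    def mint(self, deposit_id: str, amount: int, approvals: set) -> int:
        # Invariant 1: a quorum of distinct, known validators approved this transfer.
        # Using a set means one compromised key cannot be counted twice.
        signers = approvals & VALIDATORS
        if len(signers) < QUORUM:
            raise PermissionError(f"{len(signers)} approvals, need {QUORUM}")
        # Invariant 2: every minted token is backed by a lock, and each lock pays out once.
        if deposit_id not in self.locked:
            raise ValueError("no collateral locked for this deposit")
        if deposit_id in self.minted:
            raise ValueError("deposit already minted")
        if amount != self.locked[deposit_id]:
            raise ValueError("mint amount does not match locked collateral")
        self.minted[deposit_id] = amount
        return amount

    def backed(self) -> bool:
        # Audit check: total supply of wrapped tokens never exceeds total collateral.
        return sum(self.minted.values()) <= sum(self.locked.values())


def try_mint(bridge: Bridge, deposit_id: str, amount: int, approvals: set) -> bool:
    """Return True if the checked mint succeeds, False if it is rejected."""
    try:
        bridge.mint(deposit_id, amount, approvals)
        return True
    except (PermissionError, ValueError):
        return False
```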


Smart contract audit

A smart contract audit is a comprehensive methodical examination and analysis of a smart contract’s code used to interact with a cryptocurrency or blockchain. This process is performed to detect errors, problems, and security vulnerabilities in the code, and to suggest improvements and ways to fix them. In general, smart contract audits are necessary, because most contracts deal with financial assets and/or valuable objects.

The security audit of smart contracts has become important today. Thousands of decentralized finance and NFT projects are built on blockchain technology (Web 3.0), so securing them is as important as building them.

About the author:

Sumit Siddharth is the founder of SecOps Group. He is a serial cyber entrepreneur and a well-known security expert. He has been a speaker and trainer at many international conferences such as Black Hat, Defcon, HITB, Owasp Appsec etc. During his days as a pentester, he wrote a number of books, articles, exploits and whitepapers on various topics related to application security. Sid’s first business (NotSoSecure) was acquired in 2018 by Claranet Group. He now runs a boutique security consulting (pentesting) firm called The SecOps Group. He is also an advisor and angel investor in several niche cyber security startups such as Red Hunt Labs (Attack Surface Management), PureID (Passwordless Authentication), VulnMachines (free pentesting lab platform) and RankingRight (vulnerability triaging platform).
