Top 10 Blockchain Hacking Techniques by OpenZeppelin
– OpenZeppelin is a cybersecurity company that provides tools for developing and securing decentralized applications (dApps).
– The company revealed that the biggest threat to dApps is not the blockchain technology, but malicious intent from hackers around the world.
Blockchain hacking has become a problem and threatens the cryptocurrency ecosystem. Hackers can breach blockchain security to steal cryptocurrency and digital assets. This is why companies are working on innovative ways to secure their systems against cyber attacks. OpenZeppelin has released a report summarizing the top ten blockchain hacking techniques.
How do hackers pose threats to blockchain security?
51% attack
This attack occurs when a hacker gains control of at least 51% of the computing power on a blockchain network. This gives them the power to control the network’s consensus algorithm and manipulate transactions. The result is double spending, where the hacker can repeat the same transaction. For example, Binance is a major investor in memecoin Dogecoin and stablecoin Zilliqa, and can easily manipulate the crypto market.
Smart contract risk
Smart contracts are self-executing programs that are built on underlying blockchain technology. Hackers can exploit the code of smart contracts and manipulate them to steal information, funds, or digital assets.
Sybil attack
Such an attack occurs when a hacker has created multiple fake identities or nodes on a blockchain network. This allows them to gain control over a large part of the network’s computing power. They can manipulate transactions on the network to aid terrorist financing or other illegal activities.
Malware attack
Hackers can distribute malware to gain access to a user’s encryption keys or private information, allowing them to steal from wallets. Hackers can trick users into revealing their private keys, which can be used to gain unauthorized access to their digital assets.
What are the Top 10 Blockchain Hacking Techniques by OpenZeppelin?
Compound-TUSD Integration Issue Retrospective
Compound is a decentralized financial protocol that helps users earn interest on their digital assets by borrowing and lending them on the Ethereum blockchain. TrueUSD (TUSD) is a stablecoin pegged to the USD. One of the main integration issues with TUSD was related to transferability of assets.
To use TUSD on Compound, it had to be transferable between Ethereum addresses. However, a bug was found in TUSD’s smart contract, and some transfers were blocked or delayed. This meant that customers could not withdraw or deposit TUSD from Compound. This led to liquidity problems, and users lost opportunities to earn interest or borrow TUSD.
6.2 L2 DAI allows stealing issues in code reviews
In late February 2021, an issue was discovered in the code evaluation of StarkNet DAI Bridge smart contracts, which could have allowed any attacker to loot funds from the Layer 2 (L2) DAI system. This issue was found during an audit by Certora, a blockchain security organization.
The problem in the code review involved a vulnerable deposit feature in the contract, which a hacker could have used to deposit DAI coins into DAI’s L2 system without actually sending the coins. This could allow a hacker to mint an unlimited number of DAI coins and sell them on the market to earn huge profits. The StarkNet system has lost over $200 million worth of coins that were locked in it at the time of discovery.
The issue was resolved by the StarkNet team, who teamed up with Certora to deploy a new version of the flawed smart contract. The new version was then audited by the company and deemed safe.
Avalanche’s $350M Risk Report
This risk refers to a cyber attack that occurred in November 2021, which resulted in the loss of around $350 million worth of tokens. This attack targeted the Poly Network, a DeFi platform that allows users to exchange cryptocurrencies. The attacker exploited a vulnerability in the platform’s smart contract code, allowing the hacker to control the platform’s digital wallets.
After discovering the attack, Poly Network asked the hacker to return the stolen assets, stating that the attack had affected the platform and users. The attacker surprisingly agreed to return the stolen assets. He also claimed that he intended to expose the vulnerabilities rather than profit from them. The attack highlights the importance of security audits and testing of smart contracts to identify vulnerabilities before they can be exploited.
How to steal $100 million from flawless smart contracts?
On June 29, 2022, a noble protected the Moonbeam Network by revealing a critical flaw in the design of digital assets, which was worth $100 million. He was awarded the maximum amount for this bug bounty program by Immunefi ($1M) and a bonus (50K) from Moonwell.
Moonriver and Moonbeam are EVM-compatible platforms. There are some precompiled smart contracts between them. The developer did not take “delegate call” in the EVM into account. A malicious hacker can send his precompiled contract to impersonate the caller. The smart contract will not be able to determine the actual caller. The attacker can transfer the available funds immediately from the contract.
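The caller confusion described above can be modelled in a few lines. This is an added example, not code from Moonbeam or from the original report: the frame model, the `TokenPrecompile` class, the addresses and the context check used as the hardened form are all assumptions made for illustration.

```python
from dataclasses import dataclass

PRECOMPILE = "0xPRECOMPILE"  # hypothetical address of a native-token precompile

@dataclass(frozen=True)
class Frame:
    msg_sender: str    # caller as seen by the running code
    address: str       # account whose context (storage, balance) is active
    code_address: str  # account whose code is executing

def call(caller_address: str, target: str) -> Frame:
    # CALL: the callee runs in its own context and sees the caller as msg.sender.
    return Frame(caller_address, target, target)

def delegatecall(parent: Frame, target: str) -> Frame:
    # DELEGATECALL: target's code runs, but msg.sender and context stay the parent's.
    return Frame(parent.msg_sender, parent.address, target)

class TokenPrecompile:
    def __init__(self, balances: dict, reject_delegatecall: bool):
        self.balances = dict(balances)
        self.reject_delegatecall = reject_delegatecall

    def transfer(self, frame: Frame, to: str, amount: int) -> bool:
        # Hardened form: refuse to run inside another contract's context.
        if self.reject_delegatecall and frame.address != frame.code_address:
            return False
        sender = frame.msg_sender  # trusted as the account being debited
        if self.balances.get(sender, 0) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

def run_scenario(reject_delegatecall: bool):
    """alice calls an untrusted contract, which delegatecalls the precompile."""
    token = TokenPrecompile({"alice": 100}, reject_delegatecall)
    outer = call("alice", "untrusted_contract")
    inner = delegatecall(outer, PRECOMPILE)  # msg_sender is still "alice"
    moved = token.transfer(inner, "untrusted_owner", 100)
    return moved, token.balances["alice"]

def direct_call_still_works() -> bool:
    token = TokenPrecompile({"alice": 100}, reject_delegatecall=True)
    return token.transfer(call("alice", PRECOMPILE), "bob", 10)
```

With the check off, the precompile debits alice although she only called the untrusted contract; with it on, the delegated call is refused while a direct call still succeeds.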
How PWNING saved 7K ETH and won a $6 million bug bounty
PWNING is a hacking enthusiast who has recently joined the crypto land. A few months before June 14, 2022, he reported a critical failure in the Aurora engine. At least 7K ETH was at risk of being stolen until he found the vulnerability and helped the Aurora team fix the problem. He also won a bug bounty of 6 million, the second highest in history.
Phantom Functions and Billion Dollar no-op
These are two concepts related to software development and engineering. Phantom functions are blocks of code that exist in a software system but are never executed. On January 10, the Dedaub team disclosed a vulnerability to the Multichain project, formerly AnySwap. Multichain made a public announcement that focused on the impact on customers. This announcement was followed by attacks and a flash bot war, resulting in a loss of 0.5% of funds.
Read-Only Reentrancy: A vulnerability responsible for risking $100 million in funds
In this attack, a malicious contract is able to call itself repeatedly and drain money from the targeted contract.
Could tokens like WETH be insolvent?
WETH is a simple and fundamental contract in the Ethereum ecosystem. If depegging takes place, both ETH and WETH will lose value.
A vulnerability exposed in Profanity
Profanity is an Ethereum vanity address tool. If a user’s wallet address was generated by this tool, it might be unsafe for them to use. Profanity used a random 32-bit vector to generate the 256-bit private key, which is suspected to be insecure.
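Why a 256-bit key built from a small seed is weak can be measured directly: the number of keys the generator can ever produce is bounded by the seed space, not by the key length. The audit below is an added example, not code from the tool or from the original report. It assumes a SHA-256 expander as a stand-in for the tool's own routine and a 12-bit seed (reduced from the 32 bits mentioned above) so the whole seed space enumerates instantly.

```python
import hashlib
import math
import secrets

SEED_BITS = 12  # constructed: reduced from 32 bits so the audit runs instantly

def weak_private_key(seed: int) -> bytes:
    """256-bit key expanded deterministically from a small seed.
    SHA-256 is a stand-in expander, not the tool's actual routine."""
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()

def strong_private_key() -> bytes:
    # Recommended form: all 256 bits come from the OS CSPRNG.
    return secrets.token_bytes(32)

def reachable_keys(seed_bits: int) -> set:
    # Every key the weak generator can ever output.
    return {weak_private_key(s) for s in range(2 ** seed_bits)}

def audit(seed_bits: int = SEED_BITS, samples: int = 1000) -> dict:
    weak_space = reachable_keys(seed_bits)
    weak_draws = [weak_private_key(secrets.randbelow(2 ** seed_bits))
                  for _ in range(samples)]
    strong_draws = [strong_private_key() for _ in range(samples)]
    return {
        "key_length_bits": len(next(iter(weak_space))) * 8,
        "effective_bits": math.log2(len(weak_space)),
        # Repeated keys across independent users are the visible symptom.
        "weak_duplicates": samples - len(set(weak_draws)),
        "strong_duplicates": samples - len(set(strong_draws)),
        "strong_in_weak_space": sum(k in weak_space for k in strong_draws),
    }

if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

The keys are 256 bits long, yet the effective entropy equals the seed width, and independent draws collide; keys from `secrets.token_bytes(32)` show neither property.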
Attack on Ethereum L2
A critical security issue was reported, which can be used by any attacker to copy money on the chain.