– Open Zeppelin, a cybersecurity company that provides tools for developing and securing decentralized applications(dApps).
– The company revealed that the biggest threat posed to dApps is not the blockchain technology but evil intent from hackers worldwide.
Blockchain hacking has become a problem and threatens the cryptocurrency ecosystem. Hackers can breach blockchain security to steal cryptocurrency and digital assets. This is why companies are working on innovative ways to secure their systems from cyber-attacks. Open Zeppelin has released a report summarizing the top ten blockchain hacking techniques.
How do Hackers Pose Threats to Blockchain Security?
51% Attacks
This attack occurs when a hacker gains control of at least 51% or more of the computing power on a blockchain network. This will give them the power to control the network’s consensus algorithm and be able to manipulate transactions. This will result in double spending, where the hacker can repeat the same transaction. For example, Binance is a major investor in memecoin Dogecoin and stablecoin Zilliqa, and can easily manipulate the crypto market.
Smart Contract Risks
Smart contracts are self-executing programs that are built on underlying blockchain technology. Hackers can hack into the code of smart contracts and manipulate them to steal information or funds, or digital assets.
Sybil Attacks
Such an attack occurs when a hacker has created multiple fake identities or nodes on a blockchain network. This allows them to gain control over a major portion of the network’s computing power. They can manipulate transactions on the network to help in terrorist financing or other illicit activities.
Malware Attacks
Hackers can deploy malware to get access to a user’s encryption keys or private information, allowing them to steal from wallets. Hackers can trick users into revealing their private keys, which can be used to gain unauthorized access to their digital assets.
What Are The Top 10 Blockchain Hacking Techniques By Open Zeppelin?
Compound TUSD Integration Issue Retrospective
Compound is a decentralized finance protocol that helps users earn interest on their digital assets by borrowing and lending them on the Ethereum blockchain. TrueUSD is a stablecoin pegged to the USD. One of the main integration issues with TUSD was related to asset transferability.
To use TUSD on a Compound, it had to be transferable between Ethereum addresses. However, a bug was found in TUSD’s smart contract, and some transfers were blocked or delayed. This meant the customers could not withdraw or deposit TUSD from the Compound. Thereby leading to liquidity issues and users lost opportunities to earn interest or borrow TUSD.
6.2 L2 DAI allows stealing issues in code assessments
At the end of February 2021, an issue was discovered in the code assessment of the StarkNet DAI Bridge smart contracts, which could have allowed any attacker to loot funds from the Layer 2 or L2 DAI system. This issue was found during an audit by Certora, a blockchain security organization.
The issue in the code assessment involved a vulnerable deposit function of the contract, which a hacker could have used to deposit DAI coins into the L2 system of DAI; without actually sending the coins. This could allow a hacker to mint an unlimited amount of DAI coins. They can sell it to the market to earn huge profits. The StarkNet system has lost over $200 M worth of coins locked in it at the time of discovery.
The issue was resolved by the StarkNet team, who teamed with Certora to deploy a new version of the defective smart contract. The new version was then audited by the company and deemed safe.
Avalanche’s $350 M Risk Report
This risk refers to a cyber attack that happened in November 2021, which resulted in the loss of around $350 M worth of tokens. This attack targeted the Poly Network, a DeFi platform that allows users to exchange cryptocurrencies. The attacker exploited a vulnerability in the platform’s smart contract code, allowing the hacker to control the platform’s digital wallets.
Upon discovering the attack, Poly Network pleaded to the hacker to return the stolen assets, stating that the attack had affected the platform and its users. The attacker surprisingly agreed to return the stolen assets. He also claimed that he intended to expose the vulnerabilities rather than profit from them. The attacks highlight the importance of security audits and testing of smart contracts to identify vulnerabilities before they can be exploited.
How to steal $100 M from flawless smart contracts?
On 29th June 2022, a noble individual protected Moonbeam Network by disclosing a critical flaw in the design of digital assets, which were worth $100 million. He was awarded the maximum amount of this bug bounty program by ImmuneF($1M) and a bonus (50K) from Moonwell.
Moonriver and Moonbeam are EVM-compatible platforms. There are some precompiled smart contracts between them. The developer did not take the advantage of the ‘delegate call’ in EVM into consideration. A malicious hacker can pass its precompiled contract to impersonate its caller. The smart contract will be unable to determine the actual caller. The attacker can transfer the available funds immediately from the contract.
How did PWNING save 7K ETH and win a $6 M bug bounty
PWNING is a hacking enthusiast who has recently joined the land of crypto. A few months before June 14th, 2022, he reported a critical bug in the Aurora Engine. At least 7K Eth were at risk of being stolen until he found the vulnerability and helped the Aurora team fix the issue. He also won a bug bounty of 6 million, the second highest in history.
Phantom Functions and Billion Dollar no-op
These are two concepts related to software development and engineering. Phantom functions are blocks of code present in a software system but never executed. On January 10, the Dedaub team disclosed vulnerability to the Multi Chain project, formerly AnySwap. Multichain has made a public announcement that focused on the impact on its clients. This announcement was followed by attacks and a flash bot war, resulting in a loss of 0.5% of funds.
Read-only Reentrancy- A vulnerability responsible for a risk of $100M in funds
This attack is a malicious contract that will be able to call itself repeatedly and drain funds from the targeted contract.
Could tokens like WETH be insolvent?
The WETH is a simple and fundamental contract in the Ethereum ecosystem. If depegging takes place, both ETH and WETH will lose value.
A vulnerability disclosed in Profanity
Profanity is an Ethereum vanity addressing vanity tool. Now if a user’s wallet address was generated by this tool, it might be unsafe for them to use. Profanity used a random 32-bit vector to generate the 256-bit private key, which is suspected to be unsafe.
Attacking on Ethereum L2
A critical security issue was reported, which could be used by any attacker to replicate money on the chain.
Source: https://www.thecoinrepublic.com/2023/03/17/the-top-10-blockchain-hacking-techniques-by-open-zeppelin/