Sumit ‘Sid’ Siddharth, the founder of Cambridge-based IT security firm The SecOps Group, discusses how cybercriminals are exploiting the rise in crypto currency use and what can be done about it.
Cybercriminals have always been quick to weaponise newly disclosed vulnerabilities and exploits. With the rapid growth of cryptocurrencies, NFTs and other blockchain applications, there has never been an easier way to turn a vulnerability into large sums of money, and because on-chain transfers are irreversible the proceeds are very hard to claw back.
We see two different types of attack involving cryptocurrencies. The first is centred on the end user (the victim): the attacker relies on social engineering, such as convincing the victim to send cryptocurrency to the attacker's wallet.
The second type targets the technology itself and is more involved. It requires a deep understanding of smart contracts and the components around them: side-chains, cross-chain bridges, wallets, the protocols they speak, and more.
At The SecOps Group, which already offers security consultancy services such as cloud security assessments and web and network pentests, we have now launched a blockchain smart contract security audit to help blockchain developers identify and patch security issues before they are exploited in the wild.
To break this down in layman's terms, I will first explain what a blockchain is, then discuss applications of blockchain technology and some common problems.
A blockchain is a database of transaction records that is distributed, validated and maintained by a network of computers around the world.
Instead of a single central authority such as a bank, a large community of independent nodes oversees the records, and no individual has control over them: every node holds a full copy of the ledger, checks each new block against the same rules, and rejects copies that do not match.
The records are grouped into blocks, and each block contains a cryptographic hash of the block before it, so altering an old record breaks the chain from that point on. The nodes exchange blocks with one another directly, functioning as a peer-to-peer (P2P) network with no central server.
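To make the "validated and maintained by a network" part concrete, here is an added example in Python (not code from the original article): a minimal hash-chained ledger in which each block commits to the hash of its predecessor, the validation routine that every node runs independently, and a majority check of the local tip against peers. The transactions and the peer set are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str          # SHA-256 hex of the previous block; the "chain" link
    transactions: tuple     # (sender, receiver, amount) triples
    nonce: int = 0          # would carry the proof-of-work solution in a real chain

    def hash(self) -> str:
        # Canonical JSON so every node hashes identical bytes for identical content.
        payload = json.dumps(
            [self.index, self.prev_hash, list(self.transactions), self.nonce],
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()


GENESIS_PREV = "0" * 64   # the first block points at an all-zero hash


def build_chain(batches):
    """Append one block per batch of transactions, linking each to the previous hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        blk = Block(i, prev, tuple(txs))
        chain.append(blk)
        prev = blk.hash()
    return chain


def validate_chain(chain):
    """Local check every node runs: returns (ok, index of first broken block or None)."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk.index != i or blk.prev_hash != prev:
            return False, i
        prev = blk.hash()
    return True, None


def tamper(chain, index, new_txs):
    """Simulate one dishonest node rewriting a block's transactions in its own copy."""
    old = chain[index]
    forged = list(chain)
    forged[index] = Block(old.index, old.prev_hash, tuple(new_txs), old.nonce)
    return forged


def matches_network(chain, peer_tip_hashes):
    """A node's copy is only trusted if its tip hash agrees with a majority of its peers."""
    tip = chain[-1].hash()
    agreeing = sum(1 for h in peer_tip_hashes if h == tip)
    return agreeing * 2 > len(peer_tip_hashes)


# Constructed sample transactions; not real on-chain data.
SAMPLE_BATCHES = [
    [("alice", "bob", 5)],
    [("bob", "carol", 2)],
    [("carol", "alice", 1)],
]
```

Altering a block in the middle of the chain changes its hash, so the next block's `prev_hash` no longer matches and every honest node rejects the copy at that point. Altering the last block passes the local check, which is why a node's view is also compared against what the majority of peers hold; the consensus protocol (proof of work or proof of stake) is what makes it expensive to rewrite the tip across that majority.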
Blockchain technology is being used in many different industries. Annual blockchain spending will reach $16bn by 2023, according to recent research by CB Insights, and the rate of adoption is increasing.
There are now many blockchain platforms on the market, each with its own smart-contract technology. For example, Ethereum uses the Solidity language, Hyperledger Fabric chaincode is usually written in Go, EOS contracts are written in C++ and compiled to WebAssembly, MultiChain is written in C++, Corda uses Java/Kotlin, and so on.
The most famous cryptocurrency, Bitcoin (BTC), runs on its own Bitcoin blockchain. Ether (ETH) is the native cryptocurrency of the Ethereum platform. Most major blockchain applications are built on Ethereum, where the program code, called a "smart contract", is written in Solidity.
A smart contract audit is a methodical examination and analysis of the code of a smart contract deployed on a blockchain.
It is conducted to discover errors, logic flaws and security vulnerabilities in the code and to recommend fixes. Audits are generally necessary because most contracts hold or move financial assets or other valuable items, and a deployed contract's code is visible to every attacker on the network.
Here are some of the major attacks this year:
$7m Solana wallets attack – August 03, 2022
Solana is a blockchain-based platform, and many web3 applications are deployed on it because deployment is cheap. In August 2022 a wallet-level hack hit Solana users. The root cause has not been confirmed, but it appears to stem from a flaw in the wallet software used, which led to the compromise of users' private keys and/or seed phrases. A private key is the secret that authorises transactions from a blockchain address; whoever holds it controls the funds at that address.
A seed phrase (or recovery phrase) is a list of words that encodes the master secret from which every private key in a wallet is derived. It is used to restore the wallet if the device is lost, which also means that anyone who obtains it controls all of the wallet's accounts on every chain. More than 7,000 wallets were drained of more than $7m in SOL tokens.
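The reason a leaked seed phrase is a total compromise is that every key in the wallet is a deterministic function of it. The following added Python example (not code from the article or from any wallet vendor) derives the BIP-39 seed from a mnemonic with the standard library and then walks the hardened prefix of an Ethereum-style path (BIP-32, secp256k1) and a Solana-style path (SLIP-0010, ed25519) to their private keys. The mnemonic is the published BIP-39 test-vector phrase; the path prefixes are the conventional ones, and only hardened levels are derived because non-hardened steps need elliptic-curve point arithmetic that is omitted here.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group, used by Bitcoin and Ethereum keys.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# First BIP-39 reference test vector (128 bits of zero entropy), not a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: 64-byte seed = PBKDF2-HMAC-SHA512(mnemonic, 'mnemonic' + passphrase, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048)


def master_key(seed: bytes, curve_tag: bytes):
    """Master private key and chain code are the two halves of HMAC-SHA512 keyed with the curve tag."""
    i = hmac.new(curve_tag, seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def secp256k1_child(key: bytes, chain: bytes, index: int):
    """BIP-32 hardened child (Ethereum, Bitcoin): k_child = (IL + k_parent) mod n."""
    data = b"\x00" + key + (index | HARDENED).to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = (il + int.from_bytes(key, "big")) % SECP256K1_N
    return child.to_bytes(32, "big"), i[32:]


def ed25519_child(key: bytes, chain: bytes, index: int):
    """SLIP-0010 hardened child (Solana): the child key is IL itself, no curve arithmetic."""
    data = b"\x00" + key + (index | HARDENED).to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    return i[:32], i[32:]


def derive(seed: bytes, curve: str, path) -> bytes:
    """Walk an all-hardened path such as [44, 60, 0] from the seed; returns the leaf private key."""
    if curve == "secp256k1":
        key, chain = master_key(seed, b"Bitcoin seed")
        step = secp256k1_child
    elif curve == "ed25519":
        key, chain = master_key(seed, b"ed25519 seed")
        step = ed25519_child
    else:
        raise ValueError(f"unsupported curve {curve!r}")
    for idx in path:
        key, chain = step(key, chain, idx)
    return key


def keys_from_phrase(mnemonic: str, passphrase: str = "") -> dict:
    """Everything an attacker obtains from one leaked seed phrase: keys on every chain."""
    seed = bip39_seed(mnemonic, passphrase)
    return {
        "ethereum m/44'/60'/0'": derive(seed, "secp256k1", [44, 60, 0]),
        "solana m/44'/501'/0'/0'": derive(seed, "ed25519", [44, 501, 0, 0]),
    }
```

Note that nothing in the derivation is secret except the phrase (and the optional passphrase): the wordlist, the salt prefix, the iteration count and the paths are all public, so any software that logs or transmits the phrase has handed over every account that will ever be derived from it. The optional BIP-39 passphrase produces an entirely different seed, which is why some wallets offer it as a second factor.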
$625m Axie Infinity Ronin bridge attack – March 28, 2022
Ethereum is a blockchain-based platform. It was the first blockchain to support general-purpose smart contracts and remains the most widely used platform for them. Ronin is an Ethereum-compatible sidechain built for Axie Infinity; its bridge to Ethereum is controlled by a set of validator keys, and a withdrawal is honoured once a majority of those validators have signed it.
The largest crypto hack ever, measured in fiat dollars, came after the attackers gained control of a majority of the validator keys securing the cross-chain bridge of the play-to-earn game Axie Infinity. Four of the nine keys were obtained after an Axie developer opened a fake job-offer PDF; with a majority of keys in hand, the attackers could sign fraudulent withdrawals that the bridge accepted as legitimate.
$325m Wormhole cross chain bridge attack — February 2, 2022
Wormhole is a bridge between Ethereum and Solana: it locks tokens on one chain and mints a wrapped representation of them on the other. A blockchain bridge is a protocol connecting two economically and technically separate blockchains so that assets and messages can move between them. The attacker exploited a flaw in the bridge's Solana-side smart contracts to mint wrapped ether (wETH) without depositing any collateral, and then cashed it out; around $320m worth of Ethereum and Solana tokens were stolen. Wormhole's bridge front end has since been rebranded Portal and, according to crypto data firm DeFi Llama, currently holds over $480m.
Auditing smart contracts has therefore become essential: thousands of decentralised finance (DeFi) and NFT projects now run on blockchain technology, also known as web 3.0, and securing them matters as much as building them.
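The Ronin and Wormhole incidents above both come down to one check on the destination chain: mint wrapped tokens only when enough genuine validator (or guardian) signatures attest to a real deposit, and never for the same deposit twice. The following is an added Python example, not code from Ronin, Wormhole or this article, of that check. It uses a hash-based Lamport one-time signature so that it runs with the standard library alone; the validator count and 5-of-9 threshold mirror the "majority of nine keys" figure quoted for Ronin, while the attestation fields, recipient and amount are constructed for illustration.

```python
import hashlib
import json
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """One-time hash-based key pair: 256 pairs of 32-byte secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    # Reveal one secret per digest bit. A Lamport key must never sign two different messages.
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))


def encode_attestation(att: dict) -> bytes:
    # Canonical encoding so signers and the bridge hash identical bytes.
    return json.dumps(att, sort_keys=True).encode()


class Bridge:
    """Destination-chain side of a bridge: mints wrapped tokens only for an attestation
    carrying at least `threshold` valid signatures from distinct registered validators."""

    def __init__(self, validator_pks, threshold: int):
        self.validator_pks = validator_pks
        self.threshold = threshold
        self.balances = {}
        self.seen_deposits = set()

    def mint(self, att: dict, signatures: dict) -> bool:
        msg = encode_attestation(att)
        if att["deposit_id"] in self.seen_deposits:
            return False  # replay: this deposit was already paid out
        valid = {
            i for i, sig in signatures.items()
            if 0 <= i < len(self.validator_pks) and lamport_verify(self.validator_pks[i], msg, sig)
        }
        if len(valid) < self.threshold:
            return False  # not enough genuine validator signatures
        self.seen_deposits.add(att["deposit_id"])
        self.balances[att["to"]] = self.balances.get(att["to"], 0) + att["amount"]
        return True


def sign_with(validator_sks, indices, att: dict) -> dict:
    """Signatures from the validators whose keys the signer holds (honest or stolen)."""
    msg = encode_attestation(att)
    return {i: lamport_sign(validator_sks[i], msg) for i in indices}


def ronin_scenario(stolen_keys: int, n: int = 9, threshold: int = 5) -> bool:
    """True if an attacker holding `stolen_keys` of `n` validator keys can mint unbacked
    tokens to themselves. No deposit ever happened on the source chain."""
    sks, pks = zip(*(lamport_keygen() for _ in range(n)))
    bridge = Bridge(list(pks), threshold)
    forged = {"deposit_id": "constructed-0001", "to": "attacker", "amount": 1_000_000}
    return bridge.mint(forged, sign_with(list(sks), range(stolen_keys), forged))
```

With four stolen keys the forged attestation falls one signature short and is rejected; with five, a majority of nine, the bridge accepts it and mints tokens that nothing backs, which is the Ronin outcome. Wormhole reached the same outcome by a different route: the contract's check that a mint was backed by a genuinely attested deposit was bypassed, so the mint went through without the guardian signatures at all. An audit of a bridge contract therefore focuses on exactly these lines: that the signature verification cannot be skipped, that signers are counted only once and only if registered, and that each deposit can be redeemed only once.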