Insight,

Themes emerging from recent crypto attacks

AU | EN
Current site :    AU   |   EN
Australia
China
China Hong Kong SAR
Japan
Singapore
United States
Global

We are barely finished with the first quarter of the calendar year and already we have seen multiple “hacks” in the crypto space that have resulted in the losses of over US$1 billion. 

These attacks represent a significant systemic risk for investors and consumers alike and it’s worth paying attention to the key themes that are emerging and what they might mean for crypto and web3 generally.

The blockchain is (somewhat) immutable, but the crypto community is not

A blockchain is only as strong as its weakest link.  This weakest link can come in many forms, be it the cost of securing a network, the smart contracts that underpin systems (such as bridges), or the community itself.  A fundamental feature of blockchains (and one of their strongest selling points) is immutability. Immutability at its core means that one cannot alter, falsify or reverse a transaction that has been verified and recorded onto the blockchain.  This leads to the often misguided claim that a blockchain cannot be hacked.  But this is not strictly true, or rather it is true only in a very limited sense.  From a technological perspective, the effectiveness of a blockchain’s immutability is proportional to the cost of securing the network, meaning that, if the cost of securing the network (for example, with hashing power or accumulation of a majority stake) is low, then an attack that changes the settled record is economically possible.  Beyond the technology, blockchains are ultimately operated by individuals – people in the natural world – who can be tricked into giving away important information (such as passwords and private keys), inadvertently authorising malicious transactions or colluding to alter the record of a blockchain.

Social engineering, or the practice of manipulating users into behaving in a certain predictable way, is becoming a central pillar of many attacks.  Users are increasingly subjected to so-called phishing attacks and are duped into giving away their private keys; listing their NFTs on fraudulent sites that masquerade as legitimate marketplaces; authorising malicious code to interact with their wallets; or allowing the installation of malware onto their systems which then siphons off crypto-assets into another wallet or otherwise records and transmits data back to the bad actor.

We can expect these types of attacks to continue and they may escalate, both in their frequency and their sophistication as crypto becomes more mainstream and more “retail”-type investors are attracted to the space.

The largest hack to date also centred on human exploitation of another kind. The pay to earn game, Axie Infinity, lost approximately US$624 million after an attacker took control of four of the nine validators securing the network, and tricked a fifth validator to authorise two separate transactions removing Ether (“ETH”) and USDC from a smart contract (known as the Ronin Bridge) which services the game.

Code is not law

In February 2022, Treasure DAO, an NFT trading platform, was exploited by an unknown attacker who took advantage of a flaw in the platform’s code to make off with more than 100 NFTs from unsuspecting users, according to bitcoin.com and Certik, a company that analysed the attack.  The logic bug allowed the attacker, in effect, to multiply the price of each NFT they were “buying” by “0”, such that the attacker paid nothing for the NFTs.

This illustrates the importance of having code properly (and regularly) tested and audited.  It also shows that there may be a role for independent arbiters (like courts) to play in resolving interpretational or application issues like the above.

The Treasure DAO hack follows the archetypal DAO hack in 2016, which threatened the future of the Ethereum blockchain.  An attacker took advantage of a feature, not a bug, in the DAO’s smart contract to continuously withdraw ETH stored in the DAO before the previous withdrawals took effect.  By the time that the attack became apparent, approximately 30% of all ETH held by the DAO (worth approximately US$50 million at that time, being approximately 5% of all ETH in existence) had been moved to a separate account, out of the control of the DAO’s members.  This resulted in the ‘hard fork’ of the Ethereum blockchain to reverse the effect of the withdrawal.  See our article on How to use humans to make “smart contracts” truly smart for further detail.

In both hacks, auditing the code would help, but may not be sufficient as each exploited a feature of the code, not a bug.  In each, the code clearly allowed the transactions to proceed when executed according to its strict terms, but none of the “sellers” in the Treasure DAO hack or the members in the DAO hack would have agreed to the transaction if they knew that they were receiving nothing for transferring their NFTs or would lose all the ETH in the DAO.

Whoever is tasked with resolving these sorts of disputes will need to grapple with a number of thorny legal issues, like identifying what part of a smart contract forms part of the contract in a legal sense or when to impose an interpretation onto an arrangement that is somewhat at odds with the express “terms” of the code.  But these challenges are not insurmountable and, if anything, demonstrate that crypto doesn’t operate in a completely trustless environment.  It also shows the importance of giving effect to the true intention of the parties.  This benefits from the intervention of centralised actors like courts, which play a fundamental role in ensuring that transactions proceed as intended.  It also shows that natural language governance (also known as traditional contracts) can augment smart contracts to facilitate the operation of protocols in all circumstances.

The race to scale is introducing risk to the system

Billions of dollars have been introduced into the defi space over the past 18 months, with a corresponding uptick in the number of transactions which the base-layer blockchains are required to process at any given point in time.  In an attempt to facilitate this scaling, many protocols are pushing the validation of transactions onto so-called side chains.  These side chains often process a greater size of blocks or process blocks at a higher frequency than the base-layer chains for lower gas fees.  This in turn often means that a smaller number of validators are securing the network or that the network is using a different, less costly consensus mechanism.

As the Bankless team has noted, “When you push your assets onto a sidechain, you are moving away from the trustless, decentralized form of security consensus on the underlying base Layer-1 chain.  Subsequently, you’re increasing trusted reliance on the reputation and security expertise of sidechains.  In short, you trade off security for costs and speed.

Additionally, the use of bridges to make protocols and sidechains interoperable with the base-layer chain increases the number of “attack surfaces” which are available to bad actors who wish to compromise transactions or exploit the chain.  A bridge allows users to transfer crypto-assets from one blockchain to another.  This requires an operating system to “lock up” the crypto-asset in question on the blockchain on which it was created (the primary blockchain), with a corresponding crypto-asset minted on the secondary blockchain.  No transactions can be processed in respect of the crypto-asset on the primary blockchain unless and until the asset is released from the secondary blockchain.

The attack surfaces are the points at which a bad actor could attempt to exploit the system (ie the primary blockchain, the secondary blockchain, the dApp or operating system controlling the whole process and any underlying smart contracts) to divert value.  This is what happened in both the Solana Wormhole hack in February this year and the Polygon hack in December 2021.  Each of these attack surfaces is a manifestation of code and it stands to reason that multiple codebases working across multiple environments are more likely to contain bugs that open up the possibility for attack or exploitation.  

Exchanges and marketplaces are compensating victims for loss at the moment

At the heart of the decentralisation thesis is a strong sense and spirit of community.  Most bodies developing products or providing services in crypto or web3 are aware that their goodwill is tied to the ‘stickiness’ of the community to the project in question.  As a result, DAOs and other corporations are making significant efforts to compensate victims of exploits or hacks, even where they are under no legal obligation to do so.  Brand reputation, especially in the face of a security failure (including a flaw in the code), seems to drive the decision-making and responses more than the terms of user agreements.

Conclusion

There is not always a clear dividing line between each of the themes mentioned above.  For example, the race to scale may contribute to the increased prevalence of bugs in code as developers are incentivised to roll out products quickly to meet rising demand from consumers who are susceptible to social engineering.

We, at KWM, have been actively monitoring these developments for over half a decade.  We will continue to pay careful attention to what is happening in this space so that we can keep you well advised.

LATEST THINKING
Insight
Australia’s competitive banking landscape, prudential settings and the accelerating challenge (and cost) of technology uplift are tipped to drive further consolidation in the sector in the coming decade.

16 January 2025

Insight
The Australian Securities and Investments Commission (ASIC) has reissued Regulatory Guide 133 Funds management and Custodial Services: Holding assets (RG 133).

15 January 2025

Insight
The MYEFO just released by the Treasurer shows that an end to the surpluses the Government has enjoyed over the last two year is fast approaching, with slowing revenues and the promise of new policies such as the Build to Rent tax incentives announced in the last Budget beginning to bite.

19 December 2024