Web3 Security — Lessons Learned

8 min read

Hackers and scammers have found Web3 to be an ideal arena for their nefarious plots of stealing cryptocurrencies and digital assets such as NFTs from unsuspecting users.

According to a recent report by the team at Chainalysis, digital thieves stole $3.2 billion worth of cryptocurrency in 2021. In addition, 2022 is perhaps playing out to be the biggest year for hackers as they have stolen $1.3 billion in cryptocurrencies in the first three months of the year alone.

Types of Attacks in the Crypto-verse and Lessons Learned

To note is that the Chainalysis report only accounts for hacks carried out on DeFi platforms. Therefore, combined losses by crypto users could be higher if additional attacks such as those highlighted below are included in the analysis.

1. Advanced Persistent Threats (APTs)

Advanced Persistent Threats (APTs) is a broad term used in cyber security to describe instances of stealthy malicious actors gaining unauthorized access to a computer network and remaining undetected for an extended period. In most instances, APTs are carried out by state-sponsored groups or individuals who live in countries without extradition treaties.

In the case of Web3, APTs are commonplace since Dapps and Defi protocols provide a potentially suitable environment for such hackers to carry out their heists. One good example is the Ronin Validator Attack, commonly known as the Axie Infinity Hack, carried out by the North Korean hacker group known as Lazarus.

In this instance, the Lazarus group found a back door through a gas-free RPC node which was then used to get the signature for the Axie DAO validator, thus kick-starting the heist of 173,600 Ethereum and 25.5 million USD Coin.

Lessons Learned from the Axie Infinity Hack

The Axie Infinity Hack will probably go down in history as one of the largest DeFi hacks of all time. The incident also provided the following valuable lessons.

• Decentralization matters through increasing the number of nodes and diversification of their location.
• Bug bounty programs are essential for identifying potential vulnerabilities.
• Constant security audits are also necessary to catch weaknesses ahead of time.
• Having open-source code allows for white-hat hacker community members to identify potential weaknesses.

2. Targeted Phishing Attacks

Phishing is a form of social engineering where an attacker sends fake messages meant to trick a person into revealing sensitive personal information that can financially benefit the attacker.

These types of phishing attacks in Web3 come in various forms. The most common are Twitter bots disguised as famous individuals such as Elon Musk or Michael Saylor. These bots Tweet enticing messages to lead unsuspecting crypto users to a site that asks for their wallet recovery phrase or requests funding for non-existent crypto projects.

Similarly, malicious actors can send legitimate-looking emails and messages, as was the case when Ledger’s user information leaked. These emails and messages have the end goal of enticing recipients to reveal their crypto wallet seed phrases.

Phishing attacks can also be carried out by hacking the social media page belonging to a famous individual or project, then posting fake links or giveaways. For example, in April 2022, the official Instagram account of the Bored Ape Yacht Club was hacked and used to post phishing links that tricked the BAYC community into parting with their valuable NFTs and digital assets to the tune of $1 million.

What Phishing Attacks Have Taught Us

The BAYC incident is one of many Web3 phishing attacks that have resulted in massive losses of digital assets. But all is not lost as such incidences have provided the following lessons.

• Phishing attacks have a specific pattern, such as the advertising of amazing offers only available by clicking a link and entering personal information.
• Random links on social media, emails, or text messages, should be treated with caution and avoided.
• Potential attackers use modified emails and usernames to trick you into believing that they are legitimate. For example, an attacker can create a @elonmusk_ account on Twitter, which is a modification of Elon’s actual username of @elonmusk.
• The installation and use of firewalls could reduce phishing attacks.

3. Supply chain vulnerabilities

Software engineering sometimes adapts processes seen in traditional manufacturing by outsourcing portions of code to third parties, then piecing everything together to create a final product. Like in manufacturing, a lack of proper auditing and monitoring of the imported code can lead to critical vulnerabilities.

Such a scenario led to the $325 million hack of the Wormhole DeFi platform. The attack resulted from an update to the project’s GitHub repository, which revealed a fix to a vulnerability yet to be identified. In essence, the attacker was notified of the weakness through the submission of open-source code meant to fix it before it was deployed.

Lessons Learned from Supply Chain Vulnerabilities

Almost instantly, it can be identified that the Wormhole hack resulted from the project lacking proper processes for the disclosure of vulnerabilities. In addition, the event provided the following lessons.

• Periodic audits of code can identify vulnerabilities in advance.
• Bug bounty programs can incentivize would-be attackers into highlighting vulnerabilities rather than exploiting them.

4. Price oracle manipulation

All DeFi protocols rely on price oracles to provide accurate real-time data on the value of digital assets. These price oracles have various degrees of decentralization and security as they serve as a bridge between the real-world value of digital assets and the different DeFi protocols.

The utility of price oracles thus makes them the target of crafty individuals who manipulate them to their benefit. Such a case happened to Synthetix in June 2019 when one of the protocol’s price feed quoted a KRW price that was 1,000 times higher than the actual exchange rate. Its system accepted the price, and it was published on-chain. A trading bot took advantage of the discrepancy to quickly buy and sell using the inaccurately reported sKRW values.

What We Can Learn from the Manipulation of Price Oracles

Price oracle attacks such as the one witnessed on Synthetix can offer the following learning opportunities.

• DeFi developers should work towards the standardization of price oracles.
• On-chain decentralized oracles should have a mechanism to validate the values being returned.
• Price oracles should be designed to capture data from several sources, including DEXs and CEXs, with a circuit breaker type of design in the event of a massive price deviation from the sources.
• Increasing the use of Time-Weighted Average Price (TWAP) oracles which are resistant to oracle manipulation attacks.

5. Flash loan attacks

The decentralized manner of DeFi and its use of smart contracts has made it possible for the existence of flash loans. These loans occur when the attacker borrows and repays a loan in the same transaction without the use of collateral.

Flash Loans also take advantage of price oracles as the loan is taking place by manipulating the value of the borrowed token to a lower value, then allowing the attacker to buy it at the lower price. The attacker is then free to sell the tokens on other markets for the actual price and consequently pocketing massive profits.

In 2021, Cream Finance suffered three flash loan attacks netting the perpetrators $37.5 million in February, $18.8 million in August, and $130 million in October.

What Flash Loan Attacks Have Taught Us

The Cream Finance flash loan exploits bring us back to the issue of price oracle manipulation highlighted above. Therefore, similar lessons can be learned, such as the use of standardized oracles provided by Chainlink (LINK) and the Band Protocol (BAND).

6. Governance attacks

Many DeFi protocols are modeled around the decentralized autonomous organization model whereby native tokens are staked to facilitate voting of proposals that modify the respective platforms. Governance attacks are a form of rigging the democratic process on such DeFi protocols to achieve majority control of decisions and possibly steal funds.

Such an attack happened to Beanstalk farms resulting in the loss of $77 million in user assets. The perpetrator ‘used a flash loan to exploit the protocol’s governance mechanism and send the funds to a wallet they controlled.’

Lessons from Governance Attacks such as Beanstalk’s

Concerning lessons learned, the Beanstalk Farm exploit provided the following:

• A time delay mechanism for the execution of governance proposals could have delayed the exploit long enough to be identified.
• Flash loan probabilities should be considered when designing DeFi protocols.
• Changes to the protocol through governance proposals, no matter how small, should be audited by the development team before implementation.

7. Crypto exchange hacks

DeFi protocols are not the only type of platforms under constant attack from hackers. Centralized exchanges such as KuCoin, Binance, Mt. Gox, Bitfinex, Cryptopia, CoinBene, and Crypto.com, have been the target of successful attacks that have netted the perpetrators millions in digital assets.

Mt. Gox is one of the most famous as almost 850,000 Bitcoin were stolen from the exchange in 2014. In 2016, Bitfinex suffered a similar fate when 119,754 Bitcoin were siphoned off the trading platform. The popular exchange of Binance has also been on the receiving end of similar attacks, having lost 7,000 Bitcoins to hackers back in 2019.

What Crypto Exchange Hacks Have Taught the Industry

The sheer magnitude of the losses by centralized crypto exchanges due to hackers can lead to the conclusion that no individual or organization is immune from such attacks. However, some of the stolen funds have been traced over the years, thus providing the following lessons.

• All transactions on the blockchain are traceable except for some privacy coins.
• Some crypto exchanges, such as Binance, have created a Secure Asset Fund for Users to serve as an insurance fund when attacks lead to losses.
• APTs such as the North Korean Lazarus group have been behind some crypto exchange hacks, e.g., KuCoin in 2020.
• Crypto exchanges can work together to freeze stolen funds transferred to their platforms.
• Increasing the security management of hot and cold wallets can assist in preventing such massive losses. The majority of digital assets should be stored in cold wallets, with a smaller percentage in several hot wallets with individual private keys.

8. Exit scams and Rug Pulls

As the names suggest, exit scams and rug pulls refer to a malicious individual or group profiting from early investors by literally disappearing with the funds raised.

The Squid token is a straightforward example of a rug pull. The token was marketed around the popular South Korean TV series Squid Game leading to unknowing investors rushing to buy the token, which skyrocketed to as high as $2,861. But there was a catch; investors could not sell the token. Its anonymous creators soon shut down the project running away with roughly $3.3 million in user funds.

Some red flags to watch out for to avoid Rug Pulls and Exit Scams

As with all scams, potential rug pulls, and exit scams have telltale signs that can provide red flags ahead of time. They include:

• The sudden appearance of an overhyped project on social media platforms.
• The project developers choosing to remain anonymous.
• A few wallets own a vast majority of the token supply.
• The project is relentlessly marketed and shilled, e.g., BitConnect
• The non-existence of a final product, e.g., The OneCoin scam.

9. Direct Criminal Extortion

This type of attack involves violence or kidnappings to force crypto users to transfer digital assets against their will. The victims are usually high-net-worth individuals known around the crypto social media spaces.

Such a kidnapping and extortion case happened to a 14-year-old in May 2021. The unnamed minor had made a reasonable amount of money trading crypto and went on to share his success on social media. Unbeknownst to him, four men saw him as an easy kidnapping target and demanded £10,000 from his mother.

However, extortion can occur due to a random act such as checking crypto balances in a public place such as a bar, restaurant, or a party. A would-be attacker can observe a potentially significant crypto balance and get motivated to hatch a plot to force the owner to transfer the funds to another wallet by using violence and verbal threats.

How to Avoid Being a Victim of Direct Extortion

Incidences of kidnapping and extortion to steal digital assets are unfortunate. They also provide the following lessons to the rest of the community.

• Broadcasting profits on social media can lead to unwanted attention that can result in scenarios of theft through violence.
• Staying silent on the ownership of substantial crypto and NFT holdings is recommended.
• Not everyone in the crypto community means well.

Conclusion

In a nutshell, Web3 faces an uphill challenge in terms of security, as highlighted through the above types of attacks that have also served as learning opportunities to improve the industry and educate the community.

The success of Web3 is hinged upon increased innovation geared towards solving the various security challenges that pop up as the industry evolves through the different designs of Dapps, DeFi protocols, smart contracts, and nodes.

At the same time, the security loopholes in Web3 could open the doors toward the standardization of key elements such as price oracles and how crypto exchanges relay information amongst themselves when attacks happen.

Regulation of Web 3 might also be an unintended consequence of security gaps within the industry. Governments might step in to protect their respective citizens from losing life savings due to unaudited code or even the proliferation of scams and rug pulls.

Nevertheless, one thing is certain, the adoption of Web3 is growing at an encouraging rate, with some analysts likening its uptake to the internet in the mid to late nineties. This, in turn, means that we are still very early in the game.