We are barely finished with the first quarter of the calendar year and already we have seen multiple “hacks” in the crypto space that have resulted in the losses of over US$1 billion.
These attacks represent a significant systemic risk for investors and consumers alike and it’s worth paying attention to the key themes that are emerging and what they might mean for crypto and web3 generally.
The blockchain is (somewhat) immutable, but the crypto community is not
A blockchain is only as strong as its weakest link. This weakest link can come in many forms, be it the cost of securing a network, the smart contracts that underpin systems (such as bridges), or the community itself. A fundamental feature of blockchains (and one of their strongest selling points) is immutability. Immutability at its core means that one cannot alter, falsify or reverse a transaction that has been verified and recorded onto the blockchain. This leads to the often misguided claim that a blockchain cannot be hacked. But this is not strictly true, or rather it is true only in a very limited sense. From a technological perspective, the effectiveness of a blockchain’s immutability is proportional to the cost of securing the network, meaning that, if the cost of securing the network (for example, with hashing power or accumulation of a majority stake) is low, then an attack that changes the settled record is economically possible. Beyond the technology, blockchains are ultimately operated by individuals – people in the natural world – who can be tricked into giving away important information (such as passwords and private keys), inadvertently authorising malicious transactions or colluding to alter the record of a blockchain.
Social engineering, or the practice of manipulating users into behaving in a certain predictable way, is becoming a central pillar of many attacks. Users are increasingly subjected to so-called phishing attacks and are duped into giving away their private keys; listing their NFTs on fraudulent sites that masquerade as legitimate marketplaces; authorising malicious code to interact with their wallets; or allowing the installation of malware onto their systems which then siphons off crypto-assets into another wallet or otherwise records and transmits data back to the bad actor.
We can expect these types of attacks to continue and they may escalate, both in their frequency and their sophistication as crypto becomes more mainstream and more “retail”-type investors are attracted to the space.
The largest hack to date also centred on human exploitation of another kind. The pay to earn game, Axie Infinity, lost approximately US$624 million after an attacker took control of four of the nine validators securing the network, and tricked a fifth validator to authorise two separate transactions removing Ether (“ETH”) and USDC from a smart contract (known as the Ronin Bridge) which services the game.
Code is not law
In February 2022, Treasure DAO, an NFT trading platform, was exploited by an unknown attacker who took advantage of a flaw in the platform’s code to make off with more than 100 NFTs from unsuspecting users, according to bitcoin.com and Certik, a company that analysed the attack. The logic bug allowed the attacker, in effect, to multiply the price of each NFT they were “buying” by “0”, such that the attacker paid nothing for the NFTs.
This illustrates the importance of having code properly (and regularly) tested and audited. It also shows that there may be a role for independent arbiters (like courts) to play in resolving interpretational or application issues like the above.
The Treasure DAO hack follows the archetypal DAO hack in 2016, which threatened the future of the Ethereum blockchain. An attacker took advantage of a feature, not a bug, in the DAO’s smart contract to continuously withdraw ETH stored in the DAO before the previous withdrawals took effect. By the time that the attack became apparent, approximately 30% of all ETH held by the DAO (worth approximately US$50 million at that time, being approximately 5% of all ETH in existence) had been moved to a separate account, out of the control of the DAO’s members. This resulted in the ‘hard fork’ of the Ethereum blockchain to reverse the effect of the withdrawal. See our article on How to use humans to make “smart contracts” truly smart for further detail.
In both hacks, auditing the code would help, but may not be sufficient as each exploited a feature of the code, not a bug. In each, the code clearly allowed the transactions to proceed when executed according to its strict terms, but none of the “sellers” in the Treasure DAO hack or the members in the DAO hack would have agreed to the transaction if they knew that they were receiving nothing for transferring their NFTs or would lose all the ETH in the DAO.
Whoever is tasked with resolving these sorts of disputes will need to grapple with a number of thorny legal issues, like identifying what part of a smart contract forms part of the contract in a legal sense or when to impose an interpretation onto an arrangement that is somewhat at odds with the express “terms” of the code. But these challenges are not insurmountable and, if anything, demonstrate that crypto doesn’t operate in a completely trustless environment. It also shows the importance of giving effect to the true intention of the parties. This benefits from the intervention of centralised actors like courts, which play a fundamental role in ensuring that transactions proceed as intended. It also shows that natural language governance (also known as traditional contracts) can augment smart contracts to facilitate the operation of protocols in all circumstances.
The race to scale is introducing risk to the system
Billions of dollars have been introduced into the defi space over the past 18 months, with a corresponding uptick in the number of transactions which the base-layer blockchains are required to process at any given point in time. In an attempt to facilitate this scaling, many protocols are pushing the validation of transactions onto so-called side chains. These side chains often process a greater size of blocks or process blocks at a higher frequency than the base-layer chains for lower gas fees. This in turn often means that a smaller number of validators are securing the network or that the network is using a different, less costly consensus mechanism.
As the Bankless team has noted, “When you push your assets onto a sidechain, you are moving away from the trustless, decentralized form of security consensus on the underlying base Layer-1 chain. Subsequently, you’re increasing trusted reliance on the reputation and security expertise of sidechains. In short, you trade off security for costs and speed.”
Additionally, the use of bridges to make protocols and sidechains interoperable with the base-layer chain increases the number of “attack surfaces” which are available to bad actors who wish to compromise transactions or exploit the chain. A bridge allows users to transfer crypto-assets from one blockchain to another. This requires an operating system to “lock up” the crypto-asset in question on the blockchain on which it was created (the primary blockchain), with a corresponding crypto-asset minted on the secondary blockchain. No transactions can be processed in respect of the crypto-asset on the primary blockchain unless and until the asset is released from the secondary blockchain.
The attack surfaces are the points at which a bad actor could attempt to exploit the system (ie the primary blockchain, the secondary blockchain, the dApp or operating system controlling the whole process and any underlying smart contracts) to divert value. This is what happened in both the Solana Wormhole hack in February this year and the Polygon hack in December 2021. Each of these attack surfaces is a manifestation of code and it stands to reason that multiple codebases working across multiple environments are more likely to contain bugs that open up the possibility for attack or exploitation.
Exchanges and marketplaces are compensating victims for loss at the moment
There is not always a clear dividing line between each of the themes mentioned above. For example, the race to scale may contribute to the increased prevalence of bugs in code as developers are incentivised to roll out products quickly to meet rising demand from consumers who are susceptible to social engineering.