- An overlook caused Ronnins crypto cyber security attack in a previous transaction
- Poly network harboured a significant crypto risk within their blockchain security that went undetected till it was too late
- These crypto security issues should serve as an example that the constant auditing and maintenance of a network’s backend is as essential as keeping the network running
Web3 has brought multiple new possibilities that have led to new inventions on a global scale. Blockchain, cryptocurrency and NFTs are some of the popular features Web3 has brought. However, as some wish to advance and improve cryptocurrency systems, others have opted to break down the system.
Crypto hacks are no new concept to those who have dealt with cryptocurrency. Crypto cybersecurity has been a significant concern to organizations and individual crypto miners. Most crypto exchange platforms have incorporated blockchain security measures, but there can never be a perfect security system.
Crypto security issues will arise, eventually claiming the hard-earned money of crypto miners and traders. Most individuals often look at the profits gained from cryptocurrency and are still in the dark about significant crypto risks when using specific exchange platforms.
Both large and small exchange platforms suffer from various crypto vulnerabilities hence are required to take the necessary measures to mitigate these flaws.
This will be slightly technical documentation that will dive into cryptocurrency and cyber security to highlight existing crypto vulnerabilities that tech enthusiasts have heard of.
Crypto hacks use case.
Numerous crypto hacks and scams have plaques the blockchain security of multiple exchange platforms. Big leagues such as Binance to underdogs such as Kucoin have suffered the plague of crypto vulnerabilities.
Despite this, have you ever asked how these attackers can get away with such a large sum of money? Blockchain security developers have boasted that their mechanisms can fully reinforce the crypto cybersecurity of various companies, but somehow there was a slight issue, An error. That has led to significant crypto security issues known today.
Ronin Network Hack
The Ronin network hack has been considered one of the most incredible crypto hacks in history. A more than $600 million loss resulted from negligence within their blockchain security.Most news and articles wouldn’t highlight the backend story of this heist, but that won’t be the case here.
An overlook caused Ronnins crypto cyber security attack in a previous transaction. Months before the incident Sky Mavis, the developer behind a popular play-to-earn game Axie Infinity, requested the Axie DAO to help distribute free transactions.
The amount was huge; hence Axie whitelisted Sky Mavis, allowing them to sign various transactions on its behalf. As stated, the operations stopped in December of the same year, yet Axie DAO never revoked access to the allowlist. A clear sign of negligence and human error is why cybersecurity will never reach perfection.
Negligence placed the crypto vulnerability on the Axie DAO, and the attacker was able to exploit it once they gained access to the Sky Mavis system.
From there, the attacker laced a backdoor into the Sky Mavis system and, with it still whitelisted, gained access to five out of nine private keys required for node verification. They included four Ronin validators and a third-party validator run by Axie DAO. Armed with these tools, they swiped all they could and made their merry way.
Poly Network Hack
Poly network harboured a significant crypto risk within their blockchain security that went undetected till it was too late. Its crypto vulnerability lies within its smart contracts, EthCrossChainManager and EthCrossChainData.
The EthCrossChainManager was a high-privilege smart contract with the right to trigger messages from another chain to the Poly chain. This means anyone could perform cross-chain even if they had access to its smart contract. Because of this ability, Poly Network placed various blockchain security on it to ensure it did not have full access to call any chain or function. This crypto security issue was unforeseen.
The latter, EthCrossChainData, was also a crucial component within its ecosystem. This smart contract set and managed a list of public keys of authenticator nodes that have full management privileges over the wallets in the underlying liquidity chains. This is a potent tool since it essentially decides who has the right to move large amounts of funds within their wallets. Only owners could access it.
Somehow the attacker detected an error within both smart contracts and ‘made haste with the pickings’.
How the attacker did it
The first crypto risk is that the EthCrossChainManager was listed as an owner within the EthCrossChainData and could not only access but also deliver such functionalities to the main chain, Polychain. The second crypto vulnerability was an error within the EthCrossChainData code; the _method was user-defined.
This meant it could be changed or set at the leisure of anyone with authorization. To exploit this, the attacker conducted a brute-force attack on the user-defined field. Once the attacker gained access to the EthCrossChainManager, he performed a cross-chain transaction from the Ethereum network to the Poly Network, accessing an Ethereum wallet.
This prompted the crypto cybersecurity features to activate and request verification that the attacker was a valid authenticator. Most developers often think such a feature could deter the attacker, but this crypto security issue also imploded itself.
Because EthCrossChainManger is an owner in EtherCrossChainData, the attacker walked right through while EthCrossChainData verified its authenticity. The attacker was granted the status of a Keeper on the Ethereum blockchain and proceeded to use a previously acquired secret key to siphon tokens out of Poly’s Ethereum wallet into their own.
Having transferred millions of tokens without a ‘tweet’, they proceeded to repeat the same process in other Poly Liquidity Wallets; Binance, Neo and Tether. The attacker fully utilized this crypto risk.
Nomad Crypto Vulnerability
Although this heist does not rank within the top crypto hack, it deserves a place in this article as its crypto vulnerability revolves around a fundamental blockchain security flaw. The Nomad attack was one of the most highlighted crypto security issues in this decade.
Its source code contained a zero-day flaw, allowing the attacker to bypass its regular crypto cybersecurity features. This enabled even non-professional hackers to take advantage of this crypto risk. Essentially the attacker discovered the flaw after an unaudited upgrade to Nomad’s protocol that created a significant weakness within their smart contract.
The attacker could drain tokens from smart contracts without needing a native consensus mechanism, a major crypto risk. They accomplished this feat by manipulating a functionality within Nomad’s source code; the ‘process()’. By calling it directly without the proof functionality, ‘prove()’, it allowed them to withdraw the amount that didn’t match the amount they deposited.
“Jackpot!!” is the term many used since the attackers did not stop there. The instigator went further and made this flaw and how to exploit it public. The rush was incontrollable; many hackers and even script kiddies ran to the idea. By the time the Nomad enterprise could control its smart contract’s outburst, the crypto vulnerability did the damage.
Similarities within the crypto security issues
Using the scenarios above, it is evident that crypto cybersecurity faces one core problem. Despite it branching into different vulnerabilities, blockchain is relatively new. Something new presents new possibilities, broadens the world scope even further, and increases the likelihood of sabotage.
Blockchain security is a new concept. This means it suffers from critical cryptocurrency security issues such as human error and zero-day error. Currently, with the revolving world, Advanced Persistent Threats are viewed as the ‘new viruses’ of the century. It exploits vulnerabilities that even the developers haven’t noticed; zero-day attacks.
Crypto hacks are now a different variation of APTs. It capitalizes on human errors in the development lifecycle of most cryptocurrencies. Hackers can locate minor human errors within the same source codes of blockchain networks.
They would have realized this flaw if Poly Network had done a proper system audit within their smart contracts. The same applies to the Nomad hack. Had they audited their update, they would have discovered the entanglement within their code and avoided its crypto risk.
Although they are partly responsible for their flaws, the blame does not solely lie on their shoulders. Blockchain is relatively new, and perfecting something new takes time; Web3 was a concept that has been in the making for a few years. Web2 has been around for years and has still suffered substantial blows from hackers.
These crypto security issues should serve as an example that the constant auditing and maintenance of a network’s backend is as essential as keeping the network running. Crypto cybersecurity is still a form of security and is in a constant tug of war with crypto hackers. With every good, there must be an equivalent evil.
This article is the beginning of a series that hopes to dive into blockchain security to analyze and assess its compatibility with efficiency and safety.