Due to the rise in decentralized finance (DeFi) trade volume and its under-regulated and pseudo-anonymous (or private) nature, many criminals have turned their attention towards this space, where profits are lucrative, and chances of detection are slim.
DeFi and the wider Web3 arena are still relatively new innovations that the market is coming to terms with.
But there is an increased urge for developers to create more robust code, in line with regulatory standards, to prevent cybercrime from taking place.
There are many ways to detect vulnerabilities and prevent DeFi hacks from taking place, but most developers are unaware and don’t make this a priority in their code.
Which Blockchains Are Targeted?
According to a 2023 DeFi hacks & scams research report from Crystal Blockchain, a blockchain analytics firm, DeFi attacks accounted for nearly $2 billion USD in 2022 alone.
The report highlighted that Ethereum (ETH) is the most commonly attacked chain, with hacks reaching $2.696 billion.
Binance Smart Chain (BSC, now BNB) comes in second, at $1.195 billion, followed by Solana (SOL) at $519 million. This also shows that Solana is more commonly targeted, as there are more DeFi hacks as a total proportion of trade volume on Solana.
ETH also has 10 times more trade volume but less than three times the DeFi hacking volume than BNB.
On the other hand, the chances of larger value hacks occurring resulting in the loss of funds, rather than a frequency of attack, is not necessarily a correlated value.
To mitigate against and react to the risks of DeFi hacks, the report advised businesses with exposure to crypto assets to have:
Proper insurance for special cases.
An in-house security team.
Blockchain analytics software.
Backup reserves in cold storage equivalent to online storage.
In a separate 2023 report relating to trends in crypto crime, the firm also outlined how AI can facilitate deep crime through audio and visual manipulation.
ChatGPT can be used to create fake documents and assist in social engineering, which is a serious threat combined with vulnerabilities in decentralized networks.
Most hacks take place through the social engineering of private keys.
What Makes Chains Vulnerable?
There are several well-known blockchain vulnerabilities, which although technically feasible, are generally hard to execute. Traditionally, chains were vulnerable to consensus mechanism manipulation.
But these were mainly theoretical claims, such as the 51% attack, i.e., a single entity gained more than 51% of the hashing power.
In reality, this is highly unlikely on high-volume blockchains, due to the immense cost and expertise involved. Blockchains are also susceptible to denial-of-service attacks.
Blockchains can also be vulnerable because of improper transaction nonce validation or improper blockchain magic validation. Nonce validation refers to the uniqueness of a given transaction on a specific blockchain.
Magic validation refers to the correct identification of a transaction on a blockchain, where the blockchain has a hard fork or sub-chain/side-chain.
It should be stated that the predominant volume of DeFi hacks are not vulnerabilities inherent to the technology of blockchain, but instead the result of user error or social engineering.
Some social engineering hacks are very sophisticated, though they can also be quite simple (such as giving somebody a phishing link to a fake website, where they input their username and password to be collected by the cybercriminal).
The amounts stolen can be huge. The $650 million Ronin blockchain hack was due to the social engineering of private keys on validator nodes.
While hacks are sophisticated, it is user error and a failure to perform due diligence that ultimately allows hackers unauthorized access.
Smart Contract Vulnerabilities in Blockchains
Though social exploitation remains a prime means for accessing user funds, blockchain vulnerabilities are often caused by poor technical development.
Exploits become known by the cybercrime community and are continually exploited until a fix is applied.
Smart contract vulnerabilities are a serious concern, with the proliferation of Decentralized Autonomous Organizations (DAOs) and decentralized applications (dApps), primarily on the Ethereum blockchain, using Solidity or Viper. Typical vulnerabilities include:
Reentrancy - This vulnerability occurs when a smart contract used to withdraw funds calls another (malicious) smart contract. If the balance is not updated in time, the funds will be withdrawn twice.
This extremely common reentrancy vulnerability led to a hard fork in the Ethereum blockchain (resulting in Ethereum Classic) in 2016 after a hacker siphoned 3.6 million ETH.
Visibility - This occurs when a developer fails to explicitly mark a piece of code (a ‘function’) as public.
Other developers might call that functioning assuming it to be private, when it is public, allowing hackers to take advantage and call private functions.
Arithmetic Issues - The Solidity smart contract language does not catch integer overflows by default. If uncaught, then overflows can lead to unexpected behavior.
One solution to this problem is to use secure functions provided by an external smart contract library or to use a language that has built-in protection against overflows like Vyper.
How to Detect Vulnerabilities in Blockchains?
Large Web3 firms should ensure they have a compliance team at hand and that networks are regularly stress tested for vulnerabilities.
Side chains can be very useful for testing new features before full implementation on the real network.
Operating from a secure development environment that only connects with trustworthy third-party applications is also essential.
Detecting chain vulnerabilities can be done through a code review, which will inevitably take care of some of the technical points outlined above.
How does it handle integers, are functions clearly marked, and is reentrancy possible? A smart contract audit is highly recommended, and running contests is also a great way to test for blockchain vulnerabilities.
Of course, if a blockchain is not continued by the developers, it’s going to be tested by cybercriminals, and that could turn out to be extremely expensive.