As far as DeFi hacks go, January 2023 was a pretty calm beginning to the year. A few significant attacks on DeFi protocols did occur, although the majority of the most important hackers targeted specific people.
Media attention is typically drawn to attacks on important DeFi projects. However, people were the main targets of the majority of the most serious attacks in 2023 rather than projects. The following people working in the cryptocurrency sector were targeted in January 2023:
- NFT God
- CryptoNovo
- Luke Dashjr
- Nikhil Gopalani
- Kevin Rose
Major DeFi hacks were less common in January 2023, but they were still there. When a deprecated IBSC token contract was replaced, it was not disabled, which led to two versions of the token being operational at once. This vulnerability was exploited by an attack against LendHub. The attacker stole around $6 million from the project by taking advantage of inconsistencies in the liability calculations of the two tokens.
Smart contract weaknesses are frequently used in the most common DeFi attacks. But every notable attack that occurred in January 2023 either went after the privacy and security of a user’s digital wallet or exploited weak security measures when upgrading smart contracts.
An effective cybersecurity strategy is one that considers all potential areas of risk to a project and its users. If you’re planning to release or upgrade a DeFi project, reach out to our Web3 security experts at [email protected] for help with ensuring a secure rollout.
Why Are Smart Contracts Prey to Cyberattacks?
Transparent, autonomous, distributed, immutable, and trustless are among the key characteristics of smart contracts. Ironically, it’s because of these characteristics that hackers are so interested in hacking smart contracts.
Smart contracts with flaws are like low-hanging fruit that are just waiting to be picked since they can carry so much value at any given moment. Hackers have recently focused their attention on cross-chain bridges, which are protocols that let users exchange tokens from other blockchains. In just 2022, these cross-bridge attacks cost hackers over $1 billion in revenue.
Upgradability
There are numerous methods for attaining “upgradability” even though smart contracts are immutable. A new smart contract is deployed, and dependents are directed to the newly deployed contract, which is how it operates. Numerous smart contracts, the bulk of which may be modified, make up a standard DeFi protocol.
This type of decentralized protocol is vulnerable to a number of threats because it has the capacity to be upgraded, which hackers may use against it. In the event that a hacker succeeds in attacking one of the protocol contracts, they may be able to modify the protocol code in some way, either entirely or partially, to meet their requirements. And as long as there is money to be gained, hackers will keep developing new strategies to take advantage of smart contract loopholes.
Bugs
The existence of defects in the codes of smart contracts creates a vulnerability that can be exploited even in the absence of intentional attacks. Additionally, because the majority of these protocols are open source, it is easier for an attacker to look through the source code for potential security holes. It won’t take long for someone to identify a flaw in the code that will allow them to gain access to the system.
Code: Garbage In, Garbage Out
Coding errors in smart contracts are one of the main reasons for hacking. Smart contract audits are frequently conducted quickly, and the audit teams may not even have a complete understanding of the source code at the outset. It does not offer any security guarantees, despite the fact that smart contracts must go through several rounds of auditing.
Incompetence
Hackers may also use team ineptitude, or egregiously careless use of secret keys, as an attack vector. Most likely, you’ve heard of private key hacks or breaches. But how, in the first place, can a private key be “hacked”?
It is recommended as good security practice to save private keys, access keys, passwords, and other sensitive information in a secrets manager rather than in environment variables if you’re talking about programmatically signing transactions using a private key. A poorly constructed application will willingly reveal all application secrets, even when a secrets manager is used. There have been costly breaches that could have been easily prevented if only “basic cybersecurity hygiene” had been followed.
The “principle of least privilege” should be followed when it comes to access in smart contracts, and RBAC (role-based access control) should be used to establish them. When using your signer key in a “hosted” environment that isn’t secure, make sure the wallet has very little access to your application.
All Comments