gm đź‘‹
Thank you for being a part of the Cypherock family. It’s been an unpredictable ride getting to this point. We’re excited for you to see the end result!
We intend to cover all the major hacks carried out across the world to keep you guys informed and secure.
Team Cypherock
Security Digest
2 DeFi Protocols hacked - Agave & Hundred Finance
Two decentralized finance (DeFi) protocols, Agave and Hundred Finance got exploited in a fresh case of a “re-entrancy” attack. A hacker allegedly managed to siphon funds worth $11 million in Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis, and Wrapped XDAI on both DeFi protocols on the Gnosis chain using a flash loan exploit.
What went down?
From the data available on Tenderly, it was found that the hackers were able to exploit vulnerabilities in both protocols.
In Solidity, a language used to program Smart Contracts, re-entrancy is an exploit enabling a third party to put malicious code into contracts used in Ethereum blockchains. A hacker can then make external calls from the contract to other contracts, draining resources and funds at will.
The re-entrancy attacks become more staggering since “the code executes interactions before applying the effects.” On the other hand, Aave tries to follow the aforementioned checks-effects-interactions pattern. However, there exists a path via liquidations using which the attacker “broke the pattern” in the recent attack.
Cryptocurrency security researcher and programmer, Mudit Gupta, revealed that the official bridged tokens on Gnosis are the main culprit in the re-entrancy attack he described and stated that they are “non-standard .” He added that this is what allows attacks to occur.
The Agave platform was forked from the DeFi lending platform Aave, and the Hundred Finance project was forked from Compound. Gupta also stated that there are many security risks in Compound that must be addressed through fixes.
The re-entrancy attacks become more staggering since “the code executes interactions before applying the effects.” On the other hand, Aave tries to follow the aforementioned checks-effects-interactions pattern.
However, there exists a path via liquidations using which the attacker “broke the pattern” in the recent attack. He went on to add, “The agave and hundred protocol teams messed up by listing a token that can reenter. Aave and compound governance actively check for reentrancy before listing tokens on the mainnet to avoid similar attacks.”
How to prevent:
1. Do your due diligence before investing in any protocol. Check out the team and whether the protocol has gone through a security audit before investing in it.
2. Avoid petty forks of the larger protocols to get more yield. You should never trade security risks for more yield. More often than not, there is a high possibility of the protocol getting hacked and you losing your funds.
Why Crypto Hackers Always End Up Getting Caught Out
The earliest days of crypto were not always safe from malicious attacks. As the market continued to grow, cyber-security became one of the most significant sources of unease for investors. Following several high-profile hacks on exchanges like Bitfinex and Mt.Gox, one of the popular wisdom was that you should store your coins in a wallet that you can access yourself. But even they aren’t necessarily going to be safe in all cases because if white hat hackers can break past secure technologies to restore lost funds and if black hat hackers were able to take advantage of the same weaknesses, then this just illustrates how important it is to have expert advice so that you know what it takes to stay ahead of everyone else when it comes to crypto and investment management today!
In some cases, funds are restored quickly. For example, an attack like the recent Wormhole bridge attack had generous bug bounties reverse related losses within 24 hours. Project operators quickly realized that a generous bounty is often a more attractive option than sitting on illicit funds. This is ideal from a user perspective. If authorities get involved in such circumstances, victims can wait months or years to restore stolen crypto. After the DoJ recently arrested two people concerning the laundering of funds stolen from Bitfinex, it seems those affected could face a legal wrangle to recover their losses.
Despite this, transactions that occur on the blockchain are different from any other kind of online transaction. Since the information exists on a distributed network and has been agreed upon by everyone in the chain, once a transaction has been made it cannot be manipulated or tampered with. Specialized companies like Chainalysis have even developed analytical tools to use for this type of service. To ensure cryptocurrency crime does not occur, blockchain forensics is beginning to become an important field from which your company can benefit.
What about security threats to private investors?
Kurt Nielsen, President, and Co-Founder at Patricia Blockchain explain that the leading factor when it comes to blockchain security is not the technology itself but rather people. He affirms:
“A well-designed blockchain provides much better cybersecurity thanks to its decentralized consensus and encryption. However, hackers gaining access to your private keys through social engineering attacks like phishing are likely to be a bigger threat than someone “hacking” your blockchain wallet itself. That said, smart contracts are written in code by humans, which introduces vulnerabilities to the system, of which private investors may not be aware.”
DeFi is an important space, indeed. But it’s also attracting a lot of criminals who want to attack networks. We can mention the MonoX hack that resulted in losses of $31 million. However, there are also cases where hackers don’t necessarily seem too desperate to profit by launching this or that smart contract attack (but we can’t know for sure!). Last year, after the $600 million Poly Network hack, one of the biggest attacks of this kind in DeFi history, hackers surprisingly decided to return funds without giving a reason.
Can hackers avoid detection?
Well, according to Ian Huang, founder, and CEO of ParallelChain Lab:
“There are two concepts involved here: anonymity and traceability. They often get mixed, which feeds a false perception that crypto is anonymous and/or untraceable by design. In fact, crypto transactions “can” be anonymous in a way that it is possible to make your on-chain identity untraceable to your real-world identity by avoiding all KYC’d platforms.”
But he elaborates that “In a practical sense, it’s all but impossible. Unless the hackers don’t do anything with the stolen assets (which does not make much sense), they would eventually attempt to use the assets, and every transaction that they make with the stolen assets increases the chance of getting caught.”
As such, it’s possible to identify that it was Lazarus Group behind the attacks, even if it’s all but impossible to recover the funds once they vanish into North Korea.
Best measures to protect your funds:
Because the blockchain is a public ledger, it means that anyone can see information like transaction data so this data is traceable. While in many cases if someone wanted to keep their transaction private they could but ultimately traces of the transaction may very well exist.
Once the first-ever cryptocurrency was created in 2009 by Satoshi Nakamoto, the blockchain technology we all know so well became popular in a big way. However, cybersecurity is still considered to be a cat and mouse game now more than ever. This means that hackers from years ago should don’t assume that one day they would not get caught for their actions as hackers are still always under suspicion (and for good reason).
Dapp News
BAYC gets its’ own token - ApeCoin!
The brains behind the Bored Ape Yacht Club (BAYC) and the Mutant Ape Yacht Club (MAYC), Yuga Labs, have created their very own token – the ApeCoin. This will be used when shopping or playing games that involve cryptocurrencies within both of these yachting groups. The offices are planning to use this for everything from commerce to supporting various games played among its players.
Yuga Labs’ partners will also be employing the tokens in their collaborative projects.
For example, Animoca Brands – one of the largest blockchain game developers in the world – announced that it plans to adopt ApeCoin within its play-to-earn game called Benji Bananas.
Game developer nWayPlay is also slated to use ApeCoin in a new P2E game that it is working on with BAYC.
Though it’s still in a very early stage of development, the blockchain gaming industry is booming and growing rapidly. Yuga Labs’ non-fungible token (NFT) ecosystem already includes a growing number of CryptoPunks as well as Meebits. The recent acquisition of Larva Labs’ most successful NFT collection currently available means that Yuga Labs has just become the powerhouse behind three of the largest NFT collections active on the web right now.
The launch of ApeCoin will allow for a more solid strategic push by Yuga Lab into the cryptocurrency market. The new currency will be operated by its own DAO – a decentralized organization in which every token holder has a say in any upcoming changes as we continue to develop.
The Ape Foundation, acting as the legal representative of this community and its interests, will help the DAO thrive. The token has been listed on Binance and Coinbase.
Twitter Tales
A case study on the digital fashion landscape
1/ In 2020, 3 friends started an NFT project By 2021, they sold their company to Nike for millions THREAD: A case study on building a digital fashion empire (and why community is the secret to growth) — Greg Isenberg (@gregisenberg)
Reddit Reads
Using MetaMask? Watch out for this…
Beware This MetaMask Scam from r/CryptoCurrency
Is Your Crypto Safe?
Will your crypto get hacked? Are you going to lose your crypto? Cypherock has come up with a detailed quiz that will help you understand the pros and cons of your security model. Upon completion, you will get a detailed analysis mailed to you. Take the quiz now!
If you still wish to learn more about how you can secure your crypto better, you book a free consultation call here.
We will meet again next week. Till then, stay safe!