Innovative ways to get rekt, why smart contract UX is dumb and much more!

July 03, 2022

gm 👋

Thank you for being a part of the Cypherock family. Come rain, hail or storm, we are heads-down building the best possible product to keep your digital assets safe!

Over the next 8-10 minutes, we will be talking about hacks that caught our eye, DApps that we found interesting and our picks from Twitter and Reddit that we enjoyed.

If you loved the newsletter, message us! If you hated the newsletter, message us! We’re always looking for fresh perspectives on things to cover and feedback to make your experience better!

Have an awesome week ahead!

Team Cypherock

Security Digest

Hacks in the news - Clipper Attacks, DNS vulnerabilities and Harmony Protocol


There is nothing more unifying than the feeling of getting rekt in the web3 community. Don’t worry anon, we don’t judge you for your 50x leverage trades, for apeing into an NFT derivative because you knew it was going to the moon, or for staking your crypto because it promised 420% returns. All we care about is keeping you and your funds safe, so here are some of the attacks we found interesting, what happened at the core of each, and how you can stay safe.

Let’s play a game. Tweet “rekt” for every time you copied an address to paste into your wallet to transfer funds. We’re going to guess the number is fairly high. Why does this matter? A clipper attack uses malware that watches the clipboard and, the moment it sees a wallet address, silently replaces it with the attacker’s address, so what you paste is not what you copied. Clipper malware was first discovered in 2018. In 2019 it reached Android: an app posing as MetaMask turned up on Google Play, was reported, and has since been taken down, but now that the vector exists you can expect new variants to keep appearing. The defence is boring but effective: before confirming, compare the entire destination address with the one you intend to send to, on a display the malware cannot touch. Attackers generate lookalike addresses that share the first and last few characters with the real one, so checking only the ends of the address is not enough.
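As an added example (not code from the original newsletter or from Cypherock), the Go program below simulates a clipper on a plain string and then runs the user-side check that defeats it. The address patterns are simplified, nothing touches the real system clipboard, and every address in it is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Simplified patterns for the address formats a clipper hunts for in clipboard
// text: EVM addresses (0x + 40 hex digits) and Bitcoin addresses (legacy/P2SH
// base58 or bech32 starting with bc1). Real clippers carry many more.
var (
	evmAddrRe = regexp.MustCompile(`\b0x[0-9a-fA-F]{40}\b`)
	btcAddrRe = regexp.MustCompile(`\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b`)
)

// clipperSubstitute is the malware's core logic: every address found in the
// copied text is swapped for the attacker's. It works on a plain string here
// and never touches the real system clipboard.
func clipperSubstitute(clipboard, attackerEVM, attackerBTC string) string {
	out := evmAddrRe.ReplaceAllString(clipboard, attackerEVM)
	return btcAddrRe.ReplaceAllString(out, attackerBTC)
}

// PasteCheck is the user-side result of comparing the address about to be sent
// with the one the user actually intends (for example, the address shown on a
// hardware wallet's own screen before signing).
type PasteCheck struct {
	FullMatch bool // every character matches: safe to proceed
	EndsMatch bool // only the first 6 and last 4 characters match: what a quick glance sees
}

// normalize trims whitespace and lower-cases EVM addresses, because EIP-55
// mixed-case checksums change the casing of an address without changing it.
// Bitcoin base58 addresses are case-sensitive and are left untouched.
func normalize(addr string) string {
	addr = strings.TrimSpace(addr)
	if strings.HasPrefix(strings.ToLower(addr), "0x") {
		return strings.ToLower(addr)
	}
	return addr
}

// checkPastedAddress compares the whole string, and separately reports whether a
// first-and-last-characters spot check would have passed. Attackers generate
// vanity addresses that share those characters precisely so that spot checks pass.
func checkPastedAddress(intended, pasted string) PasteCheck {
	a, b := normalize(intended), normalize(pasted)
	pc := PasteCheck{FullMatch: a == b}
	if len(a) >= 10 && len(b) >= 10 {
		pc.EndsMatch = a[:6] == b[:6] && a[len(a)-4:] == b[len(b)-4:]
	}
	return pc
}

func main() {
	// Constructed addresses for the demonstration; none of them is a real wallet.
	intended := "0x1234567890abcdef1234567890abcdef12345678"
	lookalike := "0x1234" + strings.Repeat("f", 32) + "5678" // attacker's vanity address
	attackerBTC := "bc1q" + strings.Repeat("0", 38)

	clipboard := "send the deposit to " + intended + " by Friday"
	tampered := clipperSubstitute(clipboard, lookalike, attackerBTC)
	fmt.Println("clipboard after clipper:", tampered)

	pc := checkPastedAddress(intended, lookalike)
	fmt.Printf("glance at first/last chars: %v   full comparison: %v\n", pc.EndsMatch, pc.FullMatch)
}
```

The last line of output is the point: the lookalike passes a glance at the first six and last four characters and fails only the full comparison, which is why the address on the signing device’s screen has to be compared in full rather than spot-checked.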

Moving on, do you know what DNS is? DNS, the Domain Name System, maps website names to the numerical IP addresses that machines actually connect to, so you can type a human-readable name instead of a number. And what is an RPC? RPC stands for Remote Procedure Call: a way for one computer to ask another to execute a procedure on its behalf. In web3 the RPC endpoint is the node URL your wallet talks to in order to read balances and broadcast transactions, so whoever controls the DNS name of that endpoint controls where your wallet’s traffic goes. Recently Ankr suffered an attack on its DNS that compromised the Polygon and Fantom RPC endpoints it hosts. Ankr’s domains were managed through Gandi, a registrar and DNS provider. The attacker posed as an Ankr employee and got the email address registered on Ankr’s account changed to a Hotmail account they controlled, which gave them control of the DNS records. The Ankr team acted swiftly and no user funds were stolen. It does leave a lingering thought, though: a single centralized account at a registrar was enough to redirect infrastructure that the decentralized world depends on. If you run such infrastructure, protect the registrar account like a signing key (strong MFA, a registrar lock, and monitoring of the records you publish). If you use it, remember that a hardware wallet still shows you the real transaction on its own screen before signing, whatever the endpoint served to your browser.
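Detecting this kind of hijack on the operator side comes down to noticing that a record you publish no longer says what you published. Below is an added example, written for this newsletter and not Ankr’s or Gandi’s tooling, of a small Go monitor that pins the expected A records for an RPC hostname and alerts on any drift. The hostname and addresses are constructed from documentation ranges; a failed lookup or an unpinned host is treated as an alert too, so the monitor never passes silently when it has nothing to compare against.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// pinned maps each RPC hostname an operator is responsible for to the A records it
// is expected to serve. The hostname and addresses are constructed for this
// example (RFC 5737 documentation ranges), not Ankr's, Polygon's or Fantom's real records.
var pinned = map[string][]string{
	"rpc.example-chain.test": {"192.0.2.10", "192.0.2.11"},
}

// recordDrift compares what DNS currently returns with what was pinned. It reports
// addresses that appeared without authorisation and pinned addresses that vanished.
func recordDrift(expected, observed []string) (unexpected, missing []string) {
	exp := make(map[string]bool, len(expected))
	for _, ip := range expected {
		exp[ip] = true
	}
	obs := make(map[string]bool, len(observed))
	for _, ip := range observed {
		obs[ip] = true
	}
	for ip := range obs {
		if !exp[ip] {
			unexpected = append(unexpected, ip)
		}
	}
	for ip := range exp {
		if !obs[ip] {
			missing = append(missing, ip)
		}
	}
	sort.Strings(unexpected)
	sort.Strings(missing)
	return unexpected, missing
}

// driftAlert turns one host's lookup result into an alert decision. A host that
// is not pinned at all, or whose lookup failed, is also an alert: the monitor
// must never silently pass when it has nothing to compare against.
func driftAlert(host string, observed []string, lookupErr error) (alert bool, msg string) {
	if lookupErr != nil {
		return true, fmt.Sprintf("%s: lookup failed: %v", host, lookupErr)
	}
	expected, ok := pinned[host]
	if !ok {
		return true, fmt.Sprintf("%s: no pinned records, refusing to vouch for it", host)
	}
	unexpected, missing := recordDrift(expected, observed)
	if len(unexpected) == 0 && len(missing) == 0 {
		return false, fmt.Sprintf("%s: records match pinned set %v", host, expected)
	}
	return true, fmt.Sprintf("%s: DNS CHANGED unexpected=%v missing=%v (check the registrar account now)",
		host, unexpected, missing)
}

func main() {
	// Offline demonstration with a constructed answer: one pinned address has been
	// replaced by an address nobody authorised.
	alert, msg := driftAlert("rpc.example-chain.test", []string{"192.0.2.10", "203.0.113.99"}, nil)
	fmt.Println(alert, msg)

	// Live mode: resolve every pinned host through the system resolver. The example
	// host does not exist, so this path reports a lookup failure, which is itself an alert.
	for host := range pinned {
		addrs, err := net.LookupHost(host)
		alert, msg := driftAlert(host, addrs, err)
		fmt.Println(alert, msg)
	}
}
```

Run it from a cron job or a scheduled task against your real hostnames, ideally through more than one resolver, and page someone on any true result: in the Ankr case the first visible symptom was exactly this, a record that had changed without a change ticket behind it.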

Finally, in the burning inferno that is DeFi, Harmony Protocol suffered a ~$100M hack, similar to the one carried out on Axie Infinity’s bridge. The target was Harmony’s Ethereum bridge, which was protected by a 2-of-5 multisig: any two of the five keys could authorise a withdrawal, so compromising two keys was enough to drain roughly $100M. The two compromised wallets were most likely hot wallets, software wallets used to sign legitimate bridge transactions. The attacker most likely gained access to the server those hot wallets were running on and read the signing keys from it. Two keys that live on the same machine are, for anyone who owns that machine, one key, so a threshold is only as strong as the independence of the keys behind it.
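To make the threshold arithmetic concrete, here is an added Go example (not the Harmony bridge’s code; the withdrawal message and key handling are constructed for this illustration) of a threshold signature check over five ed25519 keys. It shows that two stolen keys satisfy a 2-of-5 policy, that the same two keys fail a 4-of-5 policy, and that a correct verifier counts each key once and ignores keys outside the signer set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Withdrawal is the message bridge signers approve. It is constructed for this
// example; the real Horizon bridge contract and its message encoding are not modelled.
type Withdrawal struct {
	Recipient string
	AmountWei uint64
	Nonce     uint64 // prevents one approval from being replayed for a second payout
}

// Bytes is the canonical encoding that gets signed.
func (w Withdrawal) Bytes() []byte {
	return []byte(fmt.Sprintf("withdraw|%s|%d|%d", w.Recipient, w.AmountWei, w.Nonce))
}

// Signature is one signer's approval of a withdrawal.
type Signature struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// approve is what a signer does, whether the honest operator or an attacker who
// lifted the key from the server it lived on: the signature is identical either way.
func approve(priv ed25519.PrivateKey, w Withdrawal) Signature {
	return Signature{Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, w.Bytes())}
}

// verifyThreshold accepts the withdrawal only if at least threshold distinct keys
// from the authorised set produced valid signatures over exactly this message.
// Unknown keys are ignored, and a key is counted once however many signatures it
// submits (double-counting a repeated signer is a classic multisig bug).
func verifyThreshold(signers []ed25519.PublicKey, threshold int, w Withdrawal, sigs []Signature) bool {
	if threshold <= 0 || threshold > len(signers) {
		return false
	}
	authorised := make(map[string]bool, len(signers))
	for _, pk := range signers {
		authorised[hex.EncodeToString(pk)] = true
	}
	msg := w.Bytes()
	seen := make(map[string]bool)
	for _, s := range sigs {
		id := hex.EncodeToString(s.Signer)
		if !authorised[id] || seen[id] {
			continue
		}
		if ed25519.Verify(s.Signer, msg, s.Sig) {
			seen[id] = true
		}
	}
	return len(seen) >= threshold
}

// newSigners generates n fresh key pairs; in production these would live on
// separate devices, not as five files on one host.
func newSigners(n int) ([]ed25519.PublicKey, []ed25519.PrivateKey) {
	pubs := make([]ed25519.PublicKey, n)
	privs := make([]ed25519.PrivateKey, n)
	for i := range pubs {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs[i], privs[i] = pub, priv
	}
	return pubs, privs
}

func main() {
	pubs, privs := newSigners(5)
	w := Withdrawal{Recipient: "0xattacker", AmountWei: 100_000_000, Nonce: 42} // constructed

	// The attacker holds two of the five keys, the ones that lived on the
	// compromised server. Under a 2-of-5 policy that is all they need.
	stolen := []Signature{approve(privs[0], w), approve(privs[1], w)}
	fmt.Println("2-of-5 accepts the attacker's withdrawal:", verifyThreshold(pubs, 2, w, stolen))
	fmt.Println("4-of-5 accepts the attacker's withdrawal:", verifyThreshold(pubs, 4, w, stolen))

	// One stolen key submitted twice must not look like two signers.
	dup := []Signature{approve(privs[0], w), approve(privs[0], w)}
	fmt.Println("2-of-5 with the same key twice:", verifyThreshold(pubs, 2, w, dup))
}
```

The takeaway for anyone designing a bridge or treasury policy: set the threshold above the number of keys an attacker could plausibly take in one go, and keep the keys on devices that cannot be compromised together, otherwise the threshold is just arithmetic.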

All in all, there really are two lessons here. If you are a builder in web3, focusing purely on blockchain security leaves other doors open: registrar and DNS accounts, servers holding hot keys, and people who can be social-engineered need the same attention as the contracts, so traditional security practice and blockchain security practice deserve equal emphasis. And since we are still very much in the early phases of web3, the majority of users are never going to understand the complexities of how protocols, wallets and the rest of the infrastructure work, so extra steps have to be taken to keep them safe and to keep educating them.

Dapp News

Smart contracts, Dumb UI/UX: How Contractlens is making smart contracts understandable


This is yet another PSA about how revolutionary blockchain is, and how badly it is designed for user adoption. One of the core functionalities of web3 is smart contracts. At present, smart contracts can only be understood by people who can read code, and not everyone on the planet is a software engineer. Smart contracts do everything from minting NFTs to managing large liquidity pools of crypto. Considering that they are core infrastructure in web3, one would imagine leaps and bounds of innovation to make contracts accessible to a general audience. Unfortunately, that’s not the case.

Besides targeting individuals with phishing scams, hackers have managed to exploit smart contracts to drain entire protocols. To give you an idea of the scale of the damage, here’s a leaderboard of how much money has been lost to hacks, smart contract vulnerabilities and bad company decisions. #50 on this list lost $10,000,000 of investor money. From an institutional standpoint, there will need to be security measures that continuously audit smart contracts. For retail users to transact safely, there needs to be a way for an individual to see which functions a transaction will execute, in a readable format, rather than having to read the code and follow what each function does.

Making smart contracts more accessible is the core goal of Contractlens. The mission here is to make smart contracts understandable for a wide range of individuals. Check out what founder Vandini Joshee has to say about the mission of Contractlens. The product has not launched yet, but we’re curious to see how this project pans out.

Twitter Tales

A lot has happened in the Ethereum network this past week. Luckily, we have @CryptoGucci around to summarize some of the highlights: Adding ETH/Polygon based NFTs into your Instagram Story, Ethereum addresses holding 100+ ETH hits 14 month high and more!

Check out the thread here.

Reddit Reads

What if you bought the top 10 cryptocurrencies on January 1st, 2018. What would happen? Luckily you don’t have to wonder, u/Joe-M-4 already broke down their portfolio for you.

Top 10 cryptocurrency portfolio from Jan. 1, 2018 from r/CryptoCurrency

Updates from Cypherock

The road to self-custody is a long and arduous one, but we’re certainly one step closer to pushing the narrative forward. We expect to send some exciting updates for the pre-orders of our device and what to expect over the coming week, so please make sure to follow us on Twitter and other social media platforms.

Is Your Crypto Safe? Take the Cypherock Quiz and find out!


Will your crypto get hacked? Are you going to lose your crypto? Cypherock has come up with a detailed quiz that will help you understand the pros and cons of your security model. Upon completion, you will get a detailed analysis mailed to you. Take the quiz now!

Here’s some alpha 🚀

Security is our utmost concern. We want to keep your crypto safe and give you the best possible experience interacting with the web3 ecosystem. Because we like you, we want you to make money too!

Cypherock recently launched an affiliate program. You receive a unique code by either signing up on our website, or by purchasing a Cypherock X1. Through your code, your referrals receive 25% off on their purchase and you make $50 per sale!

Sign up to become a Cypherock Affiliate!

Have questions regarding our product, or the affiliate program? Our Growth Lead loves chatting with people, hit him up here.