Coincheck Hack
The biggest crypto heist in history at the time it occurred in 2018 was an eye-opener for many reasons, not least the way the stolen assets were being stored. Seasoned crypto enthusiasts and early adopters of the disruptive new technology know now that safely storing your digital assets is half the battle, but it wasn’t always so. Insufficiently secured storage was the norm for almost a decade after Bitcoin’s creation, with many people simply keeping their crypto on centralized exchanges, hot wallets, or even just USB sticks without any password protection. With the $534M Coincheck hack in January...
Crypto Wallet Attacks
Wallet Attacks: A Deep-dive
Wallets are a logical target for cyber-attacks, along with the emerging institutions that hold custody of them on users’ behalf. While secured with technically unbreakable code, hackers have found numerous ways to gain illicit access to user wallets, whether by deception, theft, or ingenuity. In responding to this threat, the crypto-industry must consider whether to opt for traditional KYC-based measures or to seek crypto-native solutions to this perennial issue. If the industry fails to agree, it could lead to a two-tier system of ‘pure’ crypto institutions and players that embrace centralized and a certain necessary degree...
Axie Infinity
Axie Infinity’s Ronin Bridge Hack for $551M worth of crypto assets could paradoxically lead to higher rates of blockchain adoption by showing that it’s a lot easier to track stolen cryptocurrency than people think. The popular misconception that cryptocurrencies are private and untraceable fuels the equally popular misconception that it’s impossible to track and recover stolen crypto assets. In fact, even some of the most high-profile and sophisticated crypto theft operations have been exposed through the use of blockchain forensics and crypto investigations. The infiltration of Sky Mavis leading to the Axie Infinity Ronin bridge exploit and the subsequent postmortem is a...
Blockchain Consensus Attacks
Consensus Attacks: A Deep-dive
Where centralized systems operate on the basis of centralized permission, blockchain protocols proceed on the basis of decentralized consensus. While this is more secure in theory, the system is not flawless. All blockchains are susceptible to consensus hacking, thanks to the ability to simulate, force, or circumvent majority consent for a nefarious aim. Solutions can be found for some of these attacks, but ultimately, the only solution to the consensus problem may be scale.
Introduction
The democratic nature of blockchain technology relies on the fact that it is permissionless. This refers to the fact that anyone can take...
Blockchain Network Attacks
Network Attacks: A Deep-dive
Network attacks are a class of exploits that focus on the isolation and manipulation of individual nodes or groups of nodes. While blockchain networks are theoretically robust against such attempts, both hackers and academics have found loopholes that can be used not only to defraud and damage individuals, but also scale up to take down entire exchanges. While easily overlooked, the list of network attacks is likely to grow in the years ahead, and is worth preparing for.
Introduction
A blockchain network is powered by the exchange of information between nodes. These are the individual ‘worker ants’ whose...
Smart Contract Security
Smart Contract Risk and How to Mitigate It: A Deep-dive
The strengths of smart contracts are also the source of their weaknesses, and will always present opportunities for hackers to exploit. So far, the pace of innovation in counter-measures is struggling to keep pace with innovation in the methods of attack. It’s reasonable to assume that as the Web3 environment stabilizes, an equilibrium will be achieved. However, the threat cannot be eliminated, and vigilance will always be a necessity.
Introduction
In her seminal book on Web3 fundamentals, The Token Economy, Shermin Voshmgir defines a smart contract as ‘a self-enforcing agreement, formalized as...
Wormhole Bridge Hack
The full story behind the exploit that led to the fraudulent minting of 120,000 wETH and threatened to crash Solana. Early February of 2022 was a low-point for the cryptocurrency asset class; one of many more to come throughout the year. The price of BTC was on a relentless downtrend from a high of $69,044.77 on Nov 10, 2021, to under $40,000 by February 02, 2022. This is the market atmosphere in which the $320M Wormhole bridge exploit occurred. The Wormhole bridge exists to help users move their assets from one blockchain to another – most often from Ethereum to Solana. The...
Crypto Security Overview
The utopian view of the blockchain as an unhackable alternative to the status quo is a pipedream. Many traditional cyberattacks are effective in a blockchain-based setting, and even cryptographically-secured processes are prone to errors and exploits. Understanding the potential attack vectors is a prerequisite to building a stable blockchain-based alternative to today’s centralized networks.
Introduction
The capacity for blockchain to alter the modern-day economy and society is immense. This potential goes well beyond the creation of cryptocurrencies and trustless payment systems. While still early in their evolution, blockchain networks have been shown to enable new means of exchanging value (tokenization), making agreements...
Crypto Attacks
Cyber-Attack Strategies in the Blockchain Era - A Framework for Categorizing the Emerging Threats to the Crypto Economy
Market attacks: Rely on the mass-manipulation of investors through asymmetric information.
Pump-and-dump: Parties conspire to artificially inflate (pump) the price of an asset using various manipulation tactics (spoofing, wash selling, layering), in advance of selling (dumping) their stake. The reverse technique can be used to acquire an asset below fair value in a short-selling strategy.
Exit scam: A project such as an ICO or DAO raises substantial capital from investors, before unexpectedly terminating all operations. Rather than returning the capital to investors, the founders disappear with all...
Tracing Private Cryptocurrencies
Many believe total anonymity is possible using privacy-enhanced cryptocurrencies. It might not always be the case. Are popular cryptocurrencies like Bitcoin and Ethereum private? Absolutely not. There are privacy-enhancing tools and techniques that can be used to obscure crypto transactions, but in general most cryptocurrencies leave a very convenient trail to trace for investigators and law enforcement. But not all cryptocurrencies are made the same. This article will provide a brief overview of the most private cryptocurrencies, how they’re used for user privacy and sometimes to avoid detection of fraud or other cybercrimes, and how they can still be traced by professional...
Crypto Scams
The DeFi revolution presents new risks and challenges for innovators, regulators, cybersecurity experts and early adopters of the powerful technology. These are the top 5. "Where money goes, crime is never far behind." In our new digital world this age-old saying still rings true, especially in regard to the emergent cryptocurrency and NFT landscapes. According to a recent report by blockchain analytics firm Elliptic, cybercriminals have laundered $4B through DEXs, bridges, and coin swaps since 2020. Much of that was related to the top 10 crypto hacks of all time, half of which have occurred since 2020, but much of it also...
NFT Scams
In November 2021, a popular Twitter user and cryptocurrency enthusiast @Oxflim tweeted about a particularly nasty incident that happened to him. He lost his NFT collection, worth over 300 ETH, in the blink of an eye. "My primary wallets were compromised last night -- you never want to wake up to something like this. Down bad. I ended up losing somewhere between 300 - 500 ETH altogether. Mostly my prized collection of NFTs was taken and sold….. The perpetrator had access to 2 wallets. I had both of them in metamask. I had these wallets on multiple machines, some of which...
KuCoin Hack
When attacked, some crypto projects and exchanges buckle and fold under pressure; KuCoin set the standard in 2020 for how to react to crypto hacks, even on the largest scale. KuCoin is a Singapore-based crypto exchange that consistently ranks among the top 5 exchanges in terms of daily volume serving the crypto markets in Asia. As of November 2022, they offer over 900 trading pairs of 700+ different cryptocurrencies, putting them firmly in the top 10 among both centralized and decentralized exchanges in terms of sheer amount of coins offered. On September 25, 2020, KuCoin suffered one of the biggest incidents...
Mt Gox Hack
The full story behind the first major crypto hack and how much really was lost. MtGox was one of the very first platforms on which people could buy, sell, and trade bitcoin. Launched in July 2010, by 2014 the Tokyo-based company was handling over 70% of all BTC transactions globally. It was on a trajectory that could have put it alongside or even in place of the major exchanges we know today, such as Coinbase, Kraken, Binance, etc. In fact, the domain name ‘mtgox.com’ was initially purchased in 2007 by the MtGox founder, Jed McCaleb, with the intention of building a...
BitGrail Hack
Around $170M worth of cryptocurrency was allegedly stolen from an obscure Italian crypto exchange called BitGrail in 2018; it’s still unclear exactly how or by whom. Just weeks after Japanese crypto exchange Coincheck was hacked – an event dubbed “the biggest theft in the history of the world” at the time – the Italian crypto exchange BitGrail announced they were unable to account for millions of Nano (XNO), valued around $170M. Similar to the Coincheck hack, this incident involved BitGrail’s hot wallet allegedly being compromised. However, that’s where the similarities end. Coincheck was praised for taking full responsibility and returning 90%...