Hacks call for better defense mechanisms


2022 has been a lucrative year for hackers preying on the nascent Web3 and decentralized finance (DeFi) spaces, with more than $2 billion worth of cryptocurrency fleeced in several high-profile hacks to date. Cross-chain protocols have been particularly hard hit, with Axie Infinity’s $650 million Ronin Bridge hack accounting for a significant portion of stolen funds this year.

The pillaging continued into the second half of 2022 as cross-chain platform Nomad saw $190 million drained from wallets. The Solana ecosystem was the next target, with hackers gaining access to the private keys of some 8000 wallets, resulting in $5 million worth of Solana (SOL) and Solana Program Library (SPL) tokens being pilfered.

deBridge Finance managed to sidestep an attempted phishing attack on Monday, Aug. 8, unpacking the methods used by what the firm suspects is a wide-ranging attack vector used by North Korean Lazarus Group hackers. Just a few days later, Curve Finance suffered an exploit that saw hackers reroute users to a counterfeit webpage, resulting in the theft of $600,000 worth of USD Coin (USDC).

Multiple points of failure

The team at deBridge Finance offered some pertinent insights into the prevalence of these attacks in correspondence with Cointelegraph, given that a number of their team members have previously worked for a prominent anti-virus company.

Co-founder Alex Smirnov highlighted the driving factor behind the targeting of cross-chain protocols, given their role as liquidity aggregators that fulfill cross-chain value transfer requests. Most of these protocols look to aggregate as much liquidity as possible through liquidity mining and other incentives, which has inevitably made them a honeypot for nefarious actors:

“By locking a large amount of liquidity and inadvertently providing a diverse set of available attack methods, bridges are making themselves a target for hackers.”

Smirnov added that bridging protocols are middleware that relies on the security models of all the supported blockchains from which they aggregate, which drastically increases the potential attack surface. This makes it possible to perform an attack on one chain to draw liquidity from the others.


Smirnov added that the Web3 and cross-chain space is in a period of nascence, with an iterative process of development seeing teams learn from others’ mistakes. Drawing parallels to the first two years in the DeFi space, when exploits were rife, the deBridge co-founder conceded that this was a natural teething process:

“The cross-chain space is extremely young even within the context of Web3, so we’re seeing this same process play out. Cross-chain has tremendous potential and it is inevitable that more capital flows in, and hackers allocate more time and resources to finding attack vectors.”

The Curve Finance DNS hijacking incident also illustrates the variety of attack methods available to nefarious actors. Bitfinex CTO Paolo Ardoino told Cointelegraph the industry needs to be on guard against all security threats:

“This attack demonstrates once again that the ingenuity of hackers presents a near and ever-present danger to our industry. The fact that a hacker is able to change the DNS entry for the protocol, forwarding users to a fake clone and approving a malicious contract says a lot for the vigilance that must be exercised.”

Stemming the tide

With exploits becoming rife, projects will no doubt be considering ways to mitigate these risks. The answer is far from clear-cut, given the array of avenues attackers have at their disposal. Smirnov likes to use a ‘Swiss cheese model’ when conceptualizing the security of bridging protocols, where the only way to execute an attack is if a number of “holes” momentarily line up.

“In order to make the level of risk negligible, the size of the hole on each layer should be aimed to be as minimal as possible, and the number of layers should be maximized.”

Again, this is a complicated task given the moving parts involved in cross-chain platforms. Building reliable multi-level security models requires understanding the diversity of risks associated with cross-chain protocols and the risks of the supported chains.

Chief threats include vulnerabilities in the consensus algorithm and codebase of supported chains, 51% attacks and blockchain reorganizations. Risks to the validation layers could include collusion of validators and compromised infrastructure.

Software development risks are another consideration, with vulnerabilities or bugs in smart contracts and bridge validation nodes being key areas of concern. Lastly, deBridge notes protocol management risks, such as compromised protocol authority keys, as another security consideration.

“All these risks are quickly compounded. Projects should take a multi-faceted approach, and in addition to security audits and bug bounty campaigns, lay various security measures and validations into the protocol design itself.”
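To make the layered (“Swiss cheese”) idea concrete, here is an added example of what “validations in the protocol design itself” can look like for a bridge release path. It is illustrative code written for this article, not deBridge’s or any other project’s code; the policy values, validator names and attestations are all constructed. Each layer maps to one of the risk categories listed above: a confirmation-depth requirement for reorgs and 51% attacks on the source chain, an M-of-N threshold of distinct known validators for collusion or a single compromised key, and a per-window rate limit that bounds the damage if both of the other layers are beaten at once.

```python
"""Layered release checks for a toy cross-chain bridge.

Added example, not deBridge's or any other project's code. The policy
values, validator names and attestations are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Attestation:
    validator: str    # identifier of the validator key that signed (constructed)
    transfer_id: str  # source-chain transfer being attested
    amount: int       # amount the validator claims was locked


@dataclass
class BridgePolicy:
    validators: Set[str]    # validator keys the bridge currently trusts
    threshold: int          # distinct attestations required (M of N)
    min_confirmations: int  # source-chain depth required before release
    window_limit: int       # maximum amount releasable per time window
    released_in_window: int = 0


def check_release(policy: BridgePolicy, transfer_id: str, amount: int,
                  confirmations: int, attestations: List[Attestation]) -> List[str]:
    """Return the names of the layers that reject this release; empty means approved.

    Each layer addresses a different risk: confirmation depth for reorgs and
    51% attacks, a validator threshold for collusion or one compromised key,
    and a rate limit that bounds the loss if both of those layers are beaten.
    """
    failures: List[str] = []

    if confirmations < policy.min_confirmations:
        failures.append("confirmations")

    # Count each known validator once, and only if it attests to exactly this
    # transfer and amount; duplicate, mismatched or unknown signers do not count.
    signers = {
        a.validator for a in attestations
        if a.transfer_id == transfer_id
        and a.amount == amount
        and a.validator in policy.validators
    }
    if len(signers) < policy.threshold:
        failures.append("attestations")

    if policy.released_in_window + amount > policy.window_limit:
        failures.append("rate_limit")

    return failures


def release(policy: BridgePolicy, transfer_id: str, amount: int,
            confirmations: int, attestations: List[Attestation]) -> bool:
    """Release only when every layer passes; otherwise leave the policy state untouched."""
    if check_release(policy, transfer_id, amount, confirmations, attestations):
        return False
    policy.released_in_window += amount
    return True


def demo_policy() -> BridgePolicy:
    """A constructed 3-of-4 policy with a 12-block depth and a 1,000-unit window."""
    return BridgePolicy(validators={"v1", "v2", "v3", "v4"}, threshold=3,
                        min_confirmations=12, window_limit=1_000)


if __name__ == "__main__":
    policy = demo_policy()
    good = [Attestation("v1", "tx-1", 500), Attestation("v2", "tx-1", 500),
            Attestation("v3", "tx-1", 500)]
    print(release(policy, "tx-1", 500, 20, good))       # True
    # One key signing twice plus an unknown key: only one valid attestation.
    bad = [Attestation("v1", "tx-2", 500), Attestation("v1", "tx-2", 500),
           Attestation("mallory", "tx-2", 500)]
    print(check_release(policy, "tx-2", 500, 20, bad))  # ['attestations']
```

The point of returning every failing layer rather than stopping at the first is operational: a release that trips two or three layers at once (shallow confirmations, short on attestations and over the window limit) is exactly the kind of event the validation layer should alert on, since it suggests several “holes” lining up rather than an ordinary user error.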

Social engineering, most commonly in the form of phishing attacks, is another point to consider. While the deBridge team managed to thwart this type of attack, it remains one of the most prevalent threats to the wider ecosystem. Education and strict internal security policies are vital to avoid falling prey to these cunning attempts to steal credentials and hijack systems.
