The Great Blockchain Robbery: Recent Hacks and Heists on Blockchain and DeFi

“What’s worth doing is worth doing for money.” – Gordon Gekko, Wall Street (1987)

The fictional, pathologically greenback-minded character Gordon Gekko from 1987’s Wall Street is nothing if not an exceptional role model for modern-day cybercriminals operating online. After all, albeit offering innumerable benefits for humankind, cyberspace is also an attractive breeding ground for the devious miscreants incentivised by one goal above all else - dollar dollar bills.

Cybersecurity Awareness Month

Blockchain applications, particularly those underpinning decentralised finance (DeFi) and cryptocurrencies, are attractive targets for cybercriminals, usually because of insecure code. This is somewhat ironic given the barrage of claims about immutability and unhackability that so often accompany fast-money blockchain apps. We’ll delve further into the intricacies of security in the blockchain and its technological accoutrements later on, but suffice it to say that blockchain-based applications are not a security panacea. Unscrupulous threat actors are exploiting coding vulnerabilities to perpetrate fraud or steal ridiculous sums.

In 2020, DeFi thefts resulted in losses of $1.5 billion. By the end of 2021, the figure had soared to $10.5 billion. The upward trajectory is likely to continue in 2022, with crypto losses of $670 million in Q2, up 52% from the same period in 2021. Gekko would be proud… and want a piece of the action, no doubt!

Blockchain and Decentralised Finance

“Show me the money!” – Jerry Maguire (1996)

A blockchain is an online ledger or database distributed among multiple nodes in a public internet network. The blockchain stores transaction records in an immutable, secure, and decentralised manner. These qualities account for the blockchain’s growing popularity in a range of applications, including cryptocurrencies, decentralised finance (DeFi) and non-fungible tokens (NFTs).

NFTs are cryptographic assets that can represent real-world items like artwork, music, or real estate. DeFi, often touted as the “next big thing in the world of finance”, eliminates traditional centralised finance models and is based on the idea of peer-to-peer (P2P) financial transactions.

In DeFi, two parties agree to a transaction via a decentralised finance application (dApp), either using cryptocurrencies or regular (fiat) currencies. The parties trust each other because the transaction is powered by a digital smart contract that establishes the immutable and transparent terms of the transaction.

Although DeFi is still a novel concept, few dispute its potential to reduce the speed and cost of financial transactions and enable greater financial inclusion. This explains why its total value locked (TVL) exceeds $27 billion (September 2022).

Security and Trustworthiness in Blockchain and DeFi

“You can rely on me, Fred.” – A Clockwork Orange (1971)

DeFi technology is based on blockchain’s distributed ledger technology (DLT), with strong cryptographic protocols securing its P2P network. Additionally, dApp users hold their money in a secure digital wallet. Since the information on one block of the blockchain cannot be modified without affecting the following blocks, there’s no way to compromise the dApp’s transactions - or show a criminal Jerry McGuire the money!

Unfortunately, smart hackers have found ways to break into DeFi apps by exploiting the insecure code in their smart contracts. For example, they can compromise admin keys or take advantage of business logic errors to make unchecked arbitrage opportunities work for them, and even find ways to tap into the dApp’s insecure third-party protocols or open-source components.

The result: a whole lot of cyberattacks and huge financial losses for companies and users. The rest of this article explores four of the most high-profile hacks of recent years.

Hack #1: The Attacks on The DAO (2016) and Agave Protocol (2022)

Vulnerability exploited: Reentrancy

In 2016, an unknown hacker stole Ethereum crypto tokens (ETH) worth $60 million from The Decentralized Autonomous Organization (The DAO) by exploiting a loophole in several smart contracts. The stolen ETH amounted to about 5% of all the ETH ever created and was equivalent to about $70 million at the time.

When the attack happened, The DAO was less than three months old. During its inception, it had an unexpectedly successful crowdfunding round where it managed to gather 12.7 million ETH, worth around $150 million.

The attack was the beginning of the end for The DAO, all because of unknown coding weaknesses like recursive call exploits within the application that the hacker happily exploited. Not just a flesh wound but a fatal blow!

The event sent shockwaves throughout the global crypto community and resulted in a major update of the Ethereum blockchain. It also showed that blockchains and DeFi are not as secure as previously assumed, increasing fears of future such attacks. Fear that came true all too soon.

In March 2022, criminals successfully stole $11 million from Agave and Hundred Finance DeFi protocols in a flash loan reentrancy attack. They took advantage of a reentrancy vulnerability in the xDAI token to gain entry to the contract via an external call. They then used flash loans as initial collateral to:

  • Nest additional borrow functions inside one another
  • Increase the borrowed amount before the protocol could update the debt balance
  • Repeat the process to borrow assets worth more than the supplied collateral

A reentrancy vulnerability in smart contracts is often associated with the Ethereum blockchain and exists in several DeFi protocols. A reentrancy attack occurs when an attacker exploits the code in a vulnerable smart contract by calling the withdraw function and draining it of its funds. The hack works because the call happens before the vulnerable contract can update its balance, thus creating a window of time for the attacking contract to steal money.

Play SecureFlag Play one of our Labs on Reentrancy Vulnerability!

Hack #2: The Theft of NFTs from Treasure DAO (2022)

Vulnerability exploited: Logic error

Treasure DAO is an NFT token market platform built on Arbitrum technology for Ethereum. In March 2022, hackers exploited a logic bug in Treasure’s buyItem function to steal 100+ NFTs worth a cool $1.4 million.

Not your run-of-the-mill liquor store robbery by any stretch of the imagination! The hack reiterates what many DeFi and NFT experts have suspected for a while: a security gap in a single line of code can have severe ramifications in terms of millions of stolen funds and thousands of cheated users.

Play SecureFlag Click here to Play our Lab inspired by this hack!

Hack #3: AnySwap Hack (2021)

Vulnerability exploited: Insecure Randomness

AnySwap, a decentralised cross-chain protocol, was hacked in July 2022. The criminals exploited a vulnerability in the protocol’s V3 multichain router prototype that allowed them to deduce the private key of a multi-party computation account on the Binance Smart Chain (BSC) to steal USDC and MIM crypto coins worth almost $8 million.

Although V1/V2 funds were safe, the hack once again showed that: i) crypto security is not guaranteed, and ii) a DeFi protocol is only as secure as its code. The problem of “insecure randomness” in smart contracts increases their vulnerability to attack. It’s not always easy to employ a secure source of randomness. The result is randomness vulnerabilities that allow hackers to affect unexpected behaviours on the blockchain and perpetrate these thefts in DeFi.

Play SecureFlag Play one of our Labs on Insecure Randomness in Smart Contracts!

Hack #4: ThorChain Hack (2021)

Vulnerability exploited: Poor Access Control

ThorChain is a blockchain protocol that enables the decentralised trading of non-native crypto assets. As the hammer-wielding God of Thunder, Thor would be surprised by the hammering his namesake took in mid-2021. First, ThorChain was hit by a breach that resulted in the theft of 4K ETH. A week later, it was hit by another exploit, this time costing around $8 million.

In these hacks, the criminals deployed custom smart contracts that tricked ThorChain’s Bifrost Protocol into receiving a deposit of fake assets. The network then created a fake deposit event with a malicious memo and processed a refund of real assets to the hacker - in this case - to the tune of $8 million.

The ThorChain hammering (pun intended!) highlights the importance of access control in blockchain smart contracts. Nonetheless, it’s dangerous to implement this control by checking the variable tx.origin because the Solidity variable would traverse the entire call stack and return the address of the account where the transaction originated. This would allow a rogue contract to forward the call to a vulnerable contract and enable attackers to perform unauthorised actions like stealing money or real assets.

Play SecureFlag Play one of our Labs on Poor Access Control in Smart Contracts!

The Best Way to Learn About Crypto Hacks (Hint: Not Classroom Training)

The number of real-world blockchain and DeFi applications is constantly growing - and so is the number of exploitable vulnerabilities. Cybercriminals take advantage of vulnerable code to steal crypto tokens and massive amounts of money. The only way to keep these bad apples out is to follow secure coding practices throughout the SDLC. Blockchain, DeFi, and dApp developers must understand the various vulnerabilities that can open the doors to devastation. But for this, they need more than old-fashioned classroom training. What they need is hands-on practice to identify security issues and remediate them. Enter SecureFlag.

SecureFlag is a 100% hands-on secure coding training platform that empowers developers to learn - and retain - defensive programming through real-world vulnerabilities and practice. Adaptive Learning, tailored content, individualised training, and real-time feedback - SecureFlag provides all this and more to help developers fight back against the Gordon Gekkos of the blockchain world. Contact us to learn more about the SecureFlag platform.