Top Five Blockchain Breaches of 2022
And what caused them
Blockchain projects soared 700% in 2021. In the process, they've become extremely attractive targets for hackers across the globe.
In 2022 alone, researchers estimate that security breaches tied to just 33 smart contracts have cost the industry over $1.25 billion. That's almost $40 million per breach.
In this article, we've singled out 2022's top five offenders, breaking them down case-by-case.
1. Ronin
Who: Ronin is an Ethereum sidechain that was built for a popular NFT play-to-earn game, Axie Infinity. In the game, developed by the Vietnamese studio Sky Mavis, players collect and mint NFTs while playing. The Ronin bridge was created to enable users to transfer ETH assets to and from the gaming platform.
How: In March, hackers (since identified as the North Korean group, Lazarus) obtained access to private keys that controlled 5 out of 9 of the bridge's validator nodes. With a majority of the nodes under their control, the hackers were able to operate for over a week without detection.
The root of the exploit was traced back to an issue that occurred last year in which Sky Mavis was granted control of a third-party validator node run by a decentralized organization (DAO). Unfortunately, this access was never revoked, allowing the hackers to install and manage a backdoor.
What: The hackers funneled an incredible $615 million worth of ETH into several decentralized exchanges. The laundered funds were then used to short both Axie Infinity (AXS) and Ronin (RON), as the hackers assumed that these values would tank once news of the breach broke. Ironically, since it took so long for the breach to be detected, their short position was liquidated before they could cash in.
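The concentration risk described above can be checked from an inventory of who is able to sign with which validator. The sketch below is an added example, not code from Sky Mavis or from the original article; the validator names, owners, dates and the 90-day review window are constructed assumptions, and only the 5-of-9 quorum comes from the text.

```python
from collections import defaultdict
from datetime import date

QUORUM = 5  # signatures needed out of 9 validators, as stated in the article

# Constructed inventory: (validator, owner). All names are hypothetical.
VALIDATORS = [
    ("v1", "studio"), ("v2", "studio"), ("v3", "studio"), ("v4", "studio"),
    ("v5", "dao"), ("v6", "partner-a"), ("v7", "partner-b"),
    ("v8", "partner-c"), ("v9", "partner-d"),
]

# Constructed delegations: (validator, grantee, granted, revoked or None).
DELEGATIONS = [
    ("v5", "studio", date(2021, 11, 1), None),                # never revoked
    ("v6", "studio", date(2021, 11, 1), date(2021, 12, 15)),  # revoked
]

def effective_control(validators, delegations, today):
    """Map each party to the validators it can sign with on `today`."""
    control = defaultdict(set)
    for validator, owner in validators:
        control[owner].add(validator)
    for validator, grantee, granted, revoked in delegations:
        if granted <= today and (revoked is None or revoked > today):
            control[grantee].add(validator)
    return control

def quorum_risks(validators, delegations, today, quorum=QUORUM):
    """Return parties whose compromise alone yields a signing quorum."""
    control = effective_control(validators, delegations, today)
    return {p: sorted(v) for p, v in control.items() if len(v) >= quorum}

def stale_delegations(delegations, today, max_age_days=90):
    """Return unrevoked delegations older than the review window."""
    return [
        (validator, grantee, (today - granted).days)
        for validator, grantee, granted, revoked in delegations
        if revoked is None and (today - granted).days > max_age_days
    ]

if __name__ == "__main__":
    today = date(2022, 3, 1)
    print(quorum_risks(VALIDATORS, DELEGATIONS, today))
    print(stale_delegations(DELEGATIONS, today))
```

Ownership alone shows no party at quorum in this sample; it is the unrevoked delegation that pushes one party to five validators, which is why the grant list has to be part of the audit.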
2. Wormhole
Who: Wormhole, yet another crypto bridge, allows top decentralized finance networks to communicate with each other. In essence, it allows tokens from various blockchains (such as Solana, Ethereum, Terra, and others) to be converted from one 'currency' to the other by functioning as a middle man.
How: The Wormhole attack took place on February 2, leveraging a bug that was made public through the project's GitHub repository. The bug fix had been written a month prior and was included in the GitHub commit. However, in the hours before the update was rolled into production, the hackers were able to identify and leverage the vulnerability.
What: Using a forged signature, the hackers were able to mint 120,000 fresh wETH (a 'wrapped' ETH-equivalent used by the Solana network). These were then converted into legitimate ETH, leaving the Wormhole team to foot the $326 million bill.
3. Mirror Protocol
Who: Mirror Protocol is a decentralized application that allows users to create digital synthetics that track real-world assets, such as stocks or commodities. While Mirror assets are available on Ethereum and Binance Smart Chain, the core contracts are deployed on Terra Classic.
How: A software bug allowed users to repeatedly unlock collateral from existing contracts at little to no cost. By analyzing on-chain data, community members identified a single hacker who had been exploiting the vulnerability over a period of seven months before Mirror developers deployed a fix.
What: The hacker made off with $89,706,164, helped in large part by an inordinately long time-to-detection. This is by far the greatest length of time it has taken for a crypto breach to be discovered and was only eventually made public by an independent security researcher, alias FatMan.
4. Qubit Finance
Who: Qubit Finance is a DeFi lending protocol, based on the Binance Smart Chain, that allows members to borrow and lend various virtual assets. Borrowers deposit funds as collateral, and interest is automatically calculated based on the smart contract protocol.
How: In January, hackers discovered a gap in the smart contract that allowed them to freely mint an unlimited quantity of qXETH (an asset representing ETH that's been bridged via Qubit). By duping the contract into believing that they'd deposited funds (when, in fact, they had not), the attackers earned 77,162 qXETH for free.
What: The xETH was used as collateral to withdraw all of the Binance Coin available on Qubit, totaling $80 million at the time of the breach.
5. Cashio
Who: Rounding out the top five, we have Cashio, a Solana-based stable coin (CASH). Since the token is pegged to the US dollar, users must deposit liquidity provider (LP) tokens equivalent to USD (in this case, USDT and USDC) into a collateral account on Solana's decentralized exchange, Saber, in order to mint fresh CASH.
How: In theory, Cashio verifies that the collateral has been deposited in the correct account and in the accepted currency before minting new CASH. However, attackers were able to take advantage of two key holes in the validation process which allowed them to create a fake issuing bank, mint fake tokens, and deposit them into a fake collateral account.
Simply put, they used an 'infinite mint glitch' to convert worthless tokens into real CASH.
What: Hackers made off with $52 million worth of CASH, crashing the stable coin in the process. CASH value plunged from $1 to $0.00005 in minutes. (A post-mortem analysis suggests that the mastermind behind the attack was only 16 years old.)
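The validation gap described above comes down to checking that caller-supplied accounts agree with each other without tying any of them to a value the program itself trusts. The model below is an added example, not Cashio's code and not from the original article; the account fields, addresses and the pinned allow-lists are hypothetical simplifications.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bank:
    address: str

@dataclass(frozen=True)
class Collateral:
    address: str
    bank: str   # address of the bank this collateral record belongs to
    mint: str   # token type accepted as collateral

@dataclass(frozen=True)
class Deposit:
    account: str
    mint: str
    amount: int

# Values pinned by the program, never supplied by the caller (constructed).
TRUSTED_BANK = "bank-real"
ACCEPTED_MINTS = {"usdt-usdc-lp"}
REGISTERED_COLLATERAL = {"coll-real"}

def validate_weak(bank, collateral, deposit):
    """Checks only that the caller-supplied accounts agree with each other."""
    return (collateral.bank == bank.address
            and deposit.mint == collateral.mint
            and deposit.account == collateral.address
            and deposit.amount > 0)

def validate_anchored(bank, collateral, deposit):
    """Same checks, plus every account is tied to a program-pinned value."""
    return (validate_weak(bank, collateral, deposit)
            and bank.address == TRUSTED_BANK
            and collateral.address in REGISTERED_COLLATERAL
            and collateral.mint in ACCEPTED_MINTS)

def mint_cash(validator, bank, collateral, deposit):
    """Return the amount of CASH minted, or 0 if validation fails."""
    return deposit.amount if validator(bank, collateral, deposit) else 0

# Constructed inputs: a genuine set of accounts and a self-consistent fake set.
REAL = (Bank("bank-real"), Collateral("coll-real", "bank-real", "usdt-usdc-lp"),
        Deposit("coll-real", "usdt-usdc-lp", 100))
FAKE = (Bank("bank-fake"), Collateral("coll-fake", "bank-fake", "worthless"),
        Deposit("coll-fake", "worthless", 1_000_000))

if __name__ == "__main__":
    for name, accounts in (("real", REAL), ("fake", FAKE)):
        print(name, mint_cash(validate_weak, *accounts),
              mint_cash(validate_anchored, *accounts))
```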
Recommendations:
Smart Contract Audit
As we've seen, smart contract flaws have been responsible for billions of dollars of losses. If a more rigorous approach is not taken, the casualties will only continue to mount. Nation-state actors like the Lazarus group have proven themselves to be skilled operators in the DeFi environment and target everyone from startups to enterprise blockchain projects.
A properly audited smart contract will protect users from external threats and prevent most non-malicious exploitations. In addition, a smart contract audit may allow the code to work more efficiently, thereby allowing a project to demonstrate higher performance at a lower cost.
Penetration Testing
Instead of waiting for a malicious actor to identify the gaps in technology or organization, blockchain organizations should hire a white hat security team to pen test their project prior to launch. This will proactively identify weak spots in the software by testing your systems against a simulated cyberattack in a safe and controlled environment.
Bug Bounty
Similar to Penetration Testing, bug bounty programs have been widely accepted as an effective and cost-efficient way to quickly track down security flaws in deployed software. Decentralized technology developers understand more than anyone else the power that comes with community. Leveraging their network to constantly and aggressively pursue security excellence will go a long way to safeguard their users and ensure long term success.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.