The Collapse of Blockchain Security: August Edition


    Introduction

    The month of August has proved to be an unlucky time for the crypto world. In just four weeks, four major platforms and protocols have been attacked by four different hackers, resulting in an estimated total loss of over $720M at the time of publishing.

    Being forced to face staggering losses in millions in such quick succession has had the blockchain community reeling. Even more surprising is the distinctive nature of these attacks, with each one being carried out by individuals with no connection to each other. The motives and outcome of each hack also varied, with some attackers even going on to return all of the money they had stolen.

    The uniqueness of these cyber thefts illuminates a dangerous message about the security and reliability of these platforms, raising several questions. Is orchestrating an attack of this level really so easy? If I happen to be a daring individual with the right technical skills, can I too be the owner of millions of dollars worth of funds? And most importantly, what measures can other platforms take beforehand to ensure they and their users are safe from becoming the next target?

    Discussing these doubts is imperative to contribute to understanding and improving the spaces we operate in. Before we dive into that debate, however, let us first revisit each hack in detail.

    Breaking Down Each Hack

    Popsicle Finance

    Date of Attack: 4th August 2021
    Estimated Amount Stolen: $20.7M 

    The first attack was on Popsicle Finance, taking place just 4 days into the month of August. Popsicle Finance is a multichain yield optimization platform that manages liquidity for its users across multiple chains. One of their products named Sorbetto Fragola was targeted in the attack.

    Sorbetto Fragola was designed especially for Uniswap V3, which allows LPs to decide their preferred price ranges. It works by optimizing the price range for the holdings that users deposit into Fragola; the protocol then deploys those holdings into the most lucrative liquidity pool, allowing users to obtain the highest yield possible.

    However, there was one simple bug in the product’s smart contract which related to the claiming of rewards. The hacker took advantage of the absence of a very crucial check in the code, allowing him to manipulate the contract to make it seem as if the rewards owed to him were equal to the total TVL of the pool. In this way, he was able to steal $20.7M worth of funds in just a single transaction.

    After the attack, the Popsicle Finance team attempted to negotiate with the hacker, offering him $1M in the currency of his choice so long as he returned the stolen funds. Unfortunately, there has been no update on whether or not the attacker responded to this request. 

    Despite undergoing two separate audits by CertiK and PeckShield, neither of which detected this vulnerability, Popsicle Finance’s smart contract for their liquidity manager platform remained at risk. Moreover, the effects of this hack are still being seen today, with the platform’s ICE token value 23 percent less than what it was the day before the attack.

    Poly Network

    Date of Attack: 10th August 2021
    Estimated Amount Stolen: $600M

    The attack on Poly Network made major headlines only recently for being the largest hack in the history of cryptocurrency. It was also one of the most bizarre cases the blockchain world has seen: major highlights include the platform’s naive attempt at negotiation, a Q&A session led by the hacker himself, and an eventual return of almost all the stolen funds. Quite the rollercoaster.

    Poly Network is a cross-chain interoperability protocol that enables different heterogeneous blockchains to work with each other on one platform. By hacking into the Poly Network platform, the attacker was able to drain funds from the Ethereum, Binance Smart Chain, and Polygon blockchains, with the Ethereum blockchain being most affected.

    The attacker achieved this massive feat by exploiting a design flaw in the architecture of the code to modify the keeper of a very important smart contract used to trigger messages between blockchains. By sending carefully constructed data to one of that smart contract’s functions, he was able to make it call a function of another contract. This function allowed him to change the keeper of the initial smart contract to an address of his own. This meant the attacker could then create transactions at will and withdraw any amount of funds he desired. All other normal transactions on the chain were also reverted, as the keeper was now modified.
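    As an added, simplified illustration in Solidity (not Poly Network’s code; the contract and function names `CrossChainData`, `VulnerableExecutor`, `HardenedExecutor` and `setKeeper` are hypothetical), the pattern described above: a cross-chain executor that forwards a message to whatever target and function selector the message names can be turned against the privileged contract it keeps, while the hardened version refuses to dispatch into its own privileged contracts and only calls allowlisted targets.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical data contract: its "keeper" gates privileged operations.
contract CrossChainData {
    address public keeper;
    constructor(address initialKeeper) { keeper = initialKeeper; }
    modifier onlyKeeper() { require(msg.sender == keeper, "not keeper"); _; }
    // Only the current keeper may hand the role to another address.
    function setKeeper(address newKeeper) external onlyKeeper { keeper = newKeeper; }
}

// Vulnerable pattern: this executor is registered as the keeper of
// CrossChainData and forwards messages to a message-chosen target and
// selector. A message that names CrossChainData and setKeeper is executed
// with the executor as msg.sender, so onlyKeeper passes.
contract VulnerableExecutor {
    function executeMessage(address target, bytes4 selector, bytes calldata args) external {
        // message authenticity checks omitted; the flaw is in where the call may go
        (bool ok, ) = target.call(abi.encodePacked(selector, args));
        require(ok, "call failed");
    }
}

// Hardened pattern: the executor's own privileged contracts can never be a
// message target, and every other target must be explicitly allowlisted.
contract HardenedExecutor {
    address public immutable data;   // the CrossChainData this executor keeps
    address public admin;
    mapping(address => bool) public allowedTarget;

    constructor(address data_) { data = data_; admin = msg.sender; }

    function setAllowed(address target, bool allowed) external {
        require(msg.sender == admin, "not admin");
        require(target != data && target != address(this), "privileged contract");
        allowedTarget[target] = allowed;
    }

    function executeMessage(address target, bytes4 selector, bytes calldata args) external {
        require(allowedTarget[target], "target not allowlisted");
        (bool ok, ) = target.call(abi.encodePacked(selector, args));
        require(ok, "call failed");
    }
}
```

    The allowlist check belongs in the executor itself rather than in the message verifier, because a validly signed message can still name a target it should never be allowed to reach.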


    DAO Maker

    Date of Attack: 12th August 2021
    Estimated Amount Stolen: $7M

    Not to be confused with the Ethereum-based protocol MakerDao, Dao Maker is a cryptocurrency crowdfunding platform that creates solutions for and funds blockchain projects and startups. Over 5,000 users were affected by the hack, each of whom lost approximately $1,250 on average.

    According to a statement released by the Dao Maker team, the attacker was able to exploit a vulnerability in the SHO smart contract which enabled him to grant himself admin privileges and access the platform’s wallets. Initially, a single transaction was made to steal 10,000 USDC stablecoins, and when that proved successful, the attacker went on to make 15 more transactions, reaching a grand total of $7M worth of funds lost.

    Interestingly, an analysis of the hack made by BlockSec suggests that the victim wallet is the one that granted admin privileges to the hacker, which doesn't quite make sense. Why would the victim grant this role to the attacker, essentially enabling him to steal millions? It seems like this may have been less of an attack and more of an inside job, the intent for which remains unclear and should be further scrutinized.

    Dao Maker has also seemed to recover quite quickly from the attack, with the price of their native token DAO dipping only immediately afterward. According to coingecko, the token is now valued at $2.28, a 14 percent increase from what it was immediately before the hack took place.

    Liquid Global

    Date of Attack: 19th August 2021
    Estimated Amount Stolen: $97M

    Based in Japan, Liquid Global is among the top 20 cryptocurrency exchange companies in the world. Despite its high ranking, the company still suffered an attack this month, losing an estimated $97M worth of funds after their hot wallets were compromised.

    The company took to Twitter on the day of the attack to inform its users of the wallets that had been compromised as well as mention their decision to move the remaining assets to cold wallets where they will be less vulnerable. Four wallets in total were compromised which included BTC, ETH, TRX, and XRP tokens.

    An investigation to discover how the attack took place and by whom is currently underway. Liquid Global has also published the addresses at which the funds were transferred and is currently collaborating with other exchanges to freeze and recover the stolen money.

    Is There Light At The End Of This Tunnel?

    Witnessing several major hacks in the span of just a few weeks has brought forth layers of doubt surrounding the integrity of the cryptocurrency space. The foundation that these platforms are built on is blockchain, a technology prided for being decentralized, scalable, and secure.

    Smart contracts are written by humans and are hence prone to errors and oversight. Since they live on a blockchain, which is itself transparent, anyone can easily read them. Though this is helpful when detecting bugs and fixing them, it can also be dangerous. A hacker with a good eye can study these smart contracts and manufacture a carefully curated attack with the intent of either pointing out a vulnerability (in the case of white-hat hackers) or for his own personal gain.

    Still, not all hope is lost. This month of attacks has brought to light many valuable lessons for the blockchain community, with the most important one being that of responsibility. Many argue that almost all of these attacks could have been avoided if the smart contract authors and auditors had just been a little more careful.

    In the end, like always, it all boils down to security and how far you are willing to go to achieve it. Conducting good quality audits of your smart contracts is paramount to their success. It does not matter how many audits you perform; instead, you must be sure that those conducting the audits are meticulous in their scrutiny. Cutting corners may look appealing in the short term, but could very well be the reason for your platform’s downfall.
