The month of August has proved to be an unlucky time for the crypto world in terms of blockchain security. In just four weeks, four major platforms and protocols have been attacked by four different hackers. This resulted in an estimated total loss of over $720M at the time of publishing.Â
Being forced to face staggering losses of millions in such quick succession has had the blockchain community reeling. Even more surprising is the distinctive nature of these attacks, with each one being carried out by individuals with no connection to each other. The motives and outcome of each hack also varied, with some attackers even going on to return all of the money they had stolen.
The uniqueness of these cyber thefts illuminates a dangerous message about the blockchain security and reliability of these platforms. This raised several questions. Is orchestrating an attack of this level really so easy? If I happen to be a daring individual with the right technical skills. Can I, too, be the owner of millions of dollars worth of funds? And most importantly, what measures can other platforms take beforehand to ensure they and their users are safe from becoming the next target?
Discussing these doubts is imperative to contribute to understanding and improving the spaces we operate in. Before we dive into that debate, however, let us first revisit each hack in detail.
Breaking Down Each Hack
Popsicle Finance
Date of Attack: 4th August 2021
Estimated Amount Stolen: $20.7MÂ
The first attack was on Popsicle Finance, taking place just 4 days into August. Popsicle Finance is a multichain yield optimization platform that manages liquidity for its users across multiple chains. One of their products named Sorbetto Fragola was targeted in the attack.
Sorbetto Fragola was designed especially for Uniswap V3 which allows LPs to decide their preferred price ranges. The way it works is that it provides liquidity to users. These users deposit their crypto holdings into Fragola by optimizing the price range. The protocol will deploy those holdings into the most lucrative liquidity pool, allowing users to obtain the highest yield possible.
However, there was one simple bug in the product’s smart contract which related to the claiming of rewards. The hacker took advantage of the absence of a very crucial check in the code, allowing him to manipulate the contract. He made it seem as if the rewards owed to him were equal to the total TVL of the pool. In this way, he was able to steal $20.7M worth of funds in just a single transaction. This was quite a hit on blockchain security as a whole.
After the attack, the Popsicle Finance team attempted to negotiate with the hacker, offering him $1M in the currency of his choice so long as he returned the stolen funds. Unfortunately, there has been no update on whether or not the attacker responded to this request.Â
Despite undergoing two separate audits by CertiK and PeckShield- neither of which were able to detect this vulnerability. Popsicle Finance’s smart contract for its liquidity manager platform remained at risk. Moreover, the effects of this hack are still being seen today, with the platform’s ICE token value 23 percent less than what it was the day before the attack.
Poly Network
Date of Attack: 10th August 2021
Estimated Amount Stolen: $600M
The attack on Poly Network made major headlines only recently for being the largest hack in the history of cryptocurrency. It was also one of the most bizarre cases the blockchain world has seen. Major highlights include the platform’s naive attempt at negotiation, a Q&A session led by the hacker himself, and an eventual return of almost all the stolen funds. Quite the rollercoaster.
Poly Network is a cross-chain interoperability protocol that enables different heterogeneous blockchains to work with each other on one platform. By hacking into the Poly Network platform, the attacker was able to drain funds from the Ethereum, Binance Smart Chain, and Polygon blockchains. The most affected was the Ethereum blockchain.
The attacker achieved this massive feat by exploiting a design flaw in the architecture of the code. They modified the keeper of a very important smart contract used to trigger messages between blockchains. By sending carefully constructed data to one of the smart contract’s functions, it was able to call the function of another contract. This function allowed him to change the keeper of the initial smart contract to an address of his own. This meant the attacker could then create transactions at will and withdraw any amount of funds he desired. All other normal transactions on the chain were also reverted, as the keeper was now modified. Blockchain security was tested one again this way.
Click here to read a much more in-depth analysis of this hack and the insights it delivered.
DAO Maker
Date of Attack: 12th August 2021
Estimated Amount Stolen: $7M
Do not confuse it with the Ethereum-based protocol MakerDao. Dao Maker is a cryptocurrency crowdfunding platform that creates solutions for and funds blockchain projects and startups. Over 5,000 users were affected by the hack, each of whom lost approximately $1,250 on average.
According to a statement released by the Dao Maker team, the attacker was able to exploit a vulnerability in the SHO smart contract. This vulnerability enabled him to grant himself admin privileges and access the platform’s wallets. Initially, the hacker made a single transaction to steal 10,000 USDC stablecoins. When that proved successful, the attacker went on to make 15 more transactions- reaching a grand total of $7M worth of funds lost.
Interestingly, an analysis of the hack made by BlockSec suggests that the victim wallet is the one who granted admin privileges to the hacker. This doesn’t quite make sense. Why would the victim grant this role to the attacker, essentially enabling him to steal millions?It seems like this may have been less of an attack and more of an inside job – the intent for which remains unclear and requires further scrutiny. It is not always the external factors blockchain security need to strengthen againsts.
Dao Maker has also seemed to recover quite quickly from the attack, with the price of their native token DAO dipping only immediately afterward. According to coingecko, the token is now valued at $2.28-Â a 14 percent increase from what it was immediately before the hack took place.
Liquid Global
Date of Attack: 19th August 2021
Estimated Amount Stolen: $97M
Based in Japan, Liquid Global is among the top 20 cryptocurrency exchange companies in the world. This month, the company suffered an attack despite its high ranking, with hackers compromising their hot wallets and causing an estimated loss of $97M worth of funds.
The company took to Twitter on the day of the attack to inform its users of the wallets that had been compromised. They also mentioned their decision to move the remaining assets to cold wallets where they will be less vulnerable. Hackers compromised four wallets in total, which contained BTC, ETH, TRX, and XRP tokens.
So, an investigation to discover how the attack took place and by whom is currently underway. Liquid Global has also published the addresses at which the funds were transferred. They are currently collaborating with other exchanges to freeze and recover the stolen money.
Is There Light At The End Of This Tunnel?
Witnessing several major hacks in the span of just a few weeks has brought forth layers of doubt surrounding the integrity of the cryptocurrency space. Blockchain, a technology prided for its decentralization, scalability, and security, underpins the foundation of these platforms.
Smart contracts are written by humans and are hence prone to errors and oversight. Since they are on the blockchain which in itself is transparent, anyone on the blockchain can easily access them. Though this is helpful when detecting bugs and fixing them, it can also be dangerous. A hacker with a good eye can study these smart contracts and manufacture a carefully curated attack. Intending of either pointing out a vulnerability (in the case of white-hat hackers) or for his own personal gain.
Still, not all hope is lost. This month of attacks has brought to light many valuable lessons for the blockchain community, with the most important one being that of responsibility. Many argue that the smart contract authors and auditors could have avoided almost all of these attacks if they had just been a little more careful.
In the end, like always, it all boils down to blockchain security and how much you are willing to achieve it. The importance of conducting good quality audits of your smart contracts is paramount to their success. It does not matter how many audits you perform- instead, you must be sure that those conducting those audits are meticulous in their scrutinization. Cutting corners may look appealing in the short term, but could very well be the reason for your platform’s downfall.
Read more Insights:
GameFi: Future of Gaming or Short-lived Gimmick?
