blockchain security

Why DeFi should expect more hacks this year: Blockchain security execs

One reason is that “hackers have gotten smarter, gained more experience, and learned how to look for bugs,” according to the founder of a crypto auditing firm.

Decentralized finance (DeFi) investors should buckle themselves up for another big year of exploits and attacks as new projects enter the market and hackers become more sophisticated.

Executives from blockchain security and auditing firms HashEx, Beosin and Apostro were interviewed for Drofa’s “An Overview of DeFi Security In 2022” report, shared exclusively with Cointelegraph.

The executives were asked about the reason behind last year’s significant increase in DeFi hacks, and whether this will continue through 2023.

Tommy Deng, managing director of blockchain security firm Beosin, said while DeFi protocols will continue to strengthen and improve security, he also admitted that “there is no absolute security,” stating:

“As long as there is interest in the crypto market, the number of hackers will not decrease.”

Deng added that many new DeFi projects “don’t go through complete security testing before going live.”

Additionally, a significant amount of projects are now exploring the use of cross-chain bridges, which were a prime target for attackers last year, with $1.4 billion stolen in six exploits.

Deng’s comments mirror those of blockchain security firm CertiK, whictold Cointelegraph on Jan. 3 that it doesn’t “anticipate a respite in exploits, flash loans or exit scams” in the coming year.

In particular, CertiK noted the likelihood of “further attempts from hackers targeting bridges in 2023,” citing the historically high returns from attacks in 2022.

The founder and CEO of crypto auditing firm HashEx, Dmitry Mishunin, said th “hackers have gotten smarter, gained more experience, and learned how to look for bugs.”

“The crypto industry is still relatively new, and everyone is growing with each other, so it’s difficult to get too far ahead of bad actors.”

He added the amount of value in some DeFi projects made the industry “very attractive” to malicious actors and that the number of hacks “is only going to grow going forward.”

Mishuin said these attacks may even spread outside of DeFi, with attackers setting their sights on “crypto exchanges and banks” that enter the market offering “more secure solutions for storing digital assets.”

Smart contract security and auditing firm Apostro co-founder Tim Ismiliaev gave a more hopeful take, however, as he expects the space to “mature over the next five years, and new best practices for securing decentralized finance protocols will emerge.”

Too long; didn’t read

Interestingly, both Mishunin and Deng noted that many of the post-incident reports provided by blockchain security firms often fail to reach their target audience — blockchain developers.

“The people that read such analyses are average investors that are concerned about their money. Actual blockchain developers are too busy coding; they don’t have time to read stuff like that,” said Mishunin.

Meanwhile, Deng said the reports are usually about “event-based vulnerabilities and related recommendations,” so they often don’t help other developers that might be vulnerable to other exploits.

He admitted, however, that reports on “general vulnerabilities” in DeFi “tend to do a good job of ramping up protection.”

“The reentrancy vulnerabilities are now not as common as they used to be.”

$62M crypto stolen in Dec was the ‘lowest monthly figure’ in 2022: CertiK

December proved to be the month with the least crypto stolen in 2022, although there were still 23 major incidents, according to CertiK.

Cryptocurrency hackers and exploiters seemingly slowed down for the 2022 holidays as December saw $62.2 million worth of cryptocurrencies stolen, the “lowest monthly figure” of the year, according to CertiK.

The blockchain security company on Dec. 31 tweeted a list of the month’s most significant attacks. It highlighted the $15.5 million worth of exit scams as the method that stole the most value over the month, followed by the $7.6 million worth of flash loan-based exploits.

#CertiKStatsAlert

Combining all the incidents in December we’ve confirmed ~$62.2M lost to exploits, hacks and scams.

The lowest monthly figure this year.

Exit scams were ~$15.5M

Flashloans were ~$7.6M

See the details below pic.twitter.com/1ub3mYVv6K

— CertiK Alert (@CertiKAlert) December 31, 2022

A later tweet on Jan. 1 confirmed that the 23 largest exploits were responsible for around 98.5% of the $62.2 million figure, with the $15 million Helio Protocol incident on Dec. 2 the largest of the month.

The protocol, which manages the stablecoin HAY (HAY), suffered a loss when a trader took advantage of a price discrepancy in Ankr Reward Bearing Staked BNB (aBNBc) to borrow millions worth of HAY.

At the time, the decentralized finance (DeFi) protocol Ankr suffered a separate exploit where an attacker minted 20 trillion aBNBc, causing its price to plummet. The Helio trader quickly deposited aBNBc tokens to borrow 16 million HAY, causing the loan to be significantly undercollateralized, leading to the protocol’s loss and a depeg of its stablecoin.

The second largest incident of the month was the $12.9 million exploits of Defrost Finance’s v1 and v2 protocols on Dec. 23, where an attacker carried out a flash loan attack by adding a fake collateral token and a malicious price oracle to liquidate the protocol.

Days after the exploit, the hacker returned the funds stolen from the v1 protocol to an address controlled by Defrost, though funds are yet to have been returned for the v2 hack.

CertiK labeled the exploit an “exit scam” due to the fact an admin key was required to conduct the attack. Defrost denied the allegations to Cointelegraph, claiming the key was compromised.

The December figure is much lower than the month prior, seeing an 89.5% decrease from the $595 million worth of exploits across 36 major incidents CertiK recorded in November, a figure largely skewed by the $477 million hack of crypto exchange FTX.

#CertiKStatsAlert

36 major attacks were recorded in November totalling a loss of ~$595 Million.

As always, make sure a project has an audit & KYC before investing!

Remember to always #DYOR and read the audit reports! pic.twitter.com/UhiDU2itAm

— CertiK Alert (@CertiKAlert) December 1, 2022

Overall for 2022, just the largest 10 exploits of the year funneled around $2.1 billion to bad actors, largely on cross-blockchain bridges and DeFi protocols.

$100M drained from Solana DeFi platform Mango Markets, token plunges 52%

The platform’s treasury was drained of over $100 million worth of cryptocurrency after an attacker manipulated the price data of its native token to take out loans against their holdings.

Solana-based decentralized finance (DeFi) exchange Mango Markets has been hit with a reported exploit of over $100 million through an attacker manipulating price oracle data, allowing them to take out under-collateralized cryptocurrency loans.

The exploit was first identified by blockchain security firm OtterSec, which tweeted the exchange had been drained of over $100 million due to the attacker manipulating the value of its MNGO native token collateral, then taking out “massive loans” from Mango’s treasury.

It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury. pic.twitter.com/2IJrB9RcEJ

— OtterSec (@osec_io) October 11, 2022

The Mango Markets team tweeted soon after, warning users not to deposit funds until “the situation was more clear” and asking the attacker to contact them to discuss a bug bounty.

The team later confirmed the manipulation of a price oracle — a price data feed of the value of its MNGO token — and stated that it had disabled deposits while it continued investigations of the incident.

We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves.

If you have any information, please contact blockworks@protonmail.com to discuss a bounty for the return of funds. 2/

— Mango (@mangomarkets) October 11, 2022

Due to news of the exploit, the price of the platforms’ MNGO token has fallen by around 52% in the last 24 hours at the time of writing, according to data from CoinGecko.

The exploiters’ account on the platform shows the three largest withdrawals were for $50 million worth of USD Coin (USDC), over $26.7 million worth of a Solana staking token called Marinade Staked SOL (mSOL), and nearly $24 million worth of Solana’s SOL (SOL).

Over $14.7 million worth of MNGO was withdrawn, and Mango said it’s “taking steps to have third parties freeze funds in flight.”

Meanwhile, the QANplatform blockchain also suffered from an exploit of its own on Oct. 11, with its Ethereum bridge drained of around $1.89 million worth of its native QANX token, according to blockchain security company Beosin. QANplatform said it’s investigating the incident.

Crypto security experts raking in $430K salaries amid spike in hacks

The demand for blockchain security experts comes amid a rise in crypto hackings in 2022.

The rise of crypto hacks over 2022 has skyrocketed demand for blockchain security experts, with some auditors making upwards of $430,000 per year.

Speaking with Cointelegraph, blockchain recruitment firm CryptoRecruit founder Neil Dundon said that while security audit services have long been in demand, the rise of decentralized finance (DeFi) protocols has opened up opportunities for auditors to review potentially vulnerable smart contracts:

“There’s always been a demand for security auditors […] But since DeFi apps have been out there, there has been quite a big increase in demand for security audits across the space because one small vulnerability in the protocol can potentially lead to the loss of hundreds of millions of dollars.”

A report from Chainalysis earlier this month revealed that hackers extracted more than $2 billion from cross-chain bridge protocols alone this year.

In a Bloomberg report on Monday, CEO of decentralized lending service Morpho Labs Paul Frambot said that crypto security audits have moved from a “nice to have” business expense to a “must have” one.

“Security is, in my opinion, not taken sufficiently seriously in DeFi,” he said.

The rise in demand for crypto security auditors has seen a plethora of “for hire” ads across the industry.

According to job advertisements posted on Cryptocurrency Jobs, blockchain audit companies mostly look for experienced programmers with an understanding of blockchain technology, cybersecurity and cryptography.

While most security audit salaries fall within the $100,000-$250,000 range, some companies are willing to pay upward of $430,000 per year, according to Web3.career’s job board.

Crypto recruitment firm Plexus Resource Solutions Zeth Couceiro made a similar comment to Bloomberg, noting that in some cases, blockchain security auditors have been raking up to $400,000 annually.

Couceiro added that these auditors tend to make about 20% more than Solidity-focused developers, which is the most popular programming language used to deploy smart contracts on Ethereum and other Ethereum Virtual Machine- (EVM)-compatible blockchains.

Among the top vulnerabilities that security auditors look for in smart contracts include timestamp dependency, reentrancy attacks, random number vulnerability and spelling mistakes.

The Bloomberg report noted that venture capital firms have already poured $257 million into crypto security audit companies this year, which is up 38.9% from all of 2021, according to CB insights.