
South Korean crypto exchange GDAC hacked for nearly $14M

The exchange said that all deposits and withdrawals are temporarily suspended as it performs emergency server maintenance.

South Korean crypto exchange GDAC has been hacked for approximately $13.9 million worth of crypto. The exchange has halted all deposits and withdrawals and is performing emergency server maintenance in response to the attack, according to an April 10 announcement from GDAC CEO Han Seunghwan.

According to the announcement, the attacker gained control of some of the exchange’s hot wallets on the morning of April 9 and, at 7 am Korean Standard Time, began moving crypto into wallets under the attacker’s control. Around 61 Bitcoin (BTC), 350.5 Ether (ETH), 10 million of the WEMIX gaming currency, and $220,000 worth of Tether (USDT) were stolen in the attack. This totals around $13.9 million worth of crypto at April 10 prices.

The amount stolen is “approximately 23% of Gdac’s current total custodial assets,” the announcement said. The exchange has alerted the police, reported the hack to the Korea Internet & Security Agency (KISA), and notified the Financial Intelligence Unit (FIU) of the loss caused by the attack.

Related: Here’s how much was lost to crypto hacks and exploits in Q1 2023

GDAC is also asking crypto exchanges not to honor deposits made from the address that performed the attack.

Seunghwan said that the exchange does not know when withdrawals will be resumed. “We ask for your understanding that it is difficult to confirm the resumption point of deposit and withdrawal as the investigation is currently underway,” he said, according to Google Translate.

Centralized exchange hacks continue to be a problem in the crypto industry. Case in point: Crypto.com was hacked for over $15 million in January 2022. Amid a liquidity crisis at FTX, an attacker drained $663 million from the failed crypto exchange. The GDAC attack may be the first major centralized crypto exchange hack of 2023.

SushiSwap approval bug leads to $3.3 million exploit

Only users who have traded on the decentralized exchange in the last four days are apparently affected.

A bug on a smart contract on the decentralized finance (DeFi) protocol SushiSwap led to over $3 million in losses in the early hours of April 9, according to several security reports on Twitter. 

Blockchain security companies CertiK Alert and Peckshield posted about unusual activity related to the approval function in Sushi’s Router Processor 2 contract — a smart contract that aggregates trade liquidity from multiple sources and identifies the most favorable price for swapping coins. Within a few hours, the bug led to losses of $3.3 million.

According to DefiLlama pseudonymous developer 0xngmi, the hack should only affect users who swapped in the protocol in the past four days.

Sushi’s head developer Jared Grey urged users to revoke permissions for all contracts on the protocol. “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue,” he noted. A list of contracts on GitHub with different blockchains requiring revocation has been created to address the problem.

Hours after the incident, Grey took to Twitter to announce that a “large portion of affected funds” had been recovered through a white hat security process. “We’ve confirmed recovery of more than 300ETH from CoffeeBabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH.”

The Sushi community has had an intense weekend. On April 8, Grey and his counsel provided comments on the recent subpoena from the United States Securities and Exchange Commission (SEC).

“The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws,” he stated.

Grey claims to be cooperating with the investigation. A legal defense fund in response to the subpoena was proposed on Sushi’s governance forum on March 21.

Magazine: Crypto audits and bug bounties are broken: Here’s how to fix them


Euler Finance attack: How it happened, and what can be learned

The Euler Finance exploit was the largest of Q1 2023, and the risk of a similar attack on other protocols remains.

The March 13 flash loan attack against Euler Finance resulted in over $195 million in losses. It caused a contagion to spread through multiple decentralized finance (DeFi) protocols, and at least 11 protocols other than Euler suffered losses due to the attack.

Over the next 23 days, and to the great relief of many Euler users, the attacker returned all of the exploited funds.

But while the crypto community can celebrate the return of the funds, the question remains whether similar attacks may cause massive losses in the future.

An analysis of how the attack happened and whether developers and users can do anything to help prevent these kinds of attacks in the future may be helpful.

Luckily, Euler’s developer docs clearly explain how the protocol works, and the blockchain itself has preserved a complete record of the attack. 

How Euler Finance works

According to the protocol’s official docs, Euler is a lending platform similar to Compound or Aave. Users can deposit crypto and allow the protocol to lend it to others, or they can use a deposit as collateral to borrow crypto.

The value of a user’s collateral must always be more than what they borrow. Suppose a user’s collateral falls below a specific ratio of collateral value to debt value. In that case, the platform will allow them to be “liquidated,” meaning their collateral will be sold off to pay back their debts. The exact amount of collateral a user needs depends upon the asset being deposited vs. the asset being borrowed.

eTokens are assets, while dTokens are debts

Whenever users deposit to Euler, they receive eTokens representing the deposited coins. For example, if a user deposits 1,000 USD Coin (USDC), they will receive the same amount of eUSDC in exchange.

eTokens do not have a 1:1 value correspondence with the underlying asset: a deposit earns interest over time, so each eToken becomes worth more than one underlying coin.

Euler also allows users to gain leverage by minting eTokens. But if they do this, the protocol will send them debt tokens (dTokens) to balance out the assets created.

For example, the docs say that if a user deposits 1,000 USDC, they can mint 5,000 eUSDC. However, if they do this, the protocol will also send them 5,000 of a debt token called “dUSDC.”

The transfer function for a dToken is written differently than a standard ERC-20 token. If you own a debt token, you can’t transfer it to another person, but anyone can take a dToken from you if they want to.

Related: Liquidity protocol Sentiment exploited for over $500K

According to the Euler docs, a user can only mint as many eTokens as they would have been able to by depositing and borrowing over and over again, as it states, “The Mint function mimics what would happen if a user deposited $1,000 USDC, then borrowed $900 USDC, then redeposited that $900 USDC, to borrow $810 more USDC, and so on.”

Users liquidated if health scores drop to 1 or below

According to a blog post from Euler, each user has a “health score” based on the value of the eTokens held in their wallets vs. the value of the dTokens held. A user needs to have a greater dollar value of eTokens than dTokens, but how much more depends on the particular coins they are borrowing or depositing. Regardless, a user with enough eTokens will have a health score greater than 1.

If the user barely falls below the required number of eTokens, they will have a health score of precisely 1. This will subject them to “soft liquidation.” Liquidator bots can call a function to transfer some of the user’s eTokens and dTokens to themselves until the borrower’s health score returns to 1.25. Since a user who is barely below the collateral requirements will still have more collateral than debt, the liquidator should profit from this transaction.

If a user’s health score falls below 1, then an increasing discount is given out to the liquidator based on how bad the health score is. The worse the health score, the greater the discount to the liquidator. This is intended to make sure that someone will always liquidate an account before it accumulates too much bad debt.

Euler’s post claims that other protocols offer a “fixed discount” for liquidation and argues that variable discounts are superior.

How the Euler attack happened

Blockchain data reveals that the attacker engaged in a series of attacks that drained various tokens from the protocol. The first attack drained around $8.9 million worth of Dai (DAI) from the Dai deposit pool. It was then repeated over and over again for other deposit pools until the total amount was drained.

The attacker used three different Ethereum addresses to perform the attack. The first was a smart contract, which Etherscan has labeled “Euler Exploit Contract 1,” used to borrow from Aave. The second address was used to deposit and borrow from Euler, and the third was used to perform a liquidation.

To avoid having to repeatedly state the addresses that Etherscan has not labeled, the second account will be referred to as “Borrower” and the third account “Liquidator,” as shown below:

Ethereum addresses used by the hacker. Source: Etherscan

The first attack consisted of 20 transactions in the same block.

First, Euler Exploit Contract 1 borrowed 30 million DAI from Aave in a flash loan. It then sent this loan to the borrower account.

After receiving the 30 million DAI, borrower deposited 20 million of it to Euler. Euler then responded by minting approximately 19.6 million eDAI and sending it to borrower.

These eDAI coins were a receipt for the deposit, so a corresponding amount of dDAI was not minted in the process. And since each eDAI can be redeemed for slightly more than one DAI, the borrower only received 19.6 million instead of the full 20 million.

After performing this initial deposit, borrower minted approximately 195.7 million eDAI. In response, Euler minted 200 million dDAI and sent it to borrower.

At this point, borrower was near their eDAI mint limit, as they had now borrowed about 10 times the amount of DAI they had deposited. So their next step was to pay off some of the debts. They deposited the other 10 million DAI they had held onto, effectively paying back $10 million of the loan. In response, Euler took 10 million dDAI out of borrower’s wallet and burned it, reducing borrower’s debt by $10 million.

Related: Allbridge offers bounty to exploiter who stole $573K in flash loan attack

The attacker was then free to mint more eDAI. Borrower minted another 195.7 million eDAI, bringing their eDAI total minted to around 391.4 million. The 19.6 million eDAI in deposit receipts brought borrower’s eDAI total to about 411 million.

In response, Euler minted another 200 million dDAI and sent it to borrower, bringing borrower’s total debt to $400 million.

Once borrower had maximized their eDAI minting capacity, they sent 100 million eDAI to the null address, effectively destroying it.

This pushed their health score well below 1, as they now had $400 million in debt vs. approximately $320 million in assets.

This is where the liquidator account comes in. It called the liquidate function, entering borrower’s address as the account to be liquidated.

Liquidation event emitted during the Euler attack. Source: Ethereum blockchain data

In response, Euler initiated the liquidation process. It first took around 254 million dDAI from borrower and destroyed it, then minted 254 million new dDAI and transferred it to liquidator. These two steps transferred $254 million worth of debt from borrower to liquidator.

Next, Euler minted an additional 5.08 million dDAI and sent it to liquidator. This brought liquidator’s debt to $260 million. Finally, Euler transferred approximately 310.9 million eDAI from borrower to liquidator, completing the liquidation process.

In the end, borrower was left with no eDAI, no DAI, and 146 million dDAI. This meant that the account had no assets and $146 million worth of debt.

On the other hand, liquidator had approximately 310.9 million eDAI and only 260 million dDAI.

Once the liquidation had been completed, liquidator redeemed 38 million eDAI ($38.9 million), receiving 38.9 million DAI in return. They then returned 30 million DAI plus interest to Euler Exploit Contract 1, which the contract used to pay back the loan from Aave.

In the end, liquidator was left with approximately $8.9 million in profit that had been exploited from other users of the protocol.

This attack was repeated for multiple other tokens, including Wrapped Bitcoin (WBTC), Staked Ether (stETH) and USDC, amounting to $197 million in exploited cryptocurrencies.

Losses from Euler attack. Source: Blocksec

What went wrong in the Euler attack

Blockchain security firms Omniscia and SlowMist have analyzed the attack to try to determine what could have prevented it.

According to a March 13 report from Omniscia, the primary problem with Euler was its “donateToReserves” function. This function allowed the attacker to donate their eDAI to Euler reserves, removing assets from their wallet without removing a corresponding amount of debt. Omniscia says that this function was not in the original version of Euler but was introduced in Euler Improvement Proposal 14 (eIP-14).

The code for eIP-14 reveals that it created a function called donateToReserves, which allows the user to transfer tokens from their own balance to a protocol variable called “assetStorage.reserveBalance.” Whenever this function is called, the contract emits a “RequestDonate” event that provides information about the transaction.

Blockchain data shows that this RequestDonate event was emitted for a value of 100 million tokens. This is the exact amount that Etherscan shows were burned, pushing the account into insolvency.

Euler’s RequestDonate event being emitted during the attack. Source: Ethereum blockchain data

In their March 15 analysis, SlowMist agreed with Omniscia about the importance of the donateToReserves function, stating:

“Failure to check whether the user was in a state of liquidation after donating funds to the reserve address resulted in the direct triggering of the soft liquidation mechanism.”

The attacker might have also been able to carry out the attack even if the donate function had not existed. The Euler “EToken.sol” contract code on GitHub contains a standard ERC-20 “transfer” function. This seems to imply that the attacker could have transferred their eTokens to another random user or to the null address instead of donating, pushing themselves into insolvency anyway.

Euler eToken contract transfer function. Source: GitHub

However, the attacker did choose to donate the funds rather than transfer them, suggesting the transfer would not have worked.

Cointelegraph has reached out to Omniscia, SlowMist and the Euler team for clarification on whether the donateToReserves function was essential to the attack. However, it has not received a response by publication time.

Related: Euler team denies on-chain sleuth was a suspect in hack case

The two firms agreed that another major vulnerability in Euler was the steep discounts offered to liquidators. According to SlowMist, when a lending protocol has a “liquidation mechanism that dynamically updates discounts,” it “creates lucrative arbitrage opportunities for attackers to siphon off a large amount of collateral without the need for collateral or debt repayment.” Omniscia made similar observations, stating:

“When the violator liquidates themselves, a percentage-based discount is applied […] guaranteeing that they will be ‘above-water’ and incur only the debt that matches the collateral they will acquire.”

How to prevent a future Euler attack

In its analysis, SlowMist advised developers on how to prevent another Euler-style attack in the future. It argued that lending protocols should not allow users to burn assets if this will cause them to create bad debt, and it claimed that developers should be careful when using multiple modules that may interact with each other in unexpected ways:

“The SlowMist Security Team recommends that lending protocols incorporate necessary health checks in functions that involve user funds, while also considering the security risks that can arise from combining different modules. This will allow for the design of secure economic and viable models that effectively mitigate such attacks in the future.”
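The health check SlowMist recommends can be made concrete with a small ledger model. The following Python block is an added example, not Euler’s code and not from either security firm: it models eTokens and dTokens as plain balances, computes a health score as collateral-adjusted assets divided by debt, and shows a donateToReserves that is run with and without a post-operation health check. Everything in it is an assumption for illustration: a single collateral factor of 0.9 (chosen to match the docs’ mint illustration of depositing 1,000, borrowing 900, then 810, and so on), no interest accrual (so one eToken equals one unit of the underlying), and the account, function and exception names.

```python
"""Simplified eToken/dToken ledger with a health check on balance-reducing
operations. Constructed example; not Euler's contract code."""
from dataclasses import dataclass, field
from fractions import Fraction

# Assumption: each $1 of eToken collateral supports $0.90 of debt. With this
# factor the deposit-borrow-redeposit loop from the docs (1,000 -> 900 -> 810
# -> ...) converges to 9,000 of borrowing, which is what max_mint() returns.
COLLATERAL_FACTOR = Fraction(9, 10)


class HealthCheckFailed(Exception):
    """Raised when an operation would leave an account undercollateralized."""


@dataclass
class Account:
    etokens: Fraction = Fraction(0)  # deposit receipts / minted assets
    dtokens: Fraction = Fraction(0)  # debt


@dataclass
class Ledger:
    enforce_health_checks: bool = True   # False reproduces the unchecked donate
    reserve: Fraction = Fraction(0)
    accounts: dict = field(default_factory=dict)

    def account(self, who: str) -> Account:
        return self.accounts.setdefault(who, Account())

    def health(self, who: str) -> Fraction:
        """Collateral-adjusted assets / debt. Below 1 means the account is insolvent."""
        a = self.account(who)
        if a.dtokens == 0:
            return Fraction(10**9)  # no debt: treat as maximally healthy
        return a.etokens * COLLATERAL_FACTOR / a.dtokens

    def _require_healthy(self, who: str) -> None:
        if self.health(who) < 1:
            raise HealthCheckFailed(f"{who}: health {float(self.health(who)):.3f} < 1")

    def deposit(self, who: str, amount) -> None:
        self.account(who).etokens += Fraction(amount)

    def max_mint(self, who: str) -> Fraction:
        """Largest m with (e + m) * f >= d + m, i.e. m <= (e*f - d) / (1 - f)."""
        a = self.account(who)
        limit = (a.etokens * COLLATERAL_FACTOR - a.dtokens) / (1 - COLLATERAL_FACTOR)
        return max(Fraction(0), limit)

    def mint(self, who: str, amount) -> None:
        """Create eTokens and an equal amount of dTokens; always health-checked."""
        amount = Fraction(amount)
        a = self.account(who)
        a.etokens += amount
        a.dtokens += amount
        try:
            self._require_healthy(who)
        except HealthCheckFailed:
            a.etokens -= amount
            a.dtokens -= amount
            raise

    def donate_to_reserves(self, who: str, amount) -> None:
        """Move eTokens to the protocol reserve without touching the donor's debt."""
        amount = Fraction(amount)
        a = self.account(who)
        if amount > a.etokens:
            raise ValueError("insufficient eTokens")
        a.etokens -= amount
        self.reserve += amount
        if self.enforce_health_checks:       # the missing check, per SlowMist
            try:
                self._require_healthy(who)
            except HealthCheckFailed:
                a.etokens += amount          # roll back the donation
                self.reserve -= amount
                raise


def scenario(enforce: bool) -> dict:
    """Deposit 1,000, mint to the limit, then donate half the collateral away."""
    ledger = Ledger(enforce_health_checks=enforce)
    ledger.deposit("user", 1000)
    ledger.mint("user", ledger.max_mint("user"))   # 9,000 eTokens + 9,000 dTokens
    try:
        ledger.donate_to_reserves("user", 5000)
        rejected = False
    except HealthCheckFailed:
        rejected = True
    a = ledger.account("user")
    return {"rejected": rejected, "etokens": a.etokens,
            "dtokens": a.dtokens, "health": ledger.health("user")}


if __name__ == "__main__":
    for flag in (False, True):
        print("health check", "on " if flag else "off", scenario(flag))
```

With the check disabled the donation goes through and the account ends at a health score of 0.5 with $9,000 of debt against $5,000 of collateral, which is the state a liquidator can then exploit; with the check enabled the same call is rejected and the balances are rolled back. The point is the placement of the check, after the balance change and before the function returns, on every path that reduces an account’s assets.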

A representative from DeFi developer Spool told Cointelegraph that technological risk is an intrinsic feature of the DeFi ecosystem. Although it can’t be eliminated, it can be mitigated through models that properly rate the risks of protocols.

According to Spool’s risk management white paper, it uses a “risk matrix” to determine the riskiness of protocols. This matrix considers factors such as the protocol’s annual percentage yield (APY), audits performed on its contracts, time since its deployment, total value locked (TVL) and others to create a risk rating. Users of Spool can employ this matrix to diversify DeFi investments and limit risks.

The representative told Cointelegraph that Spool’s matrix significantly reduced investor losses from the Euler incident.

“In this incident, the worst affected Smart Vaults, those designed by users to seek higher (and riskier) yields, were only affected for up to 35%. The lowest affected vault with exposure to Euler strategies (via Harvest or Idle), in comparison, was only affected by 6%. Some vaults had zero exposure and were thus not impacted,” they stated.

Spool continued, “While this is not ideal, it clearly demonstrates the ability of the Smart Vaults to provide tailored risk models and to distribute users’ funds among multiple yield sources.”

Cointelegraph got a similar answer from SwissBorg, another DeFi protocol that aims to help users limit risk through diversification. SwissBorg CEO Cyrus Fazel stated that the SwissBorg app has “different yield strategies based on risk/timeAPY.”

Some strategies are listed as “1: core = low,” while others are listed as “2: adventurous = risky.” Because Euler was given a “2” rating, losses from the protocol were limited to only a small portion of SwissBorg’s total value locked, Fazel stated.

SwissBorg head of engineering Nicolas Rémond clarified further that the team employs sophisticated criteria to determine what protocols can be listed in the SwissBorg app.

“We have a due-diligence process for all DeFi platforms before entering any position. And then, once we’re there, we have operation procedures,” he said, adding, “The due diligence is all about TVL, team, audits, open-source code, TVL, oracle manipulation attack, etc. […] The operation procedure is about platform monitoring, social media monitoring and some emergency measures. Some are still manual, but we’re investing to automatize everything so that we can be extremely reactive.”

In a March 13 Twitter thread, the SwissBorg team stated that although the protocol had lost 2.2% of the funds from one pool and 29.52% from another, all users would be compensated by SwissBorg should the funds not be recoverable from Euler.

The Euler attack was the worst DeFi exploit of Q1 2023. Thankfully, the attacker returned most of the funds, and most users should end up with no losses when all is said and done. But the attack raises questions about how developers and users can limit risk as the DeFi ecosystem continues to expand.

Some combination of developer diligence and investor diversification may be the solution to the problem. But regardless, the Euler hack may continue to be discussed well into the future, if for no other reason than its sheer size and illustration of the risks of DeFi exploits.

Euler team denies on-chain sleuth was a suspect in hack case

The investigator claimed to be targeted as a suspect because they maintained a crypto security repo on GitHub.

The pseudonymous Twitter user and blockchain investigator Officer’s Notes believes they may have been a suspect in the $195 million Euler Finance hack. In an April 4 Twitter thread, the security researcher stated, “Seems like I was a suspect in this case, as usual.”

The Euler team has denied that Officer’s Notes was a suspect, claiming instead that the researcher was helpful in the investigation.

Officer’s Notes, also known as Officer_cia, is a security researcher, blogger and auditor, according to their Twitter bio. Their blog posts contain in-depth explanations of crypto security topics. They also maintain the “Crypto Op Sec Self Guard” GitHub repo, which features privacy tools for crypto users.

In their Twitter thread, Officer’s Notes states that the Euler team woke them up “in the middle of the night,” asking for access data logs from the Op Sec repo, including IP addresses of people who have visited it. Officer’s Notes complied with the request after being told that “this data was crucial in the investigation.”

Officer’s Notes expressed remorse for handing out this information, seeing it as a violation of readers’ privacy:

“So if you’ve ever interacted with my repositories, I hope you’ve done it under a VPN. I have no way of knowing what will happen to that data. I’m sorry.”

The blogger stated they might have been seen as a suspect in the Euler hacking case but protested the notion because they were too busy to commit any such crime: 

“Really, if I wanted to hack the protocol, would I be in my third year of blogging and working? Please think about it. I’m glad you like my nickname, but you can’t exaggerate jokes like that.”

Related: Sentiment recovers $870K after negotiations with hacker

In a conversation with Cointelegraph, a representative from Euler stated that Officer’s Notes was never a suspect and that the team later thanked them for their help with the case:

“The investigation reached out to Officer CIA for help at a point when it believed some of his security tools were being used by the attacker to avoid detection. At no point was he believed by anyone at Euler to have played a part in the exploit. He was later thanked for the help he gave, even though he had been inadvertently left off the initial communications list.”

Euler Finance was the victim of a flash loan exploit on March 13. Over $195 million worth of crypto was stolen in the attack. On March 20, the attacker attempted to open negotiations with the Euler team to return the stolen funds. On March 18, they posted an apology letter to the Ethereum network, saying, “I didn’t want to, but I messed with others’ money, others’ jobs, others’ lives. […] I’m sorry.”

Euler exploiter’s publicly posted apology. Source: Ethereum transaction hash.

The attacker returned all of the recoverable funds by April 4.

73.3% of Q1 rug pulls happened on BNB Chain: Immunefi

Rug pulls and other frauds made up a small percentage of losses compared to hacks and exploits, the report stated.

BNB Chain was the king of rug pulls in the first quarter of 2023, with over 73.3% of such scams in the entire crypto ecosystem happening on the network, according to an April 4 report from blockchain security firm Immunefi.

The report, titled “Crypto Losses in Q1 2023,” investigated a variety of crypto hacks and scams in the first quarter of the year. It found that Ethereum and BNB Chain were the two largest targets for hackers and scammers, with 68.8% of total losses from these networks combined. BNB Chain, in particular, made up 41.3% of total losses from hacks and scams.

One type of scam, in particular, reigned supreme on BNB Chain: rug pulls, a type of scam where developers raise funds and then close up shop without delivering a product or service. Immunefi stated that 73.3% of all rug pulls in the crypto ecosystem happened on BNB Chain in the first quarter.

Related: Uniswap launches on BNB Chain ecosystem to drive growth and liquidity

Immunefi tech lead Adrian Hetman speculated that the large number of rug pulls on the chain may be due to a culture that promotes forking open-source code:

“BNB Chain still has a serious issue with developers using forked code. Its community lacks a security-first approach and attracts many users looking for a quick way to earn money. That’s why we continue to see the biggest number of exploits and rug pulls in this ecosystem.”

Despite the prevalence of these scams on BNB Chain, Immunefi also stated that rug pulls and other frauds are a much smaller problem in the crypto community than hacks or exploits. Hacks were the “predominant cause” of losses in Q1 2023, the report said, whereas all frauds combined (including rug pulls and other scams) made up only 4.3% of total losses.

The first quarter of 2023 has seen spectacular hacks and exploits, draining millions of dollars from decentralized finance (DeFi) protocols. On Feb. 1, the DeFi lending app BonqDAO was the victim of an oracle hack, losing $120 million in crypto. On Feb. 17, decentralized exchange aggregator Dexible was hacked for over $2 million. And on March 13, Euler lost over $195 million of crypto in the largest DeFi attack of the quarter.

Gnosis launches Hashi bridge aggregator to help prevent hacks

Bridge protocols LayerZero, Celer, Wormhole, LiFi, and others have already committed to implementing the new protocol.

Gnosis, the team behind Gnosis Safe multi-sig and Gnosis Chain, has launched a hash oracle aggregator for blockchain bridges, according to an announcement from the company. In a conversation with Cointelegraph, Gnosis CEO Martin Köppelmann stated that the new aggregator should make bridges more secure by requiring more than one bridge to validate a withdrawal before it can be confirmed.

Multiple bridge protocols have already committed to integrating with Hashi, including Succinct Labs, DendrETH, ZK Collective, Connext, Celer, LayerZero, Axiom, Wormhole and LI.FI, according to the announcement. 

Over $2 billion was stolen from bridges in 2021 and 2022, according to a report by Token Terminal. Bugs in the code have caused some bridge hacks, whereas others have been caused by the attacker taking over a multi-sig governance wallet.

According to Köppelmann, Hashi can provide the first step towards making these cross-chain transactions more secure throughout the blockchain ecosystem, by requiring withdrawals to be validated by multiple bridges instead of just one:

“Hashi is about essentially creating this aggregator that can use different bridges and basically say they all need to agree to the same message […] If they do, great, then we can be really, really certain that this message is actually real and if they disagree […] Then we know we need to escalate to governance, we need to halt the bridge.”

Köppelmann also emphasized that Hashi helps to prevent multi-sig governance attacks because it allows a protocol to prevent governance from intervening if there is no disagreement between individual bridges.

“Here you can have this nice tradeoff where you say ‘the governance is not allowed to do anything,’ so it cannot interfere with the system unless there is explicitly a conflict or a bug,” he explained. “So as soon as those bridges that are supposed to report on the same thing […] Disagree, well then governance is allowed to interfere, otherwise governance has no role. That’s Hashi.”
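The rule Köppelmann describes, that every configured bridge must report the same message before it is accepted and that any disagreement halts the system and hands control to governance, can be written down as a small state machine. The Python block below is an added example for illustration and is not Hashi’s code: the aggregator class, the bridge names (“bridge_a”, “bridge_b”, “bridge_c”), the chain and block identifiers and the block-header strings are all constructed, and the hashes are SHA-256 digests of those constructed strings.

```python
"""Toy hash-oracle aggregator: a message is confirmed only when every
configured bridge reports the same hash; any disagreement halts the bridge
and enables governance. Constructed example, not Hashi's code."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING = "pending"        # not every configured bridge has reported yet
    CONFIRMED = "confirmed"    # all bridges reported the same hash
    CONFLICT = "conflict"      # bridges disagree: halt and escalate to governance


def header_hash(header: str) -> str:
    """Hash of a block header; here a SHA-256 of a constructed string."""
    return hashlib.sha256(header.encode()).hexdigest()


@dataclass
class HashAggregator:
    bridges: frozenset                 # bridges whose agreement is required
    reports: dict = field(default_factory=dict)  # (chain_id, block) -> {bridge: hash}
    halted: bool = False

    def report(self, bridge: str, chain_id: int, block: int, digest: str) -> Status:
        """Record one bridge's view of (chain_id, block) and return the slot status."""
        if bridge not in self.bridges:
            raise PermissionError(f"{bridge} is not a configured bridge")
        slot = self.reports.setdefault((chain_id, block), {})
        if bridge in slot and slot[bridge] != digest:
            self.halted = True          # a bridge changing its story is a conflict
            return Status.CONFLICT
        slot[bridge] = digest
        return self.status(chain_id, block)

    def status(self, chain_id: int, block: int) -> Status:
        slot = self.reports.get((chain_id, block), {})
        if len(set(slot.values())) > 1:
            self.halted = True          # disagreement: halt and escalate
            return Status.CONFLICT
        if set(slot) != self.bridges:
            return Status.PENDING       # wait for the remaining bridges
        return Status.CONFIRMED

    def agreed_hash(self, chain_id: int, block: int):
        """The accepted hash, or None while pending or once the bridge is halted."""
        if self.halted or self.status(chain_id, block) is not Status.CONFIRMED:
            return None
        return next(iter(self.reports[(chain_id, block)].values()))

    def governance_may_act(self) -> bool:
        """Governance has no role unless the bridges have disagreed."""
        return self.halted


def demo() -> dict:
    """Two slots: one where all bridges agree, one where a bridge deviates."""
    agg = HashAggregator(bridges=frozenset({"bridge_a", "bridge_b", "bridge_c"}))
    good = header_hash("chain1/block100/constructed-header")
    bad = header_hash("chain1/block101/forged-header")
    real = header_hash("chain1/block101/constructed-header")
    out = {}
    for b in ("bridge_a", "bridge_b", "bridge_c"):
        out["slot100"] = agg.report(b, 1, 100, good)
    out["hash100"] = agg.agreed_hash(1, 100)
    out["gov_before"] = agg.governance_may_act()
    agg.report("bridge_a", 1, 101, real)
    out["slot101"] = agg.report("bridge_b", 1, 101, bad)
    out["gov_after"] = agg.governance_may_act()
    out["hash100_after_halt"] = agg.agreed_hash(1, 100)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design choices carry the security argument. The unanimity requirement means a single compromised bridge cannot push a message through on its own, and the `halted` flag is the only thing that turns governance on, so the multi-sig has nothing to sign in normal operation and a stolen governance key is useless until the bridges themselves disagree.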

Related: Uniswap’s BNB deployment should use multiple bridges, claims LIFI CEO

Hashi is open source and available on GitHub.

The idea of a multi-bridge aggregator rose to prominence during the Uniswap bridge debate in December and January. Although Wormhole was ultimately chosen as Uniswap’s bridge provider, representatives from Celer, LiFi and deBridge, as well as other participants, concluded that a multi-bridge aggregation solution needed to be implemented going forward.

A third of US crypto holders have experienced theft: Report

10% of crypto holders surveyed made no attempt at protecting their assets; victimization varied strongly by age.

Cybersecurity services provider Kaspersky has released a report on risks associated with cryptocurrency use. The report titled “Crypto Threats 2023” focused on the United States and uncovered some surprisingly poor user security habits. 

Kaspersky surveyed 2,000 American adults in October 2022 and found that 24% of respondents overall owned cryptocurrency or digital assets. Ownership ranged from 36% in the 25–44 age category to 10% among those aged 55 or older.

A third of the crypto owners surveyed reported having crypto stolen, and an equal portion reported being victims of scams. Identity theft, theft of payment details and loss of account access led the list of scam consequences.

The average value of assets stolen was $97,583. The median figure would be much lower, however, since only 29% of thefts were valued above $10,000, and 39% were valued at $1,000 or less. Here, too, there was a sharp differentiation by age, with 47% of those ages 18–24 reporting thefts of crypto, compared to 8% of those over 55. The report did not specify the average value of crypto holdings.

Related: Beware of fake Arbitrum airdrops, community warns

Lax security might account for many of the losses experienced by respondents. The survey found that crypto owners had last checked on their crypto six weeks earlier and that their accounts had minimal protection:

“27% of users keep their crypto stored in an exchange account with no added protection, while only 34% use multi-factor authentication to protect their account.”

10% of respondents reported making no effort to protect their crypto, and 14% claimed not to store seed phrases or private keys. The report concluded:

“Without any regulation or established common knowledge, people need to take care to protect themselves.”

Kaspersky said in an earlier report that users were becoming more sophisticated in spotting scams and that the use of Bitcoin (BTC) in ransomware attacks would fall as regulation and tracking methods improved. It warned in a previous report that exploitation risks are rising in the metaverse.

‘AI can be defeated with cryptography,’ says Chelsea Manning at SXSW

Cointelegraph sat down with activist and cybersecurity expert Chelsea Manning to discuss how blockchain technology can combat challenges associated with artificial intelligence.

Artificial intelligence (AI) has become a hot topic following the launch of ChatGPT, an AI chatbot created by research company OpenAI. Yet, while ChatGPT has the potential to write blogs and create crypto trading bots, some worry that AI could be harmful.

A survey conducted by sales platform Tidio found that 69% of college graduates believe AI could take their job or make it irrelevant in the coming years. Others have pointed out that the rise of AI will make it increasingly challenging to verify accurate information versus fake news generated by artificial intelligence.

For example, Chelsea Manning — an activist, security consultant for decentralized privacy platform Nym and former army intelligence analyst — told Cointelegraph that information verification would become a fundamental problem as AI is integrated into society. Manning told Cointelegraph about how blockchain technology can help combat AI challenges during an exclusive interview at South by Southwest 2023.

Cointelegraph: Why is the rise of AI concerning, and how can blockchain technology combat these concerns?

Chelsea Manning: The actual teachings of AI have been going on for a long time, yet as surveillance in AI becomes more efficient, it will reduce the effectiveness of virtual private networks and other circuits from protecting user data.

Another danger associated with AI and deep fakes is that these elements will eventually become so convincing that many of these instances will end up in a courtroom setting. For instance, there will be situations in the future where individuals will have to forensically verify to a court if something was generated by AI.

We can use blockchain technology to create a decentralized list of where information is coming from, who is producing it and where it was created. This can then be verified on a distributed ledger to prove that a particular event historically occurred, resulting in less dispute.

For instance, someone could take a photograph and then place that metadata on a ledger for verification. If someone tries to dispute that, they can go to the ledger and view the cryptographic signature for verification to see that a particular event occurred.

CT: Do you think we will see more companies evolve that will use cryptography to combat AI challenges?

CM: Yes — since verification is going to be a fundamental problem that arises between society’s exposure to products or surveillance that leverage AI. One way to challenge this is through cryptography, which is going to be fundamental.

Manning (right) with Cointelegraph reporter Rachel Wolfson at SXSW.

I also believe that a great battle within the technology space over the next decade is going to be this issue of verification and knowing if the information we are receiving is accurate. We are running the very real risk of having our entire reality exposed through our phones or televisions and other places online. Although this is a fundamental way to interact with the world, this information will increasingly not be accurate, yet it will be convincing. I believe there are solutions to these problems, and with some foresight and planning, these doomsday scenarios can be navigated.

CT: You also have strong views on taking an infrastructure approach when it comes to ensuring privacy and security. Can you explain what this means?

CM: One of the most frustrating aspects of developing hardware technology is ensuring that the hardware itself is secure. This is why hardware developers need to focus intensively on supply chain matters — who is developing the technology, who is designing it, etc.

I also believe in the added benefit of an open-source architecture, as these standards are common and universal. I’ve been looking at open-source architectures for designing and developing secure hardware technology for Nym. For example, RISC-V is an open-source architecture developed at the University of California, Berkeley. RISC-V was designed to grow over time as a standard that doesn’t require any intellectual property (IP). Users can build IP based on RISC-V, but the architecture itself is available to anyone without requiring a fee.

CT: What are your thoughts on cryptocurrency?

CM: I was very interested in Bitcoin when the white paper came out, but I didn’t necessarily view tokens as being assets or the value behind blockchain technology. I was quite surprised and struck by how ready people were to view proof-of-work certificates as something that they would buy, sell and speculate on.

This is not necessarily my interest, as I don’t play with speculative assets in general. But from a purely academic sense, I find the technology fascinating. I think cryptocurrency is still a proof-of-concept for what is possible down the line with blockchain technology, but not necessarily ripe and ready to change the world.

CT: Recently, we saw Silicon Valley Bank overtaken by regulators. How do you think this will impact the tech industry as a whole?

CM: This is a seismic event and it goes back to my skepticism of speculative assets in general. This shows that we are still at the whims of the economy, both with traditional banks and with token assets.

The Federal Reserve System and regulators are all interconnected, so it doesn’t surprise me that as inflation has been high, and as the Federal Reserve has tried to curtail the amount of currency flowing, we have seen a number of stressors on more speculative and risky ventures. We are now seeing the effects of that.

But out of every one of these cycles, there has been innovation. If anything, operating in an environment where there is less cash available forces people into a position where they have to innovate more in order to survive. I think this will be an interesting time for the technology industry. It will slow down startups for sure, but I think that existing startups that are able to survive this will be the ones to look out for the most over the next 10 years.

What is ethical hacking, and how does it work?

Ethical hacking is the practice of identifying and testing vulnerabilities in a system to improve its security and prevent unauthorized access.

Ethical hacking, also known as “white hat” hacking, is the process of identifying and exploiting vulnerabilities in a computer system or network in order to assess its security and provide recommendations for improving it. Ethical hacking is done with the permission and knowledge of the organization or individual that owns the system being tested.

Ethical hacking aims to find flaws in a system before malicious hackers can take advantage of them. Ethical hackers use the same tools and methods as malicious hackers, but their objective is to enhance security rather than cause harm.

Here’s how ethical hacking typically works.

Planning and reconnaissance

The ethical hacker investigates the target system or network to gather data that could be used to find weaknesses. This could include information such as IP addresses, domain names, network topology and other pertinent facts.

Scanning

The ethical hacker uses scanning tools to find open ports, running services and other details about the target system that could be used to launch an attack.

Enumeration

The ethical hacker then searches the target system for more specific information that could be used to gain unauthorized access, such as user accounts, network shares and other details.

Vulnerability analysis

The ethical hacker uses both automated tools and manual procedures to find weaknesses in the target system, such as out-of-date software, misconfigured settings or weak passwords.

Exploitation

Once vulnerabilities are found, the ethical hacker attempts to exploit them in order to demonstrate that unauthorized access to the target system or network is possible.

Reporting

Finally, the ethical hacker documents the flaws that were found and offers recommendations for enhancing security. The company or individual then uses this report to fix the security flaws in the system or network and improve overall security.

For businesses and individuals that want to guarantee the security of their computer networks and systems, ethical hacking can be a useful tool. Ethical hackers can aid in the prevention of data breaches and other security problems by finding vulnerabilities before they can be exploited by criminal hackers.

Can blockchains be hacked?

While the technology behind blockchains is designed to be secure, there are still several ways that attackers can exploit vulnerabilities in the system and compromise the integrity of the blockchain. Here are some ways in which blockchains can be hacked:

  • 51% attack: A 51% attack is one in which a single attacker controls a majority (more than half) of the blockchain network’s mining or validating power. With that majority, the attacker may be able to reverse recent transactions and rewrite the blockchain, allowing the same funds to be spent twice.
  • Smart contract exploits: If a smart contract has a vulnerability, an attacker can exploit that vulnerability to steal cryptocurrency or manipulate the blockchain.
  • Malware: On the blockchain network, malware can be deployed to jeopardize the security of specific users. The private keys required to access a user’s cryptocurrency wallet, for instance, could be taken by an attacker using malware.
  • Distributed denial of service (DDoS) attack: DDoS is a type of cyberattack where multiple compromised systems are used to flood a targeted website or network with traffic, making it inaccessible to users. A DDoS attack can be used to flood the blockchain network with traffic, effectively bringing it to a complete halt.
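To make the 51% attack concrete, here is an added example (not code from the original article) that implements the double-spend success calculation from section 11 of the Bitcoin whitepaper: the probability that an attacker holding fraction q of the hashpower eventually overtakes the honest chain after a recipient has waited z confirmations. Below 50% the probability falls off exponentially with z, which is why waiting for confirmations is the standard mitigation; at 50% or more it is 1, which is exactly the 51% attack. Function names and the example figures are my own.

```python
import math


def _poisson_pmf(k: int, lam: float) -> float:
    """P(X = k) for X ~ Poisson(lam), computed in log space so large z
    does not overflow lam ** k or math.factorial(k)."""
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hashpower fraction q eventually
    catches up with the honest chain after the victim has waited z
    confirmations (Nakamoto, 2008, section 11)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hashpower")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        # Majority attacker: the race is a random walk biased in the
        # attacker's favour, so catching up is certain. This is the 51% case.
        return 1.0
    lam = z * q / p  # expected attacker blocks while honest miners find z
    caught_up = 0.0
    for k in range(z + 1):
        # attacker already mined k blocks, then must close a gap of z - k
        caught_up += _poisson_pmf(k, lam) * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up


def confirmations_for(q: float, max_risk: float, limit: int = 10_000) -> int:
    """Smallest number of confirmations that pushes the attacker's success
    probability below max_risk. Impossible against a majority attacker."""
    if q >= 0.5:
        raise ValueError("no number of confirmations defends against >= 50% hashpower")
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    raise ValueError(f"risk not reached within {limit} confirmations")


if __name__ == "__main__":
    # Constructed illustration: a 30% attacker versus a 51% attacker.
    for q in (0.1, 0.3, 0.51):
        row = [f"{attacker_success_probability(q, z):.4f}" for z in (0, 1, 3, 6, 10)]
        print(f"q={q:.2f}  P(success) at z=0,1,3,6,10: {row}")
    print("confirmations for <0.1% risk at q=0.3:", confirmations_for(0.3, 0.001))
```

The values for q = 0.1 and q = 0.3 reproduce the whitepaper's tables; the q = 0.51 row shows why no confirmation depth helps once an attacker holds a majority.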

Related: What is cryptojacking? A beginner’s guide to crypto mining malware

Therefore, it is important to remain vigilant and take steps to ensure the security of your blockchain-based applications and platforms.

The role of ethical hacking in blockchain security

Blockchain-based ethical hacking is a new field that concentrates on finding weaknesses and potential attacks in blockchain-based systems. Due to its security and decentralization, blockchain technology has grown in popularity, but it is not impervious to security risks. The security of blockchain systems can be tested by ethical hackers using a variety of techniques to find any potential weaknesses.

Here are some ways ethical hacking can be used in blockchain:

  • Smart contract auditing: Smart contracts are self-executing contracts in which the terms of the agreement between buyer and seller are written directly into lines of code. Ethical hackers can audit smart contracts to find any defects or weaknesses that might be exploited.
  • Network penetration testing: Ethical hackers can carry out network penetration testing to find potential holes in the blockchain network. They can use tools such as Nessus and OpenVAS to find nodes with known vulnerabilities, scan the network for common attacks and spot any possible weak points.
  • Consensus mechanism analysis: The consensus mechanism is a fundamental aspect of blockchain technology. The consensus mechanism can be examined by ethical hackers to find any weaknesses in the algorithm that might be exploited.
  • Privacy and security testing: Blockchain systems are intended to be private and safe, but they are not totally impervious to attacks. The privacy and security of the blockchain system can be tested by ethical hackers to find any potential weak points.
  • Cryptography analysis: Blockchain technology is strongly dependent on cryptography. The blockchain system’s cryptographic protocols can be examined by ethical hackers to find any flaws in the implementation of algorithms.

Related: What is a smart contract security audit? A beginner’s guide

Overall, ethical hacking can be a valuable tool in identifying and addressing security threats in blockchain systems. By identifying vulnerabilities and providing recommendations for improving security, ethical hackers can help ensure the security and integrity of blockchain-based applications and platforms.