Security

FBI issues alert over cybercriminal exploits targeting DeFi

Smart contracts governing DeFi platforms identified as a particular cause for concern for the enforcement agency.

The United States Federal Bureau of Investigation (FBI) has issued a fresh warning for investors in decentralized finance (DeFi) platforms, which have been targeted with $1.6 billion in exploits in 2022. 

In a Tuesday public service announcement on the FBI’s Internet Crime Complaint Center, the agency said the exploits have caused investors to lose money — advising investors to conduct diligent research about DeFi platforms before using them while also urging platforms to improve monitoring and conduct rigorous code testing.

The law enforcement agency warned that cybercriminals are out in force to take advantage of “investors’ increased interest in cryptocurrencies,” and “the complexity of cross-chain functionality and open source nature of Defi platforms.”

The FBI observed cybercriminals exploiting vulnerabilities in smart contracts that govern DeFi platforms in order to steal investors’ cryptocurrency. 

In a specific example, the FBI mentioned cases where hackers used a “signature verification vulnerability” to plunder $321 million from the Wormhole token bridge back in February. It also mentioned a flash loan attack that was used to trigger an exploit in the Solana DeFi protocol Nirvana in July. 

However, that’s just a drop in a vast ocean. According to an analysis from blockchain security firm CertiK, since the start of the year, over $1.6 billion has been exploited from the DeFi space, surpassing the total amount stolen in 2020 and 2021 combined.

FBI recommends due diligence, testing

While the FBI admitted that “all investment involves some risk,” the agency has recommended that investors research DeFi platforms extensively before use and, when in doubt, seek advice from a licensed financial adviser.

The agency said it was also very important that the platform’s protocols are sound and to ensure they have had one or more code audits performed by independent auditors.

Typically, a code audit involves a review of the platform’s underlying code to identify vulnerabilities or weaknesses that could be exploited.

According to the FBI, any DeFi investment pools with an “extremely limited timeframe to join” or “rapid deployment of smart contracts” should also be approached with extreme caution, especially if they have not conducted a code audit.

Crowdsourced solutions, generating ideas or content by soliciting contributions from a large group of people, were also flagged by the law enforcement agency:

“Open source code repositories allow unfettered access to all individuals, to include those with nefarious intentions.”

The FBI said DeFi platforms can also do their part to increase security by testing their code regularly to identify vulnerabilities, along with real-time analytics and monitoring.

An incident response plan and informing users about possible platform vulnerabilities, hacks, exploits or other suspicious activity are also among the recommendations.

However, failing all that, the FBI urges American investors targeted by hackers to contact them through the Internet Crime Complaint Center or their local FBI field office.

Earlier this year, U.S. Deputy Attorney General Lisa Monaco announced the FBI was stepping up its efforts to address crime in the digital asset space with the formation of the Virtual Asset Exploitation Unit.

The specialized team is dedicated to cryptocurrency and includes experts to help with blockchain analysis as part of a shift in focus toward disruption of international criminal networks, rather than just their prosecution.

Ripple CEO comments on Crypto Leaks, denies funding law firm to target others

Kyle Roche allegedly approached Ripple’s CEO to invest in a law firm that would target competitor firms with lawsuits like those Ripple was facing in the United States.

Ripple CEO Brad Garlinghouse took to Twitter to deny recent explosive claims made by Crypto Leaks, an online publication focusing on corruption and fraud-related news in the crypto ecosystem.

Crypto Leaks published a report on Friday containing a series of short videos from an unknown source. The report claimed that Ava Labs formed a secret pact with the law firm to use the American legal system “gangster style” to “attack and harm crypto organizations.”

The same report also alleged that Ripple CEO Brad Garlinghouse funded a law firm to target competitor firms. The report claimed Roche, who founded Roche Freedman, was working with Boies Schiller Flexner, a firm that was representing Ripple in its lawsuit against the United States Securities and Exchange Commission (SEC).

Roche allegedly approached Garlinghouse to invest in a law firm that would target competitor crypto firms with lawsuits quite similar to what Ripple was facing at the time. And Kyle claimed that Garlinghouse agreed to his proposal.

“For whatever reasons Brad Garlinghouse invested in Kyle Roche and supported him on his current path, it certainly didn’t save him from the SEC.”

The Ripple CEO took to Twitter to deny any such allegations and claimed that he has “never met or spoken to (much less invested in) Kyle Roche.”

Crypto Leaks’ recent slew of allegations against Ava Labs and Brad Garlinghouse created quite a buzz in the crypto industry, as the CEOs of both firms have denied any allegiance to Kyle Roche and his law firm.

Ripple and the XRP community were quick to come to the defense of the company’s CEO, with one user pointing toward the flaw in the argument put forward by Crypto Leaks. The user wrote that the claims were based on Kyle’s comments, which were later presented as facts without proof.

While Garlinghouse denied investing in a law firm that targets competitors, Ripple’s co-founder and executive chairman Chris Larsen was infamously involved in the campaign to change the code of Bitcoin.

Binance gives security assurances in Philippine senate banking committee hearing

Binance is seeking licensing to establish a presence in the Philippines ahead of a moratorium and providing educational resources for future traders and blockchain developers.

Binance representatives participated in a hearing of the Philippine Senate Banking Committee, according to a report in the local press Wednesday. Bangko Sentral ng Pilipinas deputy governor Chuchi Fonacier, the country’s Securities and Exchange Commission (SEC) chair Emilio Aquino, and members of FinTech Alliance Philippines and the Cagayan Economic Zone Authority also took part in that hearing.

The hearing was devoted to fintech innovation and consumer protection, according to the report. Fonacier discussed a sandbox approach to regulation, and Aquino talked about digital asset security. Binance was represented by APAC director Leon Foong and Philippines general manager Kenneth Stern, who told the hearing about the exchange’s security and Know Your Customer process. Stern said at the hearing:

“78% of Filipinos remain unbanked, but crypto can help decrease that number as crypto asset holders will soon surpass the number of credit card holders in the country.”

Binance said that it is also sponsoring a training program for new cryptocurrency traders in the Philippines this month, and is in talks with local universities on providing courses and certification in blockchain technology.

The Philippines has had an ambiguous relationship with crypto and Binance in particular, despite its rapidly growing economy and the popularity of cryptocurrency in the country. Binance has long been looking to set up services in the country but faced opposition from a local think tank that was later dismissed by the authorities.

Nonetheless, the Philippine SEC released a letter on Aug. 2 cautioning the public against investing with Binance. The country’s central bank will impose a three-year moratorium on virtual asset service provider applications beginning Sept. 1, citing “risks that may undermine financial stability.” Binance CEO Changpeng Zhao stated in June that the company would pursue VASP licensing in the country.

The Philippine central bank has stated that it is also exploring the issuance of a wholesale central bank digital currency.

Plaintiff in Coinbase lawsuit raises issues of account lockouts, crypto as a security

A Coinbase user claimed the crypto exchange “boldly flouts federal and state laws” by not completing the proper registration as a securities exchange in the United States.

One user has filed a class-action lawsuit against crypto exchange Coinbase on behalf of account and wallet holders “who have had their accounts breached and incurred losses arising from the unauthorized transfer of assets.”

In an Aug. 15 filing in the U.S. district court for the Northern District of Georgia, plaintiff George Kattula requested a jury trial against Coinbase, claiming the crypto exchange did not employ practices aimed at keeping users’ accounts secure and had “improperly and unreasonably” locked clients out of their accounts during periods of peak volatility in the crypto market. In addition, Kattula alleged that Coinbase should be registered as a broker or dealer in the United States as the platform handles the transfer of securities — in this case, cryptocurrencies.

“Coinbase does not disclose that the crypto assets on its platform are securities,” said the lawsuit. “Indeed, Coinbase boldly flouts federal and state laws by proclaiming it does not need a registration statement for those securities and by refusing to register as a securities exchange or as a broker-dealer.”

The filing added:

“Crypto assets resemble traditional securities because they represent an investment in a project that is to be undertaken with the funds raised through the sale of the crypto (whether it be a “token,” “stablecoin,” or cryptocurrency). Investors purchase crypto with the hope that the crypto’s value will appreciate as the issuer creates some use that gives the crypto value.”

Coinbase has gone offline many times during periods of extreme volatility in the crypto market, prompting some users to take legal action. In March 2022, a class-action lawsuit filed in the Southern District Court of New York also claimed the crypto exchange was operating as an unregistered securities exchange, listing 79 different cryptocurrencies as securities falling under the regulatory umbrella of the Securities and Exchange Commission.

SEC chair Gary Gensler has said many times that “most” offerings from token projects fall under the agency’s regulatory purview as securities and should be registered accordingly. In July, the SEC announced charges against a former Coinbase product manager, his brother and an associate related to insider trading, claiming at least nine of the 25 cryptocurrencies the trio allegedly used were securities.

In an interview with Cointelegraph released on Tuesday, former director of the Consumer Financial Protection Bureau Kathy Kraninger said that regulatory clarity in the crypto space could come down to case law. The legal team of a former OpenSea employee also accused of insider trading alleged in a Friday filing that prosecutors only filed charges in an attempt to set a legal precedent that nonfungible tokens were securities.

Ethereum advances with standards for smart contract security audits

The Enterprise Ethereum Alliance has published a smart contract security audit specification to ensure consistency when it comes to smart contract security.

The Ethereum ecosystem continues to witness a flurry of activity that has individuals and organizations deploying token contracts, adding liquidity to pools and deploying smart contracts to support a wide range of business models. While notable, this growth has also been riddled with security exploits, leaving decentralized finance (DeFi) protocols vulnerable to hacks and scams. 

For instance, recent findings from crypto intelligence firm Chainalysis show that crypto-related hacks have increased by 58.3% from the beginning of the year through July 2022. The report further notes that $1.9 billion has been lost to hacks during this timeframe — a figure that doesn’t include the $190 million Nomad bridge hack that occurred on August 1, 2022.

Although open source code may be beneficial for the blockchain industry, it can unfortunately easily be studied by cybercriminals looking for exploits. Security audits for smart contracts aim to solve these challenges, yet this procedure lacks industry standards, thus creating complexity.

An industry standard to ensure smart contract security 

Chris Cordi, chair of the EthTrust Security Levels Working Group at the Enterprise Ethereum Alliance (EEA), told Cointelegraph that as the Ethereum blockchain industry grows, so does the need for a mature framework to assess the security of smart contracts. 

In order to address this, Cordi, along with several EEA member representatives with auditing and security expertise, helped establish the EthTrust Security Levels Working Group in November 2020. The organization has since been working on a draft document of a smart contract specification, or industry standard, aimed at improving the security behind smart contracts.

Most recently, the working group announced the publication of the EthTrust Security Levels Specification v1. Chaals Nevile, technical program director of the EEA, told Cointelegraph that this specification describes smart contract vulnerabilities that a proper security audit requires as a minimum measure of quality:

“It is relevant to all EVM-based smart-contract platforms where developers use Solidity as a coding language. In a recent analysis by Splunk, this is well over 3/4 of mainnet contracts. But, there are also private networks and projects that are based on the Ethereum technology stack but running on their own chain. This specification is as useful to them as it is for mainnet users in helping to secure their work.”

From a technical perspective, Nevile explained that the new specification outlines three levels of tests that organizations should consider when conducting smart contract security audits.

“Level [S] is designed so that for most cases, where common features of Solidity are used following well-known patterns, tested code can be certified by an automated ‘static analysis’ tool,” he said.

He added that the Level [M] test mandates a stricter static analysis, noting that this includes requirements where a human auditor is expected to determine whether the use of a feature is necessary or whether a claim about the security properties of code is justified.

Nevile further explained that the Level [Q] test provides an analysis of the business logic the tested code implements. “This is to ensure that the code does not exhibit known security vulnerabilities, while also making sure it correctly implements what it claims,” he said. There is also an optional “recommended good practices” test that can help enhance the security behind smart contracts. Nevile said:

“Using the latest compiler is one of the ‘recommended good practices.’ It’s a pretty straightforward one in most cases, but there are a lot of reasons why a contract might not have been deployed with the latest version. Other good practices include reporting new vulnerabilities so they can be addressed in an update to the spec and writing clean easy-to-read code.”

Overall, there are 107 requirements within the entire specification. According to Nevile, about 50 of these are Level [S] requirements that arise from bugs in Solidity compilers.

Will an industry standard help organizations and developers? 

Nevile pointed out that the EthTrust Security Levels Specification ultimately aims to help auditors demonstrate to customers that they are operating at an industry-appropriate level. “Auditors can point to this industry standard to establish basic credibility,” he said. 

Shedding light on this, Ronghui Gu, CEO and co-founder of blockchain security firm CertiK, told Cointelegraph that having standards like these helps ensure expected processes and guidelines. However, he noted that such standards are not by any means a “rubber stamp” to indicate that a smart contract is entirely secure:

“It’s important to understand that not all smart contract auditors are equal. Smart contract auditing starts with understanding and experience of the specific ecosystem that a smart contract is being audited for, and the technology stack and code language being used. Not all code or chains are equal. Experience is important here for coverage and findings.”

Given this, Gu believes that companies wanting to have their smart contracts audited should look beyond the certification an auditor claims to have and take into account the quality, scale and reputation of the auditor. Because these standards are guidelines, Gu remarked that he thinks this specification is a good starting point. 

From a developer’s perspective, these specifications may prove to be extremely beneficial. Mark Beylin, co-founder of Myco — an emerging blockchain-based social network — told Cointelegraph that these standards will be incredibly valuable to help smart contract developers better understand what to expect from a security audit. He said:

“Currently, there are many scattered resources for smart contract security, but there isn’t a specific rulebook that auditors will follow when assessing a project’s security. Using this specification, both security auditors and their clients can be on the same page for what kind of security requirements will be checked.”

Michael Lewellen, a developer and contributor to the specification, further told Cointelegraph that these specifications help by providing a checklist of known security issues to check against. “Many Solidity developers have not received recent formal education or training in the security aspects of Solidity development, but security is still expected. Having specs like this makes it easier to figure out how to write code more securely,” he said.

Lewellen also noted that most of the specification requirements are written in a straightforward manner, making it easy for developers to understand. However, he commented that it’s not always clear why a requirement is included. “Some have links to external documentation of a vulnerability, but some do not. It would be easier for developers to understand if they had clearer examples of what compliant and noncompliant code might look like.”

The evolution of smart contract security standards 

All things considered, the Security Levels Specification is helping to advance the Ethereum ecosystem by establishing guidelines for smart contract audits. Yet, Nevile noted that the most challenging aspect moving forward is anticipating how an exploit could occur. He said:

“This specification doesn’t solve those challenges completely. What the spec does do, though, is identify certain steps, like documenting the architecture and the business logic behind contracts, that are important to enabling a thorough security audit.”

Gu also thinks that different chains will start to develop similar standards as Web3 advances. For instance, some developers within the Ethereum industry are coming up with their own smart contract requirements to help others. For example, Samuel Cardillo, chief technology officer at RTFKT, recently tweeted that he has created a system for developers to publicly rate smart contracts based on good and bad elements in terms of development.

Although all of this is a step in the right direction, Gu pointed out that standards take time to be widely adopted. Moreover, Nevile explained that security is never static. As such, he explained that it’s possible for individuals to send questions to the working group who wrote the specification. “We will take that feedback, as well as look at what the discussions are in the broader public space because we expect to update the specification,” Nevile said. He added that a new version of the specification will be produced within six to eighteen months. 

Organizations look toward multiparty computation to advance Web3

Multiparty computation is being leveraged to ensure private key security and decentralization within Web3 platforms. But why use it?

Protecting user data and private keys is crucial as Web3 advances. Yet, the number of hacks that have occurred within the Web3 space in 2022 alone has been monumental, proving that additional security measures, along with greater forms of decentralization, are still required.

As this becomes obvious, a number of organizations have started leveraging multiparty computation, or MPC, to ensure privacy and confidentiality for Web3 platforms. MPC is a cryptographic protocol that utilizes an algorithm across multiple parties. Andrew Masanto, co-founder of Nillion — a Web3 startup specializing in decentralized computation — told Cointelegraph that MPC is unique because no individual party can see the other parties’ data, yet the parties are able to jointly compute an output: “It basically allows multiple parties to run computations without sharing any data.”

Masanto added that MPC has a history that runs parallel to blockchain. “Around the same time that blockchain was conceptualized, a sibling technology purpose-built for processing and computation within a trustless environment was being developed, which is multiparty computation,” he said. It has also been noted that the theory behind MPC was conceived in the early 1980s. Yet, given the complexity of this cryptographic method, practical uses of MPC were delayed.

Understanding how MPC will transform Web3

It was only recently that blockchain-based platforms began to implement MPC to ensure data confidentiality without revealing sensitive information. Vinson Lee Leow, chief ecosystem officer at Partisia Blockchain — a Web3 infrastructure platform focused on security — told Cointelegraph that MPC is a perfect ideological match for the blockchain economy.

Unlike public blockchain networks, he noted that MPC solves for confidentiality through a network of nodes that computes directly on encrypted data with zero knowledge about the information. Given this, companies focused on digital asset security began leveraging MPC in 2020 to ensure the security of users’ private keys. Yet, as Web3 develops, more companies are starting to implement MPC to create a greater level of decentralized privacy for various use cases. Masanto added:

“The evolution of Web2 to Web3 focuses on creating methods where people and organizations can collaboratively work on different data sets in a manner that respects privacy and confidentiality while maintaining compliance. Blockchains are not purpose-designed for this because they are typically inherently public, and smart contracts are often run by one node and then confirmed by others. MPC breaks down the computation across the network of nodes, making it a truly decentralized form of computation.”

The promise of MPC has since piqued the interest of Coinbase, which recently announced its Web3 application functionality. Coinbase’s new wallet and DApp functionalities are operated with MPC in order to secure the privacy of senders and receivers while ensuring the accuracy of a transaction.

Rishi Dean, director of product management at Coinbase, explained in a blog post that MPC allows users to have a dedicated, secure on-chain wallet. “This is due to the way this wallet is set up, which allows the ‘key’ to be split between you and Coinbase,” he wrote. Dean added that this provides a greater level of security for users, noting that if they lose access to their device, a DApp wallet is still safe since Coinbase can assist in the recovery.

While Coinbase released this feature in early May 2022, crypto wallet provider ZenGo was equipped with MPC from the company’s inception in 2018. Talking with Cointelegraph, Tal Be’ery, co-founder and chief technology officer of ZenGo, said that the wallet applies MPC for distributed key generation and signing, also known as a threshold signature scheme (TSS). He explained that the key is broken up into two “secret shares” split between the user and the company server.

According to Be’ery, this specific type of MPC architecture allows a user to sign an on-chain transaction in a completely distributed manner. More importantly, Be’ery added that both secret shares are never joined. “They are created in different places, and used in different places, but are never in the same place,” he explained. As such, he noted that this model remains true to the original MPC promise: “It jointly computes a function (the function, in this case, is key generation or signing) over their inputs (key shares), while keeping those inputs private (the user’s key share is not revealed to the server and vice versa).”

Be’ery believes that using MPC for signatures is complementary to blockchain technology, since a private key is also required to interact with blockchain networks. However, the TSS method leveraged by ZenGo allows users to distribute their private key, adding an additional layer of security. To put this in perspective, Be’ery explained that private keys for noncustodial wallet solutions are typically burdened by an inherent tension between confidentiality and recoverability:

“Because a private key is the only way to access the blockchain in traditional wallets, it also represents a singular point of failure. From a security perspective, the goal is to keep this private key in as few places as possible to prevent it from getting in others’ hands. But from a recoverability perspective, the goal is to keep the private key as accessible as needed, in case there is a need to recover access.”

However, this tradeoff is not an issue for most MPC-powered systems, as Be’ery noted that this is one of the main challenges MPC solves for crypto wallet providers. Moreover, as Web3 develops, other multiparty computation use cases are coming to fruition. For example, Oasis Labs — a privacy-focused cloud computing platform built on the Oasis network — recently announced a partnership with Meta to use secure multiparty computation to safeguard user information when Instagram surveys asking for personal information are initiated. Vishwanath Raman, head of enterprise solutions at Oasis Labs, told Cointelegraph that MPC creates unlimited possibilities for privately sharing data between parties: “Both parties gain mutually beneficial insights from that data, providing a solution to the growing debate around privacy and information collection.”

Specifically speaking, Raman explained that Oasis Labs designed an MPC protocol together with Meta and academic partners to ensure that sensitive data is split into secret shares. He noted that these are then distributed to university participants that compute fairness measurements, ensuring that secret shares are not used to “learn” sensitive demographic data from individuals. Raman added that homomorphic encryption is used to allow Meta to share its prediction data while ensuring that no other participants can uncover these predictions to associate them with individuals:

“We can say with confidence that our design and implementation of the secure multiparty computation protocol for fairness measurement is 100% privacy-preserving for all parties.”
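
A simplified sketch of the secret-sharing idea described above, added here as an example; it is not the Oasis Labs or Meta protocol. It assumes three honest-but-curious compute parties, constructed survey records and group names, and plain additive sharing modulo a prime, and it leaves out the homomorphic-encryption step.

```python
"""Additive secret sharing: compute parties aggregate per-group statistics
without any single party seeing an individual's group or outcome.
All names and records below are constructed for illustration."""
import secrets

P = 2**61 - 1          # prime modulus; every share is a value mod P
GROUPS = ["A", "B"]    # constructed demographic groups


def share(value, n=3):
    """Split value into n random-looking shares that sum to value mod P."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % P)
    return parts


def encode(group, outcome):
    """Encode one record as [count per group..., positives per group...]."""
    g = GROUPS.index(group)
    vec = [0] * (2 * len(GROUPS))
    vec[g] = 1
    vec[len(GROUPS) + g] = outcome
    return vec


class ComputeParty:
    """Receives one share of every record and only ever adds shares up."""

    def __init__(self):
        self.acc = [0] * (2 * len(GROUPS))

    def receive(self, share_vec):
        self.acc = [(a + s) % P for a, s in zip(self.acc, share_vec)]

    def publish(self):
        # Only the running totals leave the party, never per-record shares.
        return list(self.acc)


def submit(record, parties):
    """Client side: share each element and send one share to each party."""
    per_element = [share(v, len(parties)) for v in encode(*record)]
    for i, party in enumerate(parties):
        party.receive([elem[i] for elem in per_element])


def aggregate(parties):
    """Combine the published totals; reveals only per-group aggregates."""
    published = [p.publish() for p in parties]
    totals = [sum(col) % P for col in zip(*published)]
    n = len(GROUPS)
    return {g: (totals[i], totals[n + i]) for i, g in enumerate(GROUPS)}


def run_demo():
    # Constructed records: (group, positive outcome bit)
    records = [("A", 1), ("A", 0), ("A", 1), ("A", 1),
               ("B", 0), ("B", 1), ("B", 0), ("B", 0)]
    parties = [ComputeParty() for _ in range(3)]
    for record in records:
        submit(record, parties)
    stats = aggregate(parties)
    rates = {g: pos / cnt for g, (cnt, pos) in stats.items()}
    gap = abs(rates["A"] - rates["B"])   # difference in positive rates
    return stats, rates, gap, parties


if __name__ == "__main__":
    stats, rates, gap, parties = run_demo()
    print("one party's view:", parties[0].publish())
    print("joint result:", stats, rates, "gap =", gap)
```

Each party's accumulator is uniformly random on its own; the per-group totals appear only when all three published vectors are added together.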

MPC will reign supreme as Web3 advances

Unsurprisingly, industry participants predict that MPC will be leveraged more as Web3 advances. Raman believes that this will be the case, yet he pointed out that it will be critical for companies to identify logical combinations of technologies to solve real-world problems that guarantee data privacy:

“These protocols and the underlying cryptographic building blocks require expertise that is not widely available. This makes it difficult to have large development teams designing and implementing secure multiparty-computation-based solutions.”

It’s also important to highlight that MPC solutions are not entirely foolproof. “Everything is hackable,” admitted Be’ery. However, he emphasized that distributing a private key into multiple shares removes the singular attack vector that has been a clear vulnerability for traditional private key wallet providers. “Instead of getting access to a seed phrase or private key, in an MPC-based system, the hacker would need to hack multiple parties, each of which has different types of security mechanisms applied.”

While this may be, Lior Lamesh, CEO and co-founder of GK8 — a digital asset custody solution provider for institutions — told Cointelegraph that MPC is not sufficient by itself to protect institutions against professional hackers. According to Lamesh, hackers simply need to compromise three internet-connected computers to outsmart MPC systems. “This is like hacking three standard hot wallets. Hackers will invest millions when it comes to stealing billions,” he said. Lamesh believes that an MPC enterprise-grade approach requires a true offline cold wallet to manage most digital assets, while an MPC solution can manage small amounts.

Masanto further claimed that traditional MPC solutions may be superior to a solution that “stores sensitive data across many different nodes in the network as a group of unrecognizable, information-theoretic security particles.” As a result, hackers would need to find each particle without any identifiable footprint connecting any of the nodes. Masanto added that to make the particle recognizable again, the hacker would need a large proportion of “blinding factors,” which are used to hide the data inside each particle in an information-theoretic security manner.

Those are just some examples of how MPC-based solutions will advance in the future. According to Masanto, this will create access to even more MPC use cases, for example, utilizing the network itself for authentication:

“We consider this a form of ‘super authentication’ — a user will authenticate based on multiple factors (e.g., biometrics, identity, password, etc.) to a network without any of the nodes in the network knowing what they are actually authenticating because the computation of authentication is part of MPC.”

According to Masanto, such a form of authentication will lead to use cases within identity management, healthcare, financial services, government services, defense and law enforcement. “MPC enables systems to be made interoperable while also respecting people’s rights and giving them control and visibility over their data and how it is used. This is the future.”

Cross-chains in the crosshairs: Hacks call for better defense mechanisms

Cryptocurrency security firms, decentralized finance and cross-chain platforms are stressing the importance of improved defense mechanisms after a spate of hacks and exploits targeting the ecosystem.

2022 has been a lucrative year for hackers preying on the nascent Web3 and decentralized finance (DeFi) spaces, with more than $2 billion worth of cryptocurrency fleeced in several high-profile hacks to date. Cross-chain protocols have been particularly hard hit, with Axie Infinity’s $650 million Ronin Bridge hack accounting for a significant portion of stolen funds this year.

The pillaging continued into the second half of 2022 as cross-chain platform Nomad saw $190 million drained from wallets. The Solana ecosystem was the next target, with hackers gaining access to the private keys of some 8000 wallets that resulted in $5 million worth of Solana (SOL) and Solana Program Library (SPL) tokens being pilfered.

deBridge Finance managed to sidestep an attempted phishing attack on Monday, Aug. 8, unpacking the methods used by what the firm suspects is a wide-ranging attack vector used by North Korean Lazarus Group hackers. Just a few days later, Curve Finance suffered an exploit that saw hackers reroute users to a counterfeit webpage that resulted in the theft of $600,000 worth of USD Coin (USDC).

Multiple points of failure

The team at deBridge Finance offered some pertinent insights into the prevalence of these attacks in correspondence with Cointelegraph, given that a number of their team members previously worked for a prominent anti-virus company.

Co-founder Alex Smirnov highlighted the driving factor behind the targeting of cross-chain protocols, given their role as liquidity aggregators that fulfill cross-chain value transfer requests. Most of these protocols look to aggregate as much liquidity as possible through liquidity mining and other incentives, which has inevitably become a honey-pot for nefarious actors:

“By locking a large amount of liquidity and inadvertently providing a diverse set of available attack methods, bridges are making themselves a target for hackers.”

Smirnov added that bridging protocols are middleware that relies on the security models of all the supported blockchains from which they aggregate, which drastically increases the potential attack surface. This also makes it possible to perform an attack in one chain to draw liquidity from others.

Smirnov added that the Web3 and cross-chain space is in a period of nascence, with an iterative process of development seeing teams learn from others’ mistakes. Drawing parallels to the first two years in the DeFi space where exploits were rife, the deBridge co-founder conceded that this was a natural teething process:

“The cross-chain space is extremely young even within the context of Web3, so we’re seeing this same process play out. Cross-chain has tremendous potential and it is inevitable that more capital flows in, and hackers allocate more time and resources to finding attack vectors.”

The Curve Finance DNS hijacking incident also illustrates the variety of attack methods available to nefarious actors. Bitfinex chief technology officer Paolo Ardoino told Cointelegraph the industry needs to be on guard against all security threats:

“This attack demonstrates once again that the ingenuity of hackers presents a near and ever-present danger to our industry. The fact that a hacker is able to change the DNS entry for the protocol, forwarding users to a fake clone and approving a malicious contract says a lot for the vigilance that must be exercised.”

Stemming the tide

With exploits becoming rife, projects will no doubt be considering ways to mitigate these risks. The answer is far from clear-cut, given the array of avenues attackers have at their disposal. Smirnov likes to use a “swiss cheese model” when conceptualizing the security of bridging protocols, in which the only way to execute an attack is if a number of “holes” momentarily line up.

“In order to make the level of risk negligible, the size of the hole on each layer should be aimed to be as minimal as possible, and the number of layers should be maximized.”

Again this is a complicated task, given the moving parts involved in cross-chain platforms. Building reliable multilevel security models requires understanding the diversity of risks associated with cross-chain protocols and the risks of supported chains.

The chief threats include vulnerabilities with the consensus algorithm and codebase of supported chains, 51% attacks and blockchain reorganizations. Risks to the validation layers could include the collusion of validators and compromised infrastructure.

Software development risks are another consideration, with vulnerabilities or bugs in smart contracts and bridge validation nodes being key areas of concern. Lastly, deBridge notes protocol management risks such as compromised protocol authority keys as another security consideration.

“All these risks are quickly compounded. Projects should take a multi-faceted approach, and in addition to security audits and bug bounty campaigns, lay various security measures and validations into the protocol design itself.”

Social engineering, more commonly referred to as phishing attacks, is another point to consider. While the deBridge team managed to thwart this type of attack, it still remains one of the most prevalent threats to the wider ecosystem. Education and strict internal security policies are vital to avoid falling prey to these cunning attempts to steal credentials and hijack systems.

88% of Nomad Bridge exploiters were ‘copycats’ — Report

Copycats used the same code as the original hackers but modified the target token, token amount and recipient addresses.

Close to 90% of addresses taking part in the $186 million Nomad Bridge hack last week have been identified as “copycats,” making off with a total of $88 million worth of tokens on Aug. 1, a new report has revealed.

In a Wednesday Coinbase blog, authored by Peter Kacherginsky, Coinbase’s principal blockchain threat intelligence researcher, and Heidi Wilder, a senior associate of the special investigations team, the pair confirmed what many had suspected during the bridge hack on Aug. 1 — that once the initial hackers figured out how to extract funds, hundreds of “copycats” joined the party.

According to the security researchers, the “copycat” method was a variation of the original exploit, which used a loophole in Nomad’s smart contract, allowing users to extract funds from the bridge that weren’t theirs.

The copycats then copied the same code but modified the target token, token amount and recipient addresses.

But, while the first two hackers were the most successful (in terms of total funds extracted), once the method became apparent to the copycats, it became a race for all involved to extract as many funds as possible.

The Coinbase analysts also noted that the original hackers first targeted the Bridge’s Wrapped Bitcoin (wBTC), followed by USD Coin (USDC) and Wrapped Ether (wETH).

As the wBTC, USDC and wETH tokens were present in the largest concentrations in the Nomad Bridge, it made sense for the original hackers to first extract these tokens.

White-hat efforts

Surprisingly, Nomad Bridge’s request for stolen funds yielded a 17% return (as of Tuesday), with the majority of those tokens being in the form of USDC (30.2%), Tether (USDT) (15.5%) and wBTC (14.0%).

Because the original hackers mostly exploited wBTC and wETH, the fact that most of the returned funds came in the form of USDC and USDT suggests that the majority of the funds returned were from white-hat copycats.

Meanwhile, approximately 49% of the exploited funds (as of Tuesday) have been transferred elsewhere from each of the recipient’s addresses.

Coinbase also noted that the first three recipient addresses were funded by Tornado Cash, an Ethereum-based protocol that allows users to transact anonymously. On Monday, the United States Treasury sanctioned all USDC and Ether (ETH) addresses linked to the protocol.

The Nomad Bridge hack has become the fourth largest decentralized finance (DeFi) hack ever and the third biggest in 2022, following the $250 million Wormhole Bridge hack in February and the $540 million Ronin Bridge hack in March. Cross-chain bridges of these kinds have been accused of being too centralized, making them an ideal site for attackers to exploit.

The worst places to keep your crypto wallet seed phrase

A look at the best practices and worst hiding places for what could be the most important and wealthy possession in a home: a seed phrase.

Under the mattress, in the seams of a piece of luggage or even rolled into a cigar, what are the worst and best ways for keeping a seed phrase safe? The key to unlocking and recovering cryptocurrency, a seed phrase, should be secured and safe. 

Especially now that prices are low and the crypto tourists have checked out, it might be time for a crypto security spring clean. Security starts with a seed phrase, sometimes called a recovery phrase.

There’s no denying it: Bitcoin and the crypto space writ large are in the clutches of a bear market. Since Do Kwon’s Terra experiment went up in smoke, a crypto contagion has choked the most reputable of exchanges, causing many self-sovereignty advocates to chant, “not your keys, not your coins.”

Indeed, hardly a day goes by that another “trusted” crypto lender freezes customer withdrawals. From Singapore’s crypto lender Vauld to Thailand’s crypto exchange with 200,000 customers, Zipmex, to the world-renowned Celsius exchange, many centralized lending platforms have suffered similar fates, ensuring heartbreaking consequences for customers in 2022.

These circumstances are timely reminders to look after one’s own keys and to ensure they are in a safe place. So, while prices are low and trust in centralized exchanges (places that claim to look after crypto) also hits rock bottom, there is no better time to up the security of one’s crypto assets.

Seed phrases save lives

A seed phrase, sometimes called a private key, is a list of 12 or 24 words forming a mnemonic phrase. Metaphorically speaking, a hardware wallet, or cold wallet, contains these keys, providing a convenient way of sending, or “signing,” funds.

If looked after properly, a seed phrase can save lives, as Alex Gladstein, a human rights activist and chief strategy officer at the Human Rights Foundation, often states. For example, if a burglar steals a hardware wallet but not the seed phrase, it’s no critical issue — the seed phrase can be used with a new wallet. If a government or bad actor forces you to flee, the 12 or 24 words can be used anywhere in the world to access Bitcoin (BTC) or crypto funds.

Goldbug and Bitcoin skeptic Peter Schiff once bungled his seed phrase, confusing it for his PIN code. That’s the first mistake to avoid. Now, here are some other examples of where not to store a seed phrase.

Open secrets

The couple in possession of the Bitfinex billions in Bitcoin, who stored their seed phrase on their cloud storage account, take the first prize. As Cointelegraph reported, cybercriminals Heather Morgan and her cybersecurity specialist husband, Ilya Lichtenstein, stored their seed phrase on a cloud storage account. As such, the FBI only had to crack their iCloud password to gain access to over $4 billion in BTC at the time of reporting. The lesson here is to not store your seed phrase on the internet. That means not in your Evernote notes, in a draft email or even in a low-engagement tweet.

Similarly, as Cointelegraph reported, one must never type a seed phrase into a phone. Why? Because, as one Redditor realized, smartphone text prediction could actually guess a seed phrase. Text prediction, while at times useful for tricky spelling or emojis, is counterproductive when it comes to protecting personal wealth.

Although it sounds fitting, a fridge is also not the ideal place for the “cold” storage of cryptocurrencies. A Bitcoin enthusiast replied, “Fridge,” to the question “where is the weirdest place to store a seed phrase?” without explaining whether the seed phrase should be stored inside or on top of the fridge. As it turns out, a nonfungible token (NFT) fan had already stored a seed phrase on the fridge.

Cointelegraph’s editor-in-chief, Kristina Lucrezia Cornèr, suggests that the worst place for a seed phrase to be stored is in bad memory. Indeed, unlike dates of historic battles, car keys or the names of acquaintances from passages of life, a seed phrase should be wholeheartedly committed to memory. 

Among the more creative yet memory-exhaustive methods are memorizing “pages, lines and words from favorite books,” which for one Bitcoiner means storing the seed phrase on pages 100 to 112 of a Harry Potter text. Which one of the eight or more Harry Potter books is anyone’s guess. Fortunately, there are now nifty ways to memorize a seed phrase. MTC, a Bitcoin educator who thought up the Sats Leger savings device, concocted a way to memorize a seed phrase in just 10 seconds through patterns.

Playing it safe

But, what do the experts have to say about seed phrases? Chris Brooks, founder of cryptocurrency recovery business Crypto Asset Recovery, told Cointelegraph that in his experience, human error can eradicate wealth. People should be more worried about leaving their seed phrase or private keys in paper wallets that can be mistakenly thrown out rather than hackers or scammers. Brooks explained:

“You have a far greater chance of moving to a new apartment and losing your crypto password in the process than you do of getting hacked.”

The Brooks family behind Crypto Asset Recovery operated a “seasonal business,” as in every bull market, such as in 2017 and 2021, the crypto crackers are called upon by crypto enthusiasts who have forgotten their passwords or lost their seed phrases. At one point in 2021, they told Cointelegraph they had up to 150 customer calls in a day. Their one big piece of advice for managing seed phrases is to keep it simple:

“So generally speaking, our security tips are pretty basic. Get a $30 safe off Amazon or, you know, build a little wooden box that’s easily identifiable as a place for secure documents and just store your seed phrases there.”

They suggest putting anything important into that box. That way, whenever “you’re doing spring cleaning or when you’re moving houses, you’re not going to throw it out. You’re not going to shred the paper or something like that.”

However, because it’s crypto, those of a physical persuasion may be more inspired to store their seed phrases in some even more creative storage “boxes.” Bitcoin advocate onthebrinkie 3D-printed an adult toy suitable for an OpenDime (like a USB key for Bitcoin) or a seed phrase to be hidden away. The inspiring idea is that if an intruder breaks in, they might steal the wooden box full of important documents, but no one in their right mind would steal a sex toy.

Ethereum will outpace Visa with zkEVM Rollups, says Polygon co-founder

A new scaling solution, zkEVM Rollups, could allow Ethereum to overcome Visa in terms of transaction throughput, says Polygon co-founder Mihailo Bjelic.

zkEVM Rollups, a new scaling solution for Ethereum, will allow the smart contract protocol to outpace Visa in terms of transaction throughput, said Polygon co-founder Mihailo Bjelic in a recent interview with Cointelegraph. 

Polygon recently claimed to be the first to implement a zkEVM scaling solution, which aims at reducing Ethereum’s transaction costs and improving its throughput. This layer-2 protocol can bundle together several transactions and then relay them to the Ethereum network as a single transaction.

The solution, according to Bjelic, represents the Holy Grail of Web3 as it offers security, scalability and full compatibility with Ethereum, which means developers won’t have to learn a new programming language to work with it.

“When you launch a scaling solution, you ideally want to preserve that developer experience. Otherwise, there will be a lot of friction,” explained Bjelic.

According to Sandeep Nailwal, Polygon’s other co-founder, this solution will slice Ethereum fees by 90% and increase transaction throughput to 40–50 transactions per second.

As Bjelic pointed out, if further upgraded, zkEVM Rollups could one day handle thousands of transactions per second, thus outpacing mainstream payment systems like Visa.
