
Interview: Why hackers continue to hit DeFi protocols, solutions

cryptopolitan.com, 14 November 2021 04:08 UTC
  • The rate at which hackers hit crypto and DeFi protocols continues to surge.
  • Over $130M lost to attacks on the crypto industry in 2021.
  • Why hackers continue to target the crypto industry.

The rate at which hackers hit the DeFi space, and the cryptocurrency industry by extension, continues to be a source of concern for the industry.

Reportedly, 169 blockchain hacking incidents have taken place in 2021, with nearly $7 billion in funds lost to hackers. Over the past month, no fewer than five crypto hack cases were reported, with DeFi protocol Cream Finance the latest to be hit. Over $130 million was said to have been stolen.

In light of this, Cryptopolitan spoke with Dmitry Mishunin, CEO and Founder at HashEx, an R&D company focused on blockchain integration in business processes and cyber security. Dmitry has a strong technical background in cybersecurity and decentralized applications, as well as extensive experience in developing information security systems.

Below are excerpts from the interview.

Q: Are you surprised by the number of hacks and exploits that users are facing lately?

Unfortunately not. We are seeing that more and more people are writing their smart contracts. But often they do not have sufficient programming nous and a good understanding of Solidity – currently the only programming language compatible with Ethereum. Having a good understanding of the programming language is a must for creating a reliable DeFi protocol, and not knowing some of its nuances may easily lead to exploits and stolen funds.

Q: How can accepting or signing a smart contract that contains malicious code lead to your assets being stolen?

Every user should know that blockchain transactions are irreversible: once you approve a certain amount of an ERC-20 token to an ERC-20 smart contract, it will be irreversibly transferred to it. A contract may have verified source code without exploits but can also have some unverified library as a dependency. Approving tokens to such a contract is a big risk because you cannot check how the library works.
That was the case in the StableMarket project, when at least $27 million worth of users’ funds were stolen. The StableMarket project contracts had audited code but were deployed with an unverified library. This library was malicious, and it stole the users’ tokens stored in the protocol.
Another risk for the users is approving tokens to an upgradable smart contract: such a contract may be automatically upgraded with malicious code and steal the approved tokens.
Often frontend apps approve maximum amounts of tokens to a contract, not just the token amount that is going to be used. This is done to pay for the gas in a single transaction. If a user deposits tokens to a contract, he will need to additionally pay for the gas. But if a contract acts maliciously, it can withdraw any amount of tokens from the wallet.
So, the best practice for maximum security is always checking the approval amount and approving only the amount that is required for the contract operation.
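One concrete way for a user or wallet to apply the "check the approval amount" advice above, as an added example that is not HashEx's code nor part of the interview: decode the ERC-20 approve() calldata a frontend asks you to sign and flag allowances that are unlimited, larger than the deposit needs, or aimed at an unexpected spender. The pool address and token amounts are constructed sample values; the selector is the standard one for approve(address,uint256).

```python
from dataclasses import dataclass

# Standard 4-byte selector of approve(address,uint256); the "approval
# amount" the interview refers to is the second argument of this call.
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance many frontends request


@dataclass
class ApprovalCheck:
    spender: str
    amount: int
    unlimited: bool
    exceeds_needed: bool
    wrong_spender: bool

    @property
    def safe_to_sign(self) -> bool:
        return not (self.unlimited or self.exceeds_needed or self.wrong_spender)


def decode_approve(calldata_hex: str) -> tuple[str, int]:
    """Return (spender, amount) from approve(address,uint256) calldata."""
    data = calldata_hex.lower().removeprefix("0x")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve() call")
    args = data[8:]
    if len(args) != 128:  # two 32-byte ABI words
        raise ValueError("unexpected argument length")
    spender = "0x" + args[24:64]  # address is right-aligned in the first word
    return spender, int(args[64:128], 16)


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata for an exact amount (the recommended practice)."""
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount does not fit in uint256")
    addr = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + addr + format(amount, "064x")


def check_approval(calldata_hex: str, needed: int, expected_spender: str) -> ApprovalCheck:
    """Flag approvals that are unlimited, larger than needed, or to an unexpected spender."""
    spender, amount = decode_approve(calldata_hex)
    return ApprovalCheck(spender, amount, amount == MAX_UINT256,
                         amount > needed, spender != expected_spender.lower())


# Constructed sample: a frontend asking for an unlimited approval to a pool contract.
POOL = "0x" + "ab" * 20
NEEDED = 1_000 * 10**18  # depositing 1,000 tokens with 18 decimals
UNLIMITED_CALLDATA = encode_approve(POOL, MAX_UINT256)
```

Running check_approval(UNLIMITED_CALLDATA, NEEDED, POOL) reports the request as unlimited and oversized, while encode_approve(POOL, NEEDED) yields the exact-amount calldata the interview recommends signing instead.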

Q: Are hackers getting smarter or are cryptocurrency users becoming less cautious with their cybersecurity procedures?

Both statements are true. Hackers have made serious progress in exploiting flash loan platforms in tandem with different protocols to create and exploit vulnerabilities. On their own, those other platforms are safe most of the time, but flash loans create more structural complexity, which makes vulnerabilities more frequent.
Such attacks are very complex. Even their analysis takes a lot of time. There are also a lot of hacks of projects that just have poor code with simple bugs in it that would most likely be eliminated if tests were done or the code was properly audited.
Part of the blame also lies with the users, because many of them know about the safe practices that minimise the risks, such as cold storage, for instance. But they often disregard them, losing their heads over an opportunity that can bring them multifold ROI. Sometimes, they end up simply losing their money.

Q: How can users better protect their assets on MetaMask and associated dapps such as OpenSea and DeFi?

The best protection is not storing all assets in hot wallets but sending them to cold ones: the latter do not have Internet access. It is best to store only a small amount of assets needed for operations in hot wallets and keep the rest in cold storage.
On top of that, users should follow standard security rules: make use of antivirus software, avoid opening suspicious links in emails and use two-factor authentication when possible.

Q: Do you think hacks and exploits will become more common as the industry grows?

As the industry grows and more projects get launched, more of them will face the risk of getting hacked. You cannot eliminate all the bugs in all projects, but blockchain security companies are constantly working on minimising them. That includes not only audits of projects’ source code but also developing analytical tools that will help to prevent the bugs from appearing altogether, or, at least, to find them at the early stages of development.

Q: What role does HashEx play in the expansion of the cryptocurrency industry?

We enlighten people on the transparency and safety of using decentralised applications. The logic of their work is too complex and unclear for an average user to understand. Also, no sensible person would entrust his or her money to something they do not understand, like Pinocchio at the Field of Miracles. We explain complex notions in plain terms and bring to light the pitfalls that people should be aware of and try to avoid, and we likewise help potential investors to make a well-informed decision on their funds.
But primarily we are an auditing firm that is centred around DeFi and cryptocurrencies. That means that we do lots of audits of smart contracts and thus help crypto projects gain the trust of investors, as investors place more trust in projects that are well protected from costly mistakes that could hit their investors financially.

Q: What are your thoughts on the moves by both the G7 and US President Joe Biden to tackle ransomware, cyber security and frequent crypto hacks?

Constant improvement of security standards is a part of our routine and corporate ideology. We seek to bring trust into the trustless DeFi space. And this issue is crucial in any IT domain, not just DeFi. With the rapid emergence of new software products, the cybersecurity aspect is unfortunately not being paid enough attention, which creates opportunities for hackers to exploit. There are two main reasons for this: ‘mouse-click programming’ and a low-quality labour force that is being offered unnecessarily big wages.
This is a downside of rapidly growing IT businesses. In this dog-eat-dog environment businesses are trying to get ahead of each other, offering new products and oftentimes turning a blind eye to security issues despite their importance. As a result, sometimes we get big systems, which are used by a great number of clients, while still having bugs in them that can lead to the loss of users’ funds. Sometimes, the consequences of these bugs can even be continent-wide.
From this standpoint, governmental interference is completely justified. If it were not for state governments getting involved with these issues, who else would clamp down on greedy business people and convince them to dedicate efforts to security measures and developing software in a sensible manner?
If people start reporting hacks to government agencies it will have a positive effect. Timely information can help minimise the consequences of a potential breakdown by allowing reserve channels to be engaged (the situation with the supply of oil to the US East Coast can be viewed as a good example of this practice).
Unified security standards across the industry would also do good, if they are developed by experts rather than outsiders. Even at the current early stage of DApp development, we are seeing such standards being implemented by the leading auditors. The integration of such protocols will help everyone: it will make programming easier, code safer, and it will protect the users’ funds as well.

Q: Can you speak on the impact of these hacks on the cryptocurrency industry?

Feedback for the crypto industry is an attempt to control the stolen funds. I think it is a good thing. Currently, you cannot get all the amenities of the real world via cryptocurrency. This situation is changing by the day, but it is far from being perfect. Therefore, hackers still require a bridge between crypto and fiat funds to withdraw illegally acquired funds. This is the stage at which criminals can be identified. The more of them are found, the fewer will be willing to attempt to do it again. One can think back to how they used to chop off body parts for theft in Eastern cultures. Such interventions from law enforcement agencies are having a wholly positive influence on the crypto industry and its reputation. These actions make people feel safer.

Q: What sanctions would you recommend for the bad actors behind many of these crypto hacks, to deter others?

As I have said before, I am all for penalising such individuals. I would view such operations as financial fraud of a varying degree of severity, and apply corresponding legal action to them. I would not be trying to work out new laws at this point in time.

Q: A crypto world without hacks is almost impossible to achieve. How can crypto stakeholders, policy makers and all and sundry reduce attacks to the barest minimum?

No IT domain is conceivable without cyberthreats. But when we are talking about ordinary businesses, we see only the tip of the iceberg, not the whole picture. There are many more hacks taking place than meet the eye, because companies could see their reputation undermined if such knowledge became public. With cryptocurrencies, everything is transparent and publicly known, so the mass media write about these things more often.
Cybersecurity is a multidimensional practice, which includes regulatory frameworks at crypto-to-fiat exit and entry points, user education, cybersecurity teams checking the code, etc. This industry is still young, which provides an excellent opportunity to steer it down the right vectors of development. This way, we can make use of safer practices from the beginning, instead of trying to patch up holes somewhere down the road.
