Top 2020 Blockchain Hacks (and what you can do about them in 2021)

Many companies were affected by malicious cyber activity throughout 2020, and blockchain attacks are becoming more prominent.  New attack strategies for targeting enterprise blockchain security will continue to emerge, and these nefarious activities can be quite damaging (and costly) for those that are compromised. In 2020, attackers stole $3.8 billion -- in just 122 attacks. For many, blockchain is critical to decentralized applications, wallets and other business operations. Blockchain technology also provides the underlying data structure for smart contracts, which free up the processing of money, property and other value-driven exchanges.

Blockchain technology is regarded for its resistance in the face of a cyber attack, but like any other data structure, it still needs to be monitored, assessed and secured against potential threats.

The top blockchain hacks of 2020 serve to highlight the sophistication of new-age attackers. Blockchain technologies offer reduced costs in supply chain processes, simplified financial processes that are easier to audit and less costly to conduct. However, blockchain security protocols need to evolve in order to keep up with enterprise growth and to mitigate new security risks that may arise. Securing blockchain implementation requires critical steps such as monitoring, analysis and threat prevention. Modern tools can help streamline the process of securing blockchain technology more effectively.

 

1. Compound loses $100m to flash loan exploit

In November 2020, Compound lenders saw $100 million get liquidated in a flash loan attack. In the decentralized finance sphere, flash loans are a significant source of malicious activity and opportunistic exploitation. By capitalizing on vulnerabilities in oracle data, contract code and liquidity pools, attackers can acquire significant funds from unsuspecting targets.

BeingCrypto reports:

In summary, the attacker took a 46 million DAI flash loan and swapped the same for 2.4 billion cDAI. Converting the 2.4 billion cDAI yielded 46.2 million DAI.

The attacker then repaid the flash loan of 46 million DAI and was left with 170.9million cDAI which is equivalent to $3.5 million in profits. In another tweet by Alex Svanevik, the CEO of on-chain data analytics outfit Nansen, one other COMP farmer lost $17.5 million in the exploit.

Manipulating oracle data to alter the price feed allowed an attacker to profiteer off of forced liquidation caused by under-collateralization. In a blockchain, an oracle is a third-party source of data. Data from the oracle is then used to execute business logic using pre-programmed protocols. An indirect blockchain attack can be launched by compromising oracle data. Oracles are a common part of blockchain technology and smart contracts. Regular monitoring and assessment can help ensure that oracle data is accurate.

 

2. $25m stolen in Lendf.me, Uniswap hack

Lendf.me, a decentralized lending platform, suffered a blockchain attack in April 2020. Hackers exploited vulnerabilities in the underlying structure of Ethereum, stealing an approximate $24.5 million from the lender.

The second company, Uniswap, was using theLendf.me protocol and was also affected. It estimated that Uniswap lost between$300,000 and $1.1 million in the blockchain hack.

Silicon Angle reports that the attack on Uniswap exploited ERC777, an underlying technology on the Ethereum blockchain, and launched a “reentrancy” attack. “That attack exploits a function that makes an external call to another untrusted contract before it resolves any effects, allowing an attacker to take over control flow of the smart contract.” Lendf.me was victimized further through a second reentrancy.

Attackers will continue to come up with new ways of exploiting blockchain technology. Smart contracts are often deployed over blockchain -- but these contracts can be vulnerable to a reentrancy attack. As Medium explains:

A reentrancy attack can occur when you create a function that makes an external call to another untrusted contract before it resolves any effects. If the attacker can control the untrusted contract, they can make a recursive callback to the original function, repeating interactions that would have otherwise not run after the effects were resolved.

This simplest example is when a contract does internal accounting with a balance variable and exposes a withdraw function. If the vulnerable contract transfers funds before it sets the balance to zero, the attacker can recursively call the withdraw function repeatedly and drain the whole contract.

Identifying functions that may be untrustworthy can help prevent reentrancy attacks. Following best practices for mitigating the risks of potentially vulnerable functions which underlie blockchain structures is key. Maintaining oversight across enterprise blockchain technologies is a necessary checkpoint. Reentrancy attacks can occur when functions are compromised; implementing content security policies can help reduce the risk of function-based attacks on smart contracts.

 

3. KuCoin hacked for $281 million

In September 2020, Singapore-based KuCoin suffered one of the most costly hacks in cryptocurrency history. The theft of $281 million was attributed to an attack which resulted in malicious actor(s) gaining access to private keys for hot wallets -- allowing them to seize control of various digital currencies.

At the time, KuCoin was one of the most active cryptocurrency exchange platforms, handling averages of $100 million daily. Coin Desk says that, “One or more hackers obtained the private keys to the centralized exchange’s hot wallets, gaining control over vast quantities of bitcoin, ether, tron (TRX), XRP, stellar (XLM) and various ERC-20 tokens, among others. KuCoin immediately moved to freeze all wallets and disable services.” As Coin Desk reported further:

KuCoin CEO Johnny Lyu said one or more hackers obtained the private keys to the exchange’s hot wallets. KuCoin transferred what was left in them to new hot wallets, abandoned the old ones and froze customer deposits and withdrawals, Lyu said.

Ensuring private keys are being stored properly is a critical element to securing hot wallets, which can be connected to the internet. This is another area where monitoring, assessment and policy implementation can be beneficial.

4. Harvest Finance loses $25million

Another decentralized finance giant, Harvest Finance, was a victim of malicious cyber activity in October 2020. An attacker drained some $25 million from the platform’s finance pools, using an Ethereum obfuscation platform known as Tornado Cash in an attempt to disappear some of the funds that were withdrawn.

In addition to this loss, Harvest Finance’s TVL suffered a significant drop in value -- going from $1 billion to $673 million. Following the attack, investors pulled $350 million from the site.

As reported by CoinDesk:

The attack comes after DeFi analyst Chris Blec claimed Harvest Finance’s administrators held an “admin key that can drain funds” locked in the protocol’s contracts. It’s unclear at this stage in the exploit what role the admin key or the anonymous team behind the protocol have to do with the sudden drain in assets.

According to a report from Bitcoin, the attacker later returned $2.5 million of the stolen funds. To launch their exploit, the malicious actor “manipulated prices on one money lego (curve y pool) to drain another money lego [farm USDT (fUSDT), farm USDC (fUSDC)], many times. The attacker then converted the funds to renBTC and exited to bitcoin.”

5. Pickle Finance takes a $20 million loss

Pickle Finance lost nearly half of its value to a cyber attack in October 2020. Some $20 million in DAI was drained from a Pickle wallet. As CoinDesk reports, the company launched in September and released their new cDAI jar technology with the goal of “maximizing returns from DAI deposited on the decentralized lending protocol Compound.”

This new strategy was then exploited by malicious actors; Pickle Finance states, “This was a very complicated attack and involved many components of the Pickle protocol.”

A report from CryptoTips explains that a malicious actor created a set of their own smart contracts (or “bad” jars) with similar features to existing Pickle Jars. They were then able to swap funds between “bad” jars and “good” jars, skating off with a cool $20 million.

Blockchain is the underlying structure behind typical smart contract technology. Implementing security policies for enterprise blockchain security provides a framework for monitoring, assessment and risk mitigation.

6. SIM-swap attack causes alleged$45 million loss

Cryptopotato reports that a SIM-swap attack was used to steal $45 million in Bitcoin and Bitcoin cash.

As BitCoin Magazine explains:

Using a phone number for identity authentication is a bad operational security practice. Handing over bitcoin to a third party like a cryptocurrency exchange or lending service also reduces security — “not your keys, not your coins” is a security recommendation often shared over Twitter and the Bitcoin podosphere.

Case in point: For the better part of the last decade, the combination of these two practices has given rise to an increasing number of SIM swap attacks ending in the theft of bitcoin and other cryptocurrencies.

Overall, SIM swap attacks are less technical and are not costly to pull off. Cryptocurrency is a particularly attractive option for SIM swaps. Due to the nature of how Bitcoin transactions are recorded in blockchain, it is more difficult for the victim to regain control of their lost assets once they have been stolen. Because of this, SIM swap attacks are definitely an area of concern. BitCoin Magazine identifies SIM swapping as a “persistent problem” in the digital sphere -- particularly when SMS is being used for 2FA. Experts say that using hardware-based wallets and hardware-based 2FA are better options than using  browser-based wallets or mobile 2FA.

7. Attack on Trezor’s passphrase handling

In September of 2020, a ransom attack was launched against Trezor’s passphrase handling. Trezor is a hardware wallet available for computers and mobile devices. As Benma’s Blog explains:

It is important that the hardware wallet validates any input it receives from the computer. In this case, the passphrase should be confirmed with the user on the device before using it to derive the seed. The Trezor and KeepKey did not do this in the case of the passphrase entered on the computer.

As a consequence, a malicious wallet or a man-in-the-middle modifying data transferred via USB could send an arbitrary fake passphrase to the Trezor / KeepKey, and hold any coins received in this wallet hostage. The passphrase entered by the user could simply be ignored, and the actual passphrase used would be only known to the attacker.

In this instance, an attack can be launched and go unnoticed; the wallet will function as per usual until the victim user is blocked from accessing their funds. After blocking user access, the attacker can then demand a ransom. These kinds of attacks can be launched against multiple users -- and the attacker can “lie in wait” until enough coins have accrued in users’ wallets. An attacker can create dummy passphrases that are given to unsuspecting users until the wallet has enough value to be held ransom. This is another area where policy implementation, monitoring and assessment can help mitigate risk.

8. Multiple hacks cause losses for bZx

bZx, a lending protocol that offers flash loans, suffered multiple attacks during 2020. Two attacks took place in February, while a third was launched in September.

In the first exploit, a malicious actor used several DeFi protocols to leverage the loaning and swapping of cryptocurrencies and manipulate their value and draw profits off the trading. This first attack resulted in a loss of $350,000.  The second attack in February was an oracle data exploit and cost bZx an estimated $635,000.

Additionally, bZx suffered an $8 million loss in September after attackers exploited a potential vulnerability in protocol code. bZx reported that the issue was resolved via a bug bounty and that all stolen funds were recovered.

Flash loans present novel territory for interested attackers. As Hacking Distributed explains, flash loans utilize smart contract technology to generate loans that are only viable for a single transaction. These loans must be repaid by the end of the exchange. Flash loans can be an attractive option for both lenders and customers. As enterprises and individuals venture into the new world of decentralized finance, new security controls may need to be adopted.

Looking at Blockchain Security Solutions

Many enterprises rely on blockchain technology as an underlying structure for decentralized applications, whether these apps are positioned in the financial sector or elsewhere. Blockchain presents a new and unique challenge for malicious actors, and new attack vectors will likely continue to emerge. However, areas of potential risk can be addressed with tight security protocols and increased visibility. Modern tools like AI-powered security platforms for smart contracts and distributed ledger technologies give enterprises more control over smart contract governance, compliance, and security posture through advanced network monitoring capabilities.  

With advanced application security and network monitoring capabilities, organizations can achieve  complete visibility and control over their decentralized applications' governance, compliance, and security posture. AI solutions for dApps give organizations the ability to innovate blockchain technology with speed and security.

Areas of potential risk in blockchain

ctive blockchain transactions are often vulnerable to attacks using known areas of vulnerability. Unmitigated vulnerabilities can be exploited, especially when visibility is low. Increased oversight helps organizations identify and address vulnerabilities before an attack takes place.

As blockchain implementation advances, ensuring that compliance standards are maintained can further help prevent exploitation. Exposed assets and IPs may present an unnecessary risk. Control over visibility becomes crucial here in order to keep up with the security needs of an expanding enterprise. Organizations often develop blockchain applications for internal use, and external viability may be limited due to lacking external security controls.

Leaving assets vulnerable can attract external threats and potential attacks on transactions. Implementing blockchain security protocols effectively.

Tackling Blockchain Security Concerns

Modern tools can help enterprises ensure that all of their blockchain security needs are being met. An AI-based solution like Valid Network provides the monitoring and reporting necessary for confidence in your organization’s compliance alongside advancements in regulatory measures, changes in code and overall expansion.

Additionally, Ai technologies can help enterprises reduce the number of potential threats and vulnerabilities facing blockchain applications. Keeping blockchain applications and transactions secure and updated minimizes an organization’s attack surface, which lowers  the number of active threat incidents and limits  the scope and impact of attacks.

AI-powered blockchain application and network monitoring translates to less time spent on labor and development; this not only reduces the burden of securing blockchain, but creates freedom for addressing other areas of growth.

Blockchain technology is known for being tamper-resistant. Blockchain creates a structure of established records and users receive copies of this data; this reduces the impact of potential security breaches. The overall database will remain protected, even if some user accounts are compromised.

However, attackers are coming up with new attack avenues to target blockchain technologies. SIM-swaps, private key theft and reentrancy attacks are just some of the new-age methods malicious actors are using to exploit blockchain. Combining AI-powered monitoring with necessary security controls and compliance measures helps businesses ensure that their blockchain data structures are protected. Resistance against cyber threats is what drives enterprises toward blockchain -- especially in the decentralized finance atmosphere. Having an established protocol for blockchain security is the next step forward.

Gilad Eisenberger, Valid Network's Co-founder and CTO, said: "2020 has seen a rise in both impact of attacks and sophistication overprevious years. Looking forward towards 2021, companies utilizing blockchain will continue to face these challenges with both known and novel threats in a highly open and visible ecosystem."

Other Blogs

What are CBDC and are Digital Currencies Safe?

Cryptocurrency and DeFi trading platforms have long signified a coming change in the way currency is handled around the world.

Integer Overflow in Ethereum

Many involved in blockchain do not have a full comprehension of the impact of software flaws and how they can enable vulnerability.