Deciphering Disruption: Inside the Latest Blockchain Incident


Blockchain Security Incident Analysis

OVERVIEW

Cryptocurrency hacks and fraud have reached a record high in 2021. At least 30 incidents of hacks and fraud, with a total value of around $3bn, have taken place so far in 2021. Below is an illustration of the largest crypto incidents that occurred this year and in history so far.

BACKGROUND

On August 10th, 2021, Poly Network was attacked by an anonymous "white hat" hacker, causing over $610 million in digital crypto assets (at the prices of that date) to be transferred to hacker-controlled addresses. All assets were eventually returned to Poly Network over the next 15 days. At the time of the incident, this was the largest security breach in DeFi's history in terms of the value of stolen assets.

WHAT IS POLY NETWORK

Poly Network is a DeFi platform that facilitates peer-to-peer exchange between several blockchains as users trade one cryptocurrency for another, such as trading Bitcoin for Ether. Currently, Poly Network has implemented interoperability between 11 chains, including Bitcoin and Ethereum. Poly Network operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tokens are swapped between the blockchains using a smart contract which contains instructions on when to release the assets to the counterparties.

HOW WAS IT HACKED

The hackers exploited a vulnerability in this smart contract. The hack was made possible by mismanagement of the access rights between two important Poly smart contracts: EthCrossChainManager and EthCrossChainData.

✔ EthCrossChainData: decides who has the privilege of moving the large amount of funds contained within Poly's Binance wallet, Ethereum wallet, etc.

✔ EthCrossChainManager: has the right to trigger messages from another chain to the Poly chain.

The hackers appeared to override the contract instructions for each of the three blockchains and diverted the funds to three wallet addresses, which are digital locations for storing tokens.
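The access-rights split between the two contracts above is the security-relevant point, so here is a toy model of it as an added example. This is constructed for this write-up and is not Poly Network's code: the addresses, class names, method names and message layout are assumptions. It models a manager that routes relayed cross-chain messages and a data contract that records which address (the "keeper") may move funds, and compares a manager that can route a message to any registered contract with one that only routes to an explicit allow-list of application contracts.

```python
"""Toy model of the privilege split between a cross-chain manager and a data contract.

Constructed example written for this page. It is NOT Poly Network's code: the
addresses, class names, method names and message layout are assumptions chosen
only to show why the manager must not be able to reach the data contract's
privileged setter through the generic relay path.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed placeholder addresses (not real on-chain addresses).
MANAGER_ADDR = "0xMANAGER"
DATA_ADDR = "0xDATA"
APP_ADDR = "0xAPP"
LEGIT_KEEPER = "0xKEEPER"
OTHER_ADDR = "0xOTHER"


@dataclass(frozen=True)
class CrossChainMessage:
    """A relayed call from another chain: target contract, method, arguments."""
    target: str
    method: str
    args: tuple


class DataContract:
    """Holds the keeper address. Only the owner may change it."""

    def __init__(self, owner: str, keeper: str) -> None:
        self.owner = owner
        self.keeper = keeper

    def set_keeper(self, caller: str, new_keeper: str) -> None:
        if caller != self.owner:
            raise PermissionError("only the owner may change the keeper")
        self.keeper = new_keeper


class AppContract:
    """An ordinary application contract that legitimately receives relayed messages."""

    def __init__(self) -> None:
        self.received: list = []

    def on_cross_chain(self, caller: str, payload: str) -> None:
        self.received.append((caller, payload))


class Manager:
    """Executes relayed messages by calling the target contract as itself."""

    def __init__(self, address: str, registry: Dict[str, object],
                 allowed_targets: Optional[Set[str]] = None) -> None:
        self.address = address
        self.registry = registry
        # None models the weak configuration: any registered contract is reachable.
        # A set models the hardened configuration: an explicit recipient allow-list.
        self.allowed_targets = allowed_targets

    def execute(self, msg: CrossChainMessage) -> None:
        if self.allowed_targets is not None and msg.target not in self.allowed_targets:
            raise PermissionError(f"{msg.target} is not an allowed cross-chain recipient")
        contract = self.registry[msg.target]
        handler = getattr(contract, msg.method)
        # The manager's own address is the sender that the target contract sees.
        handler(self.address, *msg.args)


def simulate(hardened: bool) -> dict:
    """Run one legitimate message and one message aimed at the privileged setter.

    Returns which effects occurred, so the two configurations can be compared.
    """
    # Assumption of this model: the data contract trusts the manager as its owner,
    # so the routing privilege and the owner privilege sit on the same address.
    data = DataContract(owner=MANAGER_ADDR, keeper=LEGIT_KEEPER)
    app = AppContract()
    registry = {DATA_ADDR: data, APP_ADDR: app}
    allow = {APP_ADDR} if hardened else None
    manager = Manager(MANAGER_ADDR, registry, allow)

    # Normal traffic: an application contract receives a relayed payload.
    manager.execute(CrossChainMessage(APP_ADDR, "on_cross_chain", ("hello",)))

    # A relayed message aimed at the privileged setter; the hardened manager must refuse to route it.
    privileged_msg = CrossChainMessage(DATA_ADDR, "set_keeper", (OTHER_ADDR,))
    rejected = False
    try:
        manager.execute(privileged_msg)
    except PermissionError:
        rejected = True

    return {
        "app_delivered": len(app.received) == 1,
        "keeper_changed": data.keeper != LEGIT_KEEPER,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print("weak:    ", simulate(hardened=False))
    print("hardened:", simulate(hardened=True))
```

Running the block prints both configurations: with no allow-list the keeper is silently replaced because the data contract accepts the manager as its owner, while the allow-listed manager still delivers ordinary application messages but rejects the one addressed to the data contract. The design point is that a contract which routes externally supplied calls should never itself hold owner-level rights over the contract that decides who can move funds; if it must, the routing path needs an explicit recipient allow-list that excludes privileged contracts.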

OUTCOME

The so-called white hat hacker claimed they aimed to identify the vulnerability for Poly Network and had always planned to return the money. A week after the funds were stolen, Poly Network confirmed the hacker had returned the $610m. During the negotiation, the hacker's only request was to unlock the USDT. Poly Network offered to hire them as chief security advisor, but this was not officially confirmed.


WHAT CAN WE LEARN FROM A RISK ASSESSMENT AND RISK CONTROLS POINT OF VIEW?

Blockchain technology is still at an early stage, and some challenges we constantly face include, but are not limited to:

1. We don't adopt it quickly enough.

2. The technology is difficult to understand.

3. Openness can be a liability, i.e. there is no protection by third-party institutions or a central authority. Of the more than 140 hacking incidents identified over the past few years, breaches of wallets and exchanges are the most common type of attack, followed by breaches of Ethereum smart contracts. However, in my view, such big hacks actually improve and help evolve the overall security of all DeFi services, as other projects and applications tend to learn from the errors and failures of others and make their platforms more secure and mature.

RISK CONTROLS AND MITIGATIONS

Below is a summary of some controls that can help prevent blockchain hacks and mitigate the cybersecurity risk for a crypto exchange:

● Apply Zero Trust security. Some experts speculated that such a hack took time and planning; if so, could this have been an inside job at Poly Network? Traditional IT network security trusts anyone and anything inside the network, whereas a Zero Trust architecture trusts no one and nothing. The crypto exchange can deploy strict multi-factor identity verification for every person and device trying to access resources on a private network, regardless of whether they sit inside or outside the network perimeter.

● Enhance identity and access management.

● Test internal staff with security exercises.

● Consider business and governance risks, e.g. follow the guidelines published by MAS if you're doing business in Singapore.

● Invest in fraud and AML detection tools that specialize in blockchain.

● Highlight smart contract security and potential coding bugs.

● Request regular and timely progress updates from coin issuers listed on Huobi's exchange, e.g. review whitepapers and status updates to identify early risk warnings.

● Ask all coin issuers on the crypto exchange for regular updates on their security, technology, application development, and regulatory requirements.

● Closely monitor tokens and their turnaround time if they encounter technical or security issues.

● Educate Huobi's end users by sharing security tips and increasing their awareness:

- Use separate wallet addresses for DeFi activities.

- Use two-factor authentication (2FA) and strong passwords.

- Check wallet approvals regularly and revoke a project's access rights to the wallets if no longer required.

- Be mindful of, and warn about, malicious software and phishing scams.

- Use a centralized exchange to add more layers of security protection.

- Enhance ID management; educate users to store their private key securely, as the owner's signature is verified directly within the blockchain.

● Emphasise software updates, given that the open-source and decentralised environment makes software updates difficult.

DeFi PROJECT

Poly Network is a cross-chain DeFi protocol that is relatively little known in the DeFi ecosystem. Its competitors include SushiSwap, Anyswap, etc. In terms of how it is applied, Poly Network is closer to the DEX category, but it is not the coin issuer and it is not listed on Huobi.

In my view, Lending and DEX are the mainstream DeFi projects which will be widely used in various use cases in 2022.

- Lending allows individuals to take out a loan without approval from a third party. The majority of lending products use Ether ($ETH) or Bitcoin to secure outstanding loans. The top 3 are Maker (MKR), Aave (AAVE) and Compound (COMP).

- DEX allows users to swap their assets without having to transfer custody of the underlying collateral. The top 3 are Uniswap (UNI), Curve and SushiSwap (SUSHI).

I have selected one item from each category for demonstration. Both are currently listed on the crypto exchange:

- Compound

- Uniswap

CONCLUSION

Blockchain will continue to gain traction and become the revolutionary technology impacting the traditional financial services industry. With the increasing cybersecurity threat, a comprehensive security strategy will become the determining factor for the sustainability of DeFi platforms.
