The insiders responsible for the hack – Cointelegraph Magazine
1 year ago Benito Santiago
When a DeFi platform is hacked, suspicion often falls on insiders, who are familiar with the smart contracts and security procedures and are therefore well placed to craft exploits. But are insiders really responsible for most DeFi hacks?
On-chain sleuth LibreHash certainly seems to think so. In September 2022, UK-based DeFi platform Wintermute reported a $160 million hack that LibreHash argued may have been an inside job.
The Wintermute hack exploited a bug in the smart contract used to create vanity wallet addresses.
In a lengthy analysis of the hack, LibreHash (real name James Edwards) argued that the relevant transactions, initiated by an externally owned address (EOA) that called the compromised smart contract, pointed to the hacker being an insider: a member of the Wintermute team.
“The knowledge required to execute this hack precludes the possibility that the hacker could be a random external entity.”
The hack “was the result of an inside job, rather than an external attacker exploiting an EOA with a weak private key,” the sleuth tweeted.
But what seemed like an open-and-shut case to LibreHash was not easy to prove to the world at large. Wintermute, an automated market maker (AMM), strongly rejected the idea, saying the analysis had “factual and technical errors related to claims made from unsubstantiated rumors from the Medium page.”
And blockchain security firm BlockSec wrote an analysis of LibreHash's report, concluding that “the report is not convincing enough to incriminate the Wintermute project.”
Proving an inside job is very difficult
Not surprisingly, the LibreHash report, whatever its technical merits, did not go unchallenged.
Few things are certain when it comes to insiders in the murky world of DeFi hacking. There is plenty of suspicion and speculation about insider involvement, and about how deep the problem runs, but to date, pinning a hack on an insider is often like trying to pin the tail on a fast-moving donkey.
“The anonymity afforded by blockchain systems, coupled with the misuse of privacy-enhancing services by malicious actors like TornadoCash, makes it challenging to identify these criminals,” said Lei Wu, Chief Technology Officer of BlockSec.
There are some well-known examples of insiders behaving badly. SafeMoon CEO John Karony and two colleagues were arrested last month for stealing “millions of dollars” worth of tokens from the Utah crypto firm to buy luxury vehicles and real estate. NFT creator Remilia Corp. said in September that it had “taken steps to turn over” more than $1 million in fees generated by a developer who worked on its Bonkler suite.
“There were a lot of projects that weren't very transparent,” said Neville Grech, founder of blockchain security firm Dedaub, referring to the “rug pulls” in which crypto developers abscond with their own projects' venture capital.
“Besides the rug pullers, there have been cases where projects were hacked a few hours after a fix was made to the public codebase – but the fix hadn't been deployed yet – so it was probably a high-profile follower of the project who was involved.”
DeFi's transparency means that with a little work, any sufficiently skilled cybercriminal can spot the holes in the contract. As Chainalysis points out in its 2023 Crypto Crime Report, this transparency is “what makes DeFi so vulnerable – hackers can scan DeFi code for vulnerabilities and strike at the right moment to maximize their theft.”
But when it comes to taking advantage of such opportunities, insiders have “knowledge advantages such as access to unaudited code, security assessments, and deep technical knowledge of the project's operation and potential vulnerabilities,” says Grech.
However, this is a double-edged sword, he adds. Insiders are easier to spot because other team members know them well and can more readily anticipate their actions.
Other hacks where insiders are suspected
DeFi hacks for insiders include:
In December 2022, the wallet of the deployer of DeFi protocol Ankr's aBNBc smart contract was compromised, allowing the hacker to mint six quadrillion aBNBc tokens, which were eventually converted into $5 million. According to Ankr, “A former team member (no longer with Ankr) engaged in a malicious social engineering and supply chain attack, injecting a malicious code package that could compromise our private keys after a legitimate modification was made.”
Ankr said it is working with law enforcement “to indict and prosecute the former team member. Unfortunately, internal bad actors can affect any protocol and we are working… to strengthen our security posture going forward.” No charges appear to have been filed so far, and Ankr co-founders Stanley Wu and Chandler Song did not respond to requests for comment on the status of the case.
iToken doubts
In October, blockchain security firm PeckShield warned that the crypto wallet iToken, formerly known as Huobi Wallet, was “suspected of leaking” about $260,000 in user funds, which the hacker converted to about 2.9 million TRX tokens before transferring them to crypto exchanges ChangeNOW and Binance. Suspicion fell on an insider because three weeks earlier, Chinese media had reported that iToken user mnemonics and private keys were stolen by a former employee, resulting in a loss of $1.39 million. “The employee has been investigated by the police,” according to crypto news outlet Wu Blockchain.
After decentralized cross-chain exchange Boy X Highspeed (BXH) revealed that it had been hacked for $139 million in October 2021, CEO Neo Wang said the hack was likely an inside job in which an employee compromised the BXH platform's administrator computer with a virus, obtained the administrator's private key and then used the key to access the BNB Smart Chain address. According to Wang, BXH filed a complaint with the Chinese police department that investigates digital crime. The outcome of the case is not yet known.
DeFi hacking is a growing business.
There is no doubt that DeFi platforms have generally been a happy hunting ground for crypto hackers. According to Chainalysis, DeFi protocols accounted for 82.1%, or $3.1 billion, of the record amount stolen by hackers in 2022, up from 73.3% in 2021.
DeFi hacks outnumber non-DeFi hacks by a 3.5:1 ratio, with the gaming-focused Ronin Network bridge being the biggest by far, at $625 million.
The proliferation of DeFi hacking partly reflects the explosive growth of the sector. Before falling during the bear market, the total value locked in DeFi protocols rose 1,222% to $247.8 billion in 2021, according to analytics platform DefiLlama.
So who is doing these hacks? Hackers with ties to North Korea, such as those in the Lazarus Group cybercriminal syndicate, are a big factor. North Korea-linked hackers were “one of the forces behind the DeFi hacking trend that intensified in 2022,” reports Chainalysis.
And, of course, there are plenty of rogue coders capable of attacking a protocol.
In a recent case, U.S. authorities in July charged former Amazon security engineer Shakeeb Ahmed with using his technical skills to steal millions in assets from a decentralized crypto exchange in 2022. He faces the loss of millions in cryptocurrency and up to five years in prison.
Vulnerabilities in the self-executing code, or smart contracts, on DeFi blockchain platforms “range from logic bugs unique to DeFi protocols, such as integer overflow and reentrancy bugs,” Wu says. Insiders are familiar with many of these vulnerabilities, but the vulnerabilities can also be discovered by external actors.
The most obvious insider cybercrimes come in the form of “rug pulls.”
“Almost every day there are small ‘rug pulls,'” said Richard Ma, CEO of blockchain security firm Quantstamp.
“The media and crypto twitter want to talk about the big hacks but not the small hacks in the tens of thousands of dollars.”
In such hacks, a project creator “uses a backdoor in the smart contract and sells on Uniswap, or uses a backdoor to steal the money.”
A curious case of Multichain
What could have been one of the biggest rug pulls came to light in July when Multichain, a platform that facilitates cross-chain transactions, announced on Twitter that it was shutting down after user assets locked in its multiparty computation (MPC) addresses were unusually forwarded to unknown addresses.
In a somewhat cryptic announcement, Multichain said it lost access to its MPC node servers last May after CEO Zhaojun He was arrested by Chinese police. It said the servers were running under Zhaojun's private cloud server account, and no other member of the Multichain team had logged in to that account.
“Since the launch of the project, all operating funds and investments have been controlled by Zhaojun,” Multichain said. “This means all [Multichain] Group funds and access to the servers are with Zhaojun and the police.”
According to Multichain, Zhaojun's sister was also arrested after allegedly having “guarded” the remaining user assets by transferring them to a wallet she controlled. “The status of the assets she has retained is uncertain,” Multichain said.
Chainalysis estimates that more than $125 million in assets were lost in the hack. “While it is possible [the MPC] keys were taken by an external hacker, many security experts and other analysts believe this exploit could be an inside job or a rug pull,” added Chainalysis.
But other theories have been put forward for the Multichain hack. One is that Zhaojun was arrested and his assets seized as part of China's anti-money laundering crackdown. Alternatively, Grech says, “a plausible explanation is that the project founder lost his private keys to (allegedly fraudulent) law enforcement officers after he was arrested.”
Chinese authorities have not shed any light on the Multichain mystery, and there have been no updates on the status of Zhaojun and his sister.
Whoever the Multichain perpetrators are, the DeFi carnage is showing some signs of abating. In the first six months of this year, cybercriminals stole $480 million through smart contract DeFi hacks, down 75 percent compared to the same period in 2022, PeckShield said. In a recent report, blockchain analytics provider Elliptic said the Lazarus Group's “recent activity has shifted its focus from decentralized services to centralized services since last year.”
But the insider threat remains particularly insidious for the DeFi sector. And LibreHash stands by his analysis of the Wintermute hack, saying in a Telegram post:
“Nothing gets deleted because this channel doesn't publish conspiracy theories or push for half-assed, poorly researched clicks, views or anything else.”
Matthew Heller
Former news agency reporter Matthew Heller now works as an investigator and freelance journalist.