Crypto-hacking: How bad actors are exploiting decentralised finance and smart contract ecosystems

The first half of 2022 has seen a significant disruption to the digital assets ecosystem, with the overall market capitalisation of crypto-assets falling by nearly two thirds since reaching nearly $3tn in November 2021. Regardless of the eventual path the current crypto-assets take, for now they continue to represent a major asset class, and therefore a significant target for bad actors.

In our previous post, we provided some background to how crypto-assets function in general. We then discussed how investors could find themselves at risk of losing control of these assets, focused on where these attacks targeted investors themselves, or the institution that held them on their behalf (e.g. exchanges).

Here, we consider another area that investors should keep in mind beyond the security of the keys to their own wealth: Decentralised finance and smart contracts. 

Crypto exchanges operate much like traditional banks, and share some of the same risks – namely, that they are the ones who protect – and thus control – your assets. Many of the types of hacks that might give an attacker access to crypto-assets held at an exchange could equally give them access to a bank account, but with one key difference: once funds are gone, there is no mechanism for reverting the transactions – your money is gone for good. Unlike ACH or SWIFT transfers, blockchain transactions are both immutable and irreversible, with no other parties to appeal to if something goes wrong. This is both a strength and a weakness of blockchain systems.

That said, decentralised exchanges – and decentralised finance (DeFi) in general – operate in a non-custodial manner, which removes the third party from the equation, but instead introduces a new class of risks. DeFi relies on people holding and controlling their own wallets, rather than exchanges, and facilitates peer-to-peer financial networks to allow transactions to take place directly between people without an institution serving as an intermediary.

The exchanges in these cases, such as Curve and Uniswap, are composed entirely of software code that allow buyers to find sellers (and vice-versa) rather than holding the funds in a bank account. “Smart contracts” – code running directly on the blockchain – are used to execute the transfer directly between participants rather than going through any particular third party. Once deployed, these contracts typically run entirely on their own, devoid of any human maintenance or intervention, meaning Uniswap developers can’t step in to correct a transaction or bad trade.

Smart contracts are purpose-built computer code that is executed by crypto networks, with Ethereum being the most well-known. The code in a smart contract can be used to effectively form a “digital agreement” between parties that is automatically executed when conditions are met. This code is stored on the blockchain, cannot be altered (in most cases), and can be freely viewed by anybody. A recent attack targets how individuals interact with these contracts, tricking people into “signing” or approving a transaction that allows the attacker to spend money on behalf of someone else. Technical complexity, lack of clear user interfaces, and rapid development all contribute to the uncertainty that attackers take advantage of.

In the simplest form, a smart contract would agree to pay an investor a certain number of tokens in exchange for a certain amount of Ethereum. As the code behind the contract is 100% transparent, the investor can be confident that they will receive their funds, assuming they take the time to verify the code. It’s also worth noting that these types of “token swaps” will always be crypto-to-crypto exchanges because this code operates on the blockchain, rather than to or from actual fiat currency.

A slight nuance here is that stablecoins – special cryptocurrencies that represent the value of a fiat money (typically the USD) on the blockchain – are popular swap pairs. This allows participants to remain “within” the crypto ecosystem and not have to continually swap out their digital assets for fiat on exchanges. Stablecoins are the subject of much interest, both from regulators and industry, and are worthy of a post of their own.

This all takes place without a central authority managing smart contracts. Much like existing legal contracts, where the use of legal terms and language has (in theory) an agreed interpretation mutually understood by the legal profession, smart contracts operate using an agreed programming language that has a standard meaning. And unlike legal contracts, the code behind smart contracts can’t be reinterpreted after the fact. This somewhat binary concept is often referred to as “code is law”.

Smart contract bugs 

Readers who have been involved in any kind of contract dispute have probably predicted a potential vulnerability here. In the same way that a poorly-worded legal contract can leave you exposed, smart contracts are only as reliable as the code used to create them, so a poorly-written smart contract can be exploited by hackers. This is particularly important with crypto-assets, as blockchain transactions are immutable and cannot be reversed, so the stakes are higher.

As smart contracts are written using specialised programming languages (Solidity being one used on the Ethereum blockchain), it’s not really feasible for the average investor to create them from scratch. This means that most smart contracts are created from templates, using standard libraries of code, or created by specialists. Again, this isn’t too dissimilar from legal contracts, where most people would retain the services of a lawyer to draw them up.

Therefore, if a bug does exist within a smart contract, it can be used by hackers to obtain substantial sums of crypto-assets, since many of them work in a similar fashion. For example, in December 2021, a hacker stole $31m due to what was described as a “really stupid” bug in a crypto start-up’s smart contracts, and in July, hackers exploited a vulnerability in ChainSwap’s smart contract protocol to obtain $8m worth of crypto-assets. In their 2022 Crypto Crime Report, Chainalysis noted that these types of hacks represent over 50% of all funds stolen from DeFi protocols in 2021. The same type of “logic bugs” and application vulnerabilities we see with traditional IT systems is now impacting millions of dollars.

Investors’ tools for protecting themselves from these sorts of bugs are somewhat limited. Ideally, a security audit from a respected group would be conducted to identify these kinds of vulnerabilities, but even these aren’t foolproof. As this isn’t always available, or even practical for smaller projects, one alternative is to ensure that you use established and reputable DeFi platforms, which have undergone multiple independent security audits, to minimise risk.

Oracle price manipulation 

As discussed earlier, smart contracts are simply computer code that executes across crypto-asset networks. In many cases, these contracts will look to see if a certain condition has been met by the data on the blockchain (e.g. a certain amount of crypto-asset transferred from wallet A and wallet B).

However, some smart contracts might need to make use of data that isn’t stored on the blockchain (e.g. exchange rates or flight arrival times). These would make use of a special kind of smart contract known as an oracle. These contracts act as a bridge to the data from the “outside world”. This would, for example, allow a smart contract to be written that immediately transferred an amount of compensation to all passengers on a flight if the flight was cancelled or delayed, with an oracle providing access to the flight status information.

One use of an oracle contract is for allowing smart contracts to understand the current exchange rate between two crypto-assets. This is important for decentralized exchanges involving two crypto tokens, as the smart contract performing the exchange needs to know which price to apply. Here, there is something of a trade-off between speed and security. The oracle needs to source a price that’s not only sufficiently up to date to protect against arbitrage, but also protected from price manipulation.

If an attacker understands the mechanism by which the oracle is calculating this value, it is possible for them to artificially manipulate this price by executing large transactions on the exchange. Being able to manipulate the price opens avenues for the attacker to make a profit and extract funds from the protocol.

The exact mechanisms can be quite complex, but they include abusing a special kind of smart contract known as a lending protocol, where users can use one cryptocurrency as collateral to borrow another cryptocurrency. For example, a user might use Ethereum to borrow a stablecoin such as Tether for short-term spending, removing the need to sell Ethereum directly. If an attacker is able to manipulate the exchange rate, they may be able to borrow significantly more of the currency, potentially exceeding the value of the collateral asset by many times. In some cases, attackers leverage “flash loans” to execute this attack within minutes or seconds – often within a single “block” of transactions. Chainalysis’ 2022 Crypto Crime report noted that lending platforms lost $923m in 2021 due to thefts of this and similar types.

Conclusion 

With all of the technological and financial advancements in the world of DeFi, there are just as many risks. Sophisticated actors can manipulate a completely unregulated market. These assets are also relatively high-risk investments. However, many of the steps that investors can take to protect themselves remain relatively familiar in concept:

• Do your homework – Before entering into an investment, understand a little more about the asset you’re buying and the team behind it.
  
  
• Use established and reputable platforms – It’s not realistic for the average investor to review smart contracts, so by using DeFi platforms with long track records and multiple security audits behind them you can gain some comfort that they’ve shaken the bugs from their system.
  
  
• Know what you’re signing – Attackers will attempt to trick you into “signing” or approving a different wallet to spend your funds, which can lead to an immediate loss.
  
  
• Diversify – In spite of whatever best efforts an investor might take, there’s no way to remove risk entirely. It’s something of a no-brainer to say it’s sensible to not have all your crypto-eggs in one basket, in the event that one of them should fall victim to an attack.
  
  

Note: This article is not intended to constitute financial advice, nor does any information in this article amount to a full or complete statement of the matters discussed or the investment risks relating thereto.