According to various reports, the Solana-based trading and lending platform Mango Markets was hacked as a malicious actor was able to siphon $117 million from the protocol. An analysis of the hack published by Certik explains that the attacker manipulated the price of the project’s native token mango (MNGO) which allowed them to borrow $117 […]
Major hack on play-to-earn crypto games a ‘matter of time:’ Report
According to a cybersecurity auditing firm, GameFi projects are putting “profits above security” and pose a great risk to the projects and their users.
“Unsatisfactory” cybersecurity measures among play-to-earn (P2E) crypto games pose a great risk to GameFi projects and their gamers alike, warns blockchain cybersecurity auditor Hacken.
In a Monday report shared with Cointelegraph, Hacken said that data indicates that GameFi projects, the category which P2E games would fall under, often “put profits above security” by releasing products without taking appropriate precautions against hackers:
“GameFi projects [...] do not follow even the most essential cybersecurity recommendations, leaving malicious actors numerous entry points for attacks.”
P2E games often incorporate nonfungible tokens (NFTs) in their ecosystems in addition to crypto. The largest projects, such as Axie Infinity (AXS) and StepN (GMT), use a wide array of products designed to enhance the gaming experience, such as token bridges, blockchain networks or physical merchandise.
Hacken researchers found, based on data collected by crypto security ranking service CER.live, that there were severe deficiencies in GameFi cybersecurity in particular. Out of 31 GameFi tokens studied, none received the top security ranking AAA, while 16 received the worst score, D.
Rankings for each project were determined by weighting various aspects of their cybersecurity, such as token audits, whether they have a bug bounty and insurance and if the team is public.
Hacken’s report explained that GameFi projects typically scored low as it found that no P2E projects had insurance coverage, which could help projects recover funds immediately in the instance of a hack.
The lack of insurance is partially confirmed by crypto insurance firm InsurAce’s chief marketing officer Dan Thomson, who told Cointelegraph on Thursday that it was not covering any P2E projects.
The report also found that only two projects have an active bug bounty program in place. Axie Infinity and Aavegotchi have bug bounties that award monetary compensation to white hat hackers for finding bugs in the project’s code.
Finally, it found that while 14 projects have received a token audit, only five have completed a platform audit which could find potential security holes in the project’s entire ecosystem. These include Aavegotchi, The Sandbox, Radio Caca, Alien Worlds and DeFi Kingdoms.
The report also pointed to token bridges as a vulnerability for P2E games. Axie Infinity’s Ronin token bridge was the site of one of the crypto industry’s largest hacks ever when it lost over $600 million in tokens in March.
Related: $2B in crypto stolen from cross-chain bridges this year: Chainalysis
As P2E games grow in popularity, there will likely be an increase in the number of security exploits and dollar value stolen from projects, said Hacken. The firm has advised gamers to perform their own security check of projects before sinking a large sum of money into them:
“And, of course, keep in mind that investing in P2Es remains a potentially profitable but quite risky affair.”
On Wednesday, crypto analyst Miles Deutscher asked rhetorically where the next crypto security concern may come from. Deutscher may have his answer.
> We went from:
> Meme coins not being safe
> DeFi ponzis not being safe
> Stablecoins not being safe
> Top 10 L1s not being safe
> Bridges not being safe
> CEXs not being safe
> Wallets not being safe
> What's next..
— Miles Deutscher (@milesdeutscher) August 4, 2022
Solana and Ethereum smart contract audits, explained
What are smart contract audits, how do they work, and how do they benefit the crypto projects who get their code scrutinized? Let's find out.
Do smart contract audits improve crypto's image?
Blockchain technology is becoming a bigger part of all our lives — and auditors like Hacken are ensuring that crypto projects put their best foot forward.
Improving the quality of smart contracts helps reduce those unpleasant headlines about major hacks in the press, and boosts the reputation of crypto projects in the public's eyes.
Once an investigation has taken place, Hacken offers labels to ensure verified projects can declare they're audited by Hacken on an official website.
Reports are also attached to a crypto project's official presence on major websites such as CoinMarketCap and CoinGecko.
The most common types of contracts that the company interacts with include token, token sale, exchange, ERC-721, swap farming, staking, ERC-20, BEP-20 and reward pool.
Already a member of the Enterprise Ethereum Alliance and Solana Foundation, Hacken has its sights set on winning a 20% share of the Web3 cybersecurity market by 2024.
And how long do smart contract audits take?
It's a process that takes several weeks — depending on how quickly a crypto project works.
Hacken says initial audits typically take 2 to 14 days depending on a smart contract's complexity and size… and if it's urgent, these investigations can be expedited. Again, for larger protocols, it might take longer — 30 days in some cases.
At this point, a project will be given recommendations on what needs to be fixed — and how quickly these changes are made will depend on them. Auditors like Hacken then offer a remediation check to ensure all of the vulnerabilities have been patched over to a high standard.
How much do smart contract audits cost?
As you might expect, this depends on how complex a smart contract is.
According to Hacken, this can extend to $500,000 for larger projects where there are more lines of code — not least because of the additional engineering hours it'll take.
The company argues these costs pale in comparison with the economic damage that a smart contract vulnerability can bring.
Hacken cites data showing that, in 2021, 80% of the incidents affecting decentralized applications related to smart contracts — with losses hitting $6.9 billion.
Breaking this down further, the average cost per affected project stands at $47 million. Somehow, $500,000 looks a lot less expensive now.
Overall, 60% of its clients have been based on Ethereum so far in 2022.
And here's the difference it can make — after an audit, at least one critical bug was uncovered in 80% of projects. But Hacken says just 75% have fully acted on an audit report in the past — with the remainder ignoring the conclusions, or only taking a small number of recommendations into account. As a result, they had a lower security score.
How do smart contract audits benefit crypto projects?
Audits are vital for ironing out any kinks in a crypto project, and ensuring code is ready to be used by the masses.
Hackers were responsible for stealing $1.3 billion in 78 incidents across the first quarter of 2022 alone, and two-thirds of these attacks were on the Ethereum and Solana blockchains.
But what causes certain projects to be targeted… and how could a smart contract audit have helped them?
Well, common reasons include crypto projects prioritizing speed — and failing to factor in time for a comprehensive audit from a dependable provider.
They may also rely on their own in-house teams to perform security checks. And although this looks financially sensible, there's a danger that internal staff may not be up to date on the latest hacking techniques used by malicious actors.
Inevitably, some will also believe that they are too good to fail. But complacency is enemy number one in the crypto space, and even the finest projects can fall victim to a hack.
Are Solana smart contract audits different?
Smart contract audits will vary slightly depending on the blockchain the code is based on.
Common security vulnerabilities on Solana can include missed ownership checks, meaning attackers can use fake configurations to bypass access controls.
And while smart contracts can call functions from external smart contracts, validation failures could mean black hat hackers get an opportunity to supply malicious inputs that affect how the code operates.
Top auditing firms will assess a Solana smart contract based on documentation quality, security, architecture quality and code quality. Vulnerabilities are assigned a severity level too, meaning business-critical issues can be tackled first.
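The missed ownership check mentioned above, shown as an added example that is not Hacken's or the Solana project's code: a minimal stand-in for the account model a Solana program sees (real programs use solana_program's AccountInfo; the struct, the config layout and all keys here are assumptions for the illustration), with the unchecked handler beside the hardened one that an auditor would expect.

```rust
// Minimal mock of Solana's account model (assumed for this example).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 4]); // shortened key, enough for the example

pub struct AccountInfo<'a> {
    pub owner: Pubkey,   // the program allowed to write this account's data
    pub is_signer: bool, // did this account's key sign the transaction?
    pub key: Pubkey,
    pub data: &'a [u8],  // raw account data
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError { IncorrectProgramId, MissingRequiredSignature, InvalidAccountData }

/// Assumed config layout: bytes 0..4 hold the admin's key.
fn admin_from_config(data: &[u8]) -> Result<Pubkey, ProgramError> {
    match data {
        [a, b, c, d, ..] => Ok(Pubkey([*a, *b, *c, *d])),
        _ => Err(ProgramError::InvalidAccountData),
    }
}

fn require_admin(config: &AccountInfo, caller: &AccountInfo) -> Result<(), ProgramError> {
    if !caller.is_signer || admin_from_config(config.data)? != caller.key {
        return Err(ProgramError::MissingRequiredSignature);
    }
    Ok(())
}

/// Vulnerable: trusts whatever account is passed in the "config" slot. Anyone can
/// create an account owned by a program they control, write their own key into
/// its data as "admin", and pass it here to satisfy the access control.
pub fn admin_action_vulnerable(_program_id: &Pubkey, config: &AccountInfo, caller: &AccountInfo) -> Result<(), ProgramError> {
    require_admin(config, caller)
}

/// Hardened: only an account owned by this program can have been written by this
/// program, so checking the owner rejects forged configs before reading them.
pub fn admin_action_checked(program_id: &Pubkey, config: &AccountInfo, caller: &AccountInfo) -> Result<(), ProgramError> {
    if config.owner != *program_id {
        return Err(ProgramError::IncorrectProgramId);
    }
    require_admin(config, caller)
}

/// Constructed scenario: a config account owned by some other program whose data
/// names the caller as admin. Returns (vulnerable result, hardened result).
pub fn forged_config_scenario() -> (Result<(), ProgramError>, Result<(), ProgramError>) {
    let program_id = Pubkey([1, 1, 1, 1]);
    let caller_key = Pubkey([9, 9, 9, 9]);
    let forged_data = caller_key.0; // caller's own key written in as "admin"
    let forged = AccountInfo { owner: Pubkey([7, 7, 7, 7]), is_signer: false, key: Pubkey([5, 5, 5, 5]), data: &forged_data };
    let caller = AccountInfo { owner: Pubkey([0, 0, 0, 0]), is_signer: true, key: caller_key, data: &[] };
    (admin_action_vulnerable(&program_id, &forged, &caller), admin_action_checked(&program_id, &forged, &caller))
}
```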
How does an Ethereum smart contract audit work?
The best security firms will put code through stress tests to see how they perform in a range of scenarios.
Experts say it's important for a project to provide a complete and clear technical specification — and ideally, offer documentation of the deployment process.
These audits aren't just about uncovering issues that black hat hackers could take advantage of, but flaws that could stop an Ethereum smart contract from working correctly.
The attack vectors being scrutinized can get rather technical — but they include replay attacks, where valid data transmissions are repeatedly made by malicious actors in order to execute fraudulent activities. Others include reentrancy attacks, reordering attacks and short address attacks.
Once an investigation has been completed, crypto projects receive a detailed report of the vulnerabilities within their code — alongside recommendations on how to mitigate their impact, or eliminate them altogether.
As a result, the resources saved through an effective audit can far outweigh the cost… and it can avoid reputational damage, too.
What is a smart contract audit?
Smart contract audits involve scrutinizing the code of crypto projects — highlighting security vulnerabilities.
Smart contracts are a crucial cog of the crypto ecosystem — and they've unlocked a plethora of use cases for blockchain technology.
But for developers who are furiously writing code, safety needs to be a number one priority. Smart contract exploits can put user funds at risk, and we've all seen headlines of high-profile hacks where eye-watering sums of money were lost.
An audit allows an independent organization to kick the tires of a smart contract, and detect vulnerabilities before they're spotted by malicious actors. This can help crypto projects to achieve credibility, all while giving users peace of mind. Audits are typically done before smart contracts are deployed, as they can be difficult to fix once uploaded to a network.
Smart contracts are commonly found on blockchains including Ethereum and Solana.
Lack of transparency among project auditors a big problem: Hacken CEO
Dyma Budorin thinks the crypto industry would be much safer if smart contract auditors took responsibility for the code they audited.
Smart contract auditing firm Hacken CEO Dyma Budorin thinks Web3 cybersecurity providers are failing the crypto industry and that “huge blind spots” in market practices are impacting investor behavior.
Budorin believes a lack of accountability and transparency in the audits many providers perform falls short of reassuring users and projects.
Currently, smart contract auditors take no accountability if a token they have audited gets hacked due to a bug in the code. Unsettlingly, most of the largest hack events in 2022 occurred on projects that were audited by third parties.
In a call with Cointelegraph on Apr. 27, Budorin said this makes him uneasy as it compromises the growth trajectory of the Web3 cybersecurity industry which is already lagging far behind non-crypto equivalents according to a report from Hacken.
Web3 auditors take a deep dive into the code of a token in search of threats of varying severity. These audits do not assess other factors like the viability of a business model, team experience, and others.
Budorin explained that “auditors have a lot of responsibility” which is being ignored because the money is coming in and there is no public outcry for better products. However, to him, the services they provide are inadequate, as he says
“They are missing tests, accountability, and transparency in ratings of cryptocurrencies.”
Even in the rare instance that a project wanted a more robust audit, they would not be able to get it from cybersecurity firms in Web3 because Budorin says “currently in Web3 cybersecurity, there are no companies offering recurring audits” that happen monthly and go into much more depth about the project.
“Right now, the best market practice is to get a token audit and that’s it.”
Budorin used token bridges as an example to demonstrate the dangers of an industry without thorough auditing mechanisms. Two of the largest crypto hacks so far in 2022 took place on token bridges Wormhole and Axie Infinity’s Ronin Bridge which lost a combined $920 million.
While hindsight is always 20/20, it is likely that a full scope audit of any of the bridges that have been hacked this year including Wormhole, Ronin Token Bridge, Qubit’s QBridge, and Meter’s Meter Passport, could have prevented disaster.
In addition to apparent bugs in the code, Budorin said that token bridges further illustrate how there are “a huge amount of blindspots” in cybersecurity because “There is no way of knowing who is responsible for the keys, who mints new tokens, if the tokens are properly bridged, and so on with no transparency.”
Related: Plan for $1M bug bounties and double the nodes in wake of $600M Ronin hack
Budorin feels that for the Web3 cybersecurity scene to really change, some onus rests on retail investors. In his view, more transparency with reliable information from accountable sources “requires a paradigm shift from crypto investors,” who tend to invest in hyped-up projects.
This shift could be sparked by greater availability of information from thorough full-project audits that take into account the team, platform functionality, and other technical aspects rather than just the token.
Currently, data aggregators CoinGecko and CoinMarketCap are the outlets of choice for investors to find information about a project. However, Budorin says those platforms are flawed because “projects are manipulating their data” to show very high or very low market caps. He believes that will eventually change as auditors evolve to fill the negative space.
“When there is more efficient information about the accountability of blockchain companies that issue a token, [investors] will start to compare fundamentals rather than hype.”