1. Home
  2. HashEx

HashEx

Why DeFi should expect more hacks this year: Blockchain security execs

One reason is that “hackers have gotten smarter, gained more experience, and learned how to look for bugs,” according to the founder of a crypto auditing firm.

Decentralized finance (DeFi) investors should buckle themselves up for another big year of exploits and attacks as new projects enter the market and hackers become more sophisticated.

Executives from blockchain security and auditing firms HashEx, Beosin and Apostro were interviewed for Drofa’s An Overview of DeFi Security In 2022 report shared exclusively with Cointelegraph.

The executives were asked about the reason behind a significant increase in DeFi hacks last year, and were asked whether this will continue through 2023.

Tommy Deng, managing director of blockchain security firm Beosin, said while DeFi protocols will continue to strengthen and improve security, he also admitted that “there is no absolute security,” stating:

“As long as there is interest in the crypto market, the number of hackers will not decrease.”

Deng added that many new DeFi projects “don’t go through complete security testing before going live."

Additionally, a significant amount of projects are now exploring the use of cross-chain bridges, which were a prime target for exploiters last year, leading to $1.4 billion stolen across six exploits in 2022.

The comments mirror those of blockchain security firm CertiK, who told Cointelegraph on Jan. 3 that it doesn’t “anticipate a respite in exploits, flash loans or exit scams” in the coming year.

In particular, CertiK noted the likelihood of “further attempts from hackers targeting bridges in 2023” citing the historically high returns from attacks in 2022.

Crypto auditing firm HashEx founder and CEO, Dmitry Mishunin, said “hackers have gotten smarter, gained more experience, and learned how to look for bugs.”

“The crypto industry is still relatively new, and everyone is growing with each other, so it’s difficult to get too far ahead of bad actors.”

He added the amount of value in some DeFi projects made the industry “very attractive” to malicious actors, and that the number of hacks “is only going to grow going forward.”

Mishuin said these attacks may even spread outside of DeFi, with attackers setting their sights on “crypto exchanges and banks” that enter the market offering “more secure solutions for storing digital assets.”

Related: Crypto’s recovery requires more aggressive solutions to fraud

Smart contract security and auditing firm Apostro co-founder, Tim Ismiliaev gave a more hopeful take, however, as he expects the space to “mature over the next five years, and new best practices for securing decentralized finance protocols will emerge.”

Too long; didn’t read

Interestingly, both Mishunin and Deng noted that many of the post-incident reports provided by blockchain security firms often fail to reach their target audience — blockchain developers.

“The people that read such analyses are average investors that are concerned about their money. Actual blockchain developers are too busy coding; they don’t have time to read stuff like that,” said Mishunin.

Meanwhile, Deng said the reports are usually about “event-based vulnerabilities and related recommendations,” so doesn’t often help other developers as they might still be vulnerable to other exploits.

He admitted, however, that reports on “general vulnerabilities” in DeFi “tend to do a good job of ramping up protection.”

“The reentrancy vulnerabilities are now not as common as they used to be.”

SEC Unveils Plan to Compensate Investors in Mila Kunis’ Stoner Cats

How HashEx is developing new auditing methods to outsmart hackers, as told by founder Dmitry Mishunin

Hackers often manually try to find exploits in underlying smart contracts, and mass AI simulation of attacks in contract auditing may just be enough to outsmart such tactics.

As the cryptocurrency market has grown, so too have the number of bad actors looking to exploit vulnerable decentralized finance, or DeFi, protocols, and projects for their own gain. Earlier this month, the Ethereum-Solana Wormhole token bridge suffered the biggest hack of 2022, with $321 million lost due to a signature verification vulnerability. Such exploits have gotten increasingly sophisticated over the years.

But blockchain security firms like HashEx are keeping up the pace just as hackers upgrade their tactics. During the past few years, HashEx has audited more than 700 DeFi smart contracts that secure over $2 billion worth of investors' funds. One notable project that utilizes HashEx is Trader Joe, a popular decentralized exchange on the Avalanche (AVAX) blockchain. In an exclusive interview with Cointelegraph, Dmitry Mishunin, CEO and founder of HashEx, explains just how the firm is upgrading its auditing process to protect crypto enthusiasts against possible breaches.

The old-fashioned auditing method consists of a manual check and an automatic test of the underlying code. As Dmitry told Cointelegraph:

"Traditionally, a group of auditors manually tests the logic of contracts; they're trying to imagine some inputs values which can break their logic. It's like an Olympic Games for programmers. But this is only good when your auditor is experienced enough."

Sometimes, Dmitry continues, "problems cannot be conjured then tested, as they are do not arise mistakes in the logical flow of code, but from minor errors such as in the Ethereum Virtual Machine, which happens quite often." To overcome this fault, HashEx has derived a new "stochastic (random) testing" method. Using AI, its software generates 1,000 to 100,000 randomized transactions with different trends and parameters to stress-test the smart contract. 

"With random transactions, it looks like a simulation of a person with a crazy idea [commonly descriptive of hackers] creating something to break the contract."

When asked about whether or not there have been any breaches in smart contracts audited by HashEx, Dmitry was very humble in his response. In 2020, none of the firm's audited projects experienced any hacks. But in 2021, two minor incidents occurred out of hundreds of projects that went on to be secure. One project on the Avalanche network had a critical issue in the audited contract and lost about $100k. Meanwhile, Dmitry explained that the other incident wasn't a hack per se, as the contract had a bug that prevented the withdrawals of fees. "It's the real world; sometimes we miss it," says Dmitry.

SEC Unveils Plan to Compensate Investors in Mila Kunis’ Stoner Cats

Critical $20M SafeMoon vulnerability? Project devs say no cause for alarm

One blockchain security firm says its audit of the SafeMoon smart contract has unearthed a potential $20 million vulnerability within the viral meme coin.

Popular TikTok viral “meme coin” SafeMoon could be vulnerable to malicious exploits by hackers on account of purported security vulnerabilities in its smart contract code.

According to a smart contract audit by blockchain security firm HashEx, SafeMoon currently has 12 of such vulnerabilities with five being classified as ranging between being of a “critical” and “high-severity” nature.

As part of its findings, the HashEx audit alleges that SafeMoon is vulnerable to a “Temporary ownership renounce” attack and a subsequent rug pull to the tune of $20 million. According to HashEx, the SafeMoon contract owner is an externally owned account, or EOA, that controls a significant proportion of the coin’s liquidity.

In the event of the EOA being compromised either by internal or external rogue actors, an attacker can drain the liquidity pool. Indeed, the HashEx team alleges that a hacker can temporarily override any attempts by the SafeMoon devs to send the tokens to the burn address.

However, the SafeMoon team has countered HashEx’s findings, telling Cointelegraph that contract ownership is securely held. One SafeMoon developer said that the team was aware of the issue has policies in place to ensure that the owner wallet is never connected to any third-party decentralized applications.

Apart from the potential for a $20 million rug pull, HashEx also identified a few reportedly problematic contract set functions that can allow an attacker to exclude certain users from receiving rewards or distribute rewards to a specific wallet.

Under normal conditions, each SafeMoon token sale attracts a 10% fee with half of that sum distributed as rewards for existing holders. However, HashEx alleges that an attacker can set contract functions like fees, and maximum transaction amounts to any value and siphon 100% commissions from each sale.

In effect, during a possible attack, a hacker can steal proceeds from each token sale and redirect same to specified wallets. Indeed, with all of these alleged vulnerabilities in mind, the blockchain security firm says an attacker can synergize these purported loopholes to launch an elaborate chain attack.

Responding to the HashEx audit, Thomas Smith, chief technology officer at SafeMoon said that the team was aware of the issues having already been intimated by its smart contract auditor Certik.

According to Smith, a hard fork will be required to solve many of the concerns raised by HashEx. Echoing the sentiments shared by the previously quoted SafeMoon dev, Smith stated:

“Addressing these other issues, such as ownership renounce being able to be taken back by the contract deployer, we are never going to renounce and have made our stance on that clear in the past. Internally we have policies and procedures around how the contract operates to alleviate risk of mishandling values, however, you will never see us modify fees or maxTx.”

SafeMoon is currently about 69% down from its April all-time high. Indeed, back in April, Cointelegraph reported that market commentators believed the parabolic price rally of the Binance Smart Chain-based project was unsustainable.

BSC-based projects have increasingly become victims of hacks and exploits as decentralized finance protocols sought to make a home on the Binance chain after sustained periods of high transaction cost on the Ethereum network.

As previously reported by Cointelegraph, BSC DeFi protocol PancakeBunny recently tanked 96% following a $200 million flash loan attack. In April, Uranium Finance — another BSC-native protocol — suffered a $50 million malicious exploit.

SEC Unveils Plan to Compensate Investors in Mila Kunis’ Stoner Cats