Crypto Attacks of 2022

Dec - 17
2022

Crypto Attacks of 2022

whl

Crypto hacks of 2022 focused almost exclusively on DeFi protocol. Attacks didn't target the blockchain technology itself. Instead, they targeted cross-chain exchanges where crypto of one blockchain could be exchanged for crypto of another. The damages are astonishing: almost 3bn stolen in crypto in 2022 !

Cross-chain exchanges or crypto bridges function as way to exchange crypto in between different blockchains. Normally the credit is issued on the destination blockchain and funds are placed in the special address on the source blockchain. This is where the concept of wrapped crypto originates. Wrapped BTC is a token on Ethereum blockchain that holds the value of BTC and could be used to exchange for ERC-20 tokens.

Major Incidents of 2022

Name Amount Stolen Month Weakness Exploited
Ronin Network $625MM March Lack of decentralization, Interconnected validators
Wormhole Bridge $325MM February Lack of input validation
Nomad Bridge $190MM August Deployment mistake
Beanstalk Farms $182MM April Protocol governance flaw
Wintermute $162MM October Weak wallet address generation algo
Mango Markets $100MM October Price manipulation via Flash Loans

Ronin Network

Ronin's proof-of-authority system, centralized in just nine validator nodes, is the key to its ability to provide a higher volume of transactions at a much lower cost than the proof-of-work ethereum network. Ronin network only had 9 validators instead of the entirety of nodes on the blockchain. An attacker was able to compromise 4 Ronin validators and find a backdoor to an external validator, having the majority to approve 2 illegitimate transactions that resulted in a loss of over $625MM.

Wormhole Bridge

Attacker cleverly exploited the lack of validation on auxillary input field of a signature validation function to execute its own code that minted out-of-blockchain wETH coins to be later converted to real ETH blockchain currency. The root problem was in usage of deprecated 'load_current_index' function that would skip input validation, instead of using 'load_current_index_checked' function that included validation.

The intent to patch the issue became public in form of commited GitHub code right before the attack. It can be inferred that the attacker kept a close eye on a GitHub repository to look for any upcoming security patches before they got deployed.

Nomad Bridge

Nomad Bridge was hacked due to a mistake in the code that allowed anyone to take a valid transaction and change the recipient to attackers address. That would result in wrapped crypto being transferred in the attackers account. First attack transferred 100 BTC, others followed since everybody discovered vulnerability. The bridge was drained in a matter of days.

Replica contract was mistakedly initialized with `commitedRoot` value of zero. That allowed anyone to validate transactions by calling process(byte memory _message) function with an arbitrary "_message" to bypass the verification.

acceptableRoot function would always return true and let the function succeed instead of failing.

Beanstalk Farms

The attacker used a flash loan to accumulate a large amount of Beanstalk's native governance token STALK, which he then used to pass his own governance proposals (BIP-18 and BIP-19). These proposals asked the protocol to donate funds to Ukraine, but instead sent the funds to the attackers wallet.

Wintermute

Wintermute was a subject to an attack that resulted in 162.5MM in losses. The exploited weakness seem to have been the tool that generates Wallet addresses: Profinity. Due to security flaws of Profinity it was possible to decipher the private key from the wallet address. Attacker redirected funds using a brute-forced private key from Profinity generated wallet address.

Mango Markets

Solana DeFi Platform Mango Markets has been exploited by its primary function: Loans. DeFi platforms allow for taking out Flash Loans that have to be repaid before the end of block. That gives lenders about 10 minutes to repay them. DeFi is no stranger Price Oracle Manipulation with Flash Loans exploits, this is one of them.

The attacker made a substantial deposit of $5MM USDC and bought MNGO-PERP token. The prices of MNGO-PERP rose drastically in just few minutes which lead to collateral value of his account to go up. Attacker then took out massive loans and withdrew the funds.

We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation. We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves.

The attack was made possible by a combination of lack of liquidity of token markets that are susceptible to manipulation and the fact that a volatile token can be considered a collateral for a loan.

Other typical crypto hacks

Reentrancy

Reentrancy is when a procedure can be interrupted mid-way and "re-entered" or executed from the start in again, with the condition that both interrupted and re-entered execution complete successfully.

Business Logic Flaws

Most of the DeFI hacks are made possible by flaws in the business logic represented in code. It may be lack of input validation or ability to call any method of the DeFi platform by reference or ability to use the same token on both sides of the transaction, like it was demonstrated in 2021 MonoX Finance hack:

Conclusion

Crypto infrastructure is experiencing growing pains due to one of its virtues: Automation. Code is written by humans and when a human makes a mistake in code, it leads to exponential risk exposure of millions of lost funds. There are processes to prevent that, like SAST, DAST, SDLC. The bottom line, code updates require a review by other humans who will look at it from the perspective of an attacker.

Crypto holds real value, however many perceive it to still be somewhat of a game currency.

P.S.

If you need a risk assessment for your Smart Contract, Crypto Platform or Exchange, don't hesitate to request a quote from us here