CoinFabrik: Hacks, Exploits, and How to Avoid Them. Podcast Key Takeaways.
The latest episode of the Aleph Zero Podcast finds us meeting with CoinFabrik’s Ariel Waissbein, who will share his insights into the world of Web3 hacks and what best practices builders should adopt to stay safe.
TL;DL
Too Long; Didn’t Listen
- Ariel Waissbein has a background in mathematics and has been working in cyber security for over 20 years.
- His primary fascination is finding bugs, researching vulnerabilities, and learning how weaknesses are introduced into code.
- He is part of CoinFabrik’s auditing team.
- As of October 2023, $1.4 billion was lost to hacks in the Web3 space.
- Hacks in crypto occur most commonly in the DeFi space.
- Many exploits occur due to the novelty of the technology and the lack of best practices enforced on an industry-wide scale.
- The sector of the crypto industry which has been subjected to the most significant number of attacks is the DeFi space.
- Retrieving hacked funds is difficult but not impossible. Strategies to retrieve hacked funds include:
  - Issuing rewards to the hackers for returning the stolen funds and not pressing criminal charges against them.
  - An investigating body tracking down the hackers and forcibly retrieving the stolen assets.
- The traceable nature of blockchain also makes it possible to blacklist certain addresses quickly, making it very difficult for hackers to move stolen assets from these compromised wallets.
- Audits are the final stage of creating a secure product. First, projects should invest as much time and energy as possible to ensure the code is free from bugs before introducing an audit.
- The code should be audited again every time significant changes are made.
- CoinFabrik not only provides audits but has also developed a program that helps developers find bugs in smart contracts coded in the ink! language. This program is called Scout.
- Ariel believes that as security practices become firmly entrenched among the large Web3 companies, hackers will move to attack smaller Web3 businesses that cannot afford costly security measures.
The Web3 Security Landscape
CoinFabrik is a Web3 auditing and cybersecurity firm that has been heavily involved in creating novel safety solutions for decentralized products. Cybersecurity in the blockchain space is a hot-button issue as the crypto industry is in need of state-of-the-art security features to prevent hacks and exploits that have cost the space over 1.4 billion dollars as of October 2023. However, as noted by our guest Ariel Waissbein, this is a much lower figure than the losses from cybercriminals’ attacks in 2022. The most threatened sector of Web3 is the DeFi space, which is subjected to 70% of all attacks, with many attacks happening on the bridges meant to connect different blockchain ecosystems. Ariel also stressed during the episode that exploits occur as often as they do because of the novelty of the technology and a lack of industry-wide best practices adopted by the space.
What Happens After a Hack?
During the episode, Mateusz Raczynski asked Ariel about the possibility of retrieving hacked funds once an attack occurs, to which Ariel answered that there are several steps a Web3 entity can take if such an event occurs. Namely, many crypto companies offer a reward to the hackers in exchange for dropping criminal charges and returning the stolen assets. Another course of action is involving the authorities, who try to locate the hackers and force them to return what was taken. This, of course, can be made more difficult by the international dispersion of black hat hackers. Fortunately, the traceable nature of blockchain technology means that it is possible after an exploit to track the route the criminals took as they attempted to move the money off-chain. This traceability means that a company that has been attacked can blacklist the wallet address to which the money has been moved, effectively limiting a hacker’s options in exchanging the money for fiat. Ariel also noted during the episode that hackers work primarily in groups and are highly organized. Lone wolf hackers are exceptions and are more likely to be found in pop culture imaginings than in real life.
Auditing and Securing the Blockchain
Auditing is one of the most critical steps for a company to take when releasing a Web3 product; however, as mentioned by Ariel, it should be one of the last steps a project takes before product release. Audits should only be done after multiple and thorough internal code reviews, during which the developer team should mop up any apparent vulnerabilities. This ensures that the auditing team does not waste time noting down the most obvious weaknesses. After an audit, the developer team will receive a report on the discovered issues and may receive guidance on how to fix them. This practice should be conducted every time significant changes to the smart contract are introduced. Although this process is costly, it is much less costly than the potential damage inflicted by cybercriminals. Ariel also stressed that, in the end, both internal and external code reviews are conducted by humans, and mistakes still can result in exploitable vulnerabilities. This is why repeated efforts to find mistakes are necessary, which can be bolstered by using linters, developer tools used to find errors in code. One such linter is Scout, designed by CoinFabrik to find mistakes in smart contracts written in the ink! programming language.
Revolutionizing Smart Contract Security With CoinFabrik’s Scout
Over the course of its existence, CoinFabrik has been working hard to protect tokens, crowdfunding campaigns, and decentralized applications and has audited over 200 Web3 projects to date. Recently, CoinFabrik has been working on and deploying Scout, a linter whose development was financed by the Web3 Foundation and Aleph Zero Foundation. The process through which it was developed is almost as interesting as the final product itself. Due to the novelty of ink!, there wasn’t a vast library of errors through which CoinFabrik could build the vulnerability detectors that power Scout. This resulted in CoinFabrik putting a lot of effort into creating its own library of corrupted, poorly coded smart contracts that were full of exploitable vulnerabilities. As more audits are conducted, the team learns more about the possible weaknesses hiding in the ink! language, and Scout will be modified to reflect this increased awareness.
The Future of Web3 Security
The last minutes of the episode were dedicated to discussing the future of blockchain security. As disclosed by Ariel, as defensive tools become better, so do the ones used by attackers. Also, as rigorous security practices are adopted industry-wide, Ariel believes it will force hackers to refrain from attacking big companies that can afford to adopt a wide range of security features. Their efforts will be redirected toward those firms and projects that may employ less diligent safeguards. An interesting point put forth by Ariel is that the problems we worry about today won’t be the cyber security issues of the future, similar to the way modern cybercriminals don’t employ the same attack vectors used by those circa the year 2000. The space is constantly evolving, and white hat hackers and cybersecurity specialists must always be one step ahead to ensure the safety of web users.
This article was first published on the Aleph Zero Blog on January 25th, 2024.