Hackers have compromised more than 14% of the Bitcoin and Ether supply, according to Lex Sokolin, global director of fintech strategy at Autonomous Research LLP.
Many of these disastrous hacks have happened due to vulnerabilities in smart contracts. Smart contracts allow the performance of credible transactions without third parties and are commonly used to facilitate transactions on the blockchain. A study conducted in 2015 by Santander Innoventures estimated that “Blockchain could reduce banks’ infrastructure costs attributable to cross-border payments, securities trading and regulatory compliance between $US 15–20 billion per annum by 2022.”
Let’s take a look at a few famous, smart contract hacks.
The DAO Hack
A DAO is a Decentralized Autonomous Organization or an organization that is run through rules encoded as computer programs called smart contracts. Decisions are made electronically by a written computer code or through the voting of organization’s members eliminating the need for documents and people governing and consequently, a system of decentralized control.
In this case, the DAO comprised a series of smart contracts intended to democratize how Ethereum projects were funded. A hacker, realizing a vulnerability, stole 3.6 million Ether by exploiting the fallback function in the code that was exposed to reentrancy. To recover the funds, Ethereum’s codebase had to be reset through a hard fork leading to the creation of both Ethereum Classic and Ethereum as two separate chains.
Parity’s Multi-signature Wallet Hack
Parity made multi-signature (multi-sig) software “wallets” for the management of Ether cryptocurrency. These multi-sig wallets were smart contracts available on an open source basis that required more than one digital signature (private key) before the Ether associated with them could be approved for transfer.
An unknown hacker stole 150,000 ethers, around $30 million at the time, by exploiting the delegatecall and fallback function in the smart contract library for the multi-sig wallets.
Parity User-Triggered Wallet Freeze
Just a few months after the hack in July 2017, a user called “devops199” accidentally exploited a vulnerability in Parity’ smart contract library code for multi-signature wallets freezing more than 513,774.16 ETH.
Parity later explained that devops199 was the first to call the initialization function of the smart contract library code. Consequently, devops199 became the owner and could implement the self-destruct function of the code, making the multi-sig wallets incapable of transferring any Ether they stored the keys to.
Today, researchers estimate that 45% of smart contracts written in Ethereum’s programming language Solidity are vulnerable. Firmo is committed to building the financial infrastructure necessary to securely execute smart financial contracts on the blockchain.