A short history of smart contract hacks on Ethereum
A.k.a. why you need a smart contract security audit
It is a truth universally acknowledged, that a smart contract (about to be) in possession of a large amount of money, must be in want of a security audit.
— ‘Not’ Jane Austen
Last week, in what can only be described as a crypto-comedy of errors, parody pyramid scheme PoWHCoin first somehow racked up over a million dollars in Ether in its smart contract, before losing it all to a hacker who exploited a flaw in the code. Just hours before this, a clone of PoWHCoin—also by the same developers—froze 1 million dollars worth of Ether in its smart contract, thanks to, you guessed it, buggy code.
While PoWHCoin’s creator might have shrugged off the incident chuckling, “everyone is stuck HODLING now,” and you might not care to sympathize with those stupid enough to put thousands into a meme-coin, there is a smart contract security lesson to be learnt here.
In the relatively short history of Ethereum, roughly half of all major disasters have been smart-contract related—Much of the other half has comprised of scams and shady dealings.
1 — The one that looms large, and most recent, is the Parity freeze—when a user accidentally triggered a bug in the smart contract of cryptocurrency wallet provider Parity, freezing more than 513,774.16 ETH.
2 — A few months before that, in June, Parity’s multisig wallet had already been the target of a hack, where a smart contract vulnerability was exploited to steal 150,000 ethers from user accounts.
3—The grandaddy of all Ethereum hacks, though, has to be The DAO: the distributed autonomous organization comprised of a series of smart contracts intended to democratize how Ethereum projects were funded. In June 2016, The DAO was hacked, and 3.6m Ether (15% of all ether in circulation at the time) was drained from its smart contracts, exploiting a code vulnerability that New Alchemy’s Managing Director Peter Vessenes was one of the first to point out. The only way to recover the funds lost in the hack, and effectively go back in time, was for Ethereum’s codebase itself to be reset through a hard fork—leading to the creation of Ethereum Classic, which preserved the original version of the blockchain that included the hack.
Smart Contracts are the crux of all Ethereum DApps and Token Sales. They’re essentially programs designed to execute automatically and enforce a set of rules autonomously. And they’re totally unchangeable once deployed on the blockchain— a quality that makes smart contracts uniquely reliable and trustless, but also a precarious minefield.
Coding for the blockchain is a relatively new field, without many security standards, documentation, or best practices to draw on. It’s also the ultimate test of defensive software engineering—Smart contracts can end up controlling tens of millions of dollars, making them a target for attackers. The usual software development cycle of a continuous write-release-fix loop falls short when it comes to the blockchain. Smart contracts need to be constructed 100% right in one shot, able to withstand years of security attacks with code you can’t really modify. They have to be extensively planned, considering all logical permutations, accommodating all possible exceptions, and meticulously implemented. Get the order of code wrong (as in the case of The DAO hack) or forget to initialize something (as in the Parity Freeze) and you could have an ‘unchangeable’ disaster on your hands, immortalized on the immutable blockchain.
Prompted by this fear, security audits are thankfully becoming the industry de-facto, and a way for projects to gain contributor trust. Any good project worth its code will have done a security audit. Many will have done three. Why? Because, paradoxically, you don’t really know if someone has done a good job on your audit, until you’ve been hacked.
The solution? Get experienced programmers to audit your smart contract. Look at the audits they’ve done in the past. Have any projects they’ve audited been found to have vulnerabilities afterwards? Do they have a track record of spotting holes that others have missed? Are they well-reputed in the field? It’s not about how many folks you get to check your smart contract, it’s about getting the best ones. This isn’t something you want to leave in the hands of Solidity newbies and self-proclaimed experts. As The DAO creator Christoph Jentzsch said, after the smart contract was infamously hacked,“If you don’t know what to look for in a security audit, you won’t find it.”
New Alchemy is a strategy and technology advisory group specializing in tokenization. One of the only companies to offer a full spectrum of guidance from tactical technical execution to high-level theoretical modeling, New Alchemy provides technology, token game theory, smart contracts, security audits, and ICO advisory to the most innovative startups worldwide. Get in touch with us at Hello@NewAlchemy.io