Smart Contract Security Overview for the Web3 Community
Intro to Smart Contract Security: A Brief History of Cybersecurity
In 1989, the first ransomware attack was recorded in history. With the intention of extorting people for their money, Joseph Popp created a malware called the AIDS Trojan, which was distributed through his postal mailing lists using a floppy disk. While the 1989 AIDS Trojan suffered from poor design and was easily removable, both cyber-attacks and cybersecurity have evolved significantly in complexity since then.
The first major breach in the crypto world was when Mt. Gox, a Tokyo-based bitcoin exchange handling more than 70% of bitcoin transactions globally, was hacked several times in 2011 and 2014 for a total of ~$460M at the time. The CEO of the exchange, Mark Karpeles, did not use any version control software for the site’s source code, so any coder could accidentally overwrite the site’s code, leaving the entire system vulnerable.
2022 Web3 Hacks
Nearly $2bn has been lost due to hacks during the first half of 2022, according to Blockchain security firm Beosin. This figure is up 60% from H1 2021. The chart below exhibits the largest hacks this year.
Beosin’s report noted that the most common hacking techniques are smart contract vulnerability exploitation and flash loans. It also noted that only 52% of the attacked projects were audited.
Although DeFi accounts for 79.2% of attacks, hackers are also targeting individual crypto and NFT users. Recently, an experienced DeFi user lost approximately 500k USDC by interacting with a malicious smart contract that drained their entire address. @korpi gives a breakdown of how this happened in the below twitter thread.
So What Can Be Done About All This?
There are several measures Web3 projects can take to prevent attacks. Auditors provide smart contract security assessments and scores to notify founders, investors, and the crypto community of how secure a project’s code is before using or investing in the project. Testing tools run comprehensive, in-depth attack simulations in a safe and controlled environment to expose weak spots and complex vulnerabilities. Bug bounty programs partner with ethical hackers to discover and report bugs in websites and web apps that are available to the general public in exchange for a monetary reward. They are relatively cheaper than pentest programs since the hackers are paid per bug found. There are also online tools for wallet users to check the validity of smart contracts they’re interacting with.
Auditors strive to identify vulnerabilities in blockchain code and recommend ways to fix them. One of the ancillary benefits for projects to get audited is gaining trust within the industry. It is now commonplace for venture investors to ask for audits as part of their due diligence, not only to ensure the project’s security is sound, but also because trusted projects with audits are likely to see more community adoption. There are several different types of audits including smart contract, blockchain protocol security, and dApp security audits. The most notable auditors are Hacken and Certik.
Automated testing tools are available to smart contract developers to uncover common vulnerabilities, although projects are still encouraged to obtain an independent smart contract audit for thorough analysis. There are three different types of penetration testing: black, gray and white-box testing. During black-box testing, the tester is given minimal knowledge of the target system. This test is the quickest to run and determines vulnerabilities that are exploitable from outside the network. Gray-box pentesting examines security inside the perimeter as it simulates an attacker with longer-term access to the network. Lastly, during white-box testing, the tester is given a large amount of knowledge and granted full access to the system. This test provides a comprehensive assessment of both internal and external vulnerabilities. Projects often test all three methodologies to identify vulnerabilities in different situations, as less informed hackers could exploit the project in a different way than a hacker with full system access. Some testing tools are offered by audit companies like Certik, Hacken, and Consensys.
Companies select bug bounty services based on three main criteria: size and trustworthiness of ethical hacker community, pricing, and reputation/track record. While companies like Hacken and Immunefi both have a 10% performance fee (charged on top of the payout) for vulnerabilities found, Certik offers a 0% fee model that reduces payout pressure for projects and allows ethical hackers to receive the full bounty, incentivizing them to continue partnering with Certik. Other players in the space include SlowMist and Code4rena.
Hack / Scam Prevention For the Web3 Community
While there are auditors and testing tools for developers to help make their projects safe from attackers, the landscape is different for individual crypto and NFT users. Wallet users must rely on their own smart contract knowledge, or various tools that are able to instantly scan a contract to detect honeypot scams or rug pull risks, i.e. TokenSniffer, RugScreen, and RugDoc. Even with these tools available, there is a dire need for wallet features that prevent users from interacting with nefarious smart contacts. Luckily, there are a few startups working on just that!