Directed Acyclic Graphs (DAGs) have emerged as a promising alternative to blockchain technology. Unlike blockchains, DAGs boast a unique structure where transactions are linked in a directed, non-circular manner, with new ways to reach consensus. This innovation promises faster transaction speeds and higher decentralization, making them an attractive choice for crypto enthusiasts. However, they could come with their own set of security challenges. There are bug bounty programs for a reason, after all. Cybercriminals will target the most vulnerable points, and that’s usually outside the DAG itself, but targeting its users anyway. However, so far, we can say that no DAG structure has been hacked. On the other hand, their related services, from social media and even smart contracts, are another story. We’ll delve ahead into some attacks involving DAG platforms, recounting five instances when their related services fell victim to hacking attempts. Besides, we’ll explore strategies and best practices to shield oneself from such threats. Whether you're a seasoned investor or a newcomer, understanding is essential to protect your digital assets in an increasingly complex crypto ecosystem. these challenges Nano + BitGrail In 2018, the cryptocurrency world witnessed a major security breach involving the Italian cryptocurrency exchange BitGrail and the digital currency Nano (formerly known as Raiblocks). This currency uses a ledger structured like a DAG (more accurately, block lattice), and its consensus system is quite similar to a Proof-of-Stake (PoS) blockchain. began when BitGrail reported a substantial amount of Nano tokens missing from its platform. The exchange's founder, Francesco Firano, claimed that the hack had resulted The incident in the theft of approximately 17 million Nano tokens, equivalent to roughly $170 million at the time. The aftermath of the BitGrail hack was marked by a contentious dispute between the exchange's management and the Nano development team. Firano initially suggested that Nano's code was responsible for the vulnerability, blaming the developers for the theft. He demanded a contentious fork (update) to be held by the Nano team (to erase the hack), which they refused. Indeed, the hack happened just in time to see a price rise in Nano, and Firano hid that the breaches had been happening since 2017. BitGrail and Firano received at least , and ultimately, Firano was found to be directly liable for the attack. More investigations later revealed that BitGrail's security measures and internal controls were inadequate, leading to the compromise of user funds. two class-action lawsuits In this case, the DAG wasn’t attacked, but the users trusted the wrong company. In centralized exchanges, you don’t have private keys to your funds. Instead, only an account with a password is provided, and the funds are in full custody (control) by that company. If they lose (hacks, bankruptcy, etc.), then you lose too. That’s why it’s important not to use exchanges as permanent wallets. IOTA + Moonpay IOTA is a cryptocurrency platform that utilizes Directed Acyclic Graph (DAG) technology to enable faster transactions, and it’s focused on the Internet of Things (IoT) sector. Unlike blockchains, IOTA's Tangle DAG allows users to validate transactions by confirming others, but there’s an ultimate coordinator node to achieve consensus. They intend (since 2016) to get rid of it, but in the meantime, the coordinator is controlled by the IOTA Foundation, and the network is centralized. That was vastly proved in February 2020, when the whole network was frozen by the coordinator after a major breach. The IOTA suffered a security breach due to a third-party dependency from Moonpay (a crypto payment service), which compromised users' wallet seeds by loading illicit versions of Moonpay's SDK from Moonpay's servers. Back then, hackers stole 8.5 million in IOTA's native token MIOTA directly from users —approximately $2 million at the time. Trinity wallet The cyber-criminal awaited a new Trinity version to overwrite cached files and eliminate traces. Immediate actions were taken by the IOTA Foundation, including halting the coordinator and creating an incident management plan with public status updates. The attack involved DNS interception, code modification, and API key misuse. IOTA responded by developing migration tools for affected users, enhancing analytical tools, and collaborating with security experts and law enforcement. Trinity isn’t used anymore, and MoonPay with them to fix the issue. So, again, it wasn’t a breached DAG but an external service related to it. collaborated Hedera Hashgraph Hedera Hashgraph is a distributed ledger system that utilizes Directed Acyclic Graphs (DAGs) for consensus. In Hedera's , nodes share new information with each other, gradually reaching a consensus through multiple rounds of sharing. This history of information-sharing events is represented as a hashgraph —a type of DAG. gossip protocol This system is patented, but it’s not error-free. On March 9, 2023, the Hedera Hashgraph network to a smart contract exploit, resulting in the theft of various tokens from decentralized exchanges (DEXs) such as Pangolin, SaucerSwap, and HeliSwap. Retail user accounts and Hedera wallets remained unaffected, but fell victim the attacker managed to steal tokens valued at nearly $600,000. They included DAI Stablecoin, Tether USD, USD Coin, and Wrapped HBAR. Swift action was taken to mitigate the attack. DEXs and bridges collaborated to halt the token flow over the bridge within an hour of being alerted to the breach. The Hedera team disabled proxy access to the Hedera mainnet (thanks to the network being centralized, like IOTA), preventing further access by users and the attacker. A fix was swiftly developed, tested, and implemented within 41 hours of discovering the vulnerability. Unlike previous attacks in other DAGs, this time, the native system was actually the one compromised, specifically, its smart contract layer. The team acted quickly to mitigate it. Sui Network + Discord Sui Network is a distributed ledger launched in May 2023. It splits transactions into simple ones (like sending money) and complex ones (like online auctions). Simple transactions don’t require consensus, but use Proof-of-Stake (PoS) validators and a high-throughput DAG-based consensus protocol called Bullshark. complex transactions This network has proved that prevention is important, especially when it comes to new technologies. Just before their mainnet release, the security firm CertiK found a critical bug in the system. The flaw was an infinite loop bug within Sui's code that could be triggered by a malicious smart contract. This type of attack, known as the "HamsterWheel attack," doesn't crash nodes but instead keeps them endlessly running without processing new transactions, rendering the network inoperable. Once the bug , Sui developers swiftly implemented fixes to mitigate its impact, and CertiK confirmed that these fixes were already deployed. The Sui Foundation awarded $500,000 to CertiK as a bug bounty. However, it wasn’t the only threat faced by this platform. was identified Even before the potential bug, in August 2022, The announcement was shared , where several users complained about having lost funds due to the event. The incident involved hackers sharing a link to an alleged airdrop on the server's announcement channel. Since then, they reinforced their security and verification processes in the chat. Mysten Labs’ (Sui creators) Discord server was hacked. on Twitter Avalanche + DeFi Avalanche is another crypto protocol that uses DAG structures instead of blockchains. It comprises : the Contract Chain (C-Chain) for smart contracts, the Exchange Chain (X-Chain) for fast fund transfers with low fees, and the Platform Chain (P-Chain) for staking and rewards. The X-Chain, in particular, leverages DAG technology to achieve high throughput and rapid transaction finality. different chains Several DeFi protocols based on Avalanche have faced important attacks over the years. The first high-profile hack was against the lending platform in September 2021. The attack happened because they relied on a single source for their price information (oracle), and this source didn't handle decimal points properly. This allowed the attacker to manipulate prices and execute trades on pairs that weren't supposed to be traded. Vee Finance The tokens were subsequently bridged to Ethereum and remain in the attacker's possession. Vee Finance suspended platform contracts and related functions (which demonstrated that the platform wasn’t as decentralized as the term DeFi implies), actively pursuing asset recovery efforts. However, this wasn’t all for Avalanche. More attacks would come in time. That resulted in the unauthorized withdrawal of 8804.7 ETH and 213.93 BTC (around $36 million at the time). Last February 2023, two more DeFi protocols were hacked again: the multi-chain aggregator Dexible and the DEX Platypus. , the attacker leveraged the app's selfSwap function to move over $2 million worth of crypto from users who had authorized the app to access their tokens. Dexible paused its contracts and advised users to revoke token authorizations. In the first case The hacker exploited the protocol's asset contracts using a malicious smart contract with unverified source code. Now, about the three cases, we can say that some bugs escaped from DeFi developers since the beginning, resulting in the loss of funds. In the second case, Platypus $8.5 million in a flash loan attack. lost over Protect yourself from DAG risks For average users of Directed Acyclic Graph (DAG) platforms, several key security measures and protections can be applied to mitigate risks: Before using any third-party services, such as wallets or exchanges, do your research to ensure they have a good reputation for security. Also, avoid leaving large amounts of crypto on exchanges for extended periods. Use Reputable Services: If you have wallets that give you control over your private keys, use them. This means you have direct control over your funds. Cold wallets offer an extra layer of security. Secure Your Private Keys: When dealing with any cryptocurrency-related accounts, use strong, unique passwords. Consider using a reputable password manager to keep them safe. Whenever possible, enable Two-Factor Authentication (2FA) on your accounts. Use Strong Passwords and enable 2FA: Keep up to date with the latest news and developments regarding the DAG platform you're using. Understanding potential vulnerabilities can help you take preventive action. Stay Informed: Be cautious of phishing emails, messages, or websites that aim to steal your login information or private keys. Always double-check URLs and sources. Beware of Phishing Scams: For applications or services that request permission to access your wallet or tokens, review and revoke these permissions when they're no longer needed. Regularly Review Permissions: Avoid putting all your assets into a single cryptocurrency or platform. Diversification can help spread risk. Diversify Your Investments: So far, Obyte (also a crypto-DAG platform) hasn’t suffered a high-profile hack on its system or related services. That doesn’t mean they are immune to attacks, though. is active on Immunefi, with high rewards for skilled developers. However, it’s always important to apply the on your own wallet and do your own research for each platform! A bug bounty program best security measures Featured Vector Image by Freepik
