5 Security Incidents Involving DAG Networks—and How to Protect Yourself

Directed Acyclic Graphs (DAGs) have emerged as a promising alternative to blockchain technology. Unlike blockchains, DAGs boast a unique structure where transactions are linked in a directed, non-circular manner, with new ways to reach consensus. This innovation promises faster transaction speeds and higher decentralization, making them an attractive choice for crypto enthusiasts. However, they could come with their own set of security challenges.

There are bug bounty programs for a reason, after all. However, so far, we can say that no DAG structure has been hacked. On the other hand, their related services, from social media and even smart contracts, are another story. Cybercriminals will target the most vulnerable points, and that’s usually outside the DAG itself, but targeting its users anyway.

We’ll delve ahead into some attacks involving DAG platforms, recounting five instances when their related services fell victim to hacking attempts. Besides, we’ll explore strategies and best practices to shield oneself from such threats. Whether you're a seasoned investor or a newcomer, understanding these challenges is essential to protect your digital assets in an increasingly complex crypto ecosystem.

Nano + BitGrail

In 2018, the cryptocurrency world witnessed a major security breach involving the Italian cryptocurrency exchange BitGrail and the digital currency Nano (formerly known as Raiblocks). This currency uses a ledger structured like a DAG (more accurately, block lattice), and its consensus system is quite similar to a Proof-of-Stake (PoS) blockchain.

The incident began when BitGrail reported a substantial amount of Nano tokens missing from its platform. The exchange's founder, Francesco Firano, claimed that the hack had resulted in the theft of approximately 17 million Nano tokens, equivalent to roughly $170 million at the time.

The aftermath of the BitGrail hack was marked by a contentious dispute between the exchange's management and the Nano development team. Firano initially suggested that Nano's code was responsible for the vulnerability, blaming the developers for the theft. He demanded a contentious fork (update) to be held by the Nano team (to erase the hack), which they refused.

More investigations later revealed that BitGrail's security measures and internal controls were inadequate, leading to the compromise of user funds. Indeed, the hack happened just in time to see a price rise in Nano, and Firano hid that the breaches had been happening since 2017. BitGrail and Firano received at least two class-action lawsuits, and ultimately, Firano was found to be directly liable for the attack.

In this case, the DAG wasn’t attacked, but the users trusted the wrong company. In centralized exchanges, you don’t have private keys to your funds. Instead, only an account with a password is provided, and the funds are in full custody (control) by that company. If they lose (hacks, bankruptcy, etc.), then you lose too. That’s why it’s important not to use exchanges as permanent wallets.

IOTA + Moonpay

IOTA is a cryptocurrency platform that utilizes Directed Acyclic Graph (DAG) technology to enable faster transactions, and it’s focused on the Internet of Things (IoT) sector. Unlike blockchains, IOTA's Tangle DAG allows users to validate transactions by confirming others, but there’s an ultimate coordinator node to achieve consensus. They intend (since 2016) to get rid of it, but in the meantime, the coordinator is controlled by the IOTA Foundation, and the network is centralized.

That was vastly proved in February 2020, when the whole network was frozen by the coordinator after a major breach. Back then, hackers stole 8.5 million in IOTA's native token MIOTA directly from users —approximately $2 million at the time. The IOTA Trinity wallet suffered a security breach due to a third-party dependency from Moonpay (a crypto payment service), which compromised users' wallet seeds by loading illicit versions of Moonpay's SDK from Moonpay's servers.

The cyber-criminal awaited a new Trinity version to overwrite cached files and eliminate traces. Immediate actions were taken by the IOTA Foundation, including halting the coordinator and creating an incident management plan with public status updates. The attack involved DNS interception, code modification, and API key misuse.

IOTA responded by developing migration tools for affected users, enhancing analytical tools, and collaborating with security experts and law enforcement. Trinity isn’t used anymore, and MoonPay collaborated with them to fix the issue. So, again, it wasn’t a breached DAG but an external service related to it.

Hedera Hashgraph

Hedera Hashgraph is a distributed ledger system that utilizes Directed Acyclic Graphs (DAGs) for consensus. In Hedera's gossip protocol, nodes share new information with each other, gradually reaching a consensus through multiple rounds of sharing. This history of information-sharing events is represented as a hashgraph —a type of DAG. This system is patented, but it’s not error-free.

On March 9, 2023, the Hedera Hashgraph network fell victim to a smart contract exploit, resulting in the theft of various tokens from decentralized exchanges (DEXs) such as Pangolin, SaucerSwap, and HeliSwap. Retail user accounts and Hedera wallets remained unaffected, but the attacker managed to steal tokens valued at nearly $600,000. They included DAI Stablecoin, Tether USD, USD Coin, and Wrapped HBAR.

Swift action was taken to mitigate the attack. DEXs and bridges collaborated to halt the token flow over the bridge within an hour of being alerted to the breach. The Hedera team disabled proxy access to the Hedera mainnet (thanks to the network being centralized, like IOTA), preventing further access by users and the attacker. A fix was swiftly developed, tested, and implemented within 41 hours of discovering the vulnerability.

Unlike previous attacks in other DAGs, this time, the native system was actually the one compromised, specifically, its smart contract layer. The team acted quickly to mitigate it.

Sui Network + Discord

Sui Network is a distributed ledger launched in May 2023. It splits transactions into simple ones (like sending money) and complex ones (like online auctions). Simple transactions don’t require consensus, but complex transactions use Proof-of-Stake (PoS) validators and a high-throughput DAG-based consensus protocol called Bullshark.

This network has proved that prevention is important, especially when it comes to new technologies. Just before their mainnet release, the security firm CertiK found a critical bug in the system. The flaw was an infinite loop bug within Sui's code that could be triggered by a malicious smart contract. This type of attack, known as the "HamsterWheel attack," doesn't crash nodes but instead keeps them endlessly running without processing new transactions, rendering the network inoperable.

Once the bug was identified, Sui developers swiftly implemented fixes to mitigate its impact, and CertiK confirmed that these fixes were already deployed. The Sui Foundation awarded $500,000 to CertiK as a bug bounty. However, it wasn’t the only threat faced by this platform.

Even before the potential bug, in August 2022, Mysten Labs’ (Sui creators) Discord server was hacked. The announcement was shared on Twitter, where several users complained about having lost funds due to the event. The incident involved hackers sharing a link to an alleged airdrop on the server's announcement channel. Since then, they reinforced their security and verification processes in the chat.

Avalanche + DeFi

Avalanche is another crypto protocol that uses DAG structures instead of blockchains. It comprises different chains: the Contract Chain (C-Chain) for smart contracts, the Exchange Chain (X-Chain) for fast fund transfers with low fees, and the Platform Chain (P-Chain) for staking and rewards. The X-Chain, in particular, leverages DAG technology to achieve high throughput and rapid transaction finality.

Several DeFi protocols based on Avalanche have faced important attacks over the years. The first high-profile hack was against the lending platform Vee Finance in September 2021. The attack happened because they relied on a single source for their price information (oracle), and this source didn't handle decimal points properly. This allowed the attacker to manipulate prices and execute trades on pairs that weren't supposed to be traded.

That resulted in the unauthorized withdrawal of 8804.7 ETH and 213.93 BTC (around $36 million at the time). The tokens were subsequently bridged to Ethereum and remain in the attacker's possession. Vee Finance suspended platform contracts and related functions (which demonstrated that the platform wasn’t as decentralized as the term DeFi implies), actively pursuing asset recovery efforts. However, this wasn’t all for Avalanche. More attacks would come in time.

Last February 2023, two more DeFi protocols were hacked again: the multi-chain aggregator Dexible and the DEX Platypus. In the first case, the attacker leveraged the app's selfSwap function to move over $2 million worth of crypto from users who had authorized the app to access their tokens. Dexible paused its contracts and advised users to revoke token authorizations.

In the second case, Platypus lost over $8.5 million in a flash loan attack. The hacker exploited the protocol's asset contracts using a malicious smart contract with unverified source code. Now, about the three cases, we can say that some bugs escaped from DeFi developers since the beginning, resulting in the loss of funds.

Protect yourself from DAG risks

For average users of Directed Acyclic Graph (DAG) platforms, several key security measures and protections can be applied to mitigate risks:

• Use Reputable Services: Before using any third-party services, such as wallets or exchanges, do your research to ensure they have a good reputation for security. Also, avoid leaving large amounts of crypto on exchanges for extended periods.
• Secure Your Private Keys: If you have wallets that give you control over your private keys, use them. This means you have direct control over your funds. Cold wallets offer an extra layer of security.

• Use Strong Passwords and enable 2FA: When dealing with any cryptocurrency-related accounts, use strong, unique passwords. Consider using a reputable password manager to keep them safe. Whenever possible, enable Two-Factor Authentication (2FA) on your accounts.

  
  

• Stay Informed: Keep up to date with the latest news and developments regarding the DAG platform you're using. Understanding potential vulnerabilities can help you take preventive action.
• Beware of Phishing Scams: Be cautious of phishing emails, messages, or websites that aim to steal your login information or private keys. Always double-check URLs and sources.

• Regularly Review Permissions: For applications or services that request permission to access your wallet or tokens, review and revoke these permissions when they're no longer needed.

• Diversify Your Investments: Avoid putting all your assets into a single cryptocurrency or platform. Diversification can help spread risk.

  
  

So far, Obyte (also a crypto-DAG platform) hasn’t suffered a high-profile hack on its system or related services. That doesn’t mean they are immune to attacks, though. A bug bounty program is active on Immunefi, with high rewards for skilled developers. However, it’s always important to apply the best security measures on your own wallet and do your own research for each platform!

Featured Vector Image by Freepik