The blockchain landscape has bad PR with security; there's news of a hack every month, and it defies what the technology touts itself as. In theory, blockchain is one of the most secure technologies and is supposed to be unhackable.
However, high-profile hacks this year have a comment on that. This year has seen the security breach of Crypto.com, IRA Financial Trust, Cashio, Fei Protocol, Qubit Bridge, Harmony Bridge, Beanstalk, Wormhole, Axie Infinity Ronin Bridge, and the most recent BNB hack. Bridges happen to be a regular, and we'll get to why pretty soon.
According to
Blockchain's security is a tough argument to defend and especially seeing as traditional finance does not experience as many security issues. The hack reports mentioned in the article so far only cover the funds lost by protocols and institutions.
Users' statistics may be much worse, but there's no way to tell the exact figure crypto users may have lost to fraud and hacks. With security breaches on the rise, it's logical to argue that crypto and blockchain adoption might take longer than we imagine.
Most of the recent security breaches have affected DeFi protocols, with cross-chain bridges suffering the most. The recent BNB hack resulted from a vulnerability in the network's cross-chain bridge that facilitates seamless asset transfer between the BNB Beacon Chain(BEP2) and the Binance Smart Chain.
The initial damage was reported to be about $570 million. But efforts from node contributors mitigated the loss to about $100 million, another situation that has spurred debate about the network's true decentralization nature.
Bridges have had the highest frequency of these security breaches because their frameworks are still developing. Cross-chain bridges are essentially protocols that enable seamless value and asset transfer across different networks. For example, you cannot spend BTC on the Ethereum blockchain, so bridges offer you a wrapped version of BTC(wBTC) which will be in the token standard you need it for; in this case, ERC-20.
Your BTC is locked on the cross-chain bridge, and this actually makes them a prime target for attacks because they hold a lot of capital on-chain. The recent bridge hacks have resulted from flawed security design and mostly smart contract vulnerabilities.
It is generally believed that over the next few years, we'll perfect the best practices to write smart contracts for bridges and have more capable hands writing and analyzing these codes. However, the collateral damage is costly, and it's pretty easy to see how this will pull the landscape back.
My earliest understanding of what a smart contract vulnerability came from minting an NFT project sometime in 2021. This project intended for its whitelisted members to mint 3 NFTs each before moving to the public mint. However, there was something wrong with the smart contract that a few users with coding experience had already spotted.
The smart contract allowed only whitelisted addresses to carry on with the mint. But, if a user mints 3 NFTs with their whitelisted wallet and sends those three items out, they can return to mint another 3; rinse and repeat. It was highly rewarding for users to keep up with this because the NFT was already selling for 10x its mint price on the secondary market. At the time, that was a situation that had already happened several times with other projects that you'd call a rookie mistake.
However, recent bridge hacks have shown that these vulnerabilities are there for those who look hard enough to exploit. It is basically about tricking the computer, subjecting it to a condition that the smart contract does not explicitly cover, and you'll be able to carry out malicious activities on the network. Blockchain itself is very secure in theory, but until we can write near-perfect smart contracts, these are perilous times.
Blockchain networks can be attacked in various ways– attacks like DDoS attacks, software misconfiguration exploits, blockchain-specific malware, or performing transaction-based injection attacks usually target blockchain nodes. The blockchain landscape is, however, more familiar with phishing attacks, Sybil attacks, routing attacks, and 51% attacks. Fraudsters and hackers are always lurking to get the best of platforms and users.
The threat this poses to institutions has seemed like the bigger evil until one discovers how bad it can get for an average user. This has been easy for malicious users because the blockchain is also an enabling ecosystem to steal money and cover your tracks.
The threat this poses to institutions seemingly has greater significance because they are in the best position to create systems that can mitigate and control thefts and hacks. However, a random survey would suggest that millions of dollars switch hands from users to fraudsters daily.
The CEO of FTX, Sam Bankman-Fried, recently tweeted how FTX has been helping users tackle phishing attacks, including a recent phishing attack with mitigation plans to support affected users.
A renowned on-chain sleuth with the Twitter username ZachXBT uncovered a phishing scammer named Monkey Drainer, who has reportedly stolen over 700 ETH worth over $1 million from several users.
It gets worse when you find out there's a lot of this going around daily. Scammers take advantage of users' edginess to solve specific issues or make a trade to trick them into signing malicious smart contracts that drain their wallets or inputting their private keys into a phishing site.
There are no official numbers on the amount users have lost to scams, but the speculations are pretty scary when you imagine they are people's life savings. Users have had to learn basic security tips to keep themselves safe. Users have had to understand that security is solely their responsibility; there are no support or customer service lines to report issues to, which might be something to get used to.
Blockchain enables a system that makes finance completely custodial; users will be responsible for storing their funds and keeping them safe from bad actors who would always try to take them maliciously. On the other hand, the traditional finance system does not give users total control of their money, but there are existing frameworks that protect users against fraud. Besides, the system is not quite as enabling for fraudsters and scammers.
The blockchain landscape has been blessed with users who are dedicating effort and time to help other users trace their stolen funds and work towards recovering the funds. However, there's only a short window for when their effort is significant. Blockchain is transparent, but crypto scammers already know the best methods to launder money and obscure their transaction history.
According to
Considering how easy it is for fraudsters to trick the average user, it's a scary endeavor for newbies without knowledge of the best security practices. Blockchain is very secure in theory, but with the landscape still developing the best implementations for its framework, users have some responsibility on their hands.