Big-Budget Hackers Are a New Threat to Web3 Businesses
A popular blockchain game called Axie Infinity has suffered what may well be the biggest security breach in the history of decentralized finance, known as “DeFi”.
Hackers forged withdrawals last week from the game’s Ronin network, which lost an estimated $615 million and said it was working with law enforcement to recover the funds and refund players, many of whom had to pay hundreds of dollars up front to play. It is not known how many players were affected. It is also postponing the launch of a similar play-to-win game. The incident highlights a growing challenge to “web3”, the catch-all term describing digital services based on blockchain technology.
A growing list of flaws that stem in part from web3 code writing errors are shattering one of blockchain’s great promises – enhanced security – and holding back the technology’s progress towards mainstream acceptance.
Last August, hackers stole over $600 million from a blockchain program called Poly Network. Then, in February, around $320 million was stolen from a so-called bridge that allowed people to transfer crypto assets between two popular blockchain networks, Solana and Ethereum.
In both cases, most, if not all, of the funds were returned to the original holders. But DeFi, or the pass of blockchain networks trying to serve as an alternative to traditional financial systems, has become an attractive target for hackers, thanks to the billions of dollars locked away in various applications that are also largely run autonomously. The money stolen in the latest hack had not moved from the attackers’ wallets at the time of writing.
The amounts lost to DeFi project hacks more than doubled in 2021, according to cryptocurrency security firm CertiK. A timeline on security website CryptoSec.Info lists 83 reported breaches of DeFi services, with an estimated $2.3 billion lost between January 2020 and February 2022.
For those who are still ready to invest in web3: Steel yourself, because the hacks will keep coming. An investor in Sky Mavis, the developer of Axie Infinity, says the latest hack should serve as a warning to venture capitalists about the underlying security weaknesses of blockchain services, especially with important devices like bridges. .
One problem with Ronin was that it ran off-chain, acting as another layer on top of the Ethereum blockchain to transact faster and cheaper. The trade-off: a secondary layer isn’t as secure as the blockchain itself.
Ronin Network didn’t go into detail in a blog post about the mechanics of the hack, but the attackers may have taken advantage of a rush on the network to validate a large number of transactions at once, according to Dan Hughes. , founder of British DeFi startup Radix.
In other words, Ronin attackers may have exploited a weakness in network processes, rather than an errant bug, highlighting some of the broader difficulties of building blockchain-based applications including security against piracy can be invoked.
Many developers who create applications for Ethereum use a programming language called Solidity, which is designed for smart contracts, a simple program on a blockchain. But building with Solidity is one of the most complex forms of programming. Coders have to plot their steps carefully and don’t have multiple attempts to get something right. Making a mistake doesn’t just cause a problem, as it might with a site or application on the traditional web. This could lead to a security breach, and with financial services constituting so many Web3 applications, it would put large sums of money at risk.
“Sometimes something as simple as a typo can be exploited by savvy hackers,” Hughes said in a Twitter Spaces chat last week with Bloomberg Opinion. He added on Wednesday that it seemed unlikely that a coding error with smart contracts was the cause of the Ronin Network security breach.
Even so, a recurring series of hacks should serve as a wake-up call for potential investors and for web3 companies themselves to invest more in securing their highly complex systems.
Hughes says there’s a prevalent “move fast and break things” culture in Web3 development. It could become increasingly dangerous as poorly designed algorithms cause financial ruin.
“The problem with hacks is that if you’re building a secure system, there are hundreds of thousands of ways to get it right,” adds Hughes, alluding to a problem that affects Web 2.0 as well as Web3. Everytime. A hacker only needs once to get it right.” ©bloomberg
Download the app to get 14 days of unlimited access to Mint Premium absolutely free!