In 2021, the volume of crypto crime almost doubled compared to 2020 ($14B vs. $7.8B). Over the same period, however, total crypto transaction volume grew by 567%. An increase in the value of assets reaching illicit addresses therefore does not by itself mean that blockchain security deteriorated. On the contrary, the share of crypto crime in total crypto transaction volume fell to just 0.15%, the lowest figure ever recorded, down from 0.62% in 2020.
Law enforcement has had a significant impact on the state of blockchain security. A series of arrests of REvil ransomware group members, and the recent arrest of a husband and wife charged with laundering almost 120K bitcoins stolen from the Bitfinex exchange in 2016, show that crypto has ceased to be a simple money laundering tool in the hands of cybercriminals. As a result, the hacks that do succeed are increasingly the work of professional criminals who know how to hide their traces through mixers and other techniques.
Thus, although the share of crime in the crypto world is decreasing, hacks, and megahacks in particular, remain a major blockchain security issue limiting the mass adoption of virtual assets.
The most disastrous form of blockchain security threat in 2021 was scamming. Malicious actors stole $7.8B through scams, of which $2.8B was taken through rug pulls. A rug pull is a form of cybercrime in which malicious actors create a project that appears legitimate and, after collecting investors' funds, simply disappear with all the assets. Rug pulls not only steal users' assets but also cause a sharp drop in the price of the project's token, so the overall losses are far greater than the amount taken. Rug pulls are mostly a DeFi phenomenon, driven by hype and the ease of listing fake tokens that are not validated at all. Outright cryptocurrency theft reached $3.2B, of which $2.3B was stolen from DeFi protocols.
Phishing emails: Malicious actors send emails to potential victims describing a very attractive airdrop or competition which a user can only join by providing certain personal information. In most cases, the authors of phishing emails promise victims rewards for investing nothing.
Fake websites: Malicious actors create a website that closely resembles the legitimate one; often the only difference is the contract address to which users or investors are asked to send assets. For example, during the recent IDO of the Hacken Foundation project OneArt, our team in cooperation with disBalancer blocked several malicious websites luring users to transfer assets to attacker-controlled wallets. The malicious actors were exploiting users' eagerness to be the first to invest in OneArt.
Romance scams: Malicious actors build friendly or romantic relationships with a victim through dating applications or social media, then lure the victim into their so-called cryptocurrency business with promises of very high returns. After receiving funds, they disappear.
Pump-and-dump schemes: Crypto scammers spread fake information or analytics to convince people to buy a particular virtual asset, claiming that the token is trading at the lowest possible level so that victims feel they have no choice but to buy. Once the price of the token skyrockets, the malicious actors are the first to sell, and the price plummets.
Celebrity impersonation: Malicious actors hijack celebrities' social media accounts and encourage followers to invest in a particular project offering very high profits. For example, criminals pretending to be Elon Musk made over $2M in a Bitcoin scam in just six months. Hackers can also create fake celebrity pages that look very similar to the legitimate ones.
Cream Finance (October 2021): A flash loan attack against the project cost Cream Finance $130M. The hacker exploited a vulnerability in the smart contracts' pricing calculations, manipulating the price of assets used as collateral and thereby obtaining undercollateralized loans.
Poly Network (August 2021): The hacker exploited a vulnerability in the cross-chain smart contract that holds a large pool of liquidity to enable efficient swaps of tokens between networks. By feeding the privileged contract a crafted cross-chain message, the attacker replaced the keeper that authorizes withdrawals and diverted funds to three wallet addresses. The malicious actor initially stole $600M but then returned almost all of it to Poly Network (only $33M remained frozen).
PancakeBunny (May 2021): The DeFi protocol suffered a flash loan attack by an external actor that cost it around $200M. The hacker borrowed a large amount of BNB from PancakeSwap and manipulated the LP ratios of USDT/BNB and BUNNY/BNB, causing the protocol to mint a huge quantity of BUNNY. The attacker then dumped all the minted BUNNY, crashing its price by 99%.
PAID Network (March 2021): A malicious actor used a compromised private key belonging to the original contract deployer to call the project's upgrade function and replace the contract with one that allowed tokens to be burned and re-minted. The tokens minted were worth $166M at the time of the attack.
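The Cream Finance and PancakeBunny incidents above share one mechanic: a contract valued collateral or LP tokens from the spot reserves of a pool that the attacker could skew with borrowed funds inside a single transaction. The Python simulation below is an added example, not code from Hacken or from either protocol; the pool sizes, the 2M USDT flash loan and the external BNB price of 300 are constructed numbers. It contrasts LP valuation from spot reserves with a fair-LP-price formula, 2 * sqrt(p_base * p_quote * k) / supply, which depends only on external prices and the pool invariant k and so cannot be moved by a swap.

```python
from dataclasses import dataclass
from math import isclose, sqrt


@dataclass
class Pool:
    """Constant-product pool (x * y = k), the PancakeSwap/Uniswap-v2 model.
    The swap fee is left out so the round trip below is exact; in practice the
    attacker pays the fee twice, which is small next to what the victim mints."""
    reserve_base: float    # e.g. BNB
    reserve_quote: float   # e.g. USDT
    lp_supply: float       # LP tokens outstanding

    @property
    def k(self) -> float:
        return self.reserve_base * self.reserve_quote

    def spot_price(self) -> float:
        """Price of one base token in quote, read from current reserves.
        Anyone with enough capital (or a flash loan) can set this within one tx."""
        return self.reserve_quote / self.reserve_base

    def swap_quote_for_base(self, quote_in: float) -> float:
        """Sell quote into the pool; returns the base amount received."""
        k = self.k
        self.reserve_quote += quote_in
        base_out = self.reserve_base - k / self.reserve_quote
        self.reserve_base -= base_out
        return base_out

    def swap_base_for_quote(self, base_in: float) -> float:
        """Sell base into the pool; returns the quote amount received."""
        k = self.k
        self.reserve_base += base_in
        quote_out = self.reserve_quote - k / self.reserve_base
        self.reserve_quote -= quote_out
        return quote_out

    def naive_lp_value(self) -> float:
        """Quote value of one LP token using the pool's own spot price. This is the
        pattern that let skewed reserves inflate collateral (Cream) and rewards (Bunny)."""
        total = self.reserve_base * self.spot_price() + self.reserve_quote
        return total / self.lp_supply

    def fair_lp_value(self, base_price: float, quote_price: float = 1.0) -> float:
        """Quote value of one LP token as 2 * sqrt(p_base * p_quote * k) / supply.
        Needs an external price feed and the invariant k, which swaps cannot move."""
        return 2.0 * sqrt(base_price * quote_price * self.k) / self.lp_supply


def flash_loan_manipulation(loan_quote: float, external_base_price: float) -> dict:
    """Walk through the attack shape on a constructed pool: borrow quote, dump it
    into the pool, let the victim read LP value, unwind, repay the flash loan."""
    pool = Pool(reserve_base=1_000.0, reserve_quote=300_000.0, lp_supply=1_000.0)
    naive_before = pool.naive_lp_value()
    fair_before = pool.fair_lp_value(external_base_price)

    base_received = pool.swap_quote_for_base(loan_quote)   # 1. skew the reserves
    spot_during = pool.spot_price()
    naive_during = pool.naive_lp_value()                   # 2. victim prices LP now
    fair_during = pool.fair_lp_value(external_base_price)

    quote_back = pool.swap_base_for_quote(base_received)   # 3. unwind the position
    return {
        "naive_before": naive_before,
        "naive_during": naive_during,
        "fair_before": fair_before,
        "fair_during": fair_during,
        "spot_price_during": spot_during,
        "loan_repaid_in_full": isclose(quote_back, loan_quote, rel_tol=1e-9),
    }


if __name__ == "__main__":
    result = flash_loan_manipulation(loan_quote=2_000_000.0, external_base_price=300.0)
    for name, value in result.items():
        print(f"{name:>20}: {value}")
```

With these numbers the spot-reserve valuation of an LP token jumps from 600 to 4,600 USDT while the loan is in the pool, and returns to 600 once it is unwound, so a minter or lending market that reads it mid-transaction hands out roughly 7.7x the correct amount; the fair valuation stays at 600 throughout. The same defence applies to single-asset collateral: price it from a feed or a time-weighted average rather than from reserves the caller can move in the same block.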
From a technical perspective, the security of crypto exchanges has improved dramatically over the last few years. According to CER.live, a growing number of exchanges undergo regular penetration tests and run ongoing bug bounty programs. Hackers have therefore turned to more creative routes into exchanges through their key employees, especially staff with access to funds. One of the main blockchain security issues at exchanges was weak key management: access to private keys was not strictly controlled, which led to major thefts.
One of the key reasons behind crypto hacks in 2021 was the presence of vulnerabilities in smart contracts. Projects neglect independent smart contract audits before releasing a product. Given the unregulated nature of the blockchain world, malicious actors face few constraints on their attempts to break projects and little risk of punishment for their activities.
Although crypto may bring huge profits to investors, patience and attention to detail should be the core of users' behaviour. Most scam campaigns simply exploit users' desire to make easy money. Users should always double-check every address and account involved in a transaction before sending assets: do not rush, and verify the information by contacting official representatives of the project. The answer to the question "how secure is blockchain" largely depends on the behaviour of the users asking it.
The biggest share of cyberattacks in 2022 will target decentralized protocols. Exchanges are mostly mature players who work on blockchain security and are ready to address likely threats. Decentralized protocols, by contrast, will accumulate growing volumes of assets through an expanding customer base, and when trying to scale they may prioritize speed over security. As a result, there is a risk that new flaws will appear in their smart contracts.
Blockchain security is a continuous process. Projects should undergo regular blockchain security audits, especially after major updates. It is reasonable to work with more than one security auditor, since any single auditor can make mistakes.
Social engineering is becoming the main form of cybercrime, so projects should teach their staff the key rules of cyber hygiene. It is also reasonable to test staff's ability to recognise scams in a controlled test environment.
Projects should not assume they have a single weakest element. Depending on the situation, a vulnerability in code or an employee's failure to check the spelling of an email address may let hackers into the project. Only a comprehensive approach to building security can make a project ready for the security risks of 2022.
Chavez-Dreyfuss, Gertrude; Price, Michelle (13 August 2021). "Explainer: How hackers stole and returned $600 mln in tokens from Poly Network". Reuters. Retrieved 9 February 2022.
Chawla, Vishal (5 March 2021). "Hacker Performs $3 Million Attack On Paid Network". Crypto Briefing. Retrieved 8 February 2022.
Corbella, Alejandra (29 October 2021). "What Just Happened to CREAM Finance? The long-lasting effect of security vulnerabilities in DeFi". valid.network. Retrieved 8 February 2022.
"Documented timeline of DeFi exploits". CryptoSec. Retrieved 9 February 2022.
Georgiev, George (20 May 2021). "Pancake Bunny Exploit: $44 Million Stolen as BUNNY Token Crashed 99% in Seconds". CryptoPotato. Retrieved 8 February 2022.
Guevera, George (1 February 2022). "Cryptocurrency scams: You must beware of these common crypto frauds". Marca. Retrieved 10 February 2022.
Kilmann, Carter (1 December 2021). "5 crypto scams to know before you start trading coins". Business Insider. Retrieved 9 February 2022.
"Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency". The United States Department of Justice. 8 February 2022. Retrieved 10 February 2022.
Wang, Nelson (11 December 2021). "BadgerDAO Reveals Details of How It Was Hacked for $120M". Coindesk. Retrieved 9 February 2022.