Smart contract exploits are more ethical than hacking... or not?

Published at: April 18, 2021

There has been a lot of talk about the recent “hacks” in the decentralized finance realm, particularly in the cases of Harvest FInance and Pickle Finance. That talk is more than necessary, considering hackers stole more than $100 million from DeFi projects in 2020, accounting for 50% of all hacks this year, according to a CipherTrace report.

Related: Roundup of crypto hacks, exploits and heists in 2020

Some point out that the occurrences were merely exploits that shined a light on the vulnerabilities of the respective smart contracts. The thieves didn’t really break into anything, they just happened to casually walk through the unlocked back door. By this logic, since the hackers exploited flaws without actually hacking in the traditional sense, the act of exploiting is ethically more justifiable.

But is it?

The differences between an exploit and a hack

Security vulnerabilities are the root of exploits. A security vulnerability is a weakness that an adversary could take advantage of to compromise the confidentiality, availability or integrity of a resource.

An exploit is the specially crafted code that adversaries use to take advantage of a certain vulnerability, and to compromise a resource.

Even mentioning the word “hack” in reference to blockchain might baffle an industry outsider less familiar with the technology, as security is one of the centerpieces of distributed ledger technology’s mainstream appeal. It’s true, blockchain is an inherently secure medium of exchanging information, but nothing is totally unhackable. There are certain situations in which hackers can gain unauthorized access to blockchains. These scenarios include:

51% attacks: Such hacks occur when one or more hackers gain control of over half of the computing power. It’s a very difficult feat for a hacker to achieve, but it does happen. Most recently in August 2020, Ethereum Classic (ETC) faced three successful 51% attacks in the span of a month.Creation errors: These occur when security glitches or errors go overlooked during the creation of the smart contract. These scenarios present loopholes in the most potent sense of the term.Insufficient security: When hacks are done through gaining undue access to a blockchain with weak security practices, is it really as bad if the door was left wide open?

Are exploits more ethically justifiable than hacks?

Many would argue that doing anything without consent cannot possibly be considered ethical, even if worse acts could have been committed. That logic also raises the question of whether an exploit is 100% illegal. For example, having a U.S. company registered in the Virgin Islands can also be seen as performing a legal tax “exploit,” though it isn’t considered outwardly illegal. As such, there are certain gray areas and loopholes in the system that people can use for their own benefit, and an exploit can also be seen as a loophole in the system.

Then there are cases such as cryptojacking, which is a form of cyberattack where a hacker hijacks a target's processing power to mine cryptocurrency on the hacker's behalf. Cryptojacking can be malicious or nonmalicious.

It may be safest to say that exploits are far from ethical. They are also entirely avoidable. In the early stages of the smart contract creation process, it’s important to follow the strictest standards and best practices of blockchain development. These standards are set to prevent vulnerabilities, and ignoring them can lead to unexpected effects.

It is also vital for teams to have intensive testing on a testnet. Smart contract audits can also be an effective way to detect vulnerabilities, though there are many audit companies that issue audits for little money. The best approach would be for companies to get several audits from different companies.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Pawel Stopczynski is the researcher and R&D director at Vaiot. He was previously the R&D director and a co-founder at Veriori and at UseCrypt. Since 2004, Pawel has been involved in the development of 18 IT projects in Poland and the United Kingdom, focusing on the private sector. He was a speaker at several IT conferences, and the organizer of two TEDx conferences. For his work, Pawel was awarded a gold medal at the Concours Lépine International Innovation Fair 2019 in Paris, and a gold medal of the French minister of defense.
Tags
Related Posts
Immunefi partners with Binance Smart Chain on bug bounties to secure BSC projects
Immunefi, a security service outfit that specialized in decentralized finance (DeFi) projects, has inked a collaboration with the Binance Smart Chain. According to a release issued on Friday, Immunefi will work in collaboration with BSC to improve the security of projects on the Binance chain. As part of the partnership, ethical hackers who take part in a campaign to discover vulnerabilities in BSC-based projects will earn rewards. As a security outfit, Immunefi has reportedly paid more than $3 million in bug bounties to ethical hackers. Major BSC protocols such as PancakeSwap, DODO, and Zapper among others are already deploying the …
Blockchain / July 9, 2021
Elrond Invites Hackers to Stress Test Its Blockchain Network
Blockchain firm Elrond has invited hackers to attack its network during its upcoming incentivized stress test. According to an announcement on Tuesday, the upcoming Elrond incentivized stress test will include a variety of different attacks on the network. Elrond's CEO, Beniamin Mincu, explained to Cointelegraph: "Anything that takes the network down is allowed, as long as it's not breaking the law or social privacy of participants. So DDoS-ing, hijacking rewards, stealing coins, double spending, minting new coins & other similar situations - we will reward every successful attempt to do any of those things.” A blockchain transformed into a cyber …
Technology / June 2, 2020
Tron Discloses Critical Vulnerability Which Could Have Crashed Its Blockchain
The Tron Foundation disclosed a fixed critical vulnerability which could have crashed its blockchain on vulnerability disclosure platform HackerOne on May 2. The disclosure explains that with enough malicious requests, an attacker could have filled up all the available memory and effectively perform a Distributed Denial of Service attack on the TRX network by employing malicious code in a smart contract. The disclosure further explains the impact of such an attack: “Using a single machine an attacker could send DDOS attack to all or 51% of the SR node and render Tron network unusable or make it unavailable.” The cybersecurity …
Blockchain / May 6, 2019
Developers could have prevented crypto's 2022 hacks if they took basic security measures
Users losing funds due to malicious activity is hardly unknown on Ethereum. In fact, it is the very reason researchers recently developed a proposal to introduce a type of token that is reversible in the event of a hack or other unsavory behaviors. Specifically, the suggestion would see the creation of an ERC-20R and ERC-721R, which would be modified versions of the standards that govern both regular Ethereum tokens and nonfungible tokens (NFTs). The premise goes like this: this new standard would allow users to make a “freeze request” on recent transactions that would lock those funds until a “decentralized …
Technology / Nov. 13, 2022
Top 7 cybersecurity jobs in high demand
In today’s digital age, cybersecurity has become a critical aspect of almost every business. Cyber threats are increasing daily, and businesses must take proactive measures to protect their networks and data. As a result, the demand for cybersecurity professionals has skyrocketed. Little Friday humour #meme #cybersecurity @hackurityio pic.twitter.com/MArEpCh03k — Harold De Vries (@devries_harold) February 17, 2023 In this article, we will discuss the top seven cybersecurity jobs that are in high demand. Cybersecurity analyst A cybersecurity analyst is responsible for identifying and mitigating cyber threats to an organization’s network and data. They examine system logs and network traffic to find …
Technology / Feb. 26, 2023