Developers could have prevented crypto's 2022 hacks if they took basic security measures

Published at: Nov. 13, 2022

Users losing funds due to malicious activity is hardly unknown on Ethereum. In fact, it is the very reason researchers recently developed a proposal to introduce a type of token that is reversible in the event of a hack or other unsavory behaviors. 

Specifically, the suggestion would see the creation of an ERC-20R and ERC-721R, which would be modified versions of the standards that govern both regular Ethereum tokens and nonfungible tokens (NFTs).

The premise goes like this: this new standard would allow users to make a “freeze request” on recent transactions that would lock those funds until a “decentralized judiciary system” determined the validity of the transaction. Both parties would be allowed to present their evidence, and the judges would be chosen at random from a decentralized pool to minimize collusion.

At the end of the process, a verdict would be reached and either the funds would be returned or they would stay where they are. This decision would then be final and subject to no further contention. This would open up a practical avenue for victims of hacks and other malicious activity to get their assets back in a direct and community-driven manner.

Unfortunately, this may well be an unnecessary and ultimately harmful proposition. One of the cornerstones of the decentralized philosophy is that transactions only go in one direction. They can’t be undone under virtually any circumstances. This new protocol change would undermine that fundamental precept and in order to fix what isn’t broken.

So how does this work when an attacker steals ERC-20R and cashes out to ETH via a DEX in the same transaction? Or ERC-20R will be incompatible with the current DeFi ecosystem? https://t.co/n5pN82ZBBe

— Roman Semenov ️ (@semenov_roman_) September 25, 2022

There’s also the fact that even implementing such tokens would be a logistical nightmare. Unless every single platform shifted over to the new standard, then there would be huge gaps in the system, meaning that thieves could simply quickly swap their reversible assets for non-reversible ones and avoid the repercussions entirely. This would render the entire asset completely pointless, and more than likely users would simply not engage with it.

Furthermore, the whole idea of a judicial review implies centralization. Isn’t independence from a third party the exact thing cryptocurrency was created for? The existing proposal isn’t clear on how these judges are chosen, other than it will be “random.” Without the system being very carefully balanced, it’s hard to say that collusion or manipulation is impossible.

A better proposal

Ultimately, the notion of a reversible crypto asset may be well-intentioned but is also entirely unnecessary. The premise introduces many new complexities in terms of its actual integration into existing systems, and that is even assuming platforms want to utilize it. However, there are other ways to achieve security in the decentralized ecosystem that don’t undermine what makes cryptocurrency so powerful to begin with.

For one, auditing of all smart contract codes on an ongoing basis. Many problems in decentralized finance (DeFi) arise from exploits present in the underlying smart contracts. Comprehensive and independent security audits can help to find where potential problems exist before these protocols are released. Furthermore, it’s important to try to understand how multiple contracts will interact together when they go live, as some issues only arise when they are used in the wild.

Any deployed contract will have risk factors that should be monitored and defended against. However, many development teams do not have a robust security monitoring solution in place. Often, the first sign that something problematic is happening comes from an on-chain diagnosis. Massive or unusual transactions and other uncommon transaction patterns can point to an attack that is happening in real-time. Being able to spot and understand these signals is key to staying on top of them.

Related: Biden‘s anemic crypto framework offered nothing new

Of course, there also needs to be a system in place for documenting and recording events and communicating the most important information to the correct entities. Some alerts can be sent to the developer team and others can be made available to the community. With a community thus informed, better security can come in a manner that aligns with the decentralized ethos rather than it being relegated to a function of a judicial review.

Let’s look back at the Ronin hack as an example. It took a full six days for the team behind the project to realize an attack had occurred, only becoming aware when a user complained that they were unable to withdraw funds. If real-time monitoring of the network had been in place, a response could have happened almost instantly when the first large, suspicious transaction occurred. Instead, nobody noticed for almost a week, giving the attacker ample time to continue to move funds and obscure their history.

It seems fairly obvious that reversible tokens wouldn’t have helped this situation much, but monitoring could have. By the time it was noticed, many of the stolen coins had been transferred repeatedly across wallets and exchanges. Could all of these transactions just be reversed? The complexities introduced, as well as the possible new risks created, mean that this endeavor simply isn’t worth the effort. Especially when you consider that powerful mechanisms already exist that can offer a similar level of security and accountability.

Instead of messing with the formula that makes crypto so powerful, it would make much more sense to implement comprehensive and continuous security processes across Web3 so that decentralized assets remain immutable but not unprotected.

Stephen Lloyd Webber is a software engineer and author with diverse experience in simplifying complex situations. He is fascinated by open source, decentralization and anything on the Ethereum blockchain. Stephen is currently working in product marketing at Open Zeppelin, a premier crypto cybersecurity technology and services company, and has an MFA in English writing from New Mexico State University.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Tags
Related Posts
Don’t blame crypto for ransomware
Recently, gas has been a hot topic in the news. In the crypto media, it’s been about Ethereum miner’s fees. In the mainstream media, it’s been about good old-fashioned gasoline, including a short-term lack thereof along the East Coast, thanks to an alleged DarkSide ransomware attack on the Colonial Pipeline system, which provides 45% of the East Coast’s supply of diesel, gasoline and jet fuel. In cases of ransomware, we generally see a typical cycle repeat: Initially, the focus is on the attack, the root cause, the fallout and steps organizations can take to avoid attacks in the future. Then, …
Technology / May 30, 2021
Uranium Finance developer suspected of ‘leaking’ information leading to $50M exploit
The $50 million exploit of Uranium Finance, a decentralized finance protocol on Binance Smart Chain, may have been an inside job, according to a member of the project’s development team. The theory was put forward in Uranium Finance’s Telegram channel by a user named “Baymax,” who appears to be listed as an administrator. In a pinned post, Baymax explained that the security flaw leading to the exploit happened just two hours before version 2 of the protocol was launched. The suspicious timing of the exploit narrows down the list of potential perpetrators significantly. Baymax explained: “There are a total of …
Blockchain / April 28, 2021
Smart contract exploits are more ethical than hacking... or not?
There has been a lot of talk about the recent “hacks” in the decentralized finance realm, particularly in the cases of Harvest FInance and Pickle Finance. That talk is more than necessary, considering hackers stole more than $100 million from DeFi projects in 2020, accounting for 50% of all hacks this year, according to a CipherTrace report. Related: Roundup of crypto hacks, exploits and heists in 2020 Some point out that the occurrences were merely exploits that shined a light on the vulnerabilities of the respective smart contracts. The thieves didn’t really break into anything, they just happened to casually …
Technology / April 18, 2021
Crypto hacks are set to hit all-time highs in 2022, analyst explains
Reducing the amount of hacking by improving cybersecurity should be considered a top priority for the crypto industry, said Kim Grauer, director of research of blockchain intelligence firm Chainalysis. As pointed out by the firm, this year could outpace 2021 in terms of crypto stolen through hacks. The vast majority of these exploits have been targeting the field of decentralized finance. “This can't go on in the industry because people are going to lose faith in investing in DeFi platforms”, Grauer said in an interview with Cointelegraph. Unlike centralized exchanges, which have improved their resiliency to crypto hacks, decentralized protocols …
Blockchain / Oct. 19, 2022
Top 7 cybersecurity jobs in high demand
In today’s digital age, cybersecurity has become a critical aspect of almost every business. Cyber threats are increasing daily, and businesses must take proactive measures to protect their networks and data. As a result, the demand for cybersecurity professionals has skyrocketed. Little Friday humour #meme #cybersecurity @hackurityio pic.twitter.com/MArEpCh03k — Harold De Vries (@devries_harold) February 17, 2023 In this article, we will discuss the top seven cybersecurity jobs that are in high demand. Cybersecurity analyst A cybersecurity analyst is responsible for identifying and mitigating cyber threats to an organization’s network and data. They examine system logs and network traffic to find …
Technology / Feb. 26, 2023