You’ll learn the ten most important blockchain hacking techniques compiled by security experts. They cover a wide range of vulnerabilities – from exploits of smart contracts to problems at the infrastructure level, including errors in compilers. The review highlights the importance of awareness of these threats for developers and users of blockchain technologies.
The vulnerability consisted of unreliable verification of users’ balances during order completion, which put the assets of users who created orders on UniswapX at risk. A security researcher discovered that when executing a callback to an order-executing contract, the system incorrectly checked the user’s balance, allowing the user to potentially cheat the check and fail to complete the promised token exchange. The issue was resolved with a quick protocol update that included patching the vulnerability and restarting the contracts. For discovering and reporting this issue, the researcher received a reward of 200,000 USDC from Uniswap Labs.
A critical vulnerability was discovered in enhanced Balancer Pools that allowed exchange rates to be manipulated through the problematic integration of Linear Pools and Stable Pools, turning them into capital efficient pools. The vulnerability was discovered by a white hacker and reported to the Balancer team, which allowed them to quickly react and develop a new version of the Composite Stable Pool to fix the problem, minimizing risks to the ecosystem.
A vulnerability has been identified that allows the manipulation of sender addresses in contracts that use Multicall and ERC-2771. OpenZeppelin has taken steps to identify and minimize the risks, including recommending the shutdown of trusted forwarders and suspension of contracts. The issue has been resolved by releasing an update to the OpenZeppelin Contracts library that allows safe coexistence of Multicall and ERC2771Context.
Describes a vulnerability in the Tornado Cash management system that allowed an attacker to use CREATE, CREATE2, and selfdestruct operations to manipulate contracts. The hacker presented a contract with a hidden self-destruct feature, which after approval was replaced with a malicious contract, giving the attacker full control over the management system. The solution to this problem is not described in the article, but the case highlights the need for detailed auditing and code verification of smart contracts before their implementation.
Details of a vulnerability that allowed attackers to gain complete control over hundreds of validators on several major blockchain networks, potentially leading to direct losses of over one billion dollars in cryptocurrencies such as ETH, BNB, SUI, APT and others, have been revealed. The validators were hosted on the InfStones validator infrastructure. The study revealed a chain of vulnerabilities that allowed attackers to use classic attack techniques on central servers (validators) of blockchain networks as if they were ordinary cloud servers. The attackers used a combination of CREATE, CREATE2, and selfdestruct operations to steal validators’ private keys, which could give them unlimited power over the network.
Analysis of the KyberSwap hack reveals that over $46 million worth of assets were stolen through a vulnerability in the custom code for concentrated liquidity. Hackers took advantage of weaknesses in the liquidity calculation mechanism, tricking the system into doubling the available liquidity. This led to a series of exchanges that drained the pools’ resources.
An analysis of the KyberSwap Elastic case reveals that a vulnerability in the specialized code for concentrated liquidity led to the theft of about $100 million in assets. The identified problem allowed unauthorized doubling of liquidity during trading, which led to significant losses of pool resources. The solution was to temporarily suspend the ability to add new liquidity and make corrections to the code, after which the code was re-audited.
The Euler exploit became one of the largest DeFi attacks outside of cryptocurrency bridges, with losses of nearly $200 million. This incident is characterized by the uniqueness of the bug, which consisted of two elements: the introduction of a seemingly simple service function and the extreme ease of execution of the attack. The donateToReserves function, created to optimize gas usage and support wrapper functions, unexpectedly became a key element in the implementation of this major hack. While a similar attack method may not be directly applicable to other protocols, the Euler incident highlights how small additions can affect the overall security of smart contracts. Due to its simplicity and huge implications, this exploit ranks prominently on the list of the biggest losses in DeFi.
Part 1.
Part 2.
The MEV-boost relay incident on April 3, 2023 exposed a critical vulnerability in the open source mev-boost-relay code developed by Flashbots, which resulted in the loss of about $20 million due to sandwich bot attacks. The vulnerability allowed the relay to transmit the block body to the proposer without validating the signed block header. This was made possible by flaws in most mev-boost relays, which were later fixed. The investigation also identified and fixed a related issue with the timing of the attack, although further research is needed to evaluate this solution.
To address this issue, the mev-boost relay was modified to not return the block body to proposers if the block was not successfully published. Additionally, a potential attack was discovered where a malicious proposer could request a block in a relay too late, which was fixed by introducing a time limit on requests. This incident highlights the importance of careful auditing and security testing in the design and implementation of protocols to prevent similar vulnerabilities in the future.
Several Curve.Fi liquidity pools were attacked on July 30, 2023 due to a vulnerability in the Vyper compiler, especially versions 0.2.15, 0.2.16, and 0.3.0. The bug was identified and fixed in v0.3.1, but it was not properly communicated to those using vulnerable versions of the protocols. The vulnerability consisted in the incorrect implementation of the reentrant protection mechanism, which could be bypassed in certain situations.
Fixing this issue was achieved with an update that improved reentrant protection in the Vyper compiler, including the introduction of a dedicated @nonreentrant decorator for functions. These changes ensured that functions marked as @nonreentrant were not allowed to be re-invoked until they were fully completed, effectively neutralizing reentrant attacks regardless of external calls.
