Did you miss our Twitter Space session on hacks in the crypto space and safely securing your digital assets? Check out our recap here, and listen to the recording on the @whalefinapp Twitter account.
Here below are some highlights from a discussion with Dr. Chiachih Wu and Ms. Momo Wang.
Dr. Wu is the Head of Blockchain Security at Amber Group and WhaleFin, and he was also previously a Co-founder of the security firm Peckshield. Ms. Wang is the Head of Wallet Security at WhaleFin and Amber.
Question 1 — Another CTF
Another hacking CTF*, the Capture the Flag MOVE 2022 competition, concluded today. How did the Amber team do?
We placed 8th out of 305 teams.
Even though our team didn’t have much experience with the Move programming language (which has similarities to Rust), we were still able to do well.
*Capture The Flag (CTF) is an exercise in which “flags” are secretly hidden in purposefully vulnerable programs or websites for participants to find. CTF sessions are either competitive or educational in nature, and generally serve for honing cybersecurity skills. One of the most well-known CTFs worldwide is the Paradigm CTF, where we ranked 6/445.
Question 2 — Common Attack Vectors
What are common attack vectors* for crypto hacks, and are there takeaways?
Commonly, hacks and thefts directed towards individuals are the result of some kind of phishing or social engineering: the hacker gets you to click a link or sign an approval.
There are broadly two types of approvals, especially on EVM chains.
- A swap on Uniswap — The user approves Uniswap to spend their token in order to exchange it for another (approvals can be monitored with tools like revoke.cash)
- Signatures, common with NFT trading on OpenSea — The user signs a chunk of data starting with 0x… In this case, nothing happens on the blockchain; the website simply collects your signature in order to make the necessary transaction later, so it is easy for hackers to hide falsified permissions inside
*In cyber security, an attack vector is a path that a hacker takes to exploit cybersecurity vulnerabilities.
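As an added example (not part of the original discussion), the following Python decodes the calldata a wallet asks you to confirm for the on-chain approval case above and flags the forms that give a spender open-ended control: an ERC-20 `approve` with an unlimited amount, and an NFT `setApprovalForAll`. The sample calldata and addresses are constructed for illustration; the selectors are the standard 4-byte function identifiers.

```python
"""Decode EVM calldata for the two approval calls that most often sit behind a
wallet's "Confirm" button and report what the user is actually granting."""

UINT256_MAX = 2**256 - 1

# First 4 bytes of keccak256(signature); well-known public constants.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 (also ERC-721 single token)
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator grant
}


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI-encoded argument word after the selector."""
    chunk = data[4 + 32 * i: 4 + 32 * (i + 1)]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return chunk


def decode_approval(calldata_hex: str) -> dict:
    """Decode approve/setApprovalForAll calldata and attach a plain-language risk note."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return {"function": None, "risk": "unknown selector: decode before signing"}
    # An address occupies the low 20 bytes of its 32-byte word.
    target = "0x" + _word(data, 0)[12:].hex()
    if sig.startswith("approve"):
        amount = int.from_bytes(_word(data, 1), "big")
        unlimited = amount == UINT256_MAX
        risk = ("unlimited allowance: spender can move your entire balance"
                if unlimited else "limited allowance")
        return {"function": sig, "spender": target, "amount": amount,
                "unlimited": unlimited, "risk": risk}
    approved = int.from_bytes(_word(data, 1), "big") == 1
    risk = ("operator can transfer every NFT in this collection"
            if approved else "revocation of operator rights")
    return {"function": sig, "operator": target, "approved": approved, "risk": risk}


# Constructed sample: approve(0x1111...1111, 2**256 - 1), i.e. an unlimited allowance.
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32

if __name__ == "__main__":
    print(decode_approval(SAMPLE_UNLIMITED))
```

Run it against the hex shown in a wallet's transaction-details view; the `risk` field is what a revoke.cash-style check makes visible after the fact.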
Question 3 — Hack Frequency
Hacks seem to be becoming more common. Is that just a function of more money in the industry, and will that trend continue or subside?
We will likely continue to see high profile hacks in the short term because the industry is still in its infancy. As there are new developments, new attack surfaces open up, so it’s a continuous race between hackers and security teams.
Criminality develops alongside technology. Previously you had to rob a bank, then you could rob an ATM, now you can hack online banking infrastructure. However, over time, we can see that cybersecurity incidents in digital banking are not very common these days, and we can probably expect a similar progression for crypto.
Question 4 — The Path to Safety
Is this progression towards security just a slow process of patching holes, or are there technologies that will likely bring significant progress?
Manual code auditing and bug hunting by security experts is still a very effective way to insulate protocols from exploits. Beyond that, organizations like ImmuneFi and Code423n4 are building new forms of security auditing through platforms where whitehats* play incentivized bug hunting games.
Fuzzers are also becoming more popular and efficient, with AI/ML approaches attempting to break protocols based on a “hint” or a set of parameters that would lead to a failure which the AI can be directed to search for. A fuzzer can try large numbers of “brute force” inputs to make a protocol fail that would be impractical for a human to test by hand.
*Whitehats are ethical security hackers. With the consent of the owner, whitehat hackers work to identify vulnerabilities in a given system. The whitehat is contrasted with the blackhat, a malicious hacker.
Question 5 — Contingency and Tracking
After a hack happens, how can funds be tracked to catch a culprit?
Fortunately (from a security standpoint), all asset movements leave a footprint on the blockchain, and companies like Chainalysis, Elliptic, Crystal, and our vendors Anchain and Slowmist all provide good tools for tracking on-chain movements to prevent offenders from cashing out. If the hacker deposits the funds into a centralized platform, for example an exchange, the victim can notify the exchange and ask them to freeze the funds for a while and possibly return them.
Some smart contracts have contingencies as well, such as blacklists for USDT and USDC, and a nuclear option would be to fork an entire blockchain, such as what happened with the DAO hack in 2016.
Question 6 — Security Best Practices
What steps can regular crypto users take to secure their assets?
Step one is definitely to secure your private keys safely.
When considering investments, be sure to DYOR (Do Your Own Research) by checking whether the project has a security audit report and whether the verified source code on the blockchain explorer matches the official GitHub repository.
For users interested in getting more technical, you can further evaluate the project with static analysis tools like Slither and read through the codebase and whitepaper. Furthermore, you can check which parameters privileged accounts are able to alter.
If you’re new, it’s wise to stay with a reliable custodian with a clean track record like WhaleFin. If you prefer to self-custody, get a hardware wallet and turn off any auto-signing feature.
Also be extra careful with links that you receive, be on the lookout for red flags anytime you sign anything, enable 2FA, and change your passwords every 30–90 days.
Question 7 — Learning More
What steps can people take to learn more about crypto security, or study to work in blockchain security?
Junior researchers at Amber are usually assigned to
- read Mastering Bitcoin and Mastering Ethereum,
- learn the Solidity language, and
- try to build something from scratch with OpenZeppelin templates and libraries.
You can then also work to understand the logic behind common DeFi protocols like Uniswap, Curve, Compound, and Aave from the source code and the design documents.
You can also use tools like Hardhat, Brownie, or Foundry to reproduce known exploits and understand attack vectors. Then you can refine your bug hunting skills through bounties and competitions via OpenZeppelin’s Ethernaut, ImmuneFi, Code423n4, and Hats Finance.
Question 8 — Legality of Hacking
We often hear of hackers being described as criminals, but is it actually illegal to execute most of the hacks that happen, since they are theoretically doing something that the code allows?
Different regulatory jurisdictions have different treatments, though generally it is considered a crime. Although the code allows it to happen, it is easy to show that this is overtly not the intention. So it is common practice to report all hacking activity to the police. They can’t do anything about it on-chain, but centralized entities typically need legal documentation from authorities before they can take action on customer funds.
Furthermore, when tracking hackers off-chain, information like IP addresses, IMEI numbers, and device fingerprints would be used, which can only be processed by the authorities.
WhaleFin, powered by Amber Group, is an all-in-one digital asset platform designed to empower you to diversify, manage and grow your wealth digitally in a secure manner. On WhaleFin, you can buy, sell, trade, and invest in crypto with ease.
Amber Group is a leading digital asset platform operating globally with a presence in Asia, Europe, and the Americas. We provide a full range of digital asset services spanning investing, financing, trading, and spending, backed by some of the best investors across the world such as Sequoia Capital, Temasek, and Tiger Global Management.
This material is for informational and educational purposes only. Any information provided is not intended to be and does not constitute financial advice, investment advice, or trading advice. The information discussed is not intended to provide a sufficient basis on which to make an investment decision.
The trading of Bitcoin and other cryptocurrencies has potential rewards, and it also carries potential risks. Trading may not be suitable for all people, and anyone wishing to invest should seek his or her own independent financial or professional advice.