
In Code We (Lose) Trust: How Hacks Became the Achilles’ Heel of Crypto – TheStreet

When the notorious cryptocurrency exchange Crypto.com, of which NBA superstar LeBron James has become the face, discovered on Jan. 17 that it had been hacked, the alert did not come from its monitoring tools.

The firm, an inside source told TheStreet, was made aware of the intrusion into its system by actor, investor and crypto enthusiast Ben Baller. 

In a since-deleted tweet, Baller said his account had been compromised and that he had lost nearly $14,000 worth of ethereum, the second most popular digital currency. He also claimed that he had enabled two-factor authentication. In other words, the error did not come from him.

Three days after the hack, the Singapore-based company admitted in a blog post that more than $35 million worth of cryptocurrencies had been stolen by the hackers.

Yet on its website, Crypto.com trumpets that: “Security First. Always.”

The firm declined to comment.

Crypto.com’s setbacks reflect the astonishment of a young industry that thought itself immune to cybersecurity problems because of its founding principles: open source, transparency, decentralization.

A few days after the Crypto.com hack, Qubit and Wormhole, two decentralized finance (DeFi) protocols, which promise to make legacy banks obsolete by eliminating middlemen, suffered hacks in turn. In the case of Wormhole, a hacker stole over $323 million worth of crypto.

Wormhole and Qubit offered bounties to the hackers.

Cyber risk is a risk that investors in crypto assets can no longer ignore. “Everyone’s talking about it. It has really become a pinpoint, or even a bottleneck that prevents mainstream companies from embracing it,” Ronghui Gu, an assistant professor at Columbia University and co-founder of Blockchain security firm CertiK, said in an interview.

He points out that in 2020, financial losses related to software bugs in the blockchain industry were valued at $500 million, a number that tripled in 2021. “And that number may increase again this year,” Gu warned.

Industry sources are unanimous on one point: blockchains, especially the more established ones (bitcoin and ethereum), have never been hacked.

“Bitcoin has been around since 2009. And, it’s never been hacked. I think you could say it’s one of the most security design computer systems that’s ever existed. It’s completely open and transparent and unencrypted. And it contains very highly valued assets,” said Dr. Owen Vaughan, the director of research at nChain, Europe’s leading data integrity and blockchain development. “So there’s a big honeypot there, but it’s never been hacked. So it’s designed very, very securely from the beginning.”

Unable to hack the blockchains themselves, hackers target the wallets in which users keep their crypto assets on trading platforms. To understand the process, think of the blockchain as a car. If you lose the key in a restaurant or elsewhere and later discover that the belongings left inside have been stolen, it is not the car that was badly secured. Such hacks happen on crypto exchanges because they hold a huge amount of assets controlled by private keys.

The hacks on the rise are those targeting DeFi protocols, and specifically their smart contracts: pieces of computer code that determine the terms of a transaction (loans, trading, etc.) and do not rely on any third party. Things are done automatically and follow the rules that people have agreed on.

But because smart contracts are open source and publicly available to the community, anyone can read the source, find bugs if there are any, and exploit them, because it is hard to modify a smart contract. There is no centralized authority like a bank that could suspend or cancel the transaction. Once you have identified the loophole, you often have to write a new smart contract and notify the rest of the community.

“The good thing about decentralization is a world computer no one can stop. That’s also the bad thing about it,” said Gu.

Bridges Between Blockchains Are Very Vulnerable

The hackers exploited a weakness to attack Qubit and Wormhole, which have developed infrastructure meant to let different blockchains talk to each other. In the Wormhole case, the hackers targeted the bridge connecting the Solana system to Ethereum.

Bridging works by locking assets on one blockchain and replicating them on another, so that a synthetic, wrapped or cloned version lives somewhere else. The asset must never be usable twice at the same time, so the bridge has to ensure a one-to-one correspondence between the amounts on each blockchain.

“Bridging attacks often occur, because people can falsify or, you know, fudge the quantity in and so that’s what happened with this Wormhole bridge. So it wasn’t actually an issue with the Solana blockchain,” said ethereum scaling project Skale Labs CEO Jack O’Holleran.
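The one-to-one rule described above can be monitored by reconciling events from both chains. The following is an added example, not code from the article or from any bridge project; the event layout, field names and sample events are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, assumed to arrive in finalized order.
EVENTS = [
    {"type": "lock",    "id": "d1", "asset": "ETH", "amount": 100},
    {"type": "mint",    "id": "d1", "asset": "ETH", "amount": 100},
    {"type": "mint",    "id": "d2", "asset": "ETH", "amount": 500},  # no lock behind it
    {"type": "lock",    "id": "d3", "asset": "ETH", "amount": 5},
    {"type": "mint",    "id": "d3", "asset": "ETH", "amount": 50},   # inflated quantity
    {"type": "burn",    "id": "w1", "asset": "ETH", "amount": 40},
    {"type": "release", "id": "w1", "asset": "ETH", "amount": 40},
]

def reconcile(events):
    """Check every mint against a lock (and every release against a burn),
    then compare total wrapped supply with total locked collateral."""
    locks, burns, used = {}, {}, set()
    locked, wrapped = defaultdict(int), defaultdict(int)
    alerts = []
    for e in events:
        kind, key, asset, amt = e["type"], e["id"], e["asset"], e["amount"]
        if kind == "lock":
            locks[key] = amt
            locked[asset] += amt
        elif kind == "burn":
            burns[key] = amt
            wrapped[asset] -= amt
        elif kind in ("mint", "release"):
            backing = locks if kind == "mint" else burns
            if (kind, key) in used:
                alerts.append((key, f"{kind} replayed"))
            elif key not in backing:
                alerts.append((key, f"{kind} without backing"))
            elif backing[key] != amt:
                alerts.append((key, f"{kind} amount mismatch"))
            used.add((kind, key))
            # The tokens exist on-chain even when unbacked, so count them.
            if kind == "mint":
                wrapped[asset] += amt
            else:
                locked[asset] -= amt
    for asset in sorted(set(locked) | set(wrapped)):
        if wrapped[asset] != locked[asset]:
            alerts.append((asset, "supply mismatch"))
    return alerts, dict(locked), dict(wrapped)

if __name__ == "__main__":
    for alert in reconcile(EVENTS)[0]:
        print(alert)
```
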

Hackers are also exploiting newly created financial instruments such as flash loans, a new type of loan where you don’t need any collateral and you pay back the loan almost instantly.

Cybersecurity experts recommend having smart contracts thoroughly audited before validating them on the blockchain, but Amir Sternhell, chief strategy officer at Sertainty Corporation, a technology firm, says “the miners that are in the Genesis block can manipulate so whatever goes in.”

“They can manipulate in their favor. This is one of the biggest flaws. And since we are talking about China today, China has the most miners that have processing capabilities. They also have a very strong chunk of the infrastructure in terms of 5G as well as devices. So in general, they have the ability to process more than anybody else in the world,” Sternhell argued. 

NFT Prices Can Be Easily Manipulated

In the world of very popular non-fungible tokens, typically pieces of artwork which are created and then traded on the blockchain, scams abound. One in particular attracts attention: wash trading, because it manipulates prices by inflating the value of assets and plays on FOMO (fear of missing out), one of the mantras of the crypto sphere.

Wash trading is where the seller is on both sides of the trade in order to paint a misleading picture of an asset’s value and liquidity. In the case of NFT wash trading, the goal would be to make one’s NFT appear more valuable than it really is by ‘selling it’ to a new wallet the original owner also controls.

In theory, this would be relatively easy with NFTs as many NFT trading platforms allow users to trade by simply connecting their wallet to the platform with no need to identify themselves.

“If I see a NFT being sold for $10s or $1,000s of dollars on the blockchain, it might be me selling it to myself. How do I know someone actually parted with that money? And how do I know that its value is that? How do I know the markets are not being manipulated?” warned Vaughan.
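Two on-chain signals of the self-dealing described above can be checked mechanically: a buyer wallet funded by the seller, and a token that returns to an earlier owner. The following is an added example, not code from the article or from any analytics vendor; the record layout, wallet labels and sample data are constructed.

```python
# Constructed sample data; wallet labels and tuple layouts are assumptions.
FUNDING = [  # (from_wallet, to_wallet, amount), all preceding the sales
    ("0xA", "0xB", 10.5),
    ("0xExchange", "0xC", 3.0),
]
SALES = [  # (token_id, seller, buyer, price), in chronological order
    ("nft-1", "0xA", "0xB", 10.0),  # buyer was funded by the seller
    ("nft-1", "0xB", "0xA", 25.0),  # token goes back to an earlier owner
    ("nft-2", "0xD", "0xC", 2.0),   # unrelated parties
]
# Shared funders such as exchange hot wallets are not evidence of common control.
SERVICES = {"0xExchange"}

def funders(wallet, funding, max_hops=2):
    """Wallets that funded `wallet` directly or within max_hops, ignoring services."""
    seen, frontier = set(), {wallet}
    for _ in range(max_hops):
        frontier = {src for src, dst, _ in funding
                    if dst in frontier and src not in SERVICES} - seen
        seen |= frontier
    return seen

def flag_wash_trades(sales, funding):
    """Return the sales that show either self-dealing signal, with the reasons."""
    flagged, past_owners = [], {}
    for token, seller, buyer, price in sales:
        owners = past_owners.setdefault(token, set())
        reasons = []
        if seller in funders(buyer, funding):
            reasons.append("buyer funded by seller")
        if buyer in owners:
            reasons.append("token returned to earlier owner")
        owners.add(seller)
        if reasons:
            flagged.append((token, seller, buyer, reasons))
    return flagged

if __name__ == "__main__":
    for hit in flag_wash_trades(SALES, FUNDING):
        print(hit)
```

A hit is a lead for review rather than proof of common control; the hop limit and the service-wallet list are tuning choices.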

Chainalysis, a blockchain analysis firm, said that NFT popularity skyrocketed last year, with a minimum of $44.2 billion worth of cryptocurrency sent to ERC-721 and ERC-1155 contracts (the two types of Ethereum smart contracts associated with NFT marketplaces and collections), up from $106 million in 2020.

Privacy vs. Accountability

To detect NFT scams and manipulation, law enforcement uses the same method used to track money laundering activities. Investigators try to follow patterns of behavior and ask each time what the utility of this or that NFT is.

“One of the key words we miss is utility, right? I understand when I say Bruce Springsteen makes a song right. There’s utility to protect that song,” said Bill Callahan, a law enforcement veteran now working at Blockchain Intelligence Group. “I think as the law enforcement, the private sector, business industries like ours and businesses like what we do, we were always playing catch up because the bad guy gets a head start. The money launderer gets a head start on us, because they have the ideas. They’ve got the money. They don’t have the restrictions of borders.”

One of the things that encourages hacks and scams in the cryptosphere and web3 is, paradoxically, the anonymity and privacy granted to the actors, which is at the core of these new technologies.

At the end of January, for example, it was revealed that the chief financial officer of the popular DeFi project Wonderland was an ex-convict.

Many web3 and blockchain projects are anonymous. This started with Satoshi Nakamoto, the person or persons who developed bitcoin. Their identity remains unknown to this day.

The most common argument in the community in favor of pseudonyms is that, to develop a decentralized internet and financial services that take power and control back from Silicon Valley and Wall Street and give them to users, privacy must be the cardinal rule. Requiring people to reveal or present their identity, say the defenders, is what gives centralized systems their strength, and it is what allows them to exclude large numbers of people. Privacy must therefore apply to all in the new paradigm.

O’Holleran, however, disagrees.

“I think there is a lot of value in working with open source web3 products that do have non anonymous founders because there’s more accountability. And I do think for us to get to a point where we have billions of users connecting to the web3, the more accountability we have, the better,” O’Holleran said.
