
Get Smart – Ending Crypto’s Over-Reliance on Contract Audits


Last year was a rollercoaster for crypto. There were aggressive regulatory actions, high-profile criminal convictions and shocking thefts.

And yet – the total cryptocurrency market capitalization rose to over $1.4 trillion in 2023, a year-over-year growth of over 70.7%.

New users and institutions are getting involved.

Throughout 2023, the number of crypto investors grew by 2.8% per month, and Goldman Sachs has called it the year crypto became institutionalized.

The bulls and the bears are both right – there is immense opportunity in the market right now, but also alarming risk.

The risk isn’t merely rooted in market volatility, though, or even the brazen criminal actions of exchange managers – it’s baked into the very mechanisms of crypto transactions.

Smart contracts themselves are a vulnerable and alluring target for hackers, and our methods for securing them are letting us down.

Here’s a quick primer. A smart contract is a self-executing contract used in blockchain transactions. The terms of the transaction are written directly into the lines of the code.

These contracts are a juicy hacking target – they’re used to handle large sums and high-value tokens.

If you can manipulate the contract, you can direct the tokens however you want.

Blockchain entities protect themselves with smart contract audits, wherein independent reviewers inspect the smart contract for design flaws, security vulnerabilities, efficiency and other coding issues.

The auditors issue a public report, listing all the issues found and the steps taken to mitigate them.

So far, so transparent – audits help blockchain companies ensure their smart contracts are secure and help investors make informed decisions.

The process is far from foolproof, though. There are no widely adopted standards for smart contract verification, and no audit can truly guarantee that a smart contract is bug-free.

As a result, lots of vulnerabilities slip through the cracks, often with devastating results.

Here are a few examples from 2023 alone.

LendHub – $6 million exploit – January 2023

LendHub left a deprecated version of the IBSV token in its smart contract during an update. Both the old and new versions were active in the contract at the same price.

Attackers were able to buy the old version and swap for the new, making off with $6 million in additional value.

BonqDAO – $120 million exploit – February 2023

Attackers were able to manipulate the ‘update price’ function in BonqDAO’s smart contract, allowing them to change the price of AllianceBlock’s ALBT token.

The hackers then minted and swapped large amounts of tokens, eventually leading to the broad devaluation and liquidation of ALBT.

Euler Finance – $197 million exploit – March 2023

A flaw in Euler Finance’s smart contract allowed an attacker to deposit collateral and borrow against it without drawing down the initial collateral.

They used this bug to execute a flash loan attack that allowed them to withdraw nearly $200 million worth of ETH-based assets in moments.

We cannot staunch this bleeding with more audits. Euler Finance’s smart contract underwent 10 different audits from six different firms and still fell victim to one of the biggest single hacks of the year.

Part of the problem is that audits are backward-facing. They focus on known vulnerabilities, missing novel exploits.

Hackers are devious and creative – we need security measures that can anticipate and respond to entirely new approaches.

AI may be useful in sealing up the cracks in the smart contract audit process.

In experiments using OpenAI’s GPT-4, OpenZeppelin was able to use AI to identify vulnerabilities in 20 out of 28 challenges from the Ethernaut smart contract hacking game.

However, real smart contracts are far more complex, and the opportunities to exploit them more varied than anything in a controlled environment like a game.

And what’s more – catching 70% of vulnerabilities isn’t nearly enough.

If your network security team could only stop 70% of attacks, they would all be fired.

We’re going to be waiting at least another generation before AI can seriously assist in smart contract security, and we need solutions now.

These additional measures can be enforced at the wallet level so that transactions are vetted before being sent out on-chain.

Such measures could include address inspection to prevent rogue actors from executing contracts, smart contract history that traces any contract changes to their origins, or front-running to stop any suspicious transactions before tokens are transferred.

Many smart contract exploits rely on speed. By building more friction into transactions, we can make them safer and less attractive to bad actors.
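As an added illustration of the wallet-level vetting described above (this is not code from the post or from Harpie), here is a minimal pre-signing policy check in Python that combines address inspection, a contract code history and a friction rule; the addresses, bytecode, hashing scheme and threshold are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Tx:
    to: str           # destination address (constructed hex strings below)
    value_eth: float  # amount at stake in the transaction
    data: bytes = b""  # calldata; non-empty for a contract call


class WalletGuard:
    """Vets a transaction before it is signed: address inspection,
    contract code history, and a hold that adds friction to risky sends."""

    def __init__(self, trusted, blocked, hold_threshold_eth=1.0):
        self.trusted = {a.lower() for a in trusted}
        self.blocked = {a.lower() for a in blocked}
        self.hold_threshold_eth = hold_threshold_eth
        self.code_history = {}  # address -> list of code hashes seen so far

    @staticmethod
    def code_hash(bytecode):
        # sha256 stands in for the chain's own code hash (assumption)
        return hashlib.sha256(bytecode).hexdigest()

    def record_code(self, addr, bytecode):
        """Remember the code deployed at addr; returns True if it changed."""
        h = self.code_hash(bytecode)
        hist = self.code_history.setdefault(addr.lower(), [])
        changed = bool(hist) and hist[-1] != h
        if not hist or changed:
            hist.append(h)
        return changed

    def vet(self, tx, current_bytecode=None):
        """Return (verdict, reasons); verdict is allow, warn, hold or reject."""
        addr = tx.to.lower()
        reasons = []
        if addr in self.blocked:          # address inspection: hard stop
            return "reject", ["destination is on the block list"]
        if addr not in self.trusted:      # address inspection: unknown party
            reasons.append("destination has not been seen or approved before")
        if current_bytecode is not None:  # contract history check
            hist = self.code_history.get(addr, [])
            h = self.code_hash(current_bytecode)
            if not hist:
                reasons.append("no code history for this contract")
            elif h != hist[-1]:
                reasons.append("contract code differs from the last recorded version")
        if reasons and tx.value_eth >= self.hold_threshold_eth:
            return "hold", reasons        # friction: require explicit confirmation
        return ("warn", reasons) if reasons else ("allow", [])
```

A real wallet would fetch the live bytecode from a node before calling `vet`, and a "hold" verdict would surface the reasons to the user rather than silently delaying the send.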

2024 kicked off with crypto in the strongest position it has occupied in years, but smart contract vulnerabilities have cast a shadow over this progress.

This is an inflection point, where the promise of blockchain meets the realities of its risks.

Now, our task is to get serious about security at every stage of blockchain transactions.

Daniel Chong is the CEO and co-founder of Harpie, the crypto security platform. While pursuing a Mathematics degree at Duke University, Daniel worked as a development and security consultant for a variety of crypto companies, leading award-winning projects to victory at conferences including ETHDenver. He’s dedicated to ending the threat of crypto theft and making smart contracts safe and accessible to all.

