
Welcome to the State of Blockchain Security. In case we have not met, my name is Peter, and I stumbled upon this field of blockchain security accidentally about five years ago. I'm very excited to share with you what it is, what are the threats, and why this is so near and dear to me. In case you're not familiar, it's a brand new security field with a mission of securing and defending the cryptocurrency ecosystem. And you know, we can think of the cryptocurrency ecosystem as what you read about in the news, you know, people buying dogs and JPEGs and all sorts of fun stuff, but to me it's about the Ukrainian and Russian refugees escaping war zones and, you know, being able to preserve their livelihoods even when they're going through, you know, border control that takes everything away, by just memorizing 12 words. That's all it takes. That's not something that my family was able to do. That's why, to me, if I spend my time making the system safe and sound and it saves at least one family out there to preserve their livelihoods, it's worthwhile, and I invite you to join me.

I have a whole lot of content for you, so I'll talk fast. There'll be hopefully some time to ask questions, but I really want to give you a map for this brand new industry, explain what are the unique threats, what are the unique opportunities for you to build on, and
let's see, maybe you'll find it fun enough to explore more.

So first, let's talk about what is the difference between the cryptocurrency ecosystem and the traditional security ecosystem. The best way to look at it is just to look through the economics of it. When we talk about exploitation with traditional security, there are about a thousand or so incidents that happened in the last year. On the blockchain side there were about 294, so it's obviously a much smaller industry, so there are fewer hacks. Where it gets interesting is the dollar amounts involved in those compromises. The 4.6 billion dollar value that I calculated, it's pretty hard to find, because you can't go to some report from Verizon or Mandiant or anyone else out there that says this is how much money was actually stolen. They concern themselves more with, like, this is how many emails were compromised, Social Security numbers; there's no actual dollar value they can assign there. So I extrapolated based on the report from IBM, which counts about four million dollars per incident.

Things are different on the blockchain side, where, because of the nature of it, because it's an open ledger, you know exactly how much was in the treasury of a company that was compromised, and suddenly it's not there. From that I could see 3.7 billion dollars that was in treasuries of cryptocurrency businesses, and now it's gone. What that means is that per incident, for businesses, a single incident is worth not just four million dollars, as in traditional security, but 12 million dollars. This is basically a life-changing event for a company: if it loses 12 million dollars, a large chunk of them shut down after the fact. So it is critical for businesses to shore up the security.

Let's look at the attacker perspective: why are they so interested in hacking crypto assets? Same thing: on the traditional side, a thousand incidents. The way that you can calculate attacker profits, that's really hard too. The most profitable cash cow of traditional compromises is ransomware: 450 million dollars were stolen according to Chainalysis. If you're stealing, you know, emails and all that stuff we saw in a phishing talk yesterday, you're selling millions of records for pennies per thousand or a million records. So I would say, I'm giving it a big variance here, about two million dollars per incident. That's the attacker profit. On the blockchain side it still is 12 million, because the exact amount that left the company's treasury now ends up in the attacker's pocket. So naturally a lot of bad actors, a lot of traditional bad actors, nation states, they did the same math and they said: well, we can spend all this time trying to go out of our way to steal identity and try to go on the black market and try to sell that, or we can just steal the actual cash. So it makes sense for them to really target this field.

So that's the math breakdown. Before we dive into specific threats, let's talk on a very high level about what constitutes a cryptocurrency ecosystem from the defender and the attacker side. Of course there's the blockchain, that's the underlying technology. This is the consensus mechanism that allows you to do transactions in a decentralized fashion with no one being able to say no to you. Those blockchains communicate with nodes, which are specialized servers which enforce the consensus, making sure that whatever the ledger state that appears on one side is the
same on the other. Wallet software is the client software which communicates with those nodes, so that's what you and I would install on our machines. Smart contracts: those are tiny little programs that run on all the nodes and allow you to implement things like banking, and I guess decentralized banking and loans and all of that good stuff, without any central control. There are CeFi businesses, that's centralized finance, so think of exchanges. And DeFi, that's the most exciting part, decentralized finance: you're building up whole banks and whole ecosystems, financial ecosystems, without any single entity exerting control on you. And of course there are users, which interact with all of that.

With that, let's look at what's happening with this model. The slide shows you how much was lost just this quarter, in the last three months. On the user, CeFi and blockchain side, that's around 200 to, sorry, 20 to 30 million dollars lost. The real losses are in DeFi: 390 million dollars stolen in the last few months. And we can give you this number with precision because we can observe the projects actually getting compromised and losing that exact amount. This is where we're going to focus for most of the talk. This is where attackers are most likely going to focus, because they're transitioning from exchanges and other compromises to DeFi, and so we as security professionals should focus on defending as well if we want to contribute to this ecosystem.

So let's begin with user and wallet security first. Just on a very high level, we have our users, who communicate with the client software, which is usually a browser extension or mobile app. The wallets communicate with dapps. If you're not familiar, a dapp is just a website; within that website there's some embedded code which can talk to those extensions, it can talk to your wallet software. And then wallets take commands from the dapp, like "hey, I want to swap some ETH", and send them over to the blockchain. To visualize it, imagine a wallet software, I'm biased here, Coinbase Wallet
here. You navigate to a dapp, so this is Uniswap. You can try to swap one ETH for some USDC. You can't do, it's no longer two thousand, it dropped in the last couple days. You say go for it, your wallet accepts a command, you approve that command to perform the swap, and then it shows up on the ledger. So that's a blockchain explorer where you can see all the transactions.

And that gets us to the first and one of the worst user threat vectors out there. It's called approval phishing. You can imagine that you navigate to a malicious website, and oftentimes they entice you with some kind of airdrop: it's free tokens that you can claim because you are you, and just for you we'll give you some free stuff. Well, little do you know that when you navigate there and you click on "hey, let's retrieve those tokens", you'll be presented with an approval screen, but that approval screen doesn't authorize you receiving those tokens. Because of how limited the UX is, oftentimes you approve things which end up sending all your money on the ledger to the bad guys, and then you end up with an empty wallet and a sad face.

And you say, well, couldn't users be better? Well, not really. Kevin Rose is one recent hack, and if you're familiar, Kevin Rose of Digg fame, he's been in the crypto ecosystem for a while, so he's an experienced user, OG we call them, and he was still tricked into losing a million dollars worth of NFTs, for the squiggly lines, yes, it's worth a million dollars. But the idea is: what are the limitations of wallet software out there that still trick even more experienced users?

By the way, you'll see QR codes. I know we are at a security conference and you're not supposed to click on QR codes, but you know who I am and you know where to find me. This is just a way for you to get more information
and more research on this particular subject, so if it really sounds interesting, check it out.

Let's talk about zero transfer phishing. That's another attack vector. The best way to understand it: imagine that you called your bank, and then you want to call your bank again, and the best way to do this is you look at the phone call history, right? Who did you call? You remember the phone number started with 555 something, and "I'm gonna call this number again." Well, imagine if attackers could inject a number into your call history which also starts with 555. What are the chances of you accidentally dialing the bad number as opposed to the original one? And that is exactly what attackers figured out how to do. They inject a transaction with an address which looks closely like your original one but is just slightly different. You approve a transaction, a transfer there, and now your money is gone. So this is an example of a zero transfer phish transaction. You'll see the first three characters, 5EC, are the same, but then the rest is different. These are called vanity addresses: you can brute force until you calculate an address which is similar enough. And surprisingly, it's successful enough that on the Ethereum blockchain almost 20 million dollars were lost to this hack in the past few months.

Okay, so to summarize the state of user and wallet security: wallet UX needs improvement. It's a new field, people are barely trying to get this going, and unfortunately bad guys are also taking advantage of that. Malicious transaction and address detection is a huge growth opportunity. Think of it like a firewall or anti-virus product, but for cryptocurrency users, that tells them "don't go there". You know this Chrome big red screen that you get when you go to a phishing site? We need that. If you are a builder, you want to create something new, this is an amazing opportunity. The other part is investigations. If someone compromises your wallet, who are you going to call? There are no Mandiants or CrowdStrikes or anyone else that you can call. It's volunteers. Volunteers right now sit down and spend hours and hours of their personal time to investigate and shut down these hacks. So again, there are opportunities for more professional services there.

No talk about blockchain security will be complete without exchanges, so let's talk about exchange security. Again, I'm not going to focus on more traditional hacks, like, you know, your server gets compromised or someone somewhere downloaded malware. We'll talk about blockchain-specific threats. And for that, just think of users communicating with some kind of exchange backend over an API, and then the exchange will forward on whatever it needs to the actual blockchain, so they're
intermediary. The key thing to keep in mind is the kind of asset storage that is embedded inside. We distinguish between hot storage, hot wallets, and cold storage. Hot wallets: think of them as live data that is accessible for users to immediately, quickly retrieve, swap and so on. And then you have cold storage. Cold storage was introduced because exchanges get hacked, so if you do get hacked, you probably don't want to lose everything. You probably want to keep the majority of your assets somewhere offline, which is very difficult to retrieve and requires all sorts of steps. That is the common practice, at least for most exchanges.

This gives you just some idea of how exchange compromises go over time, and 2022 would have been amazing if not for this one exchange, which I'll cover in detail shortly. You can probably guess who it was. But first, the attack vectors on exchanges. Hot wallet compromise is by far: 500 million dollars stolen in the last year, year and a quarter. Other things, like server compromise, credential theft. Credential theft is more like API key theft; that was popular last year, where one exchange, like IRA Financial, was relying on API keys, stolen from it, and they were used to access Gemini for cold storage. Server compromise is more related to incidents with Bitcoin ATM machines, where their whole infra got hacked, private keys stolen. Application logic, misconfiguration: these are smaller attack vectors, they're more concerned with, like, incorrectly set exchange rates that attackers took advantage of to arbitrage.

Okay, let's talk about FTX. If a certain someone was not thinking about rehypothecation, they would have at least implemented cold storage, and as we found out from the bankruptcy docs, those 432 million dollars that were stolen, maybe some portion of them would have stayed. From the Chapter 11 bankruptcy docs: no security staff, not using cold storage, private keys stored in clear text, multisig wallets stored in the same text file in clear text. So, like, really wild, I can't believe this was happening. Stolen assets were
extracted, went through ChipMixer, a North Korea favorite, not sure who it was, but that's one of the indicators, and it's gone. So this is an extreme example of an actor who was extremely careless.

Let's talk about the North Korea threat actor, APT38. The North Korean Lazarus Group was attributed with stealing 1.7 billion dollars so far, in the last, I guess, five years or so. They did the math that I showed you earlier and said, like, "wow, we should really start stealing crypto." The techniques that they use are more traditional. They don't create, like, 0-day vulnerabilities and do all sorts of crazy stunts: same old malware, spear phishing, supply chain attacks. Their latest invention is that they apply for jobs at crypto companies, saying, like, "hey, hire me, I'm an American developer." Malicious insider, you wanna, anyways, people have all sorts of weird YouTube recordings of the conversations. I invite you to research that.

So overall, the state of exchange security: hundreds of millions are lost. That said, those hundreds of millions are still 14% of total losses in the crypto ecosystem. So if you're interested in a career within the space, exchange security is great. What I'm going to talk about next is where the real losses occur, though. Supply chain attacks, spear phishing, traditional attack vectors are very much applicable, and whatever security professional you're going to talk to, ask who is their boogie person that they wake up in the middle of the night sweating about: it's North Korea, they're thinking of Uncle Kim.

So, the state of protocol security. Here we're talking about blockchains, the actual blockchain protocols. Again, on a high level, you have a bunch of nodes. They all communicate the current state to each other, like "this transaction occurred, everyone should be notified." They get rid of bad states by implementing a variety of consensus mechanisms, from proof of work to proof of stake. I invite you to learn more about that, but the key element for our purposes is the layers. There's the execution layer and the consensus layer. The consensus layer is concerned with making
sure that the ledger state that they obtain is legitimate and valid across the ecosystem. This is agreeing on what transactions are present. And then we have the execution layer. I mentioned smart contracts previously: this is the layer that makes sure that you execute those tiny little programs in a secure fashion and no funny business occurs. Because it does.

If we look back in history, let's go back to 2021, the majority of attacks were on the consensus layer. So, raise of hands, how many are familiar with 51 percent reorg attacks? Quite a few, okay. For those who are not sure about it, it's basically the ability to trick the system: make a deposit to an exchange, swap it out for something else, and then cheat, and somehow that deposit is as if it never happened. Node vulnerabilities back then were only five million dollars, it was just starting out. I was afraid it's going to happen, but it did: the vast majority of compromises today are a result of node exploitation, so 700 million dollars. And then on the consensus side there are still consensus-level exploits, but they changed, they evolved into something called MEV vulnerabilities. I'll talk about it in a second.

So let's talk about the first attack vector on the protocol side: the MEV-Boost block leakage exploit. What is MEV? MEV stands for maximally extracted value. It was previously called miner extractable value, but it's not as politically correct, so we don't say that anymore. Think of it this way. Forget about crypto, let's talk about general finance. You're familiar with Flash Boys, the book, where people were buying data servers close to exchanges to make sure they can front-run legitimate traders? Same story. Advanced traders in cryptocurrency, they figured: hey, if I'm going to pay this little bribe to a node operator and ask them to include my transaction just before another transaction, or right after, or around it, a so-called sandwich attack, I'm going to make some profit. And a whole industry was immediately born, where professional traders would bribe their way to include a transaction in a
strategic place. Now, when it was disorganized in the beginning, you can imagine that node operators could also front-run the front-runner traders. If they see a profitable trade, why not include your own, or why not drop that suggested trade and keep all the money for yourself? So it was a mess, and to address that, a more democratic system was introduced, where there's a proposer node which is completely blind to those highly profitable blocks that are proposed by builders. Proposers, their only job is to see "hey, what's the biggest bribe from this particular block? I will choose that one" and forward it on to a relayer. A relayer now can unwrap that block and forward it on to a node to actually mine. And all this works great: proposers cannot produce malicious blocks based on what input they get as long as they're not aware of what the transactions are in that obfuscated block.

Except for April 3rd. On April 3rd someone found a vulnerability in the package that facilitates this, called MEV-Boost, where they figured out that if they transmit a broken block, the relayer will take it and fail, but it will still expose all the transactions. So what this one malicious proposer did, effectively: they leaked the contents of the block, they included their own transactions in there, rearranged the transactions, and stole 25 million dollars from these advanced traders' MEVs. And by the way, we're not talking about people manually putting together blocks. These are actual machine code, fully automated bots that generate those every few seconds.

On the node execution side, so node exploitation, BSC Token Hub is a perfect example. The way that it works: you can imagine you don't want to implement everything in a virtual machine. You probably want to embed some highly optimized code, like to calculate hashes, Merkle tree verification or other things, deep inside the node itself, so it's running in Go code, not in some kind of virtualized machine, so you can run it fast. Such was the case with the Binance Smart Chain, where they decided to implement IAVL Merkle tree verification.
Key element: this is used to produce, like, a claim ticket to the node, to say "hey, someone is asking me for 100 million dollars and they're offering this verification receipt, is this thing legit?" And the node is supposed to say "yeah, it is legit, go ahead, give them the money." Well, someone was able to find an exploit, and if you look carefully at the source code here, this if-else statement, this is a case where both sides of a tree are defined. They were expecting only one side. I'll give you some more time to look at it, but effectively you can sneak in an extra proof next door to the legitimate one. That's exactly what the attackers did. They were able to steal 586 million dollars, half a billion dollars. This is a down market; if it had happened a year ago, that would have been the first billion dollar hack, from the Binance Smart Chain Token Hub. They effectively created a ticket, a claim ticket, that said "hey, you owe me 2 trillion Binance tokens", and the smart contract here obliged, because the node proof verification was vulnerable.

So, to zoom out, the state of protocol security: no one does 51% reorg attacks anymore, that's in the past. I really was wondering if governance and staking, proof of stake attacks, would take over, but that didn't really happen. The real game here is virtual machine and node exploitation, so if you want to spend time researching vulnerabilities, that's where you're going to find the most deadly bugs.

And that gets us to the state of DeFi security. This is by far the largest field, so let's spend more time on this. Just to give you a mental picture of DeFi protocols: we have users, they're interacting with dapps, so these are the web applications where you can talk to, let's say, a lending protocol. Dapps talk to wallets, so that's your interface to the blockchain. And then you have blockchains that communicate with smart contracts. This is
the divide where the DeFi ecosystem begins. Those smart contracts can implement all sorts of things, from lending and borrowing protocols to swaps; you can leverage your investments, and flash loans, all sorts of fascinating things. I invite you to explore. Contracts do not exist in a vacuum. In fact, it's a feature that they all stack and interact with each other; it's called composability. One particular type of smart contract that I want to talk about is called oracles. They provide the ability for blockchains to receive external data, or they provide information like what is the current exchange rate, like, you know, if you're trying to swap ETH for USDC, what's the current price. And of course we have to talk about admins. If you compromise administrative keys, which happens, that control smart contracts, you can empty whatever treasuries are inside those smart contracts or do all sorts of interesting things. So this is kind of a limited model; I included just enough to talk about a couple of use cases that I'm going to discuss.

So let's talk about chain bridge hacks. The reason why these particular hacks are so relevant is that there are just a few of them, but they're so costly. You saw that Binance Smart Chain compromise: that was a bridge compromise, and it was immediately half a billion dollars, poof, gone. The reason why bridges exist is that we no longer live in a world where there's a Bitcoin network, an Ethereum network, and that's about it, maybe a couple more. There are hundreds of chains out there. So if you're a user and you purchase some token on, let's say, Ethereum, but you want to do transactions on another chain, maybe they offer cheaper transaction fees or different security characteristics or a different speed of transactions, whatever the reason, you want to transfer your tokens from one chain to another. You do this using bridges.

The way the bridges work: imagine that you have some USDC on the Ethereum network. You will use bridges on both sides of the network, in this case it's Polygon, to transfer that asset. The way that it works, you send the USDC to the bridge, the bridge takes in your USDC, holds on to it in the liquidity pool, and then from there it mints a new USDC token on the other side, which is sent to you. Now you'll immediately see: wow, those bridges, they hold on to all that USDC and other tokens that they receive from users. You can see why attackers are interested in this, because they hold on to a lot of it. That's where the huge liquidity pools are, holding on to all the user tokens.

And that gets us to the first exploit, the Wormhole compromise, and this one is just so fascinating from so many directions. Similar to the Binance Smart Chain hack that we discussed earlier, there was an
issue with the proof verification. Someone was able to craft an account with a specific characteristic, check out the QR code for more details. Effectively they were able to cheat and claim more assets from the bridge than they were allowed to, in this case 325 million dollars worth. They stole it on the Solana network and transferred it over to Ethereum.

But this is where it gets really interesting. So on the Wormhole, a year later: normally, when you see what attackers do after those compromises, they use Tornado Cash, or they find some exchange without a KYC requirement and they start swapping it, laundering and so on. Not this one. This guy really, really wanted to extract maximum value. So what they did, as a true degen, and degens are just people who are doing crazy things on these networks, as a true degen they decided to take 120,000 ETH and put it up as collateral on Oasis Network. They took that as collateral and then they borrowed a whole bunch of rETH and staked ETH, and if you're not familiar, these are just Ethereum tokens, but they're interest-bearing Ethereum tokens. So not only did they steal 120,000 ETH, now they're earning interest on what they stole. So they're really cashing in here.

Except, because they did this lending thing, there's always a risk of your loan going underwater, and we'll cover lending protocols shortly. If your loan goes underwater, you may get liquidated; that means you may lose all of your collateral. To prevent that, there exist specialized bots, they're called stop-loss bots, to which you delegate access to your tokens, so if your loan is just about to go underwater, these bots will step in and liquidate your loan before you lose anything. The one thing the attackers did not figure for is that the stop-loss bots were also controlled by the Oasis Network, and the Oasis Network had admin keys for that bot. That means they could potentially change it in such a way that they could reclaim those funds. And that's exactly what happened. A bunch of white hats figured out that "hey, these guys are going full degen, and they just deposited and delegated access to their tokens to this new contract which you have admin keys for. Could you maybe hack your contract and, you know, steal those back?" "Sure." The upgrade went through, and they stole those assets from the attacker, who was probably sitting there going "what the hell just happened, I got hacked." They restored the loan, took back the original ETH plus an actual 17,000 extra ETH that they earned in interest, and gave it back to the Wormhole protocol. This type of stuff only happens in DeFi. This is the wild west, guys.

This is just one example of white hat attacks. Again, there are a lot of volunteers that sit there and constantly monitor and watch for attacks. It's a public ledger, so you can see the attack happening live in front of your eyes. So what a lot of white hats started doing is that the second they see the first transaction of a hack, they will swoop in and start hacking the protocol themselves, and then they'll give whatever money they recovered back to the protocol. And the best part is that, once again, you can see all this happening live in front of your eyes, transaction after transaction. Pretty fascinating.

Okay, let's talk about lending protocols.
So, lending protocols. I guess, why do lending protocols even exist, first? Imagine you have one million dollars worth of ETH and you want to buy a house, not in San Francisco, far away. Your one option is you take your 1 million in ETH and you sell it, you pay 30, 40% in taxes, and now you have around, like, maybe 600k. So you got your down payment, you got a mortgage, cool. The other way you can do this is you can take your million dollars worth of ETH and you can put it up as collateral and withdraw one million dollars worth of USDC. So now, instead of paying your interest rates to some mortgage company, Fannie Mae or whatever, you can actually pay this lending protocol, which is probably a few percent. It's decentralized, they're not going to confiscate your mortgage if they're pissed at you or something like that. And that's great: you just got a house, a million dollars, that's cool.

Lending protocols, when they give you this loan, internally they keep your collateral, and they also keep track to make sure that the ratio between the collateral and how much USDC they gave you remains at least a one-to-one ratio. The reason they need to do this is because this is all permissionless. They don't have your KYC, there are no real mechanisms by which they can go and find you, like "hey, give me back my loan", or institute a legal action; that's not the whole point of DeFi. But imagine a scenario within this ratio: what if ETH drops, like it did in a couple of days, and now your loan is underwater? Well, lending protocols implemented a mechanism where they get rid of bad loans once they go underwater. The smart contracts cannot call themselves, so what they invented is they created a liquidation market, where they incentivized bots, smart contracts or individuals to come in with some of their own USDC, pay off the loan for that user, and then reclaim the collateral. So a liquidator comes in, gives some USDC, takes over all of the user's collateral, and now we are solid.

You may ask, what's the incentive? The incentive here is that they obtain the initial collateral at a discount. So instead of putting up a million dollars worth of USDC to purchase that million dollars worth of ETH, they put in maybe 99 or 98, and that's their profit. Now, the more underwater the loan is, the more incentives the lending protocol must give in order for someone to swoop in and give up that loan. Normally this whole action occurs just the second the loan even approaches a liquidation point, and then that discount is basically compensated by whatever fees are involved when you first originate the loan. So the lending protocol is made whole, the liquidator makes some money, the user keeps their initial borrowed assets, everyone is happy. But imagine there is a black swan event and it really drops under. Now the liquidator comes in and gets a huge, let's say up to 20% discount on some protocols that we'll discuss shortly. But what happens with that 20 percent discount on the lending protocol side? They have to hold on to it, because no one's going to buy it, and
it's called Bat debt lending protocols hate accumulating bad debt so with that knowledge in mind uh let's talk about Euler protocol compromise on March 13th Euler Finance a landing protocol lost 197 million dollars and the reason they were able they lost all of that is that they introduced a function and Method called donate to reserves the method allows you to take your collateral and effectively burn it and burn arbitrary amounts of it so they created this feature because as you do borrowing and Landing you slowly start accumulating all sorts of uh junk and you want to get rid of it just it was a cleanup function what they didn't realize and account for what happens to the to the loan if you
start burning the collateral and arbitrary amounts of collateral you can force your loan to go severely underwater so you have this million to million loan and you just burned half a million off collateral now your loan is underwater Oh what are you going to do with that well you're going to say well Liquidators are going to come in they're going to take a cut but what's the benefit what's the profit to the attacker there is none they just burn some of their collateral and they lost lost all of it now except the Euler protocol introduced another feature which is called minting or leveraging you can take your initial million dollars and you can leverage it up to 20 times
so now you have 20 million dollars of debt and collateral which you need to pay off but you can do this for all sorts of things you can enable short selling mechanisms and so on so now you have a 20 million in collateral and the protocol and you forced it to go underwater and the protocol can give you up to 20 percent discount so you can you can make uh 20 percent of 20 million around four million dollars so uh sorry 200 up to four hundred thousand so you can you can slowly accumulate the profits beyond what you initially uh sorry it is sorry 20 million dollars twenty percent four million dollars four million dollars from the initial million dollar
collateral so you put in one million and you just 4x'ed it pretty profitable so the attackers were able to use that and abuse this feature to effectively go token by token that it was offered by this protocol and empty it 200 million dollars but again there's a reason why I'm talking about this protocol because it's not so much the hack it's what happens next so let's talk about MEV bot so briefly mentioned that there are these machines that are sitting watching all the transactions on chain for anything profitable and you know it's a really profitable transaction an exploit you run this thing and you generate a whole bunch of profit and such was the case
here so the attacker uh on March 13th 8:50 a.m. and 23 seconds deployed an exploit contract four minutes later they perform the actual exploit why do they wait so long what happened in those four minutes well the second they deployed the exploit contract a bot detected that deployment understood that it's profitable and decided to redeploy it so at 8:50 and 35 seconds that's exactly 12 seconds after the initial deployment some machine simulated the whole thing figured out it's an exploit redeployed the contract and then a few seconds later actually ran the exploit and front-ran the attacker and all they had to do they automatically went into the bytecode just the sophistication of those things
they went into the contract there was some access controls built in they automatically replaced the bytecode to make sure that they can run this code themselves and try to extract the profit they were not successful in this case unfortunately because the attacker built in all sorts of hard-coded addresses so in the end in this particular case the MEV bot ended up sending money back to the attacker for which they put out on-chain message apologizing profusely but the point is not even attackers are safe from those things they constantly sit on chain and they they attack everyone if it's profitable exploit or not they will target you but the story does not end there there is a happy end
uh the normal operating procedure after a DeFi hack occurs is that people start communicating with attackers a lot of them are begging like oh this was my entire life savings could you pretty please give me my money back and so on and on so the way that a sample transaction looks like is you can put arbitrary data including ASCII codes in a transaction you can transfer like maybe 0.001 ETH to get attention from the attackers in this case it was an ASCII code from Euler deployer so this is the Euler people themselves and they put in message again standard operating procedure hey you hacked us haha good job uh you know if you keep 90 percent of the
profits sorry if you give us 90 percent of the profits and keep 10 percent for yourself you know we promise not to pursue further legal action um and in this case I again invite you to visit this link we just put out a blog post part one which dives into this thing fascinating story involving somehow North Korea and you know backstabbing this is this is DeFi land this is pretty wild the way it culminates is the attacker put out a message Jacob here I'm sorry I'm not sure what I did I'm sorry for messing people's money and ended up returning all of it um and that's that brings up another interesting point is that this bounty thing works uh again there are a bunch
of volunteers that sit on chain look for those hacks and then they dox the hell out of the attackers if by some mistake an attacker interacted with a centralized exchange where they can extract KYC or in fact if the attackers used MetaMask so MetaMask is a common wallet but if you recall back to when I was introducing the model you don't just send messages directly to the blockchain you go through centralized servers and what do centralized servers have access to your IP addresses and your addresses and they do collect them so there are a lot of opportunities for the good guys to catch the bad guys um and worst case there are rewards that are that are put up there so in the case
of the Wormhole they were able to reclaim it a year later and in this case they were able to effectively force the attacker to return all the assets this happens more often than not that the same scenario played out a couple times since March incident okay I'm not gonna have time to talk about all the different exploit vectors what I do want to point out this is think of as like OWASP Top 10 style list uh what I do want to point out is stolen private keys the North Korean style hack where they go in and get all the keys and extract them from your contract that's probably by far the most painful method that said the most
frequently occurring method is probably price oracle manipulation so remember that price oracle node that gives you price data where people figure out all sorts of ways to manipulate the price data to make sure that they can do interesting uh creative arbitrage so I invite you to learn more about these attack vectors so overall the state of DeFi security we lost 3.7 billion dollars in 2022 I do see the same attack vectors being used again and again so there's definitely a gap in security staff security development processes and tooling when targets when when DeFi project gets hacked there's also a lack in incident response and monitoring processes oftentimes these projects recognize that they were hacked because someone tweeted them like
hey project XYZ you may want to look at this transaction um that that's your incident response that's obviously lacking but there there's there's good future in that in building those response capabilities um and then the other concern is just overloaded audit companies there are specialized audit firms that exist they can look for those bugs but there's so few of them the professionals are it's just so hard to bring someone into this field that most of them are booked for months and maybe a year ahead so in the case of Euler Finance the bug that was introduced that resulted in the exploit they added this feature after the audits were done and quite simply because it
takes months to get something audited so they just added it okay let's talk quickly about the state of blocksec ecosystem or if you if this sounds interesting to you what what you could build on uh so I already mentioned audit companies there are hundreds of them I'm only listing just a few most of them popped up in the last year or two so if you want to learn and pick up the skill there's just such lack of them that individual auditors are making like pretty good living like you can I've seen people pick up this field maybe a few months ago and they're already full-time booked uh tooling could be built there are bug
bounty programs now like Immunefi Code4rena all exist in the last couple years it's a brand new field um in terms of monitoring there again last year so we've seen some solutions which use machine learning they use uh just the ability to detect that transaction is malicious decode a transaction the risk algorithms that tell you that hey this lending protocol thing that you're building is you probably want to look at again insurance companies deal with inevitable hacks so you can insure yourself in case there's a compromise and so on wallet security exploded seemingly in the last few months and that's basically dealing with how many people are getting phished so they're creating these crypto firewalls if you will to alert
user that something is amiss forensics companies and incident response are still there are just a few that are fairly old but not not too many new players let's talk about security community security community is amazing there are capture the flag competitions there are dedicated conferences just for DeFi and blockchain security there are newsletters shameless plug this one that I'm running blockthreat.io Rekt and others that go in details over exactly what's happening who was compromised how were they compromised what's the latest research people in the community are warm they share knowledge they welcome new folks joining us that said if any of that sounds interesting to you and you're kind of sick with the same old security stuff
that you do like no more exercises okay yet another exercise that's cool you want to do something completely wild hunt down people live on chain join explore this ecosystem as a smart contract auditor on chain investigator to figure out who the bad guys are uh security engineers incident responders are probably much needed and with that I'll give you some time for questions yes
what does that mean but the question is modular blockchain security what does that mean
sure uh layer 2 blockchains effectively Ethereum evolved as a primary blockchain but everyone is using it so the fees start going up so people start introducing additional layers where you can offload some of the capacity to those layer 2 blockchains that way you reduce the fees increase the speed there's some trade-offs with security sometimes but um it depends on the protocol some implement zero-knowledge proofs which is very secure but kind of slow some implement centralized nodes centralized sequencers and architecture and that's very fast but very centralized so less secure so all sorts of trade-offs uh there's a resource I'll remember I'll tell you in a bit that measures and compares them yeah that's that's the future that's
where a lot of stuff is happening right now any other questions
all right there's one coming up uh there's one coming up in France it's called DeFi Security Summit I would recommend that one that said every um there are like ETH Ethereum conferences which happening there's one in San Francisco coming up I think in like later in the year and they always have security track talks so I would just go to general crypto conference and just there's always someone talking about different threats and attacks
all right thank you folks
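
Added example, not part of the talk and not Euler's code: a toy Python model of the missing check behind the donate-to-reserves issue the speaker describes, showing a collateral-burning cleanup function without a solvency check next to one that re-checks account health before committing. All names are hypothetical, the health rule (collateral must cover debt) is a simplifying assumption, and the 2,000,000 burn amount is constructed; the 1,000,000 deposit and 20x leverage are the talk's numbers.

```python
from dataclasses import dataclass


class Unhealthy(Exception):
    """The operation would leave the account under-collateralized."""


@dataclass
class Account:
    collateral: int  # dollars of collateral held for this account
    debt: int        # dollars owed to the lending protocol

    def healthy(self) -> bool:
        # Toy solvency rule (assumption): collateral must cover the debt.
        return self.collateral >= self.debt


def leveraged_position(deposit: int, multiple: int) -> Account:
    """Leverage as the talk describes it: $1M at 20x is $20M of debt and collateral."""
    return Account(collateral=deposit * multiple, debt=deposit * multiple)


def shortfall(acct: Account) -> int:
    """Debt no longer backed by collateral, i.e. what can end up as bad debt."""
    return max(0, acct.debt - acct.collateral)


def donate_unchecked(acct: Account, amount: int) -> None:
    """Cleanup function with no solvency check: burns collateral and returns."""
    if not 0 <= amount <= acct.collateral:
        raise ValueError("invalid amount")
    acct.collateral -= amount


def donate_checked(acct: Account, amount: int) -> None:
    """Same burn, but the resulting state must pass the health check first."""
    if not 0 <= amount <= acct.collateral:
        raise ValueError("invalid amount")
    after = Account(acct.collateral - amount, acct.debt)
    if not after.healthy():
        raise Unhealthy(f"donation would leave {shortfall(after)} of debt unbacked")
    acct.collateral = after.collateral


if __name__ == "__main__":
    a = leveraged_position(1_000_000, 20)
    donate_unchecked(a, 2_000_000)   # constructed amount
    print("unchecked:", a.healthy(), shortfall(a))
    b = leveraged_position(1_000_000, 20)
    try:
        donate_checked(b, 2_000_000)
    except Unhealthy as exc:
        print("checked: rejected,", exc)
```

The checked variant still allows the intended cleanup use: an account with surplus collateral can burn it down to, but not below, what its debt requires.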