Blockchain has enjoyed stardom as an ‘unhackable’ technology for a long time. It is decentralized and distributed, making it difficult for hackers to corrupt it. Given this promise of security, blockchain is used in a variety of applications to process payments, create secure wills and inheritances, conduct safe real estate, land, or auto title transfer, etc. Smart contracts, which are programs stored on the blockchain that execute the terms of a contract or agreement, allow for the creation of all of these possibilities. With the rise of blockchain technology in a variety of applications, cryptocurrency money handled by smart contracts has increased, making it a tempting target for hackers. Hackers have figured out how to tamper smart contracts within blockchain apps, thanks to the prospect of being able to steal crypto. Another aspect that attracts hackers to smart contracts is that the assets are highly liquid, and no one can stop the movement of the funds. The hacks can be converted into money very quickly.
How Do Hackers Attack Smart Contracts?
With some basic blockchain technology know-how, anyone can write a smart contract on blockchains like Ethereum. Hackers seek vulnerable and poorly written contracts to hack into them to steal money. The platforms are also open-source, meaning they are open for everyone to use. A hacker can simulate the attacks on their version of the chain before conducting the same attack on a targeted network.
In most cases, a smart contract flaw is the key for a successful hacking.
For example, a smart contract could have a reentrancy vulnerability that can submit an external call to use the code of an external contract. Attackers can hijack these external calls and forcibly enter a smart contract to steal its tokens.
Hackers also use the self-destruct function to steal from a blockchain network. When a hacker implements the selfdestruct function on a smart contract, all the tokens it stores are sent to a parameter-specified address, which would belong to the attacker. This type of attack is called a self-destruct or suicide attack.
In simple words, the hacker could create a smart contract with the selfdestruct function and ask a party to send tokens as part of the contract. They can then call the selfdestruct function and send all the tokens to their target contract. There is no law of enforcement that can help the victims get their funds back.
Top Three Smart Contract or Decentralized Finance Attacks in 2021
Here are the top three smart contract attacks in 2021.
The attack happened on August 10, 2021. The attacker gained access to the smart contract on Poly Network, a decentralized finance (DeFi) platform, and ended up transferring $610 million to their Ethereum and BSC addresses. The hacker exploited interactions between Poly Network’s smart contracts to set the keeper role to their address. They were then able to perform transactions at their own will, which they decided to return after 48 hours.
In October 2021, DeFi Protocol Cream Finance, a decentralized lending protocol, underwent a flash loan attack, ripping the company off $140 million from its liquidity pools based on Ethereum. The hacker drained the contract by exploiting the reentrancy vulnerability of Cream’s AMP contract.
Sometime later, another hacker used the same vulnerability to steal a smaller amount from the company.
Paid Network, an ecosystem DAPP, offers smart contract-based agreements to businesses. In March 2021, an attacker used one of the network’s compromised private keys to replace the original smart contract with a malicious one that burned all the existing PAID tokens and minted new ones. The hacker then swapped these new tokens with ETH even before the company realized a breach.
How to Protect Yourself From Smart Contract Hackers
Smart contracts are vulnerable to attack, and to ensure that your money is safe, we recommend following a few known protocols to ensure your protection.
Conduct security audits and penetration testing periodically, and get a penetration test report
Download a blockchain security checklist from a trusted source and ensure your processes are aligned with it
Conduct automated security scans once your smart contract enters the network
Auditing a smart contract is beyond the technical capability of ordinary end users. The asymmetry of information may lead to uninformed investment and result in insecure smart contracts. A smart contract audit is the most viable option because it helps identify unexpected and hidden vulnerabilities before exploitation.
Sign up for our newsletter
10 January - Blog
Your Guide to Objective-Based Penetration Testing
14 December - Blog
2022 in Review and Our Predictions for 2023: Cyber-Threat Landscape
05 December - Blog
Choosing a Penetration Testing Company: Methodology & Certifications