Solana hack and other evils: a short history of the worst DeFi breaches

Changex
Aug 9, 2022
Image by Darwin Laganzon from Pixabay.

There’s no reason to act like it’s not true — when it comes to technology and finance, security remains a major problem. True DeFi would solve that, but we keep seeing examples of what is not true DeFi. Solana is just the latest example — starting on 2 August and continuing well into the next day, 6 Solana wallets were identified as the reason behind a hack which resulted in close to $8 million in assets being stolen from more than 7900 wallets in total.

It’s still not clear what kind of exploit was used for the breach, but it is distressing for sure, as it paints a grim picture for DeFi. In the first week of August alone we’ve witnessed three major attacks. You can have the best product in the world, the fastest blockchain, the highest-earning token, but all this should be built on a solid foundation — security, security, security.

But many times this hasn’t been the case. The following list showcases just a few examples of how things can go terribly wrong, and how ChangeX approaches the underlying issues that caused them.

The Worst DeFi Hacks to Date

Ronin Network

The Ronin Network holds the medal for the biggest crypto hack in history, where hackers walked away with a whopping $614 million in stolen user funds. Ronin is the network of the Axie Infinity P2W game, which at its height in November 2021 had 2.7 million active users. So how did it happen? Human error coupled with technical imperfections.

The hack occurred on the Ronin bridge, which was used to transfer tokens on and off the network to other blockchains. Ronin validated transactions on the bridge via 9 validator nodes, and in order for a transaction to be validated, 5 nodes needed to sign off on it. The hack was possible because 4 of 9 validator keys were held on Sky Mavis’ (the company behind Axie) centralized servers, thus resulting in a single point of failure — one breach, many burned. But those are still not enough keys — one more was needed.

The remaining 5 keys were held by the Axie DAO validator, which gave said keys to Sky Mavis to streamline transaction authorizations. These keys, however, were again stored on Sky Mavis’ centralized servers, and even after “returning” them to the Axie DAO validator, they were never deleted, so they essentially remained visible to prying eyes. All it took was a single breach in a centralized system to result in the biggest hack in crypto history.
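The 5-of-9 threshold only protects the bridge if no single place can read five keys. The following check is an added example, not code from Ronin or ChangeX: it counts how many separate custody domains must be breached before a signing quorum is exposed. The domain names, key labels and the layout in `custody_map` are constructed for illustration.

```python
from itertools import combinations

THRESHOLD = 5  # from the article: 5 of 9 validators must sign

def custody_map(leftover_copy):
    """Constructed layout: custody domain -> validator keys readable there."""
    custody = {"operator-servers": {"v1", "v2", "v3", "v4"}, "dao": {"v5"}}
    custody.update({f"independent-{i}": {f"v{i}"} for i in range(6, 10)})
    if leftover_copy:
        # A key lent to the operator and never deleted from its servers.
        custody["operator-servers"] = custody["operator-servers"] | {"v5"}
    return custody

def min_domains_for_quorum(custody, threshold=THRESHOLD):
    """Fewest custody domains that together expose `threshold` distinct keys.
    Returns (count, domains) or None if the quorum is unreachable."""
    domains = sorted(custody)
    for size in range(1, len(domains) + 1):
        for combo in combinations(domains, size):
            exposed = set().union(*(custody[d] for d in combo))
            if len(exposed) >= threshold:
                return size, combo
    return None

def audit(custody, threshold=THRESHOLD):
    """Flag every domain that holds a quorum of keys on its own."""
    return sorted(d for d, keys in custody.items() if len(keys) >= threshold)

if __name__ == "__main__":
    for label, leftover in (("copy retained", True), ("copy deleted", False)):
        custody = custody_map(leftover)
        print(label, min_domains_for_quorum(custody), audit(custody))
```

With the leftover copy in place the nominal 5-of-9 scheme collapses to a 1-of-1 in practice; deleting the copy raises the bar to two independent breaches.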

The takeaway here is clear: centralization and security don’t go together very well. This is why ChangeX owns no data, has no data, can access no data. Our wallet is completely decentralized and all user data lives on the blockchain in a distributed manner. No access to funds, no access to keys: everything is yours, including the responsibility for keeping it safe.

✔️ Decentralization — check.

Wormhole Bridge Attack

Wormhole is a bridge between the Solana and Ethereum networks, allowing users to send tokens between the two chains. To do that, tokens are created on both sides of the bridge — tokens on the Ethereum side (sending side) are locked into a smart contract, and a corresponding amount is sent to the Solana network in wrapped form. The tokens are then released and only exist on the receiving network, completing the transaction.

A decentralized cross-chain oracle certifies that the tokens have been locked on one chain, then the bridge mints or releases tokens of the same value on the other chain. However, in Wormhole’s case, the backend platform didn’t properly validate the oracle accounts, giving the hacker the opportunity to create a fake signature account and mint 120,000 ETH tokens on the Solana chain.

The bridge was targeted precisely because it was the weak point in the communication between the two chains. The attacker was able to mint new tokens on the Solana side of the transaction and then drain the balance from the Ethereum side, resulting in a $320 million sting.
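The flaw described above comes down to trusting a caller-supplied account without checking who created it. The following simplified model is an added example, not Wormhole's code: it puts a mint handler that believes any account claiming "signatures verified" beside one that also checks the account's owner. The program id, account fields and sample transfer are hypothetical, and the digest binding is an extra check that goes beyond what the article describes.

```python
import hashlib
from dataclasses import dataclass

VERIFIER = "trusted-verifier-program"  # hypothetical program id

@dataclass(frozen=True)
class Account:
    owner: str   # program that created the account and may write to it
    data: dict

def digest(transfer: bytes) -> str:
    return hashlib.sha256(transfer).hexdigest()

def mint_vulnerable(sig_account, transfer, amount):
    # Weak: believes the flag regardless of who wrote the account.
    if not sig_account.data.get("verified"):
        raise PermissionError("signatures not verified")
    return amount

def mint_hardened(sig_account, transfer, amount):
    # 1. Provenance: only the verifier program's own accounts count.
    if sig_account.owner != VERIFIER:
        raise PermissionError("signature account not owned by verifier")
    if not sig_account.data.get("verified"):
        raise PermissionError("signatures not verified")
    # 2. Binding: the attestation must cover this exact transfer.
    if sig_account.data.get("digest") != digest(transfer):
        raise PermissionError("attestation is for a different transfer")
    return amount

def outcome(handler, sig_account, transfer, amount):
    try:
        return f"minted {handler(sig_account, transfer, amount)}"
    except PermissionError as exc:
        return f"rejected: {exc}"

# Constructed sample data.
TRANSFER = b"lock 10 tokens on chain A for recipient R"
GENUINE = Account(VERIFIER, {"verified": True, "digest": digest(TRANSFER)})
LOOKALIKE = Account("caller-controlled",
                    {"verified": True, "digest": digest(TRANSFER)})

if __name__ == "__main__":
    for handler in (mint_vulnerable, mint_hardened):
        for acct in (GENUINE, LOOKALIKE):
            print(handler.__name__, acct.owner,
                  outcome(handler, acct, TRANSFER, 10))
```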

Wormhole is not the only one, though. DeFi bridges have been attacked on multiple occasions (Nomad, Harmony’s Horizon Bridge, Wormhole), which already forms a pattern of weakness.

But bridges are necessary for adoption and interoperability. So with all this in mind, we chose HydraChain and their Hydra Bridge, which has been built with security in mind, to bridge over to the Ethereum network. The strong security mechanisms of the bridge are explained in the following post and can be seen below.

Source: https://medium.com/hydra-chain

✔️ Bridge security — check.

The Mt. Gox Hack

Mt. Gox has turned into something of a legend in the crypto world, but its legendary status lies in infamy. The Japan-based company was at one point responsible for 70% of all Bitcoin transactions worldwide — that alone is pretty impressive and just shows what kind of catastrophe we’re talking about. This was in 2013. 2014 was when things got really bad.

The Mt. Gox hack, which resulted in the theft of 740,000 Bitcoin, amounting to $460 million, was possible due to a major oversight on the part of the Mt. Gox management, one that’s kind of hard to believe: Mt. Gox’s own private key was unencrypted and was just sitting there, waiting to be stolen. According to investigators, this happened way back in 2011. Whether there was an inside man or the key was obtained via a successful hack remains unknown.

There’s a good chance that some 80,000 Bitcoin had actually gone missing some years prior to the attack, so the company was insolvent even before the hack. But how was all this allowed to happen?

Human error almost exclusively. Former employees at Mt. Gox have said that the company suffered from bad management and disorganization. One shocking example is that only one man — the CEO — had the authority to approve security updates to the Mt. Gox website, so critical updates could go unimplemented for weeks on end, and even then — the company lacked version control software, so one change could overwrite a previous one, erasing essential features. Yeah, pretty mind-blowing.

So, large-scale human error is what we can point to as a culprit here, and let’s face it — this factor has always been an unpredictable variable. At ChangeX, even before starting work on the project, we knew that we had to choose very carefully where to build (and with whom).

This is why we chose HydraChain, a tried and tested concept and a unique blockchain in itself, with some of the brightest minds as its architects. The team behind Hydra has a track record of successful projects with a $600M total valuation, not to mention their credentials and years of hands-on experience. This, coupled with the ChangeX team’s extensive understanding of fintech, finance, blockchain, crypto, and fiat banking, only makes us that much more confident that what we’ve set out to work on will be successful.

✔️ Human capital and expertise — check.

Check out the HydraChain whitepaper to see why we chose the chain, why we believe in it, and why we swear by it.

As a continuation to this post, we’ll write another one where we’ll list all the best practices when it comes to DeFi security and how you can stay safe in the space. And we hope you enjoyed this one.

Until next time,

The ChangeX team
