While 2022 witnessed a significant surge in crypto adoption, with global ownership increasing by 39%, crypto-related crime also reached an all-time high. Hackers stole a record $3.9 billion from crypto fund owners and businesses. Smart contract attacks, in particular, accounted for 47.5% of all cryptocurrency stolen last year. In this article, we’ll discuss the most significant smart contract threats and how you can secure your smart contracts proactively.
What Are Smart Contracts?
Smart contracts are self-executing computer programs stored on a blockchain that automate actions when specified conditions are met. They are essential components of decentralized applications (dApps) such as decentralized finance (DeFi), enabling automated, trustless transactions without the need for intermediaries. However, vulnerabilities or exploits in smart contracts can lead to significant user fund losses and damage the credibility of the platform and the project team behind it.
Reentrancy Attack
A reentrancy attack is one of the most destructive attacks. It occurs when an attacker recursively calls a function in a smart contract before the first call has been completed, potentially draining the contract’s funds. Functions can be vulnerable to reentrancy attacks if they give up program flow to another contract or update state after giving up program flow.
The reentrancy attack was infamously exploited in the DAO Hack in 2016, which led to the loss of over $50 million USD worth of ether (ETH). The DAO, short for Decentralized Autonomous Organization, was a decentralized investment fund that raised more than $150 million from more than 11,000 investors. However, a vulnerability in the DAO’s code allowed an attacker to recursively call a function, ultimately causing the DAO to lose roughly one-third of its total funds.
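The ordering problem described above, as an added Python model (not Solidity, and not code from the article or from the DAO): a withdraw function that pays out before updating state, next to the same function with the state update moved ahead of the payout. The `Vault` and `CallbackRecipient` classes and the amounts are constructed for illustration.

```python
class Vault:
    """Python model of a contract that holds deposits (constructed for illustration)."""
    def __init__(self):
        self.balances = {}   # depositor -> credited amount
        self.funds = 0       # value the vault actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def _send(self, who, amount):
        if amount > self.funds:
            raise RuntimeError("transfer reverted: insufficient funds")
        self.funds -= amount
        who.receive(self, amount)   # program flow passes to the recipient's code

    def withdraw_vulnerable(self, who):
        amount = self.balances.get(who, 0)
        if amount:
            self._send(who, amount)     # interaction first ...
            self.balances[who] = 0      # ... state updated only after control returns

    def withdraw_safe(self, who):
        amount = self.balances.get(who, 0)
        if amount:
            self.balances[who] = 0      # effect first (checks-effects-interactions)
            self._send(who, amount)


class CallbackRecipient:
    """Recipient whose receive hook calls the same withdraw function again."""
    def __init__(self, method):
        self.method, self.received = method, 0

    def receive(self, vault, amount):
        self.received += amount
        if vault.funds >= amount:       # stop once the vault cannot pay again
            getattr(vault, self.method)(self)


def run(method):
    vault, recipient = Vault(), CallbackRecipient(method)
    vault.deposit("other depositors", 9)
    vault.deposit(recipient, 1)
    getattr(vault, method)(recipient)
    return recipient.received, vault.funds   # (paid to recipient, left in vault)


if __name__ == "__main__":
    print("vulnerable:", run("withdraw_vulnerable"))
    print("safe:      ", run("withdraw_safe"))
```

In the vulnerable ordering, the recipient credited with 1 unit is paid the vault's entire 10 units; with the balance zeroed first, the nested call finds nothing to withdraw.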
Private Key Leak
Private key leaks happen when a smart contract’s private key is exposed, either accidentally or intentionally. Private keys are used to sign transactions and verify the sender’s identity. If the private key of a contract that implements a form of access control is leaked, an attacker could control the smart contract, potentially stealing funds or performing other malicious actions.
A private key leak was at the center of a potential multibillion-dollar hack involving pNetwork, a cross-chain bridge provider. In November 2022, a single blockchain address appeared to have minted over $1 billion worth of pGALA tokens out of thin air. pGALA is a BNB Chain-compatible version of GALA, the Ethereum-based utility token of the web3 gaming network Gala Games. The unusual activity was apparently a security measure against a potentially devastating vulnerability: a private key leak. The plaintext private key for the proxy owner address of pGALA had been exposed and publicly viewable by anyone on GitHub for more than two months. Anyone with access to the private key could have manipulated the pGALA contract at any time.
The lack of monitoring on the owner smart contract delayed the detection of the loss of ownership over the pGALA smart contract. In fact, the issue was noticed while performing maintenance work on the pNetwork protocol; had real-time monitoring been in place, the issue could have been spotted much earlier.
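A pre-commit or CI check for the failure described above, a plaintext private key sitting in a repository, as an added example (not code from the article or from pNetwork). The variable-name hints, file names and sample values are assumptions constructed for illustration; the sample "key" is a hash of a label, not a real key.

```python
import hashlib
import re

# secp256k1 group order: a usable private key k satisfies 1 <= k < N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Exactly 64 hex characters (optional 0x), not part of a longer hex run.
HEX64 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
# Variable names that suggest a signing key rather than a tx or block hash.
HINT = re.compile(r"(priv(ate)?|secret|signer|deployer|owner)[ _-]?key|\bpk\b", re.I)


def scan_text(path, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not HINT.search(line):
            continue
        for match in HEX64.finditer(line):
            value = match.group(1).lower()
            if not 1 <= int(value, 16) < N:
                continue                      # out of range: cannot be a key
            if len(set(value)) < 8:
                continue                      # 0000..., abab...: placeholder
            # Report a fingerprint, never the secret itself.
            fp = hashlib.sha256(value.encode()).hexdigest()[:12]
            findings.append((path, lineno, fp))
    return findings


def scan_repo(files):
    """files maps path -> content; returns findings sorted by path and line."""
    return sorted(f for path, text in files.items() for f in scan_text(path, text))


# Constructed sample repository contents.
FAKE_KEY = hashlib.sha256(b"constructed sample, not a real key").hexdigest()
FAKE_TX = hashlib.sha256(b"constructed transaction hash").hexdigest()
SAMPLE_FILES = {
    "deploy/.env": f"RPC_URL=https://rpc.example.invalid\nPRIVATE_KEY=0x{FAKE_KEY}\n",
    "deploy/.env.example": "PRIVATE_KEY=0x" + "0" * 64 + "\n",
    "docs/notes.md": f"deployment tx: 0x{FAKE_TX}\n",
}

if __name__ == "__main__":
    for path, lineno, fp in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible private key (sha256 prefix {fp})")
```

Only `deploy/.env` is flagged: the all-zero placeholder fails the range check and the transaction hash has no key-like name on its line.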
Broken Access Control
Access control regulates who can access and modify a smart contract’s data and functionality. If not properly implemented, an attacker may gain access to sensitive data or even modify the contract for malicious purposes. This vulnerability can be exploited to steal funds or execute malicious code.
The 2021 Poly Network hack, which resulted in the loss of over $600 million worth of cryptocurrency, was a result of poor access control. Poly Network is a cross-chain decentralized finance (DeFi) platform that allows users to swap tokens across different blockchain networks. A vulnerability in the platform’s code allowed the hackers to gain control of the platform’s admin privileges, giving them the ability to modify transaction records and steal more than $600 million worth of crypto.
Improper Proxy Upgrade
Proxy upgrades are a popular mechanism for upgrading a smart contract’s code because they eliminate the difficulties associated with contract migration. However, proxy upgrades can introduce critical flaws if not properly implemented.
There are two main risks associated with improper proxy upgrades:
- If an attacker gains access to the account that is allowed to upgrade the contract, the attacker can:
  - Upgrade the contract to remove safeguards, including removing access controls from functions, thus allowing anyone to mint tokens, not just specific minters
  - Upgrade the contract to grant themselves full access control
  - Deploy code that contains malicious functionality
- If the owner of the contract doesn’t understand proxy upgrades well, they risk breaking the contract and making parts of it inaccessible or unusable.
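Real-time monitoring of the kind the pGALA section says was missing also covers the upgrade-account risk listed above. The following is an added example (not code from the article or from pNetwork) that flags ownership, admin and implementation changes on a watched proxy when the new address is not on an approved list. It assumes the contract emits the standard OpenZeppelin `OwnershipTransferred` and ERC-1967 `AdminChanged` and `Upgraded` events; all addresses and logs are constructed.

```python
# keccak256 of the event signatures (OpenZeppelin Ownable and ERC-1967).
TOPICS = {
    "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0": "OwnershipTransferred",
    "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f": "AdminChanged",
    "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b": "Upgraded",
}

def _addr(word):
    """Low 20 bytes of a 32-byte ABI word as a lowercase 0x address."""
    return "0x" + word[-40:].lower()

def new_principal(log):
    """Return (event name, address that gains control) or (None, None)."""
    topics = log.get("topics") or []
    name = TOPICS.get(topics[0].lower()) if topics else None
    if name == "OwnershipTransferred" and len(topics) == 3:
        return name, _addr(topics[2])            # indexed newOwner
    if name == "Upgraded" and len(topics) == 2:
        return name, _addr(topics[1])            # indexed implementation
    if name == "AdminChanged" and len(log["data"]) == 2 + 128:
        return name, _addr(log["data"][66:130])  # second data word: newAdmin
    return None, None

def alerts(logs, watched, approved):
    """Control changes on watched contracts whose new principal is not approved."""
    out = []
    for log in logs:
        if log["address"].lower() not in watched:
            continue
        name, who = new_principal(log)
        if name and who not in approved:
            out.append((int(log["blockNumber"], 16), name, who))
    return out

# Constructed addresses and logs in eth_getLogs result shape.
PROXY, SAFE, IMPL_V2, UNKNOWN = ("0x" + b * 20 for b in ("aa", "bb", "cc", "dd"))
OWNERSHIP, ADMIN, UPGRADED = TOPICS   # keys, in the order declared above

def pad(address):
    return "0x" + "00" * 12 + address[2:]

SAMPLE_LOGS = [
    {"address": PROXY, "blockNumber": "0x10", "topics": [UPGRADED, pad(IMPL_V2)], "data": "0x"},
    {"address": PROXY, "blockNumber": "0x11", "topics": [OWNERSHIP, pad(SAFE), pad(UNKNOWN)], "data": "0x"},
    {"address": PROXY, "blockNumber": "0x12", "topics": [ADMIN], "data": pad(SAFE) + pad(UNKNOWN)[2:]},
    {"address": UNKNOWN, "blockNumber": "0x13", "topics": [OWNERSHIP, pad(SAFE), pad(UNKNOWN)], "data": "0x"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_LOGS, watched={PROXY}, approved={SAFE, IMPL_V2}))
```

The approved upgrade at block 16 passes silently, while the transfers of ownership and admin rights to the unlisted address at blocks 17 and 18 are reported.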
As the technology and threat landscape evolves, vigilance and proactivity are essential in identifying and addressing potential smart contract threats to safeguard the integrity of smart contracts and maintain trust in the web3 ecosystem. By staying current with the latest security measures and working with trusted experts, businesses can ensure that their smart contracts remain secure and their assets are protected.
AnChain.AI offers comprehensive web3 security and risk management solutions with best-in-class smart contract intelligence for identifying and addressing potential vulnerabilities and ensuring ongoing vigilance and security. Contact us today to learn how we can help you achieve greater security and confidence in the rapidly evolving world of DeFi and blockchain technology.