In a BNB Chain blog post in early October, the authors announced that about two million BNB crypto tokens were stolen. The value? It was over a whopping $560 million. At the time, the BNB Chain had $5.45 billion in DeFi (decentralized finance) assets. The platform is a part of Binance, the world’s largest cryptocurrency.
The vulnerability was in the cross-chain bridge. This allows for the movement of crypto from one blockchain to another. Essentially, the hacker was able to manipulate the blockchain, which allowed for minting huge numbers of tokens.
But BNB Chain was swift in its response and suspended transactions. The result was that the loss was reduced to about $110 million.
Growing Web3 Hacks
The BNB Chain hack is nothing new. Massive hacks are becoming a more common part of the Web3 ecosystem. Here’s a look at some recent examples:
- Axie Infinity: Sky Mavis, which is based in Singapore, is the developer of this play-to-earn online game. In March, hackers were able to steal over $500 million in crypto assets. The hackers were able to obtain private keys, which allowed for accessing validator nodes. Sky Mavis has taken steps to improve its security. The company also raised venture capital to help reimburse customers.
- The Horizon Bridge: This platform manages transactions across different blockchains, like Ethereum, Bitcoin and the Binance Chain. In late June, Horizon disclosed a hack of the system. The hackers stole about $100 million crypto.
- Nomad: This is also for transactions across various blockchains like USD Coin, Ethereum, and Dai. The hackers were able to make off with $190 million in crypto by swapping account numbers.
According to a report from Chainalysis, there has been about $2.2 billion in stolen cryptocurrency in DeFi (decentralized finance) projects this year. The total assets on these platforms are about $100 billion.
“Threat actors will always prioritize targets with high financial gain and there is a potential windfall in targeting DeFi with the amount of money flowing through it and the increasing pool of victims,” said Tim Choi, VP of Product Marketing, Proofpoint. “The risks are high as it’s a new, loosely regulated industry with many new technologies that may not be fully vetted or secured.”
So yes, Web3 has become a fierce battleground for cybersecurity. So why has the technology proven to be vulnerable? What are the implications?
Let’s take a look.
The Web3 Conundrum
The definition of Web3 is a bit fuzzy. But this should be no surprise. The industry is still in its nascent stages.
Gavin Wood, who is a cofounder of Ethereum, coined (pardon the pun) the term Web3 in 2014 (although, at the time he referred to it as “Web 3.0”). His premise was that the current version of the Internet – of Web2 – was mostly centralized. Much of the power and activity was concentrated on a few platforms like Apple, Microsoft, Facebook, and so on.
For Wood, his vision for Web3 was for a decentralized platform. Many users could control their own data. They could move it to wherever they wanted. There would also be a way for monetization, such as with tokens.
Regardless of the merits of this vision, the fragmentation of the technology has become a problem for security. According to Ryan Lackey, Chief Security Officer at cryptoasset insurance company Evertas: “For example, a system may work one way — though differently than specified — in practice, then a user might design a relying system with the expectation that the altered behavior will continue. However a subsequent update might return it to a matching specification, possibly introducing vulnerabilities into that relying system.”
Besides software issues – which are common for poorly written smart contracts – there are others like private keys not being managed correctly and insider threats from employees or other people with access.
Web3 Security Options
A cybersecurity company that has leveraged its own systems for this category is Proofpoint. They have been able to fend off various crypto and DeFi attacks. “Proofpoint continues to invest in its threat detection engines by incorporating technologies such as AI/ML that help provide nearly 100% efficacy in threat detection,” said Choi.
There are also plenty of cybersecurity startups that are focused on Web3 security. One of the most notable is CertiK. During the past nine months, the company has raised about $290 million from investors like SoftBank Vision Fund 2 and Tiger Global. The company is profitable and revenues have soared by 12X since 2021.
CertiK’s Security Suite has tools to identify and avoid scams. A project will earn either a bronze, silver, or gold badge based on the transparency and legitimacy of the team members.
“Auditing is the core of our business,” said Ronghui Gu, co-founder and CEO, CertiK. “We have a dedicated team of experts who use both manual and automated review to deeply examine smart contracts and uncover any vulnerabilities the developers may have missed. Our post-deployment monitoring tools such as Skynet keep a watchful eye on projects once they’re released into the wild, ensuring that potential risks are picked up on as quickly as possible.”
“Losing billions of dollars a year is not a great look for the industry”-Ronghui Gu, co-founder of CertiK
In the early days of ecommerce during the mid-1990s, there were many problems with security. But the industry was quick in bolstering the systems. No doubt, a key was the impact of Amazon.
Web3 is in a similar stage. But if the industry wants to thrive, there definitely needs to be much more focus on security. If not, there could potentially be an existential threat to the business.
“There’s no need to sugarcoat the matter,” said Gu. “Losing billions of dollars a year is not a great look for the industry. That’s not to say that there aren’t incredible projects out there that take security seriously. But there’s a minority that is either negligent or just plain unlucky and the losses they incur reflect poorly on Web3 as a whole.”
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.