Much has been said about recent "hacks" in decentralized finance, particularly in the cases of Harvest Finance and Pickle Finance. The discussion is overdue: hackers stole more than $100 million from DeFi projects in 2020, which represents 50% of all crypto hacks this year, according to a report from CipherTrace.
Some point out that these events were merely exploits that shed light on vulnerabilities in the respective smart contracts. The thieves didn't break into anything; they simply walked through an unlocked back door. By this logic, because the attackers took advantage of loopholes rather than hacking in the traditional sense, the act of exploiting is ethically more justifiable.
But is it true?
The differences between an exploit and a hack
Security vulnerabilities are at the root of exploits. A security vulnerability is a weakness that an adversary could take advantage of to compromise the confidentiality, availability, or integrity of a resource.
An exploit is specially crafted code, or a specially crafted sequence of transactions, that an adversary uses to take advantage of a particular vulnerability and compromise a resource.
Even the word "hack" used in reference to blockchain may confuse an outsider less familiar with the technology, since security is one of the central selling points of distributed ledger technology. It's true that a blockchain is an inherently secure medium for exchanging information, but nothing is completely unassailable. There are situations in which attackers can gain unauthorized control over a blockchain or over the applications built on top of it. These scenarios include:
- 51% attacks: These occur when one or more attackers take control of more than half of a network's hashing power (in a proof-of-work system) and can then reorganize the chain and double-spend. This is difficult to achieve on a large network, but it does happen. Most recently, in August 2020, Ethereum Classic (ETC) suffered three successful 51% attacks within a single month.
- Creation errors: These occur when security issues or mistakes are overlooked while the smart contract is being written. Such contracts are flawed in the strongest sense of the word: the weakness is baked into the deployed code, and once that code is live on chain it cannot simply be patched in place unless an upgrade path was designed in from the start.
- Insufficient security: These are hacks carried out by gaining undue access to a blockchain project that follows poor security practices. If the door is left wide open, is walking through it really that bad?
Are exploits more ethically justifiable than hacks?
Many would argue that doing anything without consent cannot be considered ethical, even if worse acts could have been committed. This logic also raises the question of whether an exploit is entirely illegal. For example, a US company registered in the Virgin Islands can be seen as a legal tax "exploit", although it is not illegal. There are gray areas and loopholes in any system that people use to their own advantage, and an exploit can also be seen as a loophole in the system.
Then there are cases like cryptojacking, a form of cyberattack in which a hacker hijacks a target's processing power to mine cryptocurrency on the hacker's behalf. Cryptojacking may or may not be malicious in intent, but it is always done without the victim's consent.
It is perhaps safer to say that exploits are far from ethical. They are also largely preventable. In the early stages of smart contract development, it is important to follow the highest standards and best practices in blockchain engineering. Those standards exist to avoid known vulnerabilities, and ignoring them can lead to unintended consequences.
It is also vital for teams to test intensively on a test network before deploying to mainnet. Smart contract audits are another effective way to spot vulnerabilities, although many auditing companies issue cheap audits of questionable depth. The best approach is for a project to obtain multiple audits from different, independent firms.
The views, thoughts and opinions expressed herein are the sole ones of the author and do not necessarily reflect or represent the views and opinions of TUSEN.
Pawel Stopczynski is the researcher and R&D director of Vaiot. He was previously R&D director and co-founder at Veriori and UseCrypt. Since 2004, Pawel has participated in the development of 18 IT projects in Poland and the UK, focusing on the private sector. He has been a speaker at several IT conferences and organizer of two TEDx conferences. For his work, Pawel received a gold medal at the Concours Lépine International Innovation Fair 2019 in Paris, and a gold medal from the French Minister of Defense.