In Zhejiang province, China, a criminal gang exploited digital yuan accounts to illegally cash out over 200,000 yuan (,566) within four days. The digital yuan, or e-CNY, is the People’s Bank of China’s (PBOC) central bank digital currency (CBDC), which has experienced substantial growth in usage. Adoption has reached 260 million wallets across 25 cities, […]
Bitcoin News
Protocols Must Deploy “Asymmetric Countermeasures” to Counter Code Vulnerability Exploiting Hackers — Spherex CEO
While both attackers and smart contract auditors are motivated to find vulnerabilities in code, according to Eyal Meron, the co-founder and CEO of Spherex, the former “is always more incentivized as the protocol’s total value locked (TVL) grows.” To overcome this challenge, Meron told Bitcoin.com News that decentralized protocols will need to put in place what he called “asymmetric countermeasures.”
Human Error and Smart Contract Vulnerabilities
The Spherex boss also suggested deploying an exploit prevention solution as another way protocols can prevent attackers from using errors in code to steal digital assets worth millions. Meron, a senior veteran of the elite Israeli 8200 cyber unit, nevertheless admits that most smart contract vulnerabilities are often the result of human error which in many cases is “inevitable.”
One common error, which according to Meron is almost impossible to detect, often occurs when developers “overlook how every code line affects the contract depending on the different states it might be in.” It is these errors that criminals often take advantage of before successfully siphoning digital assets worth millions of dollars. Many players in the Web3 space including Meron insist that when users lose funds through such incidents the entire industry suffers.
Meanwhile, in his written answers sent to Bitcoin.com News, Spherex’s chief product officer Ariel Tempelhof touched on how the collaboration between blockchains and onchain security providers can help turn the tide against code exploiters and other cyber criminals. He also offered his thoughts on some critics’ contention that an exploit prevention solution may eventually be used as a censorship tool.
Below are both Eyal Meron and Ariel Tempelhof‘s answers to all the questions sent to them via Telegram.
Bitcoin.com News (BCN): Smart contract vulnerabilities are often caused by human errors. What are some of the common mistakes developers make that give hackers an opportunity to look for and exploit weaknesses in smart contracts?
Eyal Meron (EM): There are a lot of common mistakes that, in our eyes, stem from the fact that a deployed smart contract is a state machine that grows exponentially with the code base and transaction volume. Due to this, human errors are inevitable, both on the developers’ part and the auditors’. The most common mistake is to overlook how every code line affects the contract depending on the different states it might be in (which is honestly impossible).
BCN: Once deployed, smart contracts become immutable and the vulnerabilities become a permanent part of the code. Therefore before they are deployed smart contracts are audited and in some cases, multiple times. However, it appears that has not helped to bring down the number of exploits. In what ways do the existing solutions for smart contract protection like auditing fall short?
EM: The fact that protocols are being audited multiple times proves that audits are best-effort and not enough. Audits are like playing on the attacker’s court. Both parties look for vulnerabilities in the code while the attacker is always more incentivized as the protocol total value locked (TVL) grows, while the auditors have limited resources. Protocols need to put asymmetric countermeasures in place to win this race.
BCN: Your company Spherex recently launched an exploit prevention solution for smart contracts called Spherex-Protect. Can you tell us how it works and whether blockchain protocols or applications have to compromise on decentralization to make it work for them?
EM: Sure, Spherex-Protect is essentially the missing piece in the Web3 security paradigm. Instead of looking at what’s wrong in your code, we look at how your protocol operates and make sure this line of operation stays the same. The protection is actually being done on-chain which has two important properties: The protection is verifiable – everyone (the protocol owners and customers) can look at the protection code and understand how it works.
The protection can be completely decentralized – The owners of the protection can be configured. It could be Spherex, the protocol owners, the assigned security council, the DAO, or completely revoked.
In that sense, Spherex-Protect is the most decentralized Web3 security a protocol can have. Moreover, this platform was planned with modularity and openness in mind. Everyone can write protection modules for the ecosystem to be audited and verified by the whole community.
BCN: How does Spherex differentiate between legitimate user transactions and suspicious ones and what happens to a suspicious transaction — including the false positive detections — once it is flagged?
Ariel Tempelhof (AT): This has been a year-long research by our research team. Finding the best way to distinguish between malicious and legitimate transactions, during transaction execution while maintaining a very low gas footprint.
We look at multiple data points, accessible from the contract itself, and gather them during the execution of the transaction. Those might be gas consumption, storage changes, input parameters, etc. When enough data is gathered, a decision is made whether to allow the transaction or revert it. The results were astonishing, we were able to prevent most of the hacks we’ve analyzed while maintaining a <0.1% false positive rate.
Once a transaction is reverted, it is further analyzed by our off-chain module to produce a recommendation of what to do with transactions sharing the same aspects in the future. Of course, it’s up to the protection manager to decide whether to accept the recommendation or disregard it.
BCN: How do you see smart contract security and threats evolving in an increasingly multi-chain future?
AT: A chain is not just a set of blocks, it’s a whole ecosystem of protocols that work together. As most blockchains would like to single themselves out as one of the most secure blockchains out there, they would have to implement a security baseline for the whole ecosystem to adopt. Spherex has already started collaborating with blockchains to incorporate chain-wide security countermeasures in place.
On another note, multi-chain means multiple bridges connecting them. Bridges, as we all know, are the most prone-to-be-hacked protocols out there. SphereX-Protect has already shown great success in preventing even the most sophisticated bridge hacks introduced in recent years.
BCN: Though they have their downsides including smart contract vulnerabilities, blockchain transactions are supposed to be irreversible by design. What’s the possibility of this ability to block or revert blockchain transactions being used as a censorship tool in the future?
AT: The exploit prevention solution is designed not to be used as a censorship tool. The data points we’re looking at are intrinsic to the protocol and are not affected by the entity sending the transaction. Applying such censorship, in our eyes, is futile since changing addresses is very easy on the blockchain.
What are your thoughts about this interview? Let us know what you think in the comments section below.
Chinese Traders are Still Investing in Bitcoin by Exploiting Crypto Ban
Although the Chinese government has hailed their crypto ban as successful, it appears that traders have found multiple ways to circumvent the ban despite tightening scrutiny on crypto by state regulators. Exchanges are also finding ways to avoid being shut down by the government, enabling trading for Chinese citizens.
Chinese state-run newspaper, the Shanghai Securities Times, reported in late August that authorities are moving swiftly to block access to exchanges that are operating illegally, and blocked access to an additional 124 offshore exchanges providing services to Chinese citizens.
The offshore exchanges exploited weaknesses in the government’s ban by frequently changing their domain names in order to avoid detection. They also moved their servers to countries outside of the Chinese mainland, making it incredibly difficult for authorities for monitor and block the illicit exchanges.
Chinese Government Claims that Cryptocurrency Ban has Been Successful
In July, the Central Bank of China released a report that claimed that the country’s cryptocurrency ban had been incredibly successful, reducing Yuan trading activity to under 1%, while the currency once accounted for 90% of global trading volume.
Following the ban, the government moved to shut down as many high-profile exchanges, ICOs and crypto projects as possible, rapidly reducing trading volume and scaring citizens away from the markets.
Although state regulators are frequently shutting down illegal ICOs and blocking access to offshore exchanges, it does not appear that the government will ever be able to fully eradicate access to cryptocurrency exchanges.
Terence Tsang, the COO of TideBit, a centralized crypto exchange based in Hong Kong and Taiwan, said that:
“The latest warning and potentially increased monitoring of foreign platforms is targeted at a batch of smaller exchanges that had claimed to be foreign entities, but are in fact operating in China claiming they have outsourced their operations to a Chinese company. Those exchanges whose website landing pages are in Chinese have drawn particular scrutiny by regulators.”
Following the report that claimed regulators are stepping up their actions against illegally operating exchanging, Chinese trading volume dropped 33%, signaling that traders are likely moving their cryptos to cold storage wallets due to the risk involved with holding their digital currencies on an exchange.
In addition to utilizing illegally operating exchanges, Chinese traders are also using peer-to-peer trading to circumvent the ban, exchanging cryptocurrency between wallets directly, without using a middle-man, like an exchange. These types of transactions are done by converting fiat currency to Tether and sending that as payment in exchange for virtual currencies, with all the online actions being done through a Virtual Private Networks (VPNs).
The government has not yet taken actions to block VPNs, although a ban on the use of these tools would make peer-to-peer cryptocurrency transactions more difficult to conduct.
Some Chinese companies, including WeChat, Tencent, and Ant Financial, have all taken actions to block cryptocurrency trading on their social platforms in an effort to be more compliant with the government’s regulators.
Featured image from Shutterstock
The post Chinese Traders are Still Investing in Bitcoin by Exploiting Crypto Ban appeared first on NewsBTC.
ICE Exploiting Blockchain to Expose Crypto Use in Drug Trafficking
U.S. Immigration and Customs Enforcement is working to expose transactions made by drug traffickers using cryptocurrencies to hide their trails.
CoinDesk
Hackers steal $400m from cryptocurrency startups by exploiting ‘information chaos’
Cybercriminals exploit hype and basic coding errors to target Initial Coin Offerings in phishing attacks, Ernst & Young research finds.
CryptScout #BitFeed RSS – Bitcoin and Cryptocurrency News 24/7