How blockchain security experts investigate hacks | Interview
Crypto.news talked to the co-founders of Dedaub, a blockchain security firm, discussing their experiences and new measures to protect funds.
Recent reports show that during the third quarter of 2023, the number of crypto hacks and scams surged, resulting in the loss of approximately $700 million in digital assets. This figure surpasses the losses seen in the previous two quarters, indicating a rising threat to the safety and security of crypto investments.
To explore these challenges, crypto.news sat down with Neville Grech and Yannis Smaragdakis, co-founders of Dedaub, a blockchain security firm, at the SmartCon conference by Chainlink in Barcelona. We delved into the realm of crypto security, discussing the most notable hacks, emerging strategies for protecting your funds, and what it means to be a modern, crypto-era Sherlock Holmes.
Crypto.news: Could you remind me of the most interesting recent cases you investigated?
Neville Grech: The most interesting case we were involved in was MultiChain from about a year and a half ago. They had a potential vulnerability. At that time, we were conducting white hat hacking, examining contracts for vulnerabilities.
My co-founder, Yannis, came up with a rather unconventional approach to exploit that vulnerability. To make a long story short, we could have stolen a billion dollars from Multichain.
We talked to the company’s founder and provided him with the report. There are six stages of acceptance: first, there’s denial, and at some point, acceptance. So, finally, they addressed the issue.
Crypto.news: What happens behind the scenes when you initiate an investigation or deal with a hack?
Neville Grech: Many investigations are conducted post-hack. The first step is to quickly grasp the protocol, which requires highly skilled engineers, often the most competitive ones we have. These people excel at tasks like Capture the Flag (CTF) challenges and competitive hacking.
Initially, you’re operating on pure adrenaline, so the immediate goal is to figure out how to prevent a potential second hack. We spare no effort and utilize our extensive network of contacts and various tools, some of which we’ve developed specifically for these situations. We go all-in, striving to inform the community about the incident, delving deep into root cause analysis and similar aspects. Unfortunately, there isn’t much that can be done after a hack has taken place.
Crypto.news: To what extent is it currently possible to trace hackers?
Neville Grech: Sometimes, if the hacker is incompetent, we can trace their origin back to a centralized exchange.
Significant steps can be taken, but they often rely on the hacker’s level of competence. For instance, if they use a service like Tornado Cash, which anonymizes transactions, it becomes challenging to trace their activities. While you can check with RPC providers or explore sharing data with law enforcement, they might not share it with us. Other than that, options are limited.
You can also correlate timing, as Tornado Cash doesn’t guarantee 100% anonymity if used rapidly. If assets go in and immediately come out, there are ways to make connections, but it involves a fair amount of guesswork. It’s akin to detective work at that point.
Yannis Smaragdakis: Generally, I believe that a small to medium-sized hack executed by a skilled hacker is unlikely to be traceable. You might be able to find them in five years, perhaps because they made a mistake or due to technological advancements that could expose what is currently private. However, for now, when we talk about hacks under a million dollars, perhaps half a million, it’s a significant amount but not large enough to consistently reveal itself when attempts are made to anonymize the funds.
It becomes increasingly challenging to anonymize funds when dealing with amounts in the tens of millions. Extracting such substantial sums from the blockchain is an exceptionally difficult task. This is where traditional law enforcement comes into play, rather than smart contract technology.
Neville Grech: In the real economy, law enforcement agencies are often more effective when it comes to money laundering.
Crypto.news: Have you ever tried investigating North Korean hackers?
Yannis Smaragdakis: We haven’t directly experienced any hacks attributed to the Lazarus Group, the North Korean hacking organization.
Neville Grech: However, I recall an incident when the Lazarus Group attempted to hack a person who had previously hacked Euler Finance. It was essentially a hacker trying to hack another hacker. The Lazarus Group sent him a link to a vulnerable project to establish communication.
Yannis Smaragdakis: Unlike hacking laptops or mobile devices, smart contract hacking lacks a marketplace where you must spend money to be competitive. Hacking laptops or cell phones benefits from national organizations like Israel, the U.S., or Russia due to their ample resources and the ability to buy hacks. These organizations are highly organized, almost like military operations.
In the realm of smart contract hacking, all you need are people with expertise. The Lazarus Group’s proficiency in smart contract security is not anything special; they likely have individuals with sufficient expertise. Many organizations worldwide, including small companies, possess a similar level of proficiency.
However, if a hack involves traditional elements like cell phones or executable programs, they might have an advantage. The Lazarus Group is presumed to be well-funded and well-organized, which may make them a potent force. But it’s possible there’s an over-attribution of hacks to them. We cannot confidently assert whether they are as scary in the smart contract space.
In comparison, when it comes to my cell phone, I might be a bit more concerned. The cyber landscape is filled with individuals possessing the right expertise, especially in this anonymous realm, where they can engage in hacking.
Neville Grech: You might even encounter some of them at conferences.
Crypto.news: What can you recommend to protect your funds?
Yannis Smaragdakis: There are standard best practices to follow, especially for smart contract users. Using a hardware wallet is a good idea. It’s crucial to monitor the transactions you sign carefully. Employing strong security measures on your devices, such as cell phones or laptops, is essential to prevent local hacking that may lead to the theft of signatures or keystrokes.
A hardware wallet provides some protection against local hacking, as it’s a separate, less vulnerable device. However, it may show a transaction on your laptop that differs from what you’re signing. You might use your hardware wallet, thinking you’re approving something you should, but the money goes somewhere else. Thus, the threat remains if your local device is hacked.
To bolster security, consider practices such as having a dedicated and well-controlled laptop for financial transactions. Using separate devices for different roles is an excellent security measure, although it can be somewhat inconvenient in everyday life.
Neville Grech: Simulating transactions is an advanced practice.
Yannis Smaragdakis: I believe that in the near future before any transaction is executed, they will be simulated. We already offer transaction simulation in our software, and many wallets like Metamask now provide this feature as well. It allows users to preview the outcome of their transactions before sending them, which can be immensely helpful. In the coming year, we can expect significant improvements in this regard.
Ultimately, the responsibility often falls on the human user because the more power you grant users to manage their private keys and wallets entirely, any misstep on the user’s part can result in a potential security breach. When users have control over their accounts, they become vulnerable to hacks. Granting users privacy is a double-edged sword; it can protect them but also allow hackers to operate undetected.
There are efforts to address this issue; for example, some proposed technologies involve segmented keys where a portion of the key remains with the user, and another part is held by a central entity like a bank or financial organization. Users can separately authenticate and access both key parts as needed. This approach can prevent users from losing everything due to a single mistake. Several major players in the field are exploring such multi-party computation (MPC) wallets.
However, it’s essential to understand that each technology has its trade-offs. For example, in this case, the trade-off involves not having full control of your funds. If a major government requests an account freeze, they can do it. If you give the user full control, they can be hacked if they make a mistake.
Balancing user control and security is a complex challenge, and companies are actively seeking the right equilibrium, where users have significant control over their funds, except when something really serious happens, such as a government request for account freezing.
Crypto.news: It appears that you truly enjoy what you do. Do you ever feel like Sherlock Holmes during your investigations?
Yannis Smaragdakis: Sometimes, it indeed feels just like that. Certain investigations are very fascinating because of this resemblance.
Neville Grech: Our daily job involves examining other people’s code for vulnerabilities, whether it’s through audits or developing software and tools.
Yannis Smaragdakis: We’ve often found ourselves in war rooms, planning how to counteract a discovered hack. Or we find major vulnerabilities in a code and have to communicate with product teams to alert them to the need for fixes.
Crypto.news: A few hours after the BANANA token launch, ChatGPT identified a bug in the smart contract. Is it a valuable tool for spotting such issues?
Yannis Smaragdakis: It’s not particularly competitive at this stage. For every valid bug it detects, there might be 500 it misses. It’s not on par with human capabilities currently. Perhaps it lacks the experience or struggles with unconventional attack vectors that don’t follow established patterns.
As it stands, I don’t consider it competitive with human hackers, not yet. However, this year, we’ve witnessed surprising developments, particularly with GPT-4 and its capabilities in other fields. Who knows, next year, we might be amazed by its capabilities to find vulnerabilities.