8 Reasons Hackers And Scammers Can Steal Cryptocurrency Assets
by Michael Mullins - Updated Sep 18, 2021
In this article I’m going to show you how users on even the world’s best-funded crypto projects and exchanges can and do get scammed & hacked.
In fact, over 75% of all crypto hacks so far this year have occurred in DeFi.
The rest includes centralised exchanges and hot wallets.
And nearly $2.5 billion in crypto assets have been stolen in the last 10 years.
So, let’s dive right in.
First, why is it so attractive for hackers to exploit exchanges, wallets & DeFi projects?
- Financial Rewards
- Bad Code
- Lack of Regulation
- Flash Loan Price Manipulation
- Sloppy Developers
- Rug Pulls
- Legacy Security
- User Ignorance
Financial Rewards
The decentralised finance sector has grown at a breakneck pace.
In 2018, the total value locked in DeFi was less than $1 billion. By Q3 2021, this had grown 150x to around $150 billion.
Such rapid growth in the crypto market value has attracted more cybercrime networks and lone hackers.
Often projects are implemented in a hurry because security is considered a lower priority than launching a project on time.
Bad Code
Smart contracts are a new concept in the IT industry.
Although programming smart contracts is simple, languages like Solidity are new to many people, which means developers often don’t have enough experience in coding smart contracts.
Therefore, they can make mistakes that can lead to enormous financial loss.
External code audits do not mitigate the risk, since most auditors do not bear any responsibility for the quality of their work, as they are only interested in getting their invoice paid.
And people lie to auditors too.
Up to now, more than 100 crypto projects have been compromised simply due to coding errors.
Lack of Regulation
People involved in the crypto industry often complain about how Gary Gensler, the chair of the US Securities & Exchange Commission (SEC), is trying to destroy crypto with excessive regulation.
That’s understandable.
But there is almost no regulation of DeFi projects today.
In fact, except for El Salvador, national governments are laggards in the race to financial innovation and digital currencies.
But regulation, if it is done properly, will help the security of crypto.
Right now, who are you going to call if you lose one ETH from your MetaMask wallet? Ghostbusters anyone?
If it wasn’t for the Payment Card Industry’s Data Security Standard (PCI-DSS) there would be a lot more credit card fraud and online merchants would simply neglect their security.
So, are we not in need of a Blockchain Security Standard (BSS)?
Flash Loan Price Manipulation
If you borrow from a bank, then you normally need to provide collateral.
Not so in DeFi with flash loans.
Flash loans are designed to eliminate the need for collateral by making it impossible for a borrower to default on a loan.
Arbitrage trading is a typical use case for flash loans.
Price discrepancies across different crypto exchanges open a tiny window of opportunity for traders to generate profits quickly. This is called arbitrage trading.
In a flash loan attack, the attacker creates their own arbitrage by exploiting a vulnerable smart contract.
The attacker artificially modifies the value of a trading pair of tokens by flooding a contract with one token in the pair, using the borrowed tokens. The resulting difference in price between the exploited contract and the real value of the trading pair is called slippage.
By artificially creating slippage, an attacker can acquire a token very cheaply or sell one at a high price to the exploited contract.
The PancakeBunny DeFi protocol on the Binance Smart Chain recently lost 96% of its value following a $200 million flash loan attack.
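To make the slippage mechanism concrete from the defender's side, the following added example (not code from any project named in this article) models a constant-product pool and a guard that refuses to trust a spot price that has drifted too far from a time-weighted average. The pool reserves, the 0.3% fee, the price history and the 5% threshold are all constructed assumptions.

```python
from dataclasses import dataclass

FEE = 0.003  # assumed 0.3% swap fee for the illustrative pool


@dataclass
class Pool:
    token: float  # reserve of the token being priced
    usd: float    # reserve of the quote asset

    def spot_price(self):
        """Price read straight from current reserves; one large trade moves it."""
        return self.usd / self.token

    def swap_usd_for_token(self, usd_in):
        """Constant-product swap (x * y = k). Returns the tokens paid out."""
        usd_eff = usd_in * (1 - FEE)
        token_out = self.token * usd_eff / (self.usd + usd_eff)
        self.usd += usd_in
        self.token -= token_out
        return token_out


def twap(observations):
    """Time-weighted average of (seconds_held, price) observations."""
    total = sum(t for t, _ in observations)
    return sum(t * p for t, p in observations) / total


def price_is_trustworthy(spot, reference, max_dev=0.05):
    """Guard to apply before valuing collateral or minting from a pool price."""
    return abs(spot - reference) / reference <= max_dev


def simulate(trade_usd):
    """Run one trade against a constructed pool and report what the guard decides."""
    pool = Pool(token=1_000.0, usd=1_000_000.0)  # constructed reserves
    history = [(600.0, 1_000.0), (600.0, 1_010.0), (600.0, 990.0)]  # constructed
    reference = twap(history)
    before = pool.spot_price()
    pool.swap_usd_for_token(trade_usd)
    after = pool.spot_price()
    return {"before": before, "after": after, "reference": reference,
            "accepted": price_is_trustworthy(after, reference)}


if __name__ == "__main__":
    for size in (1_000, 4_000_000):  # an ordinary trade vs. a loan-sized one
        print(size, simulate(size))
```

A contract that prices assets from `spot_price()` alone would accept the distorted value; comparing against an average that cannot be moved inside a single transaction is what makes the large trade stand out.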
Sloppy Developers
The most worrying risk is sloppy project developers.
They start a clone DeFi project in search of quick profit.
Many developers are inexperienced in smart contracts but still try to launch their own project.
Because smart contracts are open source, projects are easily cloned.
Because one project may contain vulnerabilities, clones inherit those too.
SafeMoon is a good example.
According to a code audit by blockchain security company HashEx, SafeMoon had 12 vulnerabilities, 5 being classified between critical and high severity.
The same vulnerable gasless holder yield smart contract with the same critical bug has apparently been forked into over 100 other projects, leading to potential losses amounting to over $2 billion.
Rug Pulls
With the lure of huge potential gains, there are plenty of scammers waiting to steal from others.
Rug pulls involve many users, often wiping out the entire market cap of a project.
An exit scam is where a seemingly promising project attracts many users.
Then after liquidity flows into the project and the price grows, developers take out all the liquidity they can, destroying the capital of those left holding the tokens at the end.
Developers disappear with everyone’s funds, never to be seen again.
So DeFi projects founded by an anonymous team should be avoided.
Billionaire Shark Tank investor Mark Cuban was supposedly rug pulled as part of the TITAN project collapse, where the price suddenly crashed from $60 to $0,00017.
Legacy Security
Centralised exchanges are a big target because a lot of information is publicly available about the value of assets stored.
They typically use legacy infrastructure with hot wallets to make assets available to trade, while the rest of the assets not being traded are offloaded to cold storage.
Most assets are stored in virtual HSM (vHSM) devices that use multiparty computation (MPC) technology, not connected to the internet.
But exchanges aren’t fully transparent about the wallets they own and how they handle funds.
There is a lack of security safeguards, security certifications and regulatory oversight.
Exchanges are also in charge of user authentication and multi-factor authentication, and often their support services are almost non-existent.
And mobile phone companies are responsible for SIM swap attacks.
But users are the ones to lose out when exchanges get hacked.
Dozens of Coinbase users have experienced account takeovers in the past, where hackers carried out SIM swap attacks or hacked their devices and gained access to their Coinbase accounts.
User Ignorance
The weakest link in crypto theft is user ignorance.
Typical users do not have sufficient security awareness to be able to react to the many different techniques used by hackers and scammers today.
Therefore, many users lose their assets by clicking on hyperlinks in SMS messages & email or clicking on popups in their browser.
The MetaMask browser extension is one potential target.
It’s not always the users’ fault.
DeFi protocol Cream Finance had its second hack of 2021. Hackers took over their DNS and redirected users to a fake website, using it to request users’ private keys and seed phrases.
If users had better security awareness, they would not hand over the keys to the kingdom.
Ignorance is the biggest danger for retail crypto investors today.
Conclusion
So, I think you can see that there are so many ways that hackers can steal your coins and tokens from your favourite crypto exchange or projects.