By David Janczewski, CEO and co-founder of Coincover
Hackers behind one of the biggest ever cryptocurrency heists have returned some of the $613 million in digital coins they stole, leaving many scratching their heads as to what is going on here.
The theft from the Poly Network, which allows users to transfer or swap tokens across different blockchains, wasn’t a hack in the traditional sense, where someone gains unauthorised access.
But it is all the more alarming because of that. This appears to have been an exploit, where a user runs public code to take advantage of an undiscovered security issue.
Instead of editing the code and/or stealing private keys, this is more akin to a hidden route straight to the Bank of England’s vault being left open when the bank was built and was just waiting for someone to discover it – rather than actually breaking in, trespassing and then stealing it.
According to analysis from SlowMist, in this instance the individuals responsible used code-based relationships between functions in the smart contract to bypass the onlyOwner modifier (a security protocol) – which would normally restrict public access to the functions used for the theft.
There have been 30 confirmed decentralised finance (DeFi) hacks already this year and at least one other DeFi exploit this month. This type of exploit, carried out by as yet unidentified hackers, certainly won’t be the last.
Funds deposited into smart contracts like this are always exposed to risks associated with how those smart contracts are coded.
These additional risks are reflected in the high potential returns available in DeFi, one of the fastest growing areas of crypto technology. Yet such risks make many investors, institutions and regulators uneasy and prevent the inflow of capital into digital assets (crypto) that will truly transform financial services for everyone.
Sadly, hacks and security breaches in DeFi are now so common they are almost normalised. Victims are also being exploited, which is what is really becoming concerning.
Risk is the price of innovation and one we should happily pay, to a point, but there is clearly a need for additional safety and protection options above and beyond smart contract security.
Individuals and organisations will struggle to operate effectively in a space where we have to rely on the good will of hackers to return stolen funds.