Web3 Surge: New Openings for Cyber Attacks on the Financial Sector

The rapid growth of Web3 has created new opportunities for cybercriminals, especially in decentralized finance (DeFi). North Korea’s APT38 has been a prominent actor in this space, orchestrating large-scale heists like the 2022 Ronin Bridge attack. 

They are not alone; hundreds of Web3 heists have been reported since 2020, resulting in billions of dollars stolen, which often involve social engineering, crypto drainers, rug pulls, and frauds, but the most significant incidents typically exploit vulnerabilities in crypto wallet keys, smart contracts, or web frontends.

Fake job opportunity

DPRK cybercriminals are targeting crypto exchanges through social engineering and supply chain attacks by sending fake job opportunities with malware to compromise developers’ or financial personnel’s machines. 

Once a foothold is established, they steal credentials, conduct reconnaissance, and pivot to cloud storage to steal hot wallet keys and drain funds. 

Researchers observed a case where attackers used AWS SSM parameters to steal wallet credentials and passwords, resulting in a $100 million loss. Early threat detection is crucial to preventing such heists.

Smart contracts, while transparent and decentralized, are vulnerable to exploits, whose open-source nature allows attackers to scrutinize code for vulnerabilities. 

Common exploits target flaws in programming logic, such as arithmetic overflow or underflow, reentrancy attacks, and improper access controls, which can lead to significant financial losses for users and developers. 

To mitigate risks, developers must adhere to rigorous security practices, including using secure libraries, conducting thorough code reviews, and employing automated testing tools.

A reentrancy attack exploits a vulnerability in smart contracts that allows an attacker to execute a function multiple times before the original call completes, which occurs when a contract sends funds to an external contract without updating its internal state first. 

The attacker can then create a recursive loop, repeatedly calling the original function and draining funds from the vulnerable contract, which has been used to steal millions of dollars worth of digital assets from various smart contracts. 

 Description of the Tornado Cash Malicious Proposal

The Curve Finance reentrancy attack exploited a vulnerability in the remove_liquidity function, where the attacker manipulated the external call to self.coins[1] to recursively call the function before the state variables were updated, which bypassed the balance check and allowed the attacker to withdraw funds from the pool multiple times. 

The @nonreentrant modifier, intended to prevent reentrancy, failed to protect the function due to the faulty contract layout, which resulted in the loss of $70 million from the Curve Finance protocol.

Changing of Locked Token Balance of Attacker-Controlled Contracts to 10,000

An attacker exploited a vulnerability in Euler Finance’s smart contract to perform a flash loan attack by borrowing DAI via Aave, depositing it in Euler, and leveraging it to borrow ten times its value. 

By manipulating the donateToReserves function, they triggered a self-liquidation at a discount, stealing a large sum. In a separate incident, an attacker gained control of Tornado Cash DAO by proposing a seemingly harmless governance change that included a hidden emergencyStop() function. 

According to Google, after the proposal passed, the attacker invoked this function to destroy the existing contracts and grant themselves control, allowing them to drain Treasury funds.  

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here