Two crypto heists this week caused nearly $200 million in losses. Seemingly every week there are stories about similar incidents. But is there a security problem with the blockchain itself, or with the software and systems designed to facilitate its use?
On Wednesday, 3 August, a “malicious actor” stole nearly $6 million (£4.9 million) from wallets on the Solana network. The hack affected 7,947 accounts and was apparently carried out by a single attacker.
According to crypto asset compliance company Elliptic, victims lost approximately $2.6 million in USD Coin (USDC), $1.8 million in Solana (SOL) and $1.4 million in other assets (including NFTs).
That was Wednesday. The day before, a series of attacks on the Nomad token bridge, which allows users to shift their crypto assets between certain blockchains, drained nearly $190 million (£152 million) from accounts.
These recent hacks are just two examples of an increasing number of security incidents affecting blockchain assets.
Blockchain’s People Problem
“The whole point of using a blockchain is to let people—in particular, people who don’t trust one another—share valuable data in a secure, tamperproof way,” writes Mike Orcutt in MIT Tech Review.
“But the security of even the best-designed blockchain systems can fail in places where the fancy math and software rules come into contact with humans…”
Perhaps security issues are inevitable in a loosely-regulated market where novel software facilitates billions of dollars in payments.
Like most such attacks, Wednesday’s Solana incident appears not to have resulted from a security flaw on the blockchain itself. Instead, hackers targeted the third-party software providing wallets in which users stored their cryptocurrency.
“This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network,” a spokesperson for Solana said via Twitter.
“The attacker somehow obtained the ability to sign (i.e., initiate and approve) transactions on the behalf of users,” Eli Tan and Sam Kessler write for CoinDesk, “suggesting a trusted third-party service may have been compromised in a so-called supply chain attack.”
While the Solana hack appears to have been perpetrated by one actor (or team), Tuesday’s Nomad Bridge attack seems to have involved hundreds of people—some of whom were supposedly “white hat” hackers who have promised to return the funds.
“…this event so far has hundreds of addresses receiving tokens directly from the bridge,” writes Brian Newar for CoinTelegraph.
Blockchain bridges like Nomad enable users to move cryptocurrency from one blockchain to another. A person wishing to send bitcoin to an ethereum wallet, for example, can deposit bitcoin with a bridge and receive a “wrapped” bitcoin token compatible with the ethereum blockchain.
Bridges require high amounts of reserve currency to back the value of these wrapped tokens. The largest blockchain bridge by market cap is reportedly Wrapped Bitcoin (WBTC), at $5.4 billion (£4.46 billion).
The biggest crypto heist on record also targeted a blockchain bridge: the Ronin Network, which enabled players of the mobile game Axie Infinity to convert in-game tokens into cryptocurrency, was drained of around $615 million (£506 million GBP) in March.
The hack occurred when Axie Infinity experienced an unexpected surge in users and opted to downgrade security measures to manage demand.