In October 2021, the US and Israeli IT security company Check Point Software Technologies (CPST) identified security flaws in the world’s largest NFT marketplace OpenSea. Later, it also detected similar vulnerabilities in Rarible, an NFT marketplace with over two million active users.
According to Oded Vanunu, Head of Products Vulnerability Research, CPST, if exploited, the vulnerability would have enabled threat actors to steal users’ NFTs and crypto tokens in a single transaction.
“In terms of security, there is still a huge gap between Web2 and Web3 infrastructure. Any small vulnerability opens a backdoor for cybercriminals to hijack crypto wallets behind the scenes,” he said in an interview with e27. “Marketplaces that combine Web3 protocols still lack a sound security practice. The implications following a crypto hack can be extreme. We’ve seen millions of dollars hijacked from marketplace users that combine blockchain technologies.”
Popular metaverse game Axie Infinity, owned by Sky Mavis, also faced a similar attack last month, resulting in the loss of digital assets worth US$625 million from its Ronin Network platform.
“In the Axie hacking incident, we have seen the importance of a decentralised network. In this case, Axie only had nine validators, although you only needed five of them to verify deposits and withdrawals. However, all these five validators were saved in the same place. Decentralisation could have reduced these points of weakness in the systems,” he noted.
Explaining how the Axie attack worked, he said that the Ronin network requires five signatures, a multi-sig scheme, to verify deposits and withdrawals. The validators were operated by Sky Mavis, the blockchain gaming platform that created the Ronin network. Once the attackers had breached the Sky Mavis servers, they found all five of the multi-sig signatures needed to sign off on a transaction in one place.
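The Ronin lesson above is that an m-of-n policy is only as strong as the way its n keys are held. The following Python is an added illustration, not code from the article, Sky Mavis or Ronin: it checks an m-of-n approval the way a bridge policy would (distinct, known signers only, so a replayed key does not count) and then asks how many distinct custodians an attacker would have to compromise to reach the threshold. The validator and custodian names are constructed labels; only the 5-of-9 figures come from the article, and the metric works for any m-of-n layout.

```python
"""Threshold (m-of-n) approval check plus a custody-concentration metric.

Added illustration (not code from the article, Sky Mavis or Ronin). Validator
and custodian names are constructed labels; the 5-of-9 threshold is the only
figure taken from the article.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Validator:
    name: str        # validator identity (constructed label)
    custodian: str   # who or where its signing key is held (constructed label)


def threshold_met(signers, threshold, validators):
    """True when at least `threshold` distinct, known validators approved.

    Duplicate signatures and unknown names are ignored, so one key replayed
    five times cannot satisfy a 5-of-9 policy.
    """
    known = {v.name for v in validators}
    distinct = {s for s in signers if s in known}
    return len(distinct) >= threshold


def custodians_to_compromise(validators, threshold):
    """Fewest distinct custodians that together hold >= `threshold` keys.

    Taking the largest custodians first is exact here, because only the
    number of custodians matters, not which ones. Returns None when the
    keys cannot reach the threshold at all.
    """
    per_custodian = Counter(v.custodian for v in validators)
    keys_covered = 0
    for rank, (_, key_count) in enumerate(per_custodian.most_common(), start=1):
        keys_covered += key_count
        if keys_covered >= threshold:
            return rank
    return None


def has_single_point_of_failure(validators, threshold):
    """A policy is only nominally m-of-n if one custodian alone reaches m."""
    return custodians_to_compromise(validators, threshold) == 1


THRESHOLD = 5  # Ronin required five signatures (from the article)

# Constructed 9-validator set mirroring the article: five keys held by one
# operator, the remaining four spread across other operators.
CONCENTRATED = [Validator(f"v{i}", "operator-a") for i in range(1, 6)] + [
    Validator("v6", "operator-b"), Validator("v7", "operator-c"),
    Validator("v8", "operator-d"), Validator("v9", "operator-e"),
]

# The same 5-of-9 policy with every key under a different custodian.
DISTRIBUTED = [Validator(f"v{i}", f"custodian-{i}") for i in range(1, 10)]


def report(validators, threshold=THRESHOLD):
    """Summarise how far a validator layout is from its nominal m-of-n strength."""
    return {
        "validators": len(validators),
        "threshold": threshold,
        "custodians_to_compromise": custodians_to_compromise(validators, threshold),
        "single_point_of_failure": has_single_point_of_failure(validators, threshold),
    }


if __name__ == "__main__":
    for label, layout in (("concentrated", CONCENTRATED), ("distributed", DISTRIBUTED)):
        print(label, report(layout))
    # In the concentrated layout, one operator's five keys alone clear the bar.
    print(threshold_met([f"v{i}" for i in range(1, 6)], THRESHOLD, CONCENTRATED))
```

The point of `custodians_to_compromise` is that it reports 1 for the concentrated layout and 5 for the distributed one, even though both are "5-of-9" on paper; that number, not the nominal threshold, is what a bridge operator should track when deciding how validator keys are distributed across operators and hardware.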
“Blockchain bridges are platforms that connect two different networks enabling a cross-chain transfer of assets and information from one blockchain to another. Attackers are targeting bridges because they are the weakest point in the system. All the complex code creates many opportunities for exploitable bugs, and as these bridges usually hold a large amount of money, this makes them even more attractive to attackers,” he further shared.
Vanunu recommends being careful with, and aware of, sign-in requests, even those that appear within the marketplace itself. Before approving a request, users should carefully review what is being requested and consider whether it seems abnormal or suspicious. If in any doubt, users should reject the request and examine it further before authorising it.
In his view, crypto exchanges and blockchain/metaverse firms face the same security risks as any other company. On top of that, they face a new class of attack vectors specific to smart contracts, such as reentrancy, flash-loan attacks and other smart contract bugs, as well as attacks on user wallets.
“The difference between a regular company and a crypto company is that a regular company is well familiar with cyber-attacks. There are multiple security protections they can add, like firewalls. On the other hand, crypto companies have to face new kinds of attacks and pioneer new means of protection from such attacks,” he said.
Vanunu, however, doesn’t think that such cyberattacks will discourage users from joining P2E games. “The users are there mainly for the profits, rather than the technology (that sometimes gets hacked). As long as the games are profitable to the players, they will continue to be there. Also, we can see that from every attack, the game developers improve their security, transfer the users to new contracts and try to protect their systems as much as they can.”
The post ‘The Axie hacking reminds us of the importance of a decentralisation network’ appeared first on e27.