The crypto world is on edge after a string of hacks
More than $2 billion in digital currency has been stolen in hacks in 2022, shaking faith in the field. Saiman Chow/The New York Times.

by David Yaffe-Bellany



NEW YORK, NY.- Not long after dropping out of college to pursue a career in cryptocurrencies, Ben Weintraub woke up to some bad news.

Weintraub and two classmates from the University of Chicago had spent the past few months working on a software platform called Beanstalk, which offered a stablecoin, a type of cryptocurrency with a fixed value of $1. To their surprise, Beanstalk became an overnight sensation, attracting crypto speculators who viewed it as an exciting contribution to the experimental field of decentralized finance, or DeFi.

Then it collapsed. In April, a hacker exploited a flaw in Beanstalk’s design to steal more than $180 million from users, one of a series of thefts this year targeting DeFi ventures. The morning of the hack, Mr. Weintraub, 24, was home for Passover in Montclair, New Jersey. He walked into his parents’ bedroom.

“Wake up,” he said. “Beanstalk is dead.”

Hackers have terrorized the crypto industry for years, stealing Bitcoin from online wallets and raiding the exchanges where investors buy and sell digital currencies. But the rapid proliferation of DeFi start-ups like Beanstalk has given rise to a new type of threat.

These loosely regulated ventures allow people to borrow, lend and conduct other transactions without banks or brokers, relying instead on a system governed by code. Using DeFi software, investors can take out loans without revealing their identities or even undergoing a credit check. As the market surged last year, the emerging sector was hailed as the future of finance, a democratic alternative to Wall Street that would give amateur traders access to more capital. Crypto users entrusted roughly $100 billion in virtual currency to hundreds of DeFi projects.

But some of the software was built on faulty code. This year, $2.2 billion in cryptocurrency has been stolen from DeFi projects, according to the crypto tracking firm Chainalysis, putting the overall industry on pace for its worst year of hacking losses.

Many of the thefts have stemmed from flaws in the computer programs — known as “smart contracts” — that power DeFi. The programs are often built hastily. And because smart contracts use open-source code, which provides a publicly viewable map of the software, hackers have been able to orchestrate attacks on the digital infrastructure itself, rather than simply infiltrating someone’s account. It’s the difference between robbing an individual and emptying an entire bank vault.

“DeFi has introduced a whole other level for hackers to be able to access a platform,” said Erin Plante, vice president of investigations at Chainalysis. “It’s putting a lot of pressure on the space and restricting the innovation that’s possible.”

The breaches have shaken faith in DeFi during a grim period for the crypto industry. An epic crash this spring erased nearly $1 trillion and forced several high-profile companies into bankruptcy. In August, thieves exploited a coding issue to drain $190 million from a company called Nomad. Last week, the crypto firm Wintermute said its DeFi division had been hacked, leading to losses of $160 million.

Tracking the movement of stolen crypto is fairly straightforward. Transactions are recorded on public ledgers called blockchains, which anyone can analyze to find patterns. But it’s significantly harder to regain access to lost funds.

The hacks have prompted many DeFi start-ups to explore preventive measures, recruiting auditors to examine their code for vulnerabilities. Even as other types of crypto firms cut costs during the downturn, security and auditing companies have seen a huge surge in business.

“This year was a good year for attackers,” said Goncalo Sa, a founder of ConsenSys Diligence, which conducts code audits. “That has definitely ingrained in the minds of people that security is something that they should take seriously.”

From crypto’s inception, companies have struggled with security. In 2014, the first major Bitcoin exchange, Mt. Gox, was breached in a damaging attack that eventually led to the company’s bankruptcy and the loss of billions of dollars in digital currency.

At the time, the industry was relatively small and uncomplicated. Now hackers can attack a wider ecosystem, including an experimental economy of crypto-based video games, decentralized lending projects and newfangled coins. Last year, a hacker stole $600 million from the DeFi platform Poly Network; the thief eventually returned the money after negotiations with the project’s leaders.

This year’s hacks have caused far more damage. In March, a group sponsored by the North Korean government stole $620 million in digital currency from the Ronin Network, a DeFi platform that powers the video game Axie Infinity. Around the same time, a hacker exploited a software flaw in a DeFi project called Wormhole to abscond with $320 million.

“Many people are putting up platforms with a known vulnerability,” said Chris Tarbell, a former FBI agent who now runs the cybersecurity firm NAXO. “In a target-rich environment, criminals are going to be opportunistic.”


The Wormhole hack exploited vulnerabilities in a novel element of crypto technology known as a cross-chain bridge, which allows investors to switch back and forth between digital currencies built on separate blockchains. Some DeFi platforms facilitate these conversions to help people capitalize on trading opportunities; a trader who owns lots of Ether, for example, might want to use an application on another currency’s blockchain without having to sell the Ether and buy the other currency.

The sheer amount of crypto flowing across these cross-chain bridges makes them valuable targets. A total of 10 hacks this year have involved bridges, leading to losses of $1.3 billion, according to Chainalysis.

The technology is “highly complicated, and complexity is the enemy of security,” said Steve Walbroehl, a founder of the crypto security firm Halborn.

Beanstalk wasn’t built as a cross-chain bridge. But it had other vulnerabilities baked into its code.

The project’s inner workings were almost comically obscure. A white paper outlining its mechanics consists of 61 pages of graphs, charts and mathematical equations (as well as a quote from Alexander Hamilton’s letters).

“The number of Pods that grow from 1 Sown Bean is determined by the Temperature — the Beanstalk-native interest rate — at the time of Sowing,” reads one passage from a guide to the platform called the Farmers’ Almanac.

In essence, Beanstalk allowed people to deposit tens of millions of dollars in virtual currency into a software system, which generated interest and helped maintain the value of a stablecoin called a bean.

The project didn’t operate as a traditional startup. Like many crypto founders, Weintraub and his collaborators — Brendan Sanderson, 25, and Michael Montoya, 24 — kept their identities secret, calling themselves Publius, an homage to the authors of the Federalist Papers. When the software was released in August 2021, users who deposited their crypto got votes in an investor collective called a decentralized autonomous organization, or DAO, which had to agree to make changes to the software.

Beanstalk’s collective governance was ultimately its undoing. In April, a hacker borrowed $1 billion of cryptocurrency from another DeFi project, Aave. The transaction was a so-called flash loan — a lightning-fast process in which a crypto user borrows funds without posting any collateral, makes a trade and then immediately pays back the loan, keeping any profits generated from the series of near-simultaneous exchanges.

The code that Weintraub and his partners had designed did not have a mechanism to stop someone from using a flash loan to take over the platform. So the hacker used the $1 billion to claim a huge stake in the Beanstalk DAO, taking total control of the software’s governance. Then the hacker transferred everyone’s funds — a total of nearly $200 million — out of the Beanstalk system.
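To make the governance flaw concrete, here is an added toy simulation (not Beanstalk's code; holder names and token amounts are constructed). It contrasts a DAO that weighs votes by live balances and lets a proposal execute in the same block with one that weighs votes by a balance checkpoint from a previous block and enforces a one-block execution delay. A flash loan has to be repaid before its transaction ends, so it carries the vote in the first model and has no weight in the second.

```python
"""Toy DAO governance model: live-balance voting vs. past-block checkpoint voting.
Constructed example; holders, balances and the loan size are made up."""


class Dao:
    def __init__(self, balances, hardened):
        self.balances = dict(balances)      # governance tokens per holder (live)
        self.hardened = hardened            # True: checkpoint weights + execution delay
        self.block = 1
        self.history = {0: dict(balances)}  # end-of-block balance checkpoints
        self.proposals = {}

    def end_block(self):
        """Finalise the block: checkpoint balances as they stand at its end."""
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def propose(self, pid):
        self.proposals[pid] = {"block": self.block, "votes": {}}

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if self.hardened:
            # Weight comes from the last finalised block, never from live balances,
            # so tokens borrowed and repaid inside one transaction never count.
            weight = self.history[p["block"] - 1].get(voter, 0)
        else:
            weight = self.balances.get(voter, 0)
        p["votes"][voter] = weight

    def can_execute(self, pid):
        p = self.proposals[pid]
        if self.hardened and self.block - p["block"] < 1:
            return False                    # delay: never execute in the proposal block
        supply = (sum(self.history[p["block"] - 1].values()) if self.hardened
                  else sum(self.balances.values()))
        return sum(p["votes"].values()) * 2 > supply   # simple majority


def flash_loan_vote(dao, attacker, loan):
    """One transaction: borrow, propose, vote, try to execute, repay the loan."""
    dao.balances[attacker] = dao.balances.get(attacker, 0) + loan
    dao.propose("p")
    dao.vote("p", attacker)
    passed = dao.can_execute("p")
    dao.balances[attacker] -= loan          # loan must be repaid before the tx ends
    dao.end_block()
    return passed or dao.can_execute("p")   # retry once the delay has elapsed


HOLDERS = {"alice": 60, "bob": 40}          # constructed token distribution
```

The checkpoint rule mirrors how vote-tracking tokens record past balances per block; a genuine holder such as alice still carries a vote after the delay, which the hardened model preserves.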

Panic ensued. “I lost $1 million today,” one Beanstalk user declared on YouTube. “It happened through beans.”

Some users suspected that Weintraub and the other founders were behind the attack — a classic “rug pull” in which a team of developers flees with investors’ funds.

“The pitchforks were out,” Weintraub said. “It felt like death.”

Ultimately, he and the other founders decided to continue the project. They reported the theft to the FBI and held calls with Beanstalk enthusiasts to find a path forward. In an April post on the chat forum Discord, they also revealed their identities for the first time. It was a risky move: Even though the project wasn’t a traditional business, they could be vulnerable to lawsuits from users or regulatory scrutiny.

Over the last few months, the Beanstalk DAO has worked to restart the project, recruiting blockchain analysis firms to help track down the lost crypto. The group also hired Halborn, the security firm, which is reviewing the code to eliminate any vulnerabilities. Beanstalk officially reopened last month.

Such comeback efforts are increasingly common in crypto. “We’ve always been so transparent with the community that this is an experiment,” Weintraub said. “We’re all figuring this out together.”

The stolen funds remain missing.

This article originally appeared in The New York Times.
September 29, 2022