HackerOne

Hacker-Powered Security and DeFi: How Human Intelligence Improves Cryptocurrency Security


Decentralized Finance, or DeFi, is a relatively new application of blockchain, the technology behind bitcoin, consisting of financial applications intended to recreate traditional financial systems. Over the last year, DeFi has grown significantly, and billions of dollars of cryptocurrency are now locked into smart contracts. Smart contracts are self-executing code that runs at a specific address on the Ethereum blockchain. As the complexity of these contracts increases, so does the risk. As a result, DeFi funds are lucrative targets for malicious actors.

 

How DeFi Expands Cryptocurrency

Two of the main advantages of cryptocurrency are its privacy and accessibility. Users don’t need bank accounts and are identified by public/private key pairs rather than their real identities. Cryptocurrency transactions also offer lower fees and faster processing than fiat currency transactions, and they can be conducted by those who are unbanked as well.

DeFi expands cryptocurrency from value transfer to more complex financial use cases.

The three most common examples are: 

  • DeFi derivatives - DeFi derivatives can represent real or virtual assets and gain value based on the performance of an underlying entity such as a crypto asset, fiat currency, or commodities like gold, stocks, or bonds.
  • Lending and borrowing - Individual borrowers and organizations can easily access DeFi lending platforms, earning interest in the form of crypto coins on their deposited funds, all without third-party interference.
  • Asset management - DeFi asset management helps customers secure and manage financial assets with tools for exchange platforms, portfolio asset diversification, and investment tracking across multiple platforms.

Hacker-Powered Security DeFi Use Cases

HackerOne recently spoke with an anonymous hacker who goes by the handle samczsun, an expert in the blockchain space. A former security engineer at Trail of Bits and currently a Paradigm research partner, samczsun is well-known for cryptocurrency disclosures and findings that have saved users significant funds. samczsun hacks the open, online, global digital economy of Ethereum technology offerings, including digital money, global payments, and applications.

In our Q&A with samczsun, we learned more about his experience.

 

How much money have you saved DeFi users through your disclosures?

That’s hard to say. I’ve reported over 30 vulnerabilities to unique protocols, but not all vulnerabilities can easily be assigned a monetary value. At the time of writing, I would estimate I’ve saved over $450 million.

Most of that value came from a recent SushiSwap bug I found. You can find the write-up here, where I discuss bug discovery and issue remediation. 

I also found an Authereum smart wallet bug that would have allowed an attacker to hijack ownership of any wallet. It was almost identical to the first Parity multi-sig hack—a bug that put over $200 million at risk. I reported the smart wallet bug just a few days after launch, so there weren’t yet significant funds at risk.

How did you get started hacking for good and what motivates you to hack Ethereum projects?

My first serious entry into information security was reverse engineering Java apps, although the learning process was painful since I decided to dive straight into things. With Ethereum most people open-source their code, and code review is infinitely easier than reverse engineering. 

When faced with any critical vulnerability, choosing to disclose it responsibly is a no-brainer for me.

What are the differences between hacking Ethereum smart contracts and hacking more conventional assets? 

Hacks on companies take a long time and attackers usually leave traces, like making API calls or renting servers. Depending on the kind of attack, the company can also get law enforcement to help recover stolen assets. 

On the other hand, blockchains are pseudonymous by design, and law enforcement can't sanction an address for transferring the dirty money. There aren't any logs to consult since the attacker doesn't need to connect to any privately-owned servers. Ethereum security carries a sense of urgency that you don't have with traditional security.

How would you describe the security maturity of DeFi and what do you think it will look like five years from now? 

DeFi's security posture is almost bimodal. Low-quality projects are launching quickly to capitalize on the latest bull runs and make quick money. High-quality projects are taking what we’ve learned over the past few years and building products with a solid security foundation. 

I think in five years, we'll have a better understanding of different vulnerability classes and more tooling to help developers secure their code without hiring expensive auditors. Hopefully, this all translates to less money lost per year.

What smart contract vulnerability type do you think is especially interesting?

The vulnerabilities that arise from complex business logic are the most interesting because they can’t be discovered by following a checklist. The Pickle Finance hack is a great example of this. Each component worked almost as designed, but when combined, resulted in a devastating vulnerability that caused the loss of nearly $20 million.

What red flags do you look for when evaluating a project’s security (other than reading the source code)?

Not much else. As the unofficial motto goes, "Code is law." Assuming the source code is available, that's all I care about. 

You are known for focusing on source code when reviewing a project. Are there any tools you think are essential in a smart contract hacking workflow?   

The essentials are something to navigate the code with and something to test with. I usually make do with GitHub, but for some larger protocols, GitHub doesn't scale, and I'll clone it into VSCode or IntelliJ. 

How important do you think bug bounty programs are for DeFi projects?

Bug bounties are incredibly important in crypto. Even if you can't afford to pay out big bucks, having an officially sanctioned method of reaching out and reporting security issues shows that you've thought about the issue. 

What advice would you give to the next generation of hackers? 

Don't underestimate the power of coming back to a codebase a second time. I've found so many bugs in projects I thought were secure the first time I looked at them. Sometimes all you need is to take the time to digest all the information.

What are the biggest challenges for getting started with hacking smart contracts? Any tips for overcoming them? 

The biggest challenge is knowing what to look for. You could theoretically derive everything from first principles by reviewing smart contracts. However, it's more efficient to search for the top 10 smart contract vulnerability compilations. You can review my list of vulnerability writeups here. I also helped host a smart contract CTF at Paradigm. The files are here. But be warned, some of the challenges are truly evil.
