Off-Chain Security: A Rising Reason For Recent Hacks?
By Ayesha Yousuf
Blockchain technology is bringing transformation to the whole system of digitization for industries. Blockchain supports transparency along with the concept of decentralisation. Transparency here suggests the idea that everyone present in the ecosystem can easily witness the public addresses of the accounts carrying out their transactions and deeds. However, since anonymity is one of the supreme functions of blockchain technology, people cannot figure out exactly who is behind that address. Here, transactions can be further broken down into “on-chain” and “off-chain” transactions.
On-Chain & Off-Chain Mechanism:
Many organisations have been using blockchain technology for managing storage of data either on-chain or off-chain. On-chain mechanism basically means that the beneficiary and the guarantee both are eligible to see the transaction done and everything from storage to execution is done on the blockchain. Off-chain does not necessarily mean that it is “not on blockchain” but instead is used to describe something which is not on a publicly accessible service.
Typically, an on-chain transaction is validated when all the nodes affirm the transaction on the public ledger. Being transparent and decentralised, this phenomenon consumes a huge amount of time. The particulars of each transaction is published on the blockchain to be closely looked into and then it is confirmed and executed. This creates a delay, due to which the users can shift towards an off-chain mechanism. On-chain transactions also require high gas fees to execute the relevant tasks, further motivating users to switch towards off-chain transactions.
An off-chain transaction deals with values outside the blockchain and can be completed using a lot of methods. To carry out any kind of transaction, both functioning entities should first be in agreement, after that a third-party comes into the picture to validate it. In order to leverage the implementations the parties have to buy coupons in exchange with cryptocurrency. Here the coupons of the related protocols work differently. The details for the coupons are shared with the third party who claims them. Transaction speed, relative to on-chain, is comparatively faster along with much fewer gas fees.
To maintain the security of the De-fi land along with optimising all off-chain implementations, governance is done. Governance refers to managing and implementing changes to the cryptocurrency blockchain. Blockchain developers propose any possible code changes, through voting of the nodes these changes are accepted or rejected.
An important feature of blockchain is that once the code is pushed on the mainnet, it can never be changed. In order to maintain the functionality of blockchain, governance is done, ensuring that any investment or transaction remains safe.
Focusing on both off-chain and on-chain security is very important. It is often observed that the unwanted cybercriminal finds a loophole in the frontend, backend or any other components of the protocol and enters into the system that way. By entering through such an escape clause, the criminal is able to take a lot of finances in a single go, in most cases without being tracked or captured.
This raises a question for protocol managers. If they are investing time and skills on maintaining on-chain security, then why not also look into the vulnerabilities present in off-chain? Securing the current Web2 for the advent of Web3 applications is very important, so that there is no kind of slit or crack through which an unauthorised individual seeps through.
Off-Chain Hacks & Attacks:
If we talk about the current situation of the Earth, a recent pandemic hit the world so hard that almost 76.9% of the employees all around the world were working remotely. These conditions allowed a lot of people to carry forward unethical activities. This usually involved penetration into the contract or protocol through any means and exploiting it, resulting in global headlines and the stealing of millions of dollars worth of cryptocurrency.
Due to this condition of the world, the occurrence of such kinds of incidents increased a lot more. This article will explain 3 such recently happened incidents which are based on the exploitation of protocols through Web2 means.
1. OpenSea Hack:
One such exploit was on OpenSea, the largest NFT marketplace in the De-Fi space, allowing an attacker to take the expensive BAYC NFTs from the owners at a whopping 6 figure discount.
How OpenSea Works:
A “listing price” is found on OpenSea where all the NFTs are listed for buyers to view the price and buy them. Due to the functionality of smart contact that OpenSea uses, whenever a buyer accepts that listed price, the NFT is automatically transferred to his/her address. Now, if the new owner would re-list the NFT with a higher price, the proper way to do it is cancel the old price which costs gas fees and re-list the NFT with a new price.
What Actually Happened:
The normal phenomenon of relisting on OpenSea was causing higher gas fees resulting in a charge of tens, hundred or thousands of dollars. To skip this, some users invented a new method in which they transfer the NFT to another wallet and back to the original one. This caused the deal to be done, i.e re-listing of the new price of the NFT.
This above glitch caused a bug which was discovered very early by Rotem Yakir, a software developer at a De-fi platform Orbs. He stated an unforeseeable flaw in the backend of OpenSea. The flaw was observed whenever this above procedure was opted to re-list the price it apparently removed the old price of the NFT from the listing but it remained on the blockchain and can be found out by using the OpenSea API.
Tom Robbinson, co-founder of a blockchain analyst company Elliptic said that, “It’s a subjective thing whether you consider this to be a loophole or a bug, but the fact is that people are being forced into sales at a price they wouldn’t otherwise have accepted right now.”
In January 2022, a malicious attacker took advantage of this vulnerability and bought the NFT. “Bored Ape Yacht Club #9991” was purchased through this exploit technique for 0.77 ETH ($2391.54) and quickly resold for 84.2 ETH ($261,515.94), resulting in a profit of more than $200,000.
Rokem Yakir also said that this problem was created by mismatched information of the NFT present in the smart contract aka OpenSea’s interface which the attackers are taking advantage of. The old contacts which are available on the blockchain but are not available on the OpenSea application are being dug and taken off.
2. OpenSea Phishing Attack:
On Saturday, 19th February, 2022, some users noticed that their NFTs — digital tokens on a blockchain that represent ownership over a virtual asset, were missing. Which was later discovered that the hacker stole million dollars worth NFTs from 17 users. The loss count was $1.7 Million.
How It Happened:
On Friday, 18th of February, 2022, OpenSea tweeted that a new smart contract has been added to the OpenSea, the users can now use the link provided in the tweet and transfer their NFTs to the new smart contract.
After the users reported that they have noticed that their NFTs are missing OpenSea after one and half hour tweeted stating that “this appears to be a phishing attack originating outside the OpenSea’s website.”
Basically, a malicious actor copied the OpenSea email and resend them to a ton of users, where the email contained a link that redirected to a copycat website of OpenSea. On the website, instead of clicking “Sign” the phenomenon would trigger an action called “atomicMatch_” causing the stealing of NFTs in a single transaction.
Devon Finzer, CEO & Co-Founder of OpenSea in a tweet reported that 32 OpenSea users were the victim of this phishing attack. On Monday, 21st February, 2022, OpenSea clarified that instead of 17 or 32 users, who ever interacted with the email became a victim of the phishing attack.
Jake Fraser, Head of Business Development for the NFT marketplace Mogul Productions, on such a high profile incident shared his thoughts as, “these incidents present the opportunity to improve both personal and marketplace security.”
3. Lightning Network Bot Hack:
Lightning is a network that uses smart contracts to cater instant payment across a network of people, instantly.
By using real mechanisms of blockchain transactions and smart contract scripting language, Lightning Network depends upon the technology of blockchain. They create the possibility through a secure network that the participants are able to transact with high speed and high volume.
Lightning Network is also known as a “layer 2” payment protocol of Bitcoin’s base layer. Many Bitcoiners claim that Lightning is a Bitcoin as it works the same way i.e through a permissionless network. It also doesn’t mint any new coins or tokens. However, it does help Bitcoin to scale up, reduce fees, optimise blockchain storage capacity and improve speed for an average user.
Covering all these aspects, Lightning is claimed to be a Bitcoin.
How It Works:
When a user needs to do a transaction on Lightning Network, they do the following steps:
- A multi-signature single transaction is initiated, where a channel is opened and funds are transferred to that channel on the smart contract of Bitcoin’s blockchain.
- In this lightning channel the users are now allowed to exchange their BTC, avoiding the higher miner’s fees of Bitcoin “layer 1” blockchain.
- Once the exchange is done, the channel is closed back to the Bitcoin’s blockchain, finally distributing all funds.
How It Got Hacked:
According to the Lightning Network Transaction Twitter account, they declared that a team of hackers have exploited a minute vulnerability in Eclair’s API to siphon Bitcoin.
Eclair is one of the 3rd layers of the French Unit by ANIQ and is the top 3 implementation in Lightning Network. The other two are LND by Lightning Lab and C-Lightning by blockstream.
Lightning Network was hacked on Nov 5th, 2021, by a Telegram bot and exposed the vulnerability present in the layer 2 of Bitcoin blockchain. As the exploit was minute the hackers were still able to take away 14 million Satoshis (0.14 BTC and $43,476)
Since then the bot was taken down and gone under observation to testify how the hacker got through the tunnel and penetrated the network.
Lightning network bot hack perfectly demonstrates it’s not bitcoin. Protos. (2021, November 9). Retrieved February 24, 2022, from https://protos.com/bitcoin-lightning-tipping-telegram-bot-hacked-cryptocurrency/
Hacker exploits OpenSea bug that undervalue nfts to buy and Flip Bored Apes. Bitcoinist.com. (2022, January 24). Retrieved February 24, 2022, from https://bitcoinist.com/hacker-exploits-opensea-bug-that-undervalue-nfts/