The cryptocurrency threat landscape is always evolving. Thanks to cryptocurrency existing within two distinct worlds, the financial and the technological, any changes within either lead to serious ramifications. There have been vast developments in new attack methodologies and threats, and it is important that both organisations and individuals within the cryptocurrency space are aware of these.
As seen in previous quarters, threat actors are innovating their tactics and tooling to attack the cryptocurrency space, but the same can be said for the legitimate companies and agencies. These range from the number of failures and exploits seen against Decentralised Autonomous Organisations (DAOs), to the faults around smart contracts, as well as big shifts in the operations of major cryptocurrency companies.
This report will discuss some of the most impactful threats to the cryptocurrency landscape that have happened in Q2 2023.
The Threats Identified
The downfall of DAOs
A DAO or Decentralised Autonomous Organisation is a blockchain concept originally conceived as a legal construct. The premise is that it enables the creation of decentralised organisations where the decisions for the organisation are made via the stakeholders. Within cryptocurrency, DAOs are often paired with a token, which often is used solely as a utility token. Decisions made within a DAO are often facilitated though group votes, where holders of the token can vote. To keep the system fair however, the number of tokens an individual holds can represent the voting power they wield. However, while this system aims to be an equitable way to enable the community to make decisions, malicious individuals have found a multitude of ways to exploit this.
During Q2 we have seen many DAOs being exploited, with a large number occurring on newly created organisations. When it comes to DAO exploitation there is a multitude of different attacks that can and have been deployed. These range from traditional Flash Loan attacks, such as that used against New Free DAO in September 2022, to re-entrancy attacks such as that against The DAO in August 2022. What remains a core theme, however, is that the voting system behind the DAO remains the main target of the attack. This is often because once an attacker has control of the votes, they can take control of the DAO itself, often removing control from legitimate users. While not against a DAO, this was the case with the attack against Bean Finance, where an attacker used a flash loan to forcefully pass a malicious vote, from which he gave himself control and exfiltrated around $182 million dollars.
Within Q2 2023 we have seen some new ways that DAOs have become the victim, including one example where the DAO was not attacked but merely misused. One such incident took place in May, targeting the now infamous Tornado Cash DAO. Tornado Cash was a decentralised protocol that focused on anonymity; enabling users to anonymise their funds through an Ethereum smart contract. Thanks to its effectiveness in helping cybercriminals launder stolen funds, it became a target of a US Treasury sanction after it was found to have laundered around $7 billion dollars, including $455 million dollars’ worth of money stolen by the North Korean Lazarus Group alone. Alongside Tornado Cash was the Tornado Cash DAO, a governance system that enabled the community to help shape the path the protocol takes. This was done by the original developers, who in doing so removed their own control over it, making it a community-controlled project.
On 20 May, Tornado Cash was subject to a governance attack which could have effectively rendered the entire DAO pointless. It was first reported by Twitter user Sam Sun, who noticed that an attacker had been able to maliciously grant themselves around 1,200,000 votes within the DAO. As there was only around 700,000 legitimate votes within the protocol, the threat actor effectively had full control over the entire DAO, removing the governance system entirely. To achieve this, the attacker created a malicious proposal within the project. However, as previously discussed, this would still have to be passed by the community to take effect, and to achieve this the threat actor utilised social engineering techniques. When the malicious proposal was created, the attacker claimed that it had the same logic as one that had been previously passed. This was a lie: when the proposal was dug deeper into, it was found the attacker had added a single extra function titled emergencyStop(). As nobody noticed the function, the proposal passed, and the attacker was able to execute the function, enabling the logic to be updated. With this the threat actor granted themselves the 1.2 million tokens, giving them complete control of the protocol. Alongside this, they took 380,000 of the TORN tokens, traded them for Ethereum, and then rather ironically laundered them through the Tornado Cash protocol itself. Once the proposal was discovered to be malicious, a further one was made to revert the changes, but thanks to the attacker having full control of the governance now, this effort was effectively useless. While the threat actor did post a new proposal that would revert all the changes, some speculated that this may have originally been a ploy to try to recover the price of the currency so the attacker could then mass sell at a higher price; the proposal passed with a total of around 517,000 votes for, and zero against.
What this attack highlights about DAOs, is that while in theory the concept of group governance builds an idea of protection through the community, auditing is still vital. If proposals fail to be correctly audited, resulting in malicious contracts being passed, further situations such as this may begin to occur. With this specific scenario, many voters would not have read thoroughly through the contract code, just voting based on the proposal itself. It is also important to note that many users of these protocols may not be technically savvy enough to conduct a full contract audit themselves. It is therefore the job of a DAO to ensure that some measures such as proposal security audits are in place to protect not only the DAO itself, but the community it represents.
Sometimes the poor management of DAOs can lead to the issues arising naturally. This was the case for Arbitrum DAO, after their first official vote ended up failing in dramatic fashion due to an over eager team. After the initial airdrop of tokens, the team at Arbitrum outlined AIP-1, a proposal that described the procedures and structure that the DAO would follow. Unfortunately for the Arbitrum DAO, the proposal was not well liked within the community, with over 76% of the vote going against it. One main reason for this was that it included the decision to keep around $1 billion worth of ARB tokens as a budget to be used by the protocol. While this seems innocent at first, it was quickly revealed via a blog post by a member of the team that Arbitrum had already began to sell ARB tokens from their budget before the AIP had passed. The post likened the situation to that of “A chicken and an egg” where within a community-run organisation, how the community can or should vote, should be open to debate. They went on to explain that this was merely a “ratification” of previously agreed upon decisions that the team had made internally. While some saw this post as an olive branch with the community, the revelation from Arbitrum themselves that 40 million ARB tokens were allocated to a “sophisticated actor within the financial markets space” led some to speculate that the team was aiming to cash in on the creation of the DAO. While this situation does not present us with a traditional cryptocurrency attack, it highlights the importance that community control holds within these communities and the threat that attempts to bypass this can pose. The Arbitrum team may have had the best interests of the protocol in mind when they were establishing these rules, but by not consulting the community, we are left with an interesting issue. Maybe the team put it best themselves, as in trying to solve whether the chicken or egg came first: the decision they made left them and the DAO itself with egg on its face.
Through Q2 we have seen a new perspective on the potential threats to DAOs. What this boils down to is the distribution of work between that of the community and the team behind the DAO, and the fine line that needs to be found to ensure the safety and success of the project. If either party is left with the burden of security, cracks can begin to form. Both the teams behind DAOs and the community around them need to come together to approach the problems of the threat landscape of decentralised organisations. Through this, solutions which work for the team from a technical perspective, and that the community behind the DAO agree with, can be identified to ensure the safe and democratic operation of the protocol can continue without exploitation.
Ever since the first smart contract was posted, they have posed an interesting threat problem thanks to the combination of the power they hold, and their unique properties. A smart contract is effectively how people place code onto the blockchain. Unlike a traditional contract, smart contracts do not hold any actual agreements, but scripts which run once certain conditions are met. Simply put, these allow the automation and innovation of many blockchain activities, with large numbers of crypto projects now having some smart contract element within them. Interestingly, however, smart contracts have specific properties that open them up to threat. The most prominent of these is their permanent and immutable nature, meaning that once the contract is on the chain, it cannot be altered and is permanent. If an attacker can find an exploit within a smart contract, such as a way to drain it of its funds illegitimately, then there is very little that can be done to fix the issue. These vulnerabilities were nicely categorised in the paper Finding the Greedy, Prodigal, and Suicidal Contracts at Scale where three common results of bugs within smart contracts are analysed. These are Greedy Contracts, which lock entered funds indefinitely; Prodigal Contracts, which leak funds to arbitrary users; and Suicidal Contracts, which can be killed by any unauthorised user.
Within Q2, smart contract vulnerabilities have been a serious cause for concern with projects falling victim to all kinds of issues. The first of these happened back in April to a project known as Gemholic, which is powered by zkSync and promised an ecosystem which facilitated mining, staking, yield farming, and NFTs. The project’s initial token sale was a success with the total amounting to around 921 Ethereum, some $1.7 million. However, after the funds were sent to the project’s smart contract, researchers realised there was no way to retrieve any that had been placed within it. This was all thanks to a flaw within their code which used the .transfer() Solidity function to withdraw their funds. The issue with this is that the zkSync layer 2 network that the contract was built on did not support the .transfer() function. What this meant was that the logic of the contract was broken and due to the immutability of smart contracts, there was no way to fix it. This vulnerability led to the Gemholic contract becoming a greedy contract, locking all funds onto the chain with no way for users to retrieve them. While this would normally be the end for a project, due to the zkSync chain being an L2 chain, the team was able to update their protocol to support the .transfer() function, taking to Twitter to announce the good news. While this scenario ended up working out for the protocol in the end, it shows how important it is that care is taken during the development stages of smart contracts. With many traditional code bases, if bugs are found after it has been released, teams can quickly and easily push a patch to the code to ensure it is no-longer vulnerable. As this example shows, it is vital that smart contract developers have thorough and rigorous testing of their code bases before deploying the contract on chain. While it is easy to just blame developers, it is important that the platforms themselves offer clear guidance as to what is supported on their specific chain, in order to help developers and avoid situations such as this.
However, while Gemholic was not the victim of the attack thanks to their flaw, others were not so lucky. Level Finance is a decentralised exchange which is known for facilitating the trade of perpetual contracts. This is where cryptocurrency investors can speculate on what they believe the price of an asset will be at a certain point. To conduct some of their operations, Level uses smart contracts which is a fairly common operation. It is also known that Level regularly audits their smart contracts; however, unfortunately no one spotted the issue which ended up being the project’s downfall. On 1 May, the Level Finance Twitter account posted a tweet explaining that one of their smart contracts had been targeted in an attack. Thanks to researcher PeckShield, the contract in question was found to be “LevelReferralControllerV2”. What caused this contract to be vulnerable was that an attacker was able to claim for the same refund multiple times within the same epoch (time period). From this, they were able to steal a total of 214,000 LVL tokens from the contract, which they then promptly swapped for around $1 million worth of BNB. The effect of this was that the price of LVL plummeted, falling from $8.40 to around $4.20, and on a steady decline ever since. To add insult to injury, researchers discovered that the threat actor had unsuccessfully attempted the same attack a week prior. If the team had noticed this, there is a chance they would have been able to fix the bug before the later attack took place, saving the loss of funds. While this further highlights the importance of proper smart contract auditing, the failed initial attack presents another important step in protecting cryptocurrency infrastructure. By implementing appropriate on-chain monitoring, potential attacks can be seen coming, and while this is almost standard in traditional technology such as firewalls and network detection agents, applying the same fundamentals to the cryptocurrency space could build a more protected landscape.
One further attack in Q2 was that against the staked Ethereum liquidity marketplace unshETH. The decentralised protocol aimed to create competition within the liquidity staking protocols market, and, as with many Ethereum-based protocols, utilised smart contracts. Unlike other smart contract hacks, the contract in question was not targeted due to a vulnerability but instead thanks to a traditional off-chain attack. This is something that has been a big trend within the cryptocurrency threat landscape, being highlighted within Cyjax’s Cryptocurrency Threat Landscape Report – A Year in Review 2022. In this scenario, it was found that a developer of the project had leaked their private keys on GitHub. After a malicious actor found these, they were not only able to drain around $375,000 worth of tokens from the contract but also to transfer the contract’s ownership over to themselves. While the attacker did then proceed to return the ownership of the contract back to unshETH, they did not reimburse the funds, prompting the team to post an on-chain message to them requesting that they return the majority of the funds, keeping around $50,000 for themselves. What is important to take from this scenario is that while we often focus on smart contract vulnerabilities and the threat they pose, it can be easy to be blindsided into forgetting about traditional security. Ensuring that appropriate usage of environment files is applied and that GitHub repositories have correct “.gitignore” files is vital to protect against this kind of sensitive information leakage.
Overall, through looking at the threat landscape of smart contracts, we have fundamentally reinforced the original kinds of vulnerabilities found within the paper discussed earlier. From greedy contracts locking away money from Gemholic, to prodigal contracts leaking funds from Level Finance, it can be seen that despite these being known flaws, they begin to rear their head in new and interesting ways. None have shown this more than seeing an off-chain attack that led to a potentially safe contract becoming the target of an attack, leaving the protocol vulnerable. While this feels like a complex problem, through building a better understanding of these kinds of vulnerabilities, we can begin to help protect against them, rather than looking for specific kinds of flaws, searching for ways that these vulnerability categories could be realised within the contract code in a more holistic audit process. This is only further highlighted when it is noted that Level Finance had conducted two smart contract audits in 2023 before the attack took place. By widening the horizons on how smart contracts can be vulnerable, the risks can be more appropriately assessed.
Big changes for the big exchanges
Normally when evaluating the threat landscape, we rarely look at the logistical changes that are happening to the larger global exchanges, as often there is little that can be gleaned from them from a threat perspective. Within Q2 2023, however, there has been such movement from some of the bigger players within the industry that it allows some insight into what is happening within the cryptocurrency landscape as a whole. Ever since the collapse of FTX back in November 2022, there has been a big shift in the sector, after it was seen that the large cryptocurrency firms often deemed “too big to fail” could in fact fail. Trust in crypto fell, and while the FTX saga is in the rear-view mirror for some, it is hard to believe that it has not left a lasting impact on the community.
Through Q2 2023, Binance has undergone some serious changes to its operational capacity. The most prevalent among these is the removal of service in multiple countries. The first of these was the company’s decision to withdraw from Canada, after the country announced in a press release in February that they were aiming to implement cryptocurrency investment limits and stricter stablecoin regulation. After this, Binance looked to withdraw from Cyprus, as well as the Netherlands, after they failed to obtain a virtual asset service provider registration in the country. To finish this chain of withdrawals, Binance also cancelled its registration with the Financial Conduct Authority within the UK. While this seems like a strange strategic move, the number of regulations on cryptocurrency has increased dramatically as world leaders begin to turn their sights to what is still a relatively new and unexplored financial instrument. These new regulations within the EU have been titled the Markets in Crypto-Assets (MiCA) regulations, which were passed into EU law on 31 May. While Binance initially appeared to be heeding these new regulatory pressures, announcing they would cease to sell multiple privacy coins within the EU, this swiftly changed with the company abandoning these plans by the end of the month.
It has not only within the EU that these regulatory changes have been seen. The Securities and Exchange Commission (SEC) in the US has also filed two complaints against Binance and Coinbase. The SEC alleges that Binance has acted with “blatant disregard of the federal securities laws” as well as “unlawfully solicit[ing] U.S. investors to buy, sell, and trade crypto asset securities through unregistered trading platforms available online at Binance.com […] and Binance.US”. The Coinbase complaint followed suit, with the following press release explaining that Coinbase is “Operating as an Unregistered Securities Exchange, Broker, and Clearing Agency”. The impact of these filings has been seen across the crypto space most noticeably with Binance, whose affiliate Binance US began firing members of their team following the filings. Other exchanges such as Robinhood delisted some of the tokens which were referred to by the SEC within the lawsuits as “unregistered securities”. These tokens included Cardano, Polygon and most notably Solana. All this chaos surrounding the SEC filings also led Binance’s BNB token to drop significantly in value by nearly 25%. One major issue with this, however, is due to the BNB Chain bridge hack back in October 2022. After the attack, they were able to mint around $593 million worth of BNB and then deposit around 920,000 BNB onto the Venus lending protocol as collateral for a loan which was then used to borrow other assets. The problem is that if BNB was to drop below the point where the collateral liquidates, some researchers estimate it may cause the “single largest potential liquidation in all [of] Defi”. Venus has stepped in, to implement protection measures against this possibility, passing a governance proposal to try to protect the market. As reiterated by their Tweet, the proposal allows the liquidation of the hacker’s position to exclusively to the BNB chain core team in an effort to prevent any further impact this would have on the market.
Thanks to these recent regulatory and governance changes on cryptocurrency, Q2 2023 has seen some serious movements by the large exchanges. While some may not see this as a threat, it does allow a clearer insight into the cryptocurrency landscape for the rest of 2023 and beyond. With the increase in regulation, cryptocurrency exchanges have had to hunker down to ensure that they can stay trading, and potentially through this, trust has eroded further. For cryptocurrencies to be successful, it is vital that the community has faith and trust in the companies running the industry, and making decisions that benefit the community that they support. While the wider impact this will have is unclear, this is one of the first observations of a widespread weakening of the crypto space, as it begins its long and uncomfortable integration into the traditional global financial systems.
As this exploration of the threat landscape of Q2 2023 has shown, some key themes have emerged, and these can be monitored into Q3 and beyond. The most notable of these is a potential movement away from traditional cryptocurrency organisations to more community-based projects such as DAOs. As we saw with some of the distrust building with larger exchanges, communities have moved towards projects where they feel they have more control over the decision-making processes behind it. This is not surprising when, following events such as the FTX collapse, many questioned the decisions being made by the company that led to the downfall. Despite some seeing this move as a positive step, it is important that these newer and less well-funded organisations enforce a high level of security throughout their protocols. Without this, users moving away in an attempt to regain some control over how their platforms operate may end up with fewer security controls in place around them.
As we move into Q3, it is likely that further regulatory changes will have major impacts on the cryptocurrency space. While these may be the main priority in the minds of cryptocurrency organisations and exchanges, it is important that those operating in this sphere do not take their eye off their own security. Threat actors are always looking for weaknesses, and if companies begin to fall behind on fixing issues or conducting audits, attackers will take advantage for their own malicious goals.