Much has been said about the recent “hacks” in the decentralized finance space, particularly in the cases of Harvest Finance and Pickle Finance. The conversation is more than necessary considering that hackers stole more than $100 million from DeFi projects in 2020, which is 50% of all hacks this year, according to a CipherTrace report.
Some point out that the events were merely exploits that highlighted weaknesses in the respective smart contracts. The thieves didn’t really break into anything; they just casually walked through the unlocked back door. By this logic, exploits are more ethical, since the attackers took advantage of errors without actually hacking in the traditional sense.
But is it?
The differences between an exploit and a hack
Vulnerabilities are at the root of exploits. A vulnerability is a weakness that an adversary could exploit to compromise the confidentiality, availability or integrity of a resource.
An exploit is specially crafted code that an adversary uses to exploit a specific vulnerability and put a resource at risk.
Even the mention of the word “hack” in relation to blockchain might baffle an industry insider who is less familiar with the technology, since security is at the core of the appeal of distributed ledger technology. While blockchain is an inherently secure medium for exchanging information, nothing is completely unhackable. There are certain situations in which hackers can gain unauthorized access to blockchains. These scenarios include:
- 51% attacks: Such hacks occur when one or more attackers gain control of more than half of the network’s computing power. It is a very difficult task for an attacker to accomplish, but it happens. Most recently, Ethereum Classic (ETC) suffered three successful 51% attacks within one month in August 2020.
- Creation errors: These occur when security gaps or errors made while writing the smart contract are overlooked. These are loopholes in the truest sense of the term.
- Insufficient security: When a hack consists of inappropriately accessing a blockchain that follows weak security practices, is it really just as bad if the door was left wide open?
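The first item above says a 51% attack needs more than half of the computing power, and that it is very difficult to pull off. The reason a majority is the decisive threshold can be shown with the attacker-success model from the Bitcoin whitepaper (Nakamoto, 2008, section 11): a transaction buried under z confirmations is only ever final in a probabilistic sense, and the probability that a minority attacker catches up shrinks exponentially with z, while an attacker at or above 50% is expected to catch up no matter how deep the block is. The code below is an added example, not part of the original article and not from any of the projects it mentions; it assumes the whitepaper’s race model between two Poisson block-production processes, and the helper names (`attacker_success_probability`, `confirmations_needed`) are the example’s own.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the total hash rate
    eventually overtakes the honest chain once a transaction has been
    buried under z confirmations (Nakamoto 2008, section 11).

    The honest network mines each block with probability p = 1 - q.
    For q >= p the attacker is expected to catch up with certainty,
    which is exactly why a majority of hash power is the decisive line.
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0
    # Expected number of attacker blocks mined while the honest chain
    # produces the z confirmations (Poisson mean of the race).
    lam = z * (q / p)
    total = 1.0
    for k in range(z + 1):
        # Poisson(k; lam), computed iteratively to avoid factorials.
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        # Having mined k blocks, the attacker is z - k behind; the chance
        # of ever closing that gap is (q/p)^(z-k).
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, risk: float, max_z: int = 10_000) -> int:
    """Smallest number of confirmations that pushes the attacker's
    success probability below `risk`, or -1 when no depth is enough
    (any attacker holding at least half the hash rate)."""
    if q >= 0.5:
        return -1
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    return -1


if __name__ == "__main__":
    # Illustrative hash-rate shares (constructed values, not measurements).
    for q in (0.1, 0.3, 0.51):
        p6 = attacker_success_probability(q, 6)
        z = confirmations_needed(q, 0.001)
        print(f"q={q:.2f}: P(success after 6 confirmations)={p6:.7f}, "
              f"confirmations for <0.1% risk: {z}")
```

Reading the numbers as a defender: with 10% of the hash rate an attacker’s odds after six confirmations are roughly 0.02%, and five confirmations already push the risk below 0.1%; at 30% the same risk level needs 24 confirmations; at 50% or more the function returns 1.0 for every depth, and no confirmation policy helps. That is the quantitative reason exchanges raised confirmation requirements for chains such as ETC after the August 2020 attacks rather than relying on any fixed depth.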
Are exploits more ethical than hacks?
Many would argue that something cannot possibly be considered ethical without consent, even if worse acts could have been committed. This logic also raises the question of whether an exploit is 100% illegal. For example, if a US company is registered in the Virgin Islands, this can also be viewed as an “exploit” of tax law, although outwardly it is not viewed as illegal. Hence, there are certain gray areas and loopholes in the system that people can use for their own benefit, and an exploit can also be viewed as a loophole in the system.
Then there are cases like cryptojacking, a form of cyberattack in which a hacker misuses the processing power of a target to mine cryptocurrency on the hacker’s behalf. Cryptojacking can be malicious or non-malicious.
It is safest to say that exploits are far from ethical. They are also completely preventable. In the early stages of the smart contract creation process, it is important to adhere to the strictest standards and best practices of blockchain development. These standards are designed to prevent vulnerabilities, and ignoring them can lead to unexpected effects.
It is also important for teams to conduct intensive testing on a test network. Smart contract audits can also be a powerful way to spot weaknesses, although there are plenty of audit firms out there that do low-cost auditing. The best approach is for projects to obtain multiple audits from different firms.
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Pawel Stopczynski is the researcher and R&D director at Vaiot. Previously, he was R&D director and co-founder at Veriori and UseCrypt. Since 2004, Pawel has been involved in the development of 18 IT projects in Poland and the UK, with a focus on the private sector. He has been a speaker at several IT conferences and the organizer of two TEDx conferences. For his work, Pawel received a gold medal at the Concours Lépine International Innovation Fair 2019 in Paris and a gold medal from the French Minister of Defense.