Some time ago, CoinDash, an Israeli cryptocurrency startup, was using their ICO to raise $10 million. Just hours after it started, an unknown attacker compromised the website and took $7 million of it. At the time, many were shocked that this could happen. Today, crypto hacks are commonplace.
First Published 21st July 2017 | Latest Refresh 29th October 2021
Oh, to put a coin on the moon.
Reflare Research Team
As we have pointed out in previous briefings, cryptocurrency marketplaces face several unique problems that put them at increased risk for cyber attacks. In this research report, we will review one of the larger hacks as well as some more recent cases illustrating this fact.
History lesson - The CoinDash hack
Israeli cryptocurrency startup CoinDash fell victim to a hacking attack at the time it was holding its so-called ICO or “Initial Coin Offering” - a process commonly used by cryptocurrency companies to raise capital without a traditional IPO. While the latter offers shares in the company, the former offers cryptographic tokens instead. Since these tokens can then be traded freely, they behave very similarly to shares, but without any regulation or governmental oversight.
To purchase coins, buyers were asked to transfer a certain amount of a cryptocurrency called Ethereum to a provided address. However, as payments were being made, attackers changed the address and diverted large portions of the cash flow to themselves instead of the company.
According to blockchain records, the company managed to raise US$6.4m before the attack. The hackers then stole roughly US$7.0m.
The fallout
While CoinDash was quick to declare that they would honour all coin purchases - even those where funds were sent to the attackers - the damage would likely be fatal for the startup. Apart from the loss of more than half of the raised capital, the reputational damage done to the company was immense.
Whether the attack was performed by insiders or unrelated attackers, investors and potential customers will have a very hard time regaining trust in CoinDash’s technical capabilities. The unregulated nature of cryptocurrencies further means that there is no way to roll back the theft or restore funds. Many in the cryptocurrency industry took note of what happened to CoinDash, and vowed to stay on top of their cyber security. Okay.
Cash Rules Everything Around Me
Now let's skip forward to more recent times. Cream Finance is a Taipei-based decentralised lending platform that has experienced what could be one of the largest flash-loan attacks ever in the decentralised finance (DeFi) sector.
The company reported their Ethereum C.R.E.A.M v1 Lending Market Platform was exploited and lost approximately US$130m of tokens. Unsurprisingly, the value of the C.R.E.A.M token dropped 25.8% within 24 hours of the breach going public.
However, this isn't the first time Cream Finance has fallen victim to such an attack. Less than two months earlier, one exploit led to a US$35m loss. Six months earlier again, hackers managed to get away with another US$38m by using the DeFi protocol Alpha Finance.
Although this is unfortunate, it is a reflection of the insufficient cyber security practices within many crypto and DeFi platforms.
Insecure Markets
Cream Finance and CoinDash are not alone. Poly Network suffered a US$600m hack (although it is reported the kind-hearted hacker returned the booty). Japanese cryptocurrency exchange Liquid incurred losses of over US$90m in an attack which siphoned Ethereum, Tron, Bitcoin and XRP tokens from their platform (this hacker wasn't so kind).
The unregulated, transparent and - at least initially - anonymous nature of cryptocurrencies is what makes them appealing to many users and investors. However, the exact same attributes also introduce great risks.
Traditional financial networks are heavily regulated and watched to prevent fraud, money laundering and security breaches. While nothing is absolutely secure, the core transaction networks of major banks are among the most secure IT systems currently available with specialized teams monitoring transactions around the clock. If fraud should occur, transactions can usually be rolled back and the perpetrators prosecuted.
Pleeease do your research
Most cryptocurrency startups, however, consist of small teams with widely varying technical expertise. While some companies manage to retain the required talent, time and funding to build highly resilient infrastructure, others don’t. Assessing the security of a company is virtually impossible for the general public. Furthermore, once fraud occurs, nothing can roll it back and the attackers - unless highly incompetent - remain anonymous.
We advise any individual or organisation considering engaging with cryptocurrency - be it by accepting it as payment, investing in the technology, purchasing coins or doing business with entities holding significant amounts of their assets in coins - to take the significant added risk into account during the due diligence process.