Everyone loves a good hack, unless it’s your data (or fortune) that’s lost. Web3 has been rocked by a number of major hacks following the growth of interest in crypto and NFTs that began in the early 2010s, with substantial values lost.
We’re strong believers that the smartest way to prevent future hacks is to understand those that already happened. The best place to start is by looking at the biggest, the boldest, and the most curious ones out there.
Join us as we leaf through the vaults of web3 hackery and uncover the vital security lessons behind them.
Mt Gox: ~850,000 BTC (~450 million USD at the time)
You can’t talk about web3 hacks without paying homage to the 2014 Mt Gox eruption.
It all goes back to 2010, when Jed McCaleb transformed the MTG card exchange into a Bitcoin exchange. The platform’s ability to handle the volume and transaction type was questionable. In 2011, Mark Karpeles — a rising crypto star and the new owner — reprogrammed Mt Gox so it could fit its new role. But in Feb ‘14, it erupted. Mt Gox suspended withdrawals, lost between 650,000 and 850,000 BTC, and went bankrupt in less than two months.
The eruption was sudden, but not unexpected. Vulnerabilities like the 2011 publication of user records had been a running concern for years. Rumors of an outsized exposure to one-click attacks and cross-site request forgery also circulated in the wider community. When the attack came, it was the final nail. But here’s the thing: despite plenty of speculation, we still don’t know who held the hammer.
The lesson: Don’t use bandaids to hold together crumbling architecture
Mt Gox was not built to handle the amount of Bitcoin that went through it. The original vulnerabilities were never fixed. There was no operational version control software, so anyone could rewrite code unchecked. This left it open to the attacks that blew it apart.
Coincheck breach: ~500 million NEM (~500 million USD in Jan ‘18)
In January 2018, Coincheck temporarily restricted all non-BTC crypto and currency exchanges on the platform. Later, we learned that the Japan-based crypto exchange had been hacked to the tune of ~500 million NEM. The breach affected around 260,000 users.
So how did it happen? At the time of the breach, Coincheck claimed that the funds had been lifted out of its hot wallet. According to Cointelegraph, employees’ personal computers had been compromised with malware that accessed their private keys. Various groups have been blamed, including a North Korean group and a Russian hacker group. As far as we know, the NEM was never recovered. In the aftermath, Coincheck reimbursed affected users and was then acquired by Monex.
The lesson: Protect private keys & use hot wallets with caution
Hacks don’t tend to come with clean, simple lessons. This one is no different, but at least two of the takeaways are clear:
- Protect private keys. When it comes to private key storage, pen and paper rule. Don’t keep private key material online or near any device that can read and decipher it.
- Use hot wallets with caution. Anything linked to the internet is breachable — so frequent security checks need to be a constant priority.
Poly Network breach: ~600 million USD
In a bid to beat out the Mt Gox and Coincheck hacks for ‘the #1 crypto hack in history’ spot, a hacker breached the decentralized Poly Network platform and absconded with a mix of cryptocurrencies valued at approximately 600 million USD.
The hacker used a code vulnerability to transfer funds to themselves. But this hack was not like the others. By the day after the attack, over half of the stolen money had been returned. And after some back and forth with the Poly team, the rest was restored too. Here is why, in the hacker’s own words, the story unfolded this way:
“My actions, which may be considered weird, are my efforts to contribute to the security of the Poly project in my personal style. The consensus was reached in a painful and obscure way, but it works.”
The lesson: Plug your vulnerabilities before someone else exposes them
This hack had an unexpectedly happy ending — at the end of the day, the hacker cooperated and exposed a key vulnerability. The Poly team handled it well too: they wrote an open letter to the hacker(s), set up crypto addresses for returning the money, and worked with their partners to quickly freeze assets. But this story could have gone very differently: that’s why it’s vital to regularly hire and deploy experts who test your defenses before someone else tests them for you.
Multichain bridge breach: ~3 million USD
The Multichain bridge hack is not the biggest or the coolest. Compared to some of the other ones on this list, it may even feel unimportant. But the way it was handled earned it a spot.
Here’s what happened: in January ‘22, hackers exploited a vulnerability in the liquidity pool contracts and router contracts of 8 tokens — WETH, WBNB, MATIC, AVAX, MFI, WSPP, TLOS, and IOTEX. They did this three days after the chain weakened and walked away with around 3 million USD.
Here’s why this hack matters. The critical vulnerabilities were exposed on Jan 10th. Multichain did not make an official statement to users until Jan 18th. And instead of trying to fix the problem internally, it asked users to manually revoke the token approvals they had granted to the affected contracts for the 8 tokens.
The lesson: Don’t rely on your users to fix your mess
Multichain put the onus of closing the breach on its users through a public announcement. As of Feb 18th, about 40% of those affected still hadn’t rescinded the smart contract permissions, leaving themselves open to further breaches. We still don’t know if the issue has been completely resolved. In situations like these, where a breach is caused by the company’s own code, there should be a greater effort made to close it.
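The “40% still hadn’t rescinded” figure comes from exactly this kind of check: replaying ERC-20 Approval events and seeing which owners still hold a non-zero allowance toward the affected contracts. Below is an added example of that check, not Multichain’s code; it assumes events shaped like the standard ERC-20 Approval(owner, spender, value), and every address, token and value in it is a constructed placeholder.

```python
# Added example (not Multichain's code): replay constructed ERC-20 Approval events and
# report which owners still hold a non-zero allowance toward a compromised spender.
# Assumption: event tuples mirror ERC-20 Approval(owner, spender, value); addresses,
# token symbols and values below are constructed placeholders, not real on-chain data.

# Spenders the advisory told users to revoke (constructed placeholder addresses).
COMPROMISED_SPENDERS = {"0xROUTER_A": "old router", "0xPOOL_WETH": "WETH liquidity pool"}

# Constructed Approval events in block order: (block, token, owner, spender, value).
EVENTS = [
    (100, "WETH", "0xalice", "0xROUTER_A", 2**256 - 1),   # unlimited approval
    (101, "MATIC", "0xbob", "0xROUTER_A", 5_000),
    (102, "WETH", "0xcarol", "0xPOOL_WETH", 10_000),
    (150, "WETH", "0xalice", "0xROUTER_A", 0),            # alice revoked
    (151, "MATIC", "0xbob", "0xROUTER_A", 2_500),         # bob lowered, did not revoke
    (152, "AVAX", "0xdave", "0xSAFE_SPENDER", 99),        # unrelated spender, ignored
]

def current_allowances(events):
    """Latest Approval value per (token, owner, spender); approve() overwrites, it does not add."""
    latest = {}
    for _block, token, owner, spender, value in sorted(events):
        latest[(token, owner, spender)] = value
    return latest

def outstanding_approvals(events, compromised):
    """(token, owner, spender, value) tuples still non-zero toward a compromised spender."""
    return sorted(
        (t, o, s, v) for (t, o, s), v in current_allowances(events).items()
        if s in compromised and v > 0
    )

def revocation_rate(events, compromised):
    """Share of (token, owner, spender) approvals to a compromised spender that were revoked."""
    ever = {(t, o, s) for _, t, o, s, _ in events if s in compromised}
    still = {(t, o, s) for t, o, s, _ in outstanding_approvals(events, compromised)}
    return 1 - len(still) / len(ever) if ever else 1.0

if __name__ == "__main__":
    for token, owner, spender, value in outstanding_approvals(EVENTS, COMPROMISED_SPENDERS):
        print(f"{owner} still allows {spender} ({COMPROMISED_SPENDERS[spender]}) "
              f"to spend {value} {token}")
    print(f"revoked: {revocation_rate(EVENTS, COMPROMISED_SPENDERS):.0%}")
```

Lowering an allowance (bob) is not the same as revoking it; only an approve of 0 (alice) closes the exposure.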
Wormhole breach: ~120,000 wETH (~325 million USD in Feb ‘22)
When hackers exploited a smart contract on the bridge between Solana and Terra, millions disappeared, earning this hack its place in the history books.
It all started with a GitHub repository update that included a bug fix that hadn’t been fully deployed yet. Hackers spotted — and exploited — that bug and forged a transaction signature that let them mint 120,000 wETH on Feb 2nd 2022. The Wormhole team sprang into action and offered a 10 million USD bounty for the return of the funds — their offer was not accepted. The company did restore losses with VC help, but the original assets were never recovered.
The lesson: Deploy fixes in a smarter way
By the time this attack took place, Wormhole was aware of the bug and had published the fix, but signals about the security issue remained visible in the system before the fix was fully live. If you knew what to look for — and the hackers clearly did — the update looked like a security fix. That’s why it’s vital to ‘cloak’ fixes, coordinating the public change with its deployment, so that their signals are not as easy to identify.
Ronin bridge: ~625 million USD
The Ronin Network is the way Axie Infinity players exchange the digital tokens they earn battling their Axies for other crypto. In March ‘22, it was hacked.
This hack is particularly interesting because the people behind it played the long game. The groundwork started in November ‘21, as thousands of new players joined Axie and increased the demand on the servers. To keep up the momentum, security procedures were loosened. But even as demand started to even out, security protocols remained lax. In March, the hackers took advantage. They compromised validator nodes, obtaining the private keys of five out of nine validators — just enough signatures to ‘approve’ the theft.
According to the BBC, it took six days and a customer complaint for the team at Ronin to first notice the breach, giving the hackers enough time to start laundering the assets through various means.
The lesson: Don’t decrease security
In order to not disappoint players and risk losing demand, the Ronin Network opened itself and its players up to substantial long-term damage by North Korea’s Lazarus Group. As of now, player reimbursement has still not been guaranteed and the network has not been able to recover the assets. So — no matter how tempting it may be at the time — don’t risk colossal long-term losses for short-term gains.
Heists, hacks and the future of security
Web3 heists and hacks will not go anywhere — to pretend otherwise would be to pretend that there’s a surefire way to stop crime. However, there are ways to make web3 projects less tempting targets for hackers by always implementing specific precautions like:
- Keep private keys private. Keep them in a secure offline location and away from any networked or IoT devices. If they’re not online, they can’t be stolen remotely.
- Run routine security checks. Hackers don’t just have to work for ‘the bad guys’ — they can work for you too. Hire the best to regularly launch full-scale assaults against your systems so they can reveal real vulnerabilities before they become a problem.
- Get sneaky with security updates. There’s a time for transparency — securing your assets from malicious actors is not one of those times. Carefully plan security deployments and make sure you’re not accidentally sending the wrong signals out before the fix is live.
- Don’t take shortcuts. Don’t try to jerry-rig platforms to do something they’re not designed for, or skimp on security so you can boost user engagement. The price of doing things that way is just not worth it.
Keep your DAO, community and content safe
An easily overlooked security concern is web3 authentication. Web3 auth is essential for securing DAO and NFT communities and preventing nefarious actors from accessing your content, conversations, and voting systems.
Book a demo to see how SlashAuth can help you roll out web3 authentication without months of dev work.