Much has been said about the recent “hacks” in the decentralized finance world, especially in the cases of Harvest Finance and Pickle Finance. That conversation is more than necessary: hackers stole more than $100 million from DeFi projects in 2020, accounting for 50% of all crypto hacks this year, according to a CipherTrace report.
Some point out that the events were merely exploits that shed light on vulnerabilities in the respective smart contracts. The thieves did not really break into anything; they simply walked through a back door that had been left unlocked. By this logic, since the attackers exploited flaws without “hacking” in the traditional sense, the exploitation is supposedly more ethically justified.
But is it so?
The differences between an exploit and a hack
Every exploit starts with a vulnerability. A vulnerability is a weakness that an adversary can take advantage of to compromise the confidentiality, integrity, or availability of a resource.
An exploit is specially crafted code that adversaries use to take advantage of a particular vulnerability and compromise a resource.
Even the use of the word “hack” in reference to blockchain can confuse an industry outsider less familiar with the technology, since security is one of the main selling points of distributed ledger technology. It is true that a blockchain is designed to be a tamper-resistant medium for exchanging information, but nothing is totally uncrackable. There are certain situations in which attackers can gain unauthorized control over a blockchain or the applications built on it. These scenarios include:
- 51% attacks: Such attacks occur when one or more parties gain control of more than half of a proof-of-work network’s hashing power, which lets them rewrite recent history and double-spend coins. It is a very difficult and expensive feat on a large network, but it does happen. Most recently, in August 2020, Ethereum Classic (ETC) suffered three successful 51% attacks in the space of a month.
- Creation errors: These occur when security vulnerabilities or logic errors are overlooked while the smart contract is being written. They are loopholes in the most literal sense of the word: the contract does exactly what its code says, just not what its authors intended.
- Inadequate security: If an attacker simply walks into a system that was deployed with weak security practices, is the intrusion really so bad when the door was left wide open?
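To make the first point concrete, the following is an added example, not part of the original article, that reproduces the attacker catch-up calculation from section 11 of the Bitcoin whitepaper. It computes the probability that a miner controlling a fraction q of the network’s hashing power will eventually overtake the honest chain from z blocks behind. The function and variable names are my own, and the model assumes a proof-of-work chain where the attacker mines a private fork; the point it makes is exactly the 51% threshold: below half the hash power the attacker’s odds shrink exponentially with every confirmation, at or above half they are certain to succeed.

```python
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the hash power
    ever catches up from z blocks behind the honest chain.

    Nakamoto's analysis: the honest lead is a random walk. While the
    attacker is a minority (q < p) it drifts away from them and the
    chance of closing a gap of n blocks is (q/p)**n. At q >= p the
    drift reverses and catching up is a certainty.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hash power")
    if z < 0:
        raise ValueError("z must be a non-negative block count")
    p = 1.0 - q
    if q >= p:
        return 1.0  # majority (or exactly half): catch-up is certain

    ratio = q / p
    # Expected number of blocks the attacker mined while the honest
    # network produced the z blocks the victim waited for.
    lam = z * ratio

    total = 1.0
    poisson = math.exp(-lam)  # P(attacker mined exactly 0 blocks)
    for k in range(z + 1):
        if k > 0:
            # Recurrence Poisson(k) = Poisson(k-1) * lam / k avoids
            # overflowing lam**k / k! for large z.
            poisson *= lam / k
        # Subtract the probability that the attacker mined k blocks AND
        # still fails to close the remaining z - k block gap.
        total -= poisson * (1.0 - ratio ** (z - k))
    return total


def blocks_for_confidence(q: float, max_risk: float) -> Optional[int]:
    """Smallest number of confirmations z such that an attacker with
    hash share q succeeds with probability below max_risk.

    Returns None when q >= 0.5, because no number of confirmations
    protects against a majority attacker.
    """
    if q >= 0.5:
        return None
    z = 0
    while attacker_success_probability(q, z) >= max_risk:
        z += 1
    return z


if __name__ == "__main__":
    # Illustrative table: how confirmations buy safety below 50%,
    # and how the guarantee vanishes at 50% and above.
    for q in (0.10, 0.30, 0.45, 0.50, 0.51):
        needed = blocks_for_confidence(q, 0.001)
        print(f"q={q:.2f}  P(catch up after 6 blocks)="
              f"{attacker_success_probability(q, 6):.6f}  "
              f"blocks for <0.1% risk: {needed}")
```

The whitepaper’s own table is reproduced by this code (for example, with 10% of the hash power an attacker catches up from one block behind about 20% of the time and from five blocks behind less than 0.1% of the time), which is why exchanges wait for a number of confirmations before crediting deposits. The ETC attacks worked precisely because the attacker crossed the 50% line, where the calculation returns 1.0 regardless of how many confirmations the victim waited for.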
Are exploits more ethically justified than hacks?
Many would argue that doing something without permission could not possibly be considered ethical, even if far worse acts could have been committed. This line of reasoning also raises the question of whether an exploit is 100% illegal. For example, a US company registered in the Virgin Islands could be said to be running a legal tax “exploit”: it takes advantage of a gap in the rules, yet nothing about it is considered illegal. There are gray areas and loopholes in any system that people can use for their own benefit, and an exploit can likewise be seen as a loophole in the system.
Then there are cases like cryptojacking, a form of cyberattack in which an attacker hijacks a target’s processing power to mine cryptocurrency on the attacker’s behalf. Depending on whether the owner of the hardware consented, cryptojacking can be malicious or non-malicious.
It is safest to say that exploits are far from ethical. They are also largely avoidable. From the earliest stages of the smart contract development process, teams need to follow the strictest standards and best practices for blockchain development. These standards exist to prevent vulnerabilities, and ignoring them leads to unexpected, and often irreversible, consequences once a contract is live.
It is also essential for teams to test intensively on a testnet before deploying to mainnet. Smart contract audits can be an effective way to detect vulnerabilities, although quality varies widely and many firms offer cheap, shallow audits. The best approach is for projects to obtain multiple audits from independent firms rather than relying on a single report.
The views, thoughts and opinions expressed here are solely of the author and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Pawel Stopczynski is a researcher and R&D director at Vaiot. Previously, he was R&D director and co-founder at Veriori and at UseCrypt. Since 2004, Pawel has been involved in the development of 18 IT projects in Poland and the United Kingdom, targeting the private sector. He has been a speaker at several IT conferences and the organizer of two TEDx conferences. For his work, Pawel received a gold medal at the Concours Lépine International Innovation Fair 2019 in Paris, and a gold medal from the French Minister of Defense.