Sugarcane Podcast

Cyber Robbery | Hacks, Anonymity, and White & Black Hats | Ep 12

September 26, 2023 Sugarcane Episode 12

Picture a modern-day bank robbery, but in a digital vault - that's the high-stakes drama we're diving into today on the Sugarcane Podcast. From discussing jaw-dropping hacks like Euler and Curve Finance to dissecting bridge hack incidents involving Ronin, we're exploring the world of crypto security where hackers are the new bank robbers.
Is anonymity in crypto a blessing or a curse? Meet the unsung heroes, the white-hat hackers, who exploit vulnerabilities but return the stolen funds. 

🛡️ The Biggest Crypto Hacks
🌉 Bridging the Gap
🎯 Best Practices
📜 Audits
⚖️ Regulation vs. Community
🎭 Anonymity


Disclaimer: 🚨 The information provided across all of Sugarcane's communication channels is for informational and entertainment purposes only. It should not be construed as financial or investment advice. Consult with a financial professional before making any investment decisions.

Sheldon:

You're listening to the Sugarcane Podcast, where you get all of crypto's tastiest tidbits. Here are your hosts, Sheldon Trotman and Rudy Dogum.

Rudy:

Welcome back for the week of Tasty Tidbits. We are here to talk about something very serious: security and risks in this crypto world. It's a big deal. A lot of money being lost, stolen, hacked, scammed, grifted, whatever it is. It's tough. It's a tough space. It's new. So if there's something new, that means someone's going to find a way to exploit it somehow, and it's not just unique to crypto. It's just making big headlines because crypto is mostly financial and when something does get hacked, it's a pretty big sum of money. So, Sheldon, we've been around this industry for a while and we've seen plenty of hacks happen, but tell me, what hacks have you seen in your lifetime here? What were the biggest ones?

Sheldon:

So a couple of actually even this year, like, for example, Euler, Euler Finance, they got hacked. Must have been in Q1. So actually, like February and March time of this year, they got hacked for about like 200 million dollars, by the way.

Rudy:

And that's like a large sum yeah.

Sheldon:

Now it was an issue with... So Vyper is a programming language that was used to program some of the smart contracts, and there's a vulnerability in the actual programming compiler, in a sense, the way in which the code goes from like raw, human readable code down to like on chain transaction or smart contract code, machine code, and so there's a vulnerability there that people found and took advantage of. Also, more recently than that, there was like Curve, so Curve Finance. That was, isn't it funny to say? But that was one of the smaller large hacks and so that was like about 70 million dollars. That's about it. Yeah, yeah, no, so that one I think I mixed it up.

Sheldon:

So Vyper was, that was Vyper, so Curve, Vyper had an issue and then Euler happened, like with a vulnerability in their smart contracts, so a couple of instruments there and then, kind of across the board, the largest ones, large, large, large ones are mainly bridge hacks, to be honest, like, if you think about, like Ronin. So if people heard about the kind of game called Axie Infinity, a bridge from Ethereum to Ronin, that bridge got hacked and the kind of funny story about that is it took them about like a week to find out that there was actually money lost, and this is not a small sum of money. So they got hacked for about 600 million dollars. So that one happened last year.

Rudy:

Yeah, I'm not gonna add that.

Sheldon:

Yeah, another one that got hacked was so BNB, so the bridge to BNB. It's Binance Smart Chain. That one got hacked somewhere around like 580, 590 million as well. Last but not least, another bridge was like Wormhole, so another bridge to Solana from Ethereum, and so that was also last year as well. That one is about like 300, 320 million. So all these are in like the hundreds of millions of dollars. Primarily bridge hacks. There's a lot of money lost.

Rudy:

It's mobilize, has a lot of national security and Nazi Singhs also lost.

Sheldon:

Yeah, yeah. So that kind of gets into the technical details of like layer ones, or Ethereum, like Solana. These are, even Binance, BSC, so Binance Smart Chain, these are kind of their own settlement layers. So last week, I think, we talked about like settlement layers, like where assets are stored at the base chain. But the thing is that these kind of main L1s don't talk to each other.

Sheldon:

So, like, if you look at like Solana, or if you look at Ethereum, or you look at Bitcoin or you look at BSC, so Binance Smart Chain, these are all four separate chains that there's no cross chain, there's no communication between them.

Sheldon:

So what people do in order to move assets from one chain to another, they go through what's called a bridge, and so the way that works is that if you're coming from Ethereum, for example, and trying to go to Solana, like you have like five US dollars, USDC, what you do is you send it to a smart contract on Ethereum.

Sheldon:

You'd lock it. So you basically send it to a smart contract and say I'm going to push this here, give me it on the other side, on the destination chain, and what happens kind of off chain, or happens outside of Ethereum, outside of Solana, is a computer just listens to on chain events and once it reads that you, as Rudy, locked that five US dollars on Ethereum, it then tells Solana to mint you five US dollars, and so what happens in that scenario is that you now have five dollars that's locked or kind of kept in a smart contract on Ethereum and you have five representation dollars on Solana. That's like the way that works. You can still interact with DeFi on Solana with that five kind of dollars that are still redeemable for the ones that are on Ethereum, and the reason that's a big vulnerability is that it's a huge honeypot now, like money is just sitting in a smart contract, and there's a lot of different vulnerabilities and attack vectors from just being able to take money from that kind of honeypot sitting there on Ethereum.

Rudy:

It's like a cyber bank vault, because that's what it does, right, they just store dollars and then $2 or $3 needed. Not so much anymore because it's so much more digital. But back in the day, you know, bank robbery was probably more lucrative than it is now. But yeah, because, yeah, you just have a bunch of money sitting somewhere and then all of a sudden someone's able to break into it.

Sheldon:

They got a lot of access to it, yeah, and the crazy thing is that, like, since the money is sitting on Ethereum, for example, in that context, if you were to steal the money on Ethereum now, the $5 that is floating around being used in Solana is essentially now backed by nothing, like there's nothing there that they can get back or redeem, and so what typically happens in that scenario is like the money, or the representation of that $5 that is now in Solana, that money, typically like the value, drops to zero because people know they can't get their money back. So it's a huge issue, like a big, big time.

Rudy:

Yeah, yeah, it just devalues it completely and that's sad. I mean it's also just... You can take security practices for yourself, but sometimes you just get stuck with these protocols who just didn't know and just got one swung up, got rug pulled themselves. And what are some of the best practices that someone can take for interacting with these types of protocols that could be at risk?

Sheldon:

Yeah, so if you think about the kind of main ways in which blockchains are hacked or money's lost, in the blockchain context, it's like either through bridges or kind of smart contract vulnerabilities, right? So on the bridge context, typically what you don't want to do is go through an L1 to L1 bridge. So like in the context of going from Ethereum to Solana, you don't typically want to take bridges between those because those two don't really talk to each other, and so if you were to try to go through them, go from Ethereum to Solana, you have to lock assets on one side and get issued assets on another side. So what you want to do is typically go through a solution that gives you what's called native assets on the chain. So like, for example, Circle, or companies that create the USDC. They have native USDC on a number of different chains, like, for example, Ethereum, Arbitrum, Avalanche, so they basically, instead of having you go through a bridge, they basically give you the actual asset on the chain itself. So now, instead of having to lock assets on one chain to go get it on another chain, you have it natively on that chain.

Sheldon:

So that's one alternative, one kind of avenue to avoid the bridge hacks at least, and then on the kind of smart contract vulnerability side of it, just make sure that you use smart contracts or dApps that have, one, been out for a while, so they're kind of Lindy, so they haven't been like really tampered with. They've been out for a while. And two is that there's kind of a long history of like haven't been hacked, right. So like, if you think about like any main application that's out there right now that has hundreds of millions or billions of dollars that are being used within the application, it's a big honeypot as it stands, and so one would assume that there's a lot of hackers that are trying to hack that application. And the fact that it has not been hacked means that it's kind of secure. There's no like 100% secure guarantee, but like just the fact that there's money there that hasn't been taken in quite a long time or hasn't been taken at all gives you some assurance that like it's secure to some degree.

Rudy:

Yeah, and that's the thing too. It's when something is out and brand new, always be cautious about it because it's not tested through the times, and something that has been tested through the times could be more reliable.

Sheldon:

And also one thing I didn't mention is audits, so like... So smart contracts, by their very nature they're public, they're open, and so what companies do before they push out smart contracts is to get audited. So they basically take all their code, they stop working on it and they say, hey, security firm, come and look at my code, make sure there's no issues, no bugs, no problems, before I put it out into the wild. And so what people typically tend to do is just to basically go get their code checked by a third party to make sure they have a stamp of approval that this is legit or this is safe. So look for audits as well, yeah.

Rudy:

So the key thing too is people forget that there are a lot of systems in place that we have, like to put things back into the Web2 world, or, like olden days, olden days, olden days.

Rudy:

Where big manufacturing, for instance, there's checks that happen from OSHA or like different FDA approved companies or whatever else is out there to kind of regulate that these companies are performing as they should be, safely, they're clean, hygienic and they're accurate to what they're saying. And that is something we have to do in crypto, too. It's fun that it's decentralized and permissionless and anyone can use it, and it's exciting. But also we need to effectively keep us safe and keep these companies safe, and I'm wondering, like you know, learning more about what you've experienced, like how do you see the mesh between, I guess, regulatory checks on these crypto companies, making sure they're secure and safe, versus, like, can the crypto community do that? Do it on its own?

Sheldon:

Yeah, um is.

Sheldon:

It's not kind of sad, but right now I think a lot of the regulatory agencies right now are taking a much more like a negative stance to crypto, and so they are going through like enforcement versus like setting clear rules on how people can actually keep themselves secure.

Sheldon:

And so right now at least, it's a bit of an interesting time in the crypto space because regulators are more like attacking the industry versus like supporting, creating regulation around it.

Sheldon:

From that perspective, a lot of the crypto companies and people in the crypto space have actually like taken it upon themselves to create white hat groups, and if there are potential vulnerabilities, they, as a white hat hacker, they basically come out and they basically attack the protocol but basically secure the funds and they basically return them back to the company or the organization that created the product. So it allows people who are using the application to still get their funds back and so the bad actors don't take it and run off with it. So a lot of, like, for example, in the Curve context, that Vyper issue, that kind of vulnerability that was there, a lot of white hat hackers came out, like hacked the actual Curve protocol, took some of the money and actually were able to secure it themselves, and gave it back to the Curve organization. So, um, this is one example of like people taking it on themselves to like keep the whole industry secure for the benefit of the industry, that's so nice.

Rudy:

No, we never. Yeah, you're right.

Sheldon:

It's like you don't hear that. Hundreds of millions of dollars that are, like, available to be taken, and then someone like takes it upon themselves to say they'll even take it and then keep it secure and then give it back, like only in crypto.

Rudy:

You find that it's like, if a bank robber gives you a duffel bag of money and just says, just take this duffel bag of money, it's fine, would you return it to the bank or would you just take it back home with you? What would you do?

Sheldon:

I would return it. I'm a good guy.

Rudy:

Yeah, but it's like, that's the thing too, is like there is a lot of good in people and good in communities, and anything that, wherever you are, and whatever community you are in that you love and care about, you want it to succeed and you do truly want it to grow, and that does mean like helping out however you can, putting in every skill set you have, and our skill sets are building Sugarcane, working here and building this podcast, and people could hack and they can save money for others, and that was a big, big thank you from the whole crypto industry that I'm very thankful for. I remember people really thanking the white hat hackers for providing fuel back with their money. That's, you know, it's a lot of money to lose.

Sheldon:

Yeah, it's kind of interesting, like one thing I realized being in the crypto space for so long, like I've been around since 2016. Right, so, like um, the space is beautiful because, like there's a lot of like wholesome people that are just in it for the idea, the idea of like decentralization and like parts of people and like making sure that people can actually control their own assets, and then, from that perspective, now people are in it to support and help and like, if there are vulnerabilities, given the fact that it is financial in nature, it doesn't stop people from like being better, so people being good and having that like positive perspective.

Rudy:

It's a good space to be in, at least. Yeah, yeah, and that's also the case too, there's a lot of anonymity in crypto and I'm wondering, you know, how does that, you know, help or hurt crypto? I want to know more about what you think about that.

Sheldon:

Yeah, so, um, funny enough, uh, one of the big hackers in the Curve example, uh, they were called coffee Bay, and so, like, uh, everyone like, they white hat hacked like tens of millions of dollars um from Curve and just returned it back to the protocol, back to the company or organization, and so, like, that's one context where, like, a person who is completely anonymous hacked it for the benefit of the space and then gave it back. And so it's one place where, like, that person doesn't really care about the recognition or the popularity from whatever they did. They just want to make sure the space evolves and moves forward. And I think, once you detach like identity from like actions, it does two things. One, it either brings out the worst in people or brings out the best in people, because now the people who actually care about the space evolving and getting better, they can now, instead of having themselves be publicly blasted for it, publicly like um, put in like the limelight for it, do this action and then move the space forward in a positive way.

Sheldon:

Right, and the negative side of it, I'd be kind of remiss not to say, like there are a lot of people who are still anonymous that try to hack companies and hack protocols and they do end up doing it and they can escape. But the kind of exit hash that tends to happen is that now you have a whole industry that's looking to find out who you are, and so there's a lot of like people who are looking at like um IP addresses and kind of addresses that people have interacted with to basically kind of de-anonymize that person, and so the anonymity is still there, but you can still find an industry of people who want to find out who they are and like report them to the law authorities.

Rudy:

Yeah, we want as many cyber Batman people as possible just to come in. Yeah, as caped heroes. Heroes with capes. Yeah, I mean this is definitely an interesting take. I mean I think it's a good thing.

Sheldon:

I mean, I think it's a good thing.

Rudy:

Interesting take, because there's a lot of security and a lot of risks that you have to keep in mind in crypto, and the safest method, as we've said before, is move your holdings onto a hardware wallet or a wallet that you can have full self custody over, and that way, there's no interaction between you and the outside world. Yeah, but if you want to interact, interact with something you're safe and comfortable interacting with. You've researched the company. Or, if you're new, avoid bridges. Avoid bridges and only expend funds that you're willing to risk.

Sheldon:

Yeah.

Rudy:

I think everyone, stay safe out there, because next week we've got some more stuff for you. Tasty tidbits, tasty tidbits.

Crypto Security and Risks
Anonymity and Security in Crypto