May 17, 2024
Security

Anatomy of an Attack: Guide to Hack Detection and Prevention in Web3

An exploit is not a singular event, but rather a process that unfolds over time. Because of that, hacks can be detected in real-time and can be stopped.

Hypernative

The biggest DeFi hack of 2023 started in the most mundane way, with a token transfer. On March 12, at 8:43 a.m. UTC, an address on Ethereum mainnet received 0.968 ETH from Tornado Cash. Over the next 24 minutes, it was used to stage an attack that stole almost $200M from lending platform Euler Finance.

Hypernative's real-time monitoring and response platform saw and recorded every step of the exploit as it unfolded over six discrete attacks. The team was able to identify Euler Finance as the target and notified them of the impending hack 20 seconds before the first exploit transaction. Even with such short notice, Hypernative's automated response would have been able to prevent any loss of funds.

There is a common misconception in Web3 that hacks happen all at once, like a lightning strike. The reality could not be further from the truth, as exploits typically progress through four stages: funding, tooling, attack, and cashing out. The transparency of blockchain networks makes each of these steps detectable with monitoring tools like the Hypernative Platform. If you can see it, you can stop it.

Funding: Follow the Money

In Web3 nothing can be said to be certain except gas fees, to bastardize Ben Franklin's famous idiom. And even the outlaws have to pay the tolls. But money leaves a trail, which is why attackers must use mixers like Tornado Cash or decentralized non-KYC exchanges like FixedFloat.

Funding from suspect or sanctioned origins raises a flag, but it is important to distinguish would-be-attackers from privacy enthusiasts. And an early-warning system is only useful if it combines a high rate of detection with a low false-positive rate. Hypernative Platform's suite of detection engines includes a real-time machine-learning pipeline that can classify contracts based solely on their bytecode, without relying on noisy markers like funding sources.

Tooling: Locked and Loaded

The attacker was gearing up for a flash-loan exploit. Flash loans do not require collateral and let users borrow and repay funds within a single transaction. They are also frequently used to capitalize on vulnerabilities in DeFi protocols. To pull this off, the hacker had to deploy three different contracts.

At 8:50 a.m., two of the contracts went live, 12 seconds apart.

The Hypernative Platform instantly tagged the contracts as suspicious. An automatic real-time simulation using the code from one of the contracts identified Euler Finance as the target, revealed the full attack vector, elevated the threat severity level to "HIGH," and issued an extremely accurate exploit prevention alert.

Had Euler Finance been a customer, the alert would have triggered an automated action that could have paused the protocol and stopped the attack in its tracks.
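The staged progression described above (mixer funding, then contract deployment by the freshly funded address, then a flash loan) is the kind of pattern a stream correlator can escalate on. The following is an added illustration, not Hypernative's code; the addresses, labels, severity ladder and timeline are constructed for the example, and it deliberately keeps a mixer-funded address that never deploys anything at the lowest level, since mixer use alone is a noisy signal.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed labels for flagged origins; the addresses are placeholders, not real ones.
FLAGGED_SOURCES = {"0xMIXER": "mixer", "0xNONKYC": "non-KYC exchange"}
SEVERITY = {"funded": "LOW", "deployed": "HIGH", "attack": "CRITICAL"}

@dataclass
class Event:
    ts: datetime
    kind: str          # "transfer" | "deploy" | "flash_loan"
    actor: str         # address receiving funds, deploying code or borrowing
    source: str = ""   # counterparty for transfers

@dataclass
class Track:
    stages: list = field(default_factory=list)  # stages observed for this address
    severity: str = "NONE"

def correlate(events):
    """Replay a time-ordered event stream and escalate per-address severity as the
    funding -> tooling -> attack stages appear. Returns (tracks, alerts)."""
    tracks, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        t = tracks.setdefault(ev.actor, Track())
        stage = None
        if ev.kind == "transfer" and ev.source in FLAGGED_SOURCES:
            stage = "funded"     # noisy on its own: privacy users also withdraw from mixers
        elif ev.kind == "deploy" and "funded" in t.stages:
            stage = "deployed"   # fresh mixer-funded address shipping bytecode: tooling
        elif ev.kind == "flash_loan" and "deployed" in t.stages:
            stage = "attack"     # tooled-up address taking uncollateralised capital
        if stage and stage not in t.stages:
            t.stages.append(stage)
            t.severity = SEVERITY[stage]
            alerts.append((ev.ts, ev.actor, t.severity, stage))
    return tracks, alerts

def lead_time_seconds(alerts, actor):
    """Seconds between the first HIGH alert and the attack stage for one address,
    i.e. the window a responder has to pause the protocol. None if no HIGH alert."""
    high = [a for a in alerts if a[1] == actor and a[2] == "HIGH"]
    attack = [a for a in alerts if a[1] == actor and a[3] == "attack"]
    if not high or not attack:
        return None
    return (attack[0][0] - high[0][0]).total_seconds()

def T(s):  # helper for the constructed timestamps below
    return datetime.fromisoformat("2023-03-12T" + s)

# Constructed sample stream loosely following the order of events in the article.
SAMPLE = [
    Event(T("08:43:00"), "transfer", "0xATTACKER", "0xMIXER"),
    Event(T("08:45:00"), "transfer", "0xPRIVACYUSER", "0xMIXER"),  # never escalates
    Event(T("08:50:00"), "deploy", "0xATTACKER"),
    Event(T("08:50:12"), "deploy", "0xATTACKER"),
    Event(T("08:50:32"), "flash_loan", "0xATTACKER"),
    Event(T("08:51:00"), "deploy", "0xBUILDER"),  # unfunded deployer: no alert
]
```

The HIGH alert fires at the first deployment, which is where an automated pause hook would be attached; the lead time is the gap between that alert and the flash loan.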

Attack: Pulling the Trigger

The attacker proceeded to take out a 30 million DAI loan from Aave that was then used as the basis of the exploit leveraging Euler Finance’s borrowing capabilities. The first hack transaction resulted in an $8 million loss for the protocol, followed by another $13 million 5 minutes later. Over the span of 17 minutes and six separate attacks, the hacker stole $197 million.

Cashing Out: The Getaway

As every heist movie fan knows, breaking into the vault is only half the job and escaping with the loot can be just as fraught. The sanctioning of Tornado Cash by the US Treasury in August 2022 made getaways much more difficult, but the mixer protocol lives on as smart contracts running on decentralized blockchains out of reach of authorities.

That is why the attacker was able to move some of the funds to Tornado Cash. The hacker also moved 100 ETH to an address that had previously received funds stolen from Axie Infinity's Ronin Bridge, an attack attributed to the North Korean hacking syndicate Lazarus Group.

Luckily for Euler, the hacker agreed to return all of the funds after three weeks of negotiations. While such happy endings are rare, the case highlights the importance of having a security framework in place that covers the whole spectrum of pre-incident, response and post-incident measures, all of which are part of Hypernative's offering to clients.

Ounce of Prevention > Pound of Cure

Smart contracts call for smarter security. Hypernative monitors both onchain and offchain data sources in real time to stop hacks with the fastest and most reliable threat detection and response in Web3. Hypernative Platform accurately identifies over 200 risk types, from smart contract hacks and bridge security incidents to frontend compromises, market manipulation and private key theft.

Hypernative Platform uses battle-tested, sophisticated machine learning models, heuristics, simulations, and graph-based detections to identify threats with high accuracy and give customers precious minutes to respond before exploits can do damage. The system monitors over 25 chains, covering security, technical, financial, governance and other risks. Hypernative Platform detected 99.5% of hacks last year with a false-positive rate below 0.001% and has saved more than $50 million in funds to date.

Over 80 leading Web3 projects rely on Hypernative’s real-time, enterprise-grade platform, which monitors over $37 billion worth of digital assets across 25 chains. The list includes Karpatkey, Starknet, Flare, Messari, Chainalysis, Circle, Galaxy Digital, Ether.fi, Radiant Capital, and more.

Reach out for a demo of Hypernative’s platform, and tune into Hypernative’s blog and social channels to keep up with the latest on cybersecurity in Web3.

Secure everything you build, run and own in Web3 with Hypernative.


Hypernative can protect you from zero-day vulnerabilities, frontend hacks, state actor threats and much more.
