Cyber Defense eMagazine January Edition for 2022

More documents

Recommendations

Info

Consequences of flash loan attacks Depending on the scale of the attack, consequences can vary. But one thing is certain, the reputational damage is great, and the other protocol users pay the adverse effects. Seemingly never out of the spotlight, C.R.E.A.M. has been attacked three times in 2021, two of which were flash loan attacks. In the case of flash loans, lightning can and does strike the same place twice. The primary and most important consequence is the impact that flash loan attacks can have on other users. DeFi would be nothing without the loyalty and money of the users who are all key players in an intricate autonomous ecosystem. It is presumptuous to assume that victims have available cash to put back into a system that has failed to protect their assets adequately. Questions about whose responsibility it is to ensure that flash loan attacks don’t occur will continue to rise and protocols will rightfully be expected to defend themselves. Is taking preventative measures enough to adequately prove that the platform isn’t responsible if an exploit occurs? A prudent protocol or exchange should also consider a post-exploit action plan, if the worst is to occur. 5 Steps for protocols to take to minimize the likelihood and impact of flash loan exploits The recommendations here align with the three pillars of cyber security: security, vigilance and resilience. 1. Design of the protocol matters Complexity comes with risk. While developing a large smart contract or building a dApp it is difficult to pinpoint loopholes. Therefore, all external calls should be located, to explore if these could serve as a path for the malicious actors in the contracts. In older versions of Solidity, even reading a public field could lead to unsafe external calls that can be easily manipulated. Therefore, developers should always use the stable and updated versions of Solidity. 2. Use a decentralized oracle Oracle manipulations are the biggest cause of flash loan attacks. Smart contracts heavily rely on oracles which provide an effective interface between the contracts and the external source to push the required data. Decentralized Oracles like Chainlink, gather data about prices from multiple sources, which reduces the likelihood of a single data point influencing the oracle. If a platform relies solely on the data of one particular DEX, then its data is at risk of being flawed. Mal Intended users could directly manipulate the price of the singular DEX where the loan price is based off, resulting in loans issued with an inaccurate average price. On the other hand, limited data could form an inaccurate representation of the average market price and thus promote excessive slippage exploitation. Cyber Defense eMagazine – January 2022 Edition 84 Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.
3. Get audited Getting a smart contract audit is one of the most vital steps before launching your product. These audits identify and remediate vulnerabilities in the smart contracts before they can be exploited by someone with malicious intent. Source Consensys Source Certik Due to the interwoven nature of these protocols, just focusing the attention of the audit on the critical components isn’t enough to guarantee their security. A chain is only as strong as its weakest link, perfectly showcased by the recently detected Log4Shell vulnerability. If an audited protocol integrates with, for example, an un-audited bridge, well this might be the gap that a hacker is looking for. If a hole in the code of the platform is found, then it is crucial for the developers to remedy it as soon as possible. It may sound obvious, but apparently it isn’t to everyone. As described in the examples above, in May of 2021, Pancake Bunny was hit resulting in an enormous loss. Just days after, AutoShark was hit in a copy-cat attack, which fortunately resulted in significantly smaller losses. The kicker, however, is that AutoShark officially published its acknowledgement that it was vulnerable to a similar style hack. 4. Participate in a Bug Bounty program Continual vigilance over the smart contracts while they are in operation is critical, especially if updates and integrations are occurring. Offering a bug bounty incentivizes those with ‘hacking skills’ to act ethically. They are prizes for ethical hackers who report holes in code, which they could have exploited. It encourages these white hat hackers to work with the protocols rather than against them. ImmuneFi is a platform that advocates for the rights of white hat hackers. Protocols list their bounty on the database and offer a portal for hackers to submit their findings. It isn’t enough to just offer a few thousand dollars as a bounty. ImmuneFi suggests 10% of TVL. It has to be enough to incentivize a hacker to act ethically when they know they have ‘illegal’ access to a much larger pool of funds. The incentives provided are attractive with a record amount of $10m being offered by BXH after a hack where over $139m was taken. 5. Offer in-App coverage Despite all efforts to prevent a flash loan exploit, there is always a possibility for the event to occur. Proactively educating users about the risks of investing should be the responsibility of the protocols. Do your own research (DYOR) is one of the most thrown-around phrases. However, in the context of deciding which protocols to use, the protocols themselves should do the research about their risks and present these to users in a clear way. The impact of an exploit can cause a serious business crisis if the protocol doesn’t act transparently. By offering in-app coverage, crypto's alternative to insurance, protocols are acknowledging the risks and presenting their users with a discretionary option to mitigate the risks based on their risk appetite. Cyber Defense eMagazine – January 2022 Edition 85 Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.
Page 1 and 2:
“Owning Your Identity” Through
Page 3 and 4:
WatchGuard Technologies’ 2022 Pre
Page 5 and 6:
@CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 7 and 8:
Cyber Defense eMagazine - January 2
Page 9 and 10:
MUST ATTEND REPLAY AVAILABLE ON-DEM
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34: Cyber Defense eMagazine - January 2
Page 39 and 40: But in spite of this threat, consum
Page 41 and 42: How To Thwart Fraud with Phone Numb
Page 43 and 44: mutable and dynamic by continually
Page 45 and 46: Phishing: How To Improve Cybersecur
Page 47 and 48: organizations gather data all in on
Page 49 and 50: offers comprehensive firmware prote
Page 51 and 52: Why Hackers Attack Mobile Devices a
Page 53 and 54: the network. This is a good indicat
Page 55 and 56: About the Author Nicole Allen, Mark
Page 57 and 58: Know your customer As spam and phis
Page 59 and 60: Microsoft Successfully Defended The
Page 61 and 62: However, you can’t rely 100% on t
Page 63 and 64: Why Americans Joined Europe in Not
Page 65 and 66: Have a good backup policy. A good p
Page 67 and 68: Secure Apart from reporting, the af
Page 69 and 70: Taking a hard look at the current s
Page 71 and 72: There are plenty of organizations t
Page 73 and 74: 5. The impact of the talent shortag
Page 75 and 76: The industry is already embracing a
Page 77 and 78: WatchGuard Technologies’ 2022 Pre
Page 79 and 80: Users, especially professionals, ha
Page 81 and 82: What Are DeFi Flash Loans & How to
Page 83: DeFi hackers can easily exploit fla
Page 87 and 88: Protecting Critical Infrastructure
Page 89 and 90: • They use penetration tools to g
Page 91 and 92: Three Key Facts About AI-Driven Net
Page 93 and 94: About the Author Eyal Elyashiv is t
Page 95 and 96: Tyler Farrar, CISO, Exabeam “What
Page 97 and 98: Protecting unstructured data will l
Page 99 and 100: change again before they’re done.
Page 101 and 102: Samantha Humphries, head of securit
Page 103 and 104: Due to their successes, adversaries
Page 105 and 106: Paul Farrington, chief product offi
Page 107 and 108: In 2022, it is going to become cruc
Page 109 and 110: Our Cyber Defenses Need to Be Battl
Page 111 and 112: the exploitation aspect, but if tes
Page 113 and 114: 12 Tips for Improving Access Contro
Page 115 and 116: weak passwords. Password management
Page 117 and 118: Four Cybersecurity Predictions Fede
Page 119 and 120: 4. Cyber Funding Gets Granular In F
Page 121 and 122: Of course, these recommendations ar
Page 123 and 124: Cybersecurity Tips to Help Your Org
Page 125 and 126: Organizations can achieve true cybe
Page 127 and 128: quarter. Put simply, any organizati
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Free Monthly Cyber Defense eMagazin
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
THE Q1/Q2 GAME CHANGER… CYBERDEFE
show all

Cyber Defense eMagazine January Edition for 2022

Create successful ePaper yourself

Delete template?

Save as template?