Cyber Defense eMagazine July Edition for 2022
Cyber Defense eMagazine July Edition for 2022 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, Editor-in-Chief and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES
Take the Deus Finance exploit as an example, in which an attacker drained close to $16 million USD in funds. Deus had had its smart contracts audited, but the attacker targeted a new, unaudited smart contract with a flash loan attack. Through this attack the hacker was able to move the price of Deus' DEI token and profit from that predictable price action. They did so by manipulating a lending pool that the oracle, the component that supplies the contract with the external price data it acts on, relied on to determine the token's price.
Now, any auditor worth their salt would warn you of the dangers of an oracle that derives a price from a single trading pair: the reserves of a pair can be pushed within one transaction by anyone holding a large enough flash loan, so the price it reports is only as trustworthy as the pool is deep. However, since the vulnerable smart contract was outside the scope of the initial audit, the auditors were never given a chance to highlight the problem.
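To make the oracle problem concrete, here is an added example (not code from the article, from Deus, or from CertiK) that simulates a constant-product DEI/USDC pool, a flash-loan-sized swap, and two oracle designs side by side: a naive spot-price read taken mid-transaction, and a Uniswap-V2-style cumulative time-weighted average price (TWAP). The pool reserves, the loan amount and the block numbers are constructed, and the arithmetic is the standard x*y=k invariant with fees omitted.

```python
"""Constant-product pool with a spot-price oracle and a TWAP oracle, used to show
how a single-transaction flash loan moves one but not the other.
Constructed example: reserves, loan size and block numbers are made up."""
from dataclasses import dataclass


@dataclass
class Pool:
    """x * y = k pool for DEI against USDC. Fees are omitted so the numbers stay round."""
    reserve_dei: float
    reserve_usdc: float

    def spot_price(self) -> float:
        """USDC per DEI implied by the current reserves: what a naive oracle reads."""
        return self.reserve_usdc / self.reserve_dei

    def swap_usdc_for_dei(self, usdc_in: float) -> float:
        """Sell USDC into the pool; returns the DEI received."""
        k = self.reserve_dei * self.reserve_usdc
        new_usdc = self.reserve_usdc + usdc_in
        new_dei = k / new_usdc
        dei_out = self.reserve_dei - new_dei
        self.reserve_usdc, self.reserve_dei = new_usdc, new_dei
        return dei_out

    def swap_dei_for_usdc(self, dei_in: float) -> float:
        """Sell DEI into the pool; returns the USDC received."""
        k = self.reserve_dei * self.reserve_usdc
        new_dei = self.reserve_dei + dei_in
        new_usdc = k / new_dei
        usdc_out = self.reserve_usdc - new_usdc
        self.reserve_dei, self.reserve_usdc = new_dei, new_usdc
        return usdc_out


class TwapOracle:
    """Uniswap-V2-style cumulative price oracle.

    On the first interaction in each block it accrues (price at the end of the
    previous block) * (blocks elapsed). Consumers read the average over a block
    window, so a price that exists only inside one transaction never enters the sum."""

    def __init__(self, pool: Pool, block: int):
        self.pool = pool
        self.cumulative = 0.0
        self.last_block = block
        self.snapshots = {block: 0.0}  # block -> cumulative at the start of that block

    def update(self, block: int) -> None:
        elapsed = block - self.last_block
        if elapsed > 0:
            self.cumulative += self.pool.spot_price() * elapsed
            self.last_block = block
            self.snapshots[block] = self.cumulative

    def twap(self, start_block: int, end_block: int) -> float:
        """Average price over the blocks [start_block, end_block)."""
        return (self.snapshots[end_block] - self.snapshots[start_block]) / (end_block - start_block)


def run_flash_loan_attack(loan_usdc: float = 1_000_000.0):
    """Borrow USDC, push the pool, read both oracles, unwind, repay.
    Returns (honest spot, spot read mid-attack, TWAP read in the next block)."""
    pool = Pool(reserve_dei=1_000_000.0, reserve_usdc=1_000_000.0)
    oracle = TwapOracle(pool, block=0)
    for block in range(1, 11):          # ten quiet blocks at the true price of 1.0
        oracle.update(block)

    oracle.update(11)                   # the attack transaction lands in block 11
    honest_spot = pool.spot_price()
    dei_bought = pool.swap_usdc_for_dei(loan_usdc)      # flash-loaned USDC buys DEI
    manipulated_spot = pool.spot_price()                # a spot oracle is read here
    pool.swap_dei_for_usdc(dei_bought)                  # unwind and repay (no fee)

    oracle.update(12)                   # next block: the pool is already back to normal
    twap_price = oracle.twap(2, 12)
    return honest_spot, manipulated_spot, twap_price


if __name__ == "__main__":
    print(run_flash_loan_attack())
```

With a 1,000,000 USDC loan against 1,000,000/1,000,000 reserves the spot oracle reports 4.0 mid-transaction while the TWAP still reports 1.0, because the pool was restored before the accumulator was next updated. A TWAP raises the attacker's cost from "one flash loan" to "hold a manipulated price across several blocks while arbitrageurs trade against you"; it is a mitigation, not a guarantee, since a thin pool can still be pushed for several blocks, which is why audits typically recommend a feed that aggregates several independent sources.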
Deus should serve as a clear warning to projects that they must treat smart contract audits as an ongoing part of their security framework and have their code re-audited every time a significant change is made to the project. Yet not all audits are equal. Time and again we see well-planned projects suffer from the flaws of bad auditing.
Take the recent FEG exploits as an example. The FEG (Feed Every Gorilla) hyper-deflationary governance meme token was recently hit by two flash loan attacks which collectively drained $3.2 million USD from the protocol over the course of two days.
In each attack the hacker (or hackers) targeted the same vulnerability in FEG's smart contract. CertiK's analysis of the exploit found that the root cause was a flaw in the token's Swap-To-Swap function, which takes the user-supplied "path" parameter as a trusted party without any sanitization. In simple terms, this flaw allowed the hacker to call the function repeatedly, gaining an unlimited allowance over the contract's tokens each time, and so drain the contract of its assets.
Perhaps most frustratingly for FEG, this flaw should have been detected by a smart contract audit. FEG did have its smart contracts audited, and the auditors should have noticed that the untrusted "path" parameter is passed into the protocol and approved for spending the contract's assets. Any good audit would flag this as a major-severity finding and advise the project to act on it and amend the code accordingly.
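The path-as-spender pattern, modelled as an added example: this is constructed code, not FEG's contract, and the `swap_to_swap` function, the `Router` stand-in and the string addresses are hypothetical. A toy ERC-20 ledger stands in for the token; `VulnerableProtocol.swap_to_swap` approves whatever address the caller passes as `path`, while `HardenedProtocol.swap_to_swap` only approves a registered router, only for this swap's amount, and clears the allowance afterwards.

```python
"""Toy ERC-20 ledger showing why a caller-supplied `path` address must never be
the spender a contract approves. Constructed example, not FEG's code."""

MAX_UINT = 2**256 - 1


class Token:
    """Just enough of ERC-20 to model approve / transferFrom."""

    def __init__(self, balances):
        self.balances = dict(balances)          # address -> balance
        self.allowance = {}                     # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT:                  # "infinite" approvals are not decremented
            self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Router:
    """Stand-in for a DEX router: pulls tokens from the caller via transferFrom."""
    ADDRESS = "router"

    def __init__(self, token):
        self.token = token

    def swap(self, owner, amount):
        self.token.transfer_from(self.ADDRESS, owner, self.ADDRESS, amount)
        return amount                            # pretend a 1:1 swap


class VulnerableProtocol:
    """Approves whatever `path` the caller passes to spend the contract's balance."""
    ADDRESS = "protocol"

    def __init__(self, token, routers):
        self.token = token
        self.routers = routers                   # address -> Router (hypothetical registry)

    def swap_to_swap(self, path, amount):
        # BUG: `path` is trusted as the spender; an attacker passes their own address.
        self.token.approve(self.ADDRESS, path, MAX_UINT)
        router = self.routers.get(path)
        return router.swap(self.ADDRESS, amount) if router else 0


class HardenedProtocol(VulnerableProtocol):
    """Only a registered router may be the spender, and only for this swap's amount."""

    def swap_to_swap(self, path, amount):
        router = self.routers.get(path)
        if router is None:
            raise ValueError("path is not a registered router")
        self.token.approve(self.ADDRESS, path, amount)
        out = router.swap(self.ADDRESS, amount)
        self.token.approve(self.ADDRESS, path, 0)  # leave no standing allowance behind
        return out


def drain(protocol, attacker="attacker"):
    """Attacker passes itself as `path`, then spends the allowance it was granted.
    Returns how much of the protocol's balance ended up with the attacker."""
    token = protocol.token
    try:
        protocol.swap_to_swap(path=attacker, amount=1)
        loot = token.balances[protocol.ADDRESS]
        token.transfer_from(attacker, protocol.ADDRESS, attacker, loot)
    except (ValueError, PermissionError):
        pass
    return token.balances.get(attacker, 0)


def demo_drain(hardened: bool):
    """Fresh protocol holding 1,000,000 tokens; returns the amount the attacker steals."""
    token = Token({"protocol": 1_000_000})
    router = Router(token)
    cls = HardenedProtocol if hardened else VulnerableProtocol
    return drain(cls(token, {Router.ADDRESS: router}))


def demo_legit_swap(hardened: bool, amount=100):
    """Honest swap through the registered router; returns (output, allowance left over)."""
    token = Token({"protocol": 1_000_000})
    router = Router(token)
    cls = HardenedProtocol if hardened else VulnerableProtocol
    protocol = cls(token, {Router.ADDRESS: router})
    out = protocol.swap_to_swap(path=Router.ADDRESS, amount=amount)
    return out, token.allowance.get((protocol.ADDRESS, Router.ADDRESS))


if __name__ == "__main__":
    print("vulnerable:", demo_drain(False), demo_legit_swap(False))
    print("hardened:  ", demo_drain(True), demo_legit_swap(True))
```

Against the vulnerable contract `demo_drain(False)` returns the whole 1,000,000 balance, and even an honest swap leaves an unlimited allowance standing in the router's favour; the hardened version rejects the attacker's `path` and leaves no allowance after a legitimate swap. Validating the spender against an allow-list and scoping approvals to the amount in hand are exactly the two findings an auditor should raise when they see a user-controlled address handed to `approve`.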
There is a lesson to be learned here for the crypto-security industry: as hackers continue to find new and ingenious ways to exploit projects, it is no longer enough for auditors to update their checks only in response to new attacks. Instead, they must constantly be improving their tooling so that when a new class of attack appears they are already prepared for it.
Both of these exploits highlight not only the need for rigorous and regular smart contract audits, but also the need for a proactive, consistent, end-to-end approach to web3 security. This amounts to a shift towards viewing security as something to be built and maintained rather than just a label to be bought and sold. This applies to the teams who need to be updating their project's security in tandem with their
Cyber Defense eMagazine – July 2022 Edition 209
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.