Not long after dropping out of college to
pursue a career in cryptocurrencies, Ben Weintraub woke up to some bad news.
Weintraub and two classmates from the University of
Chicago had spent the past few months working on a software platform called
Beanstalk, which offered a stablecoin, a type of cryptocurrency with a fixed
value of $1. To their surprise, Beanstalk became an overnight sensation,
attracting crypto speculators who viewed it as an exciting contribution to the
experimental field of decentralized finance, or DeFi.
Then it collapsed. In April, a hacker exploited a
flaw in Beanstalk’s design to steal more than $180 million from users, one of a
series of thefts this year targeting DeFi ventures. The morning of the hack,
Mr. Weintraub, 24, was home for Passover in Montclair, New Jersey. He walked
into his parents’ bedroom.
“Wake up,” he said. “Beanstalk is dead.”
Hackers have terrorized the crypto industry for
years, stealing Bitcoin from online wallets and raiding the exchanges where
investors buy and sell digital currencies. But the rapid proliferation of DeFi
start-ups like Beanstalk has given rise to a new type of threat.
These loosely regulated ventures allow people to
borrow, lend, and conduct other transactions without banks or brokers, relying
instead on a system governed by code. Using DeFi software, investors can take
out loans without revealing their identities or even undergoing a credit check.
As the market surged last year, crypto users entrusted roughly $100 billion in
virtual currency to hundreds of DeFi projects.
But some of the software was built on faulty code.
This year, $2.2 billion in cryptocurrency has been stolen from DeFi projects,
according to the crypto tracking firm Chainalysis, putting the overall industry
on pace for its worst year of hacking losses.
Many of the thefts have stemmed from flaws in the
computer programs — known as “smart contracts” — that power DeFi. Because smart
contracts use open-source code, which provides a publicly viewable map of the
software, hackers have been able to orchestrate attacks on the digital
infrastructure itself, rather than simply infiltrating someone’s account. It is
the difference between robbing an individual and emptying an entire bank vault.
“DeFi has introduced a whole other level for hackers
to be able to access a platform,” said Erin Plante, vice president of
investigations at Chainalysis. “It’s putting a lot of pressure on the space and
restricting the innovation that’s possible.”
The breaches have shaken faith in DeFi during a grim
period for the crypto industry. An epic crash this spring erased nearly $1
trillion and forced several high-profile companies into bankruptcy. Last week,
the crypto firm Wintermute said its DeFi division had been hacked, leading to
losses of $160 million.
The hacks have prompted many DeFi start-ups to
explore preventive measures, recruiting auditors to examine their code for
vulnerabilities. Even as other types of crypto firms cut costs during the
downturn, security and auditing companies have seen a huge surge in business.
“This year was a good year for attackers,” said
Gonçalo Sá, a founder of ConsenSys Diligence, which conducts code audits. “That
has definitely ingrained in the minds of people that security is something that
they should take seriously.”
From crypto’s inception, companies have struggled
with security. In 2014, the first major Bitcoin exchange, Mt. Gox, was breached
in a damaging attack that eventually led to the company’s bankruptcy and the
loss of billions of dollars in digital currency.
At the time, the industry was relatively small and
uncomplicated. Now hackers can attack a wider ecosystem, including an
experimental economy of crypto-based video games, decentralized lending
projects and newfangled coins. Last year, a hacker stole $600 million from the
DeFi platform Poly Network; the thief eventually returned the money after
negotiations with the project’s leaders.
This year’s hacks have caused far more damage. In
March, a group sponsored by the North Korean government stole $620 million in
digital currency from the Ronin Network, a DeFi platform that powers the video
game Axie Infinity. Around the same time, a hacker exploited a software flaw in
a DeFi project called Wormhole to abscond with $320 million.
“Many people are putting up platforms with a known
vulnerability,” said Chris Tarbell, a former FBI agent who now runs the
cybersecurity firm NAXO. “In a target-rich environment, criminals are going to
be opportunistic.”
The Wormhole hack exploited vulnerabilities in a
novel element of crypto technology known as a cross-chain bridge, which allows
investors to switch back and forth between digital currencies built on separate
blockchains.
The sheer amount of crypto flowing across these
cross-chain bridges makes them valuable targets. A total of 10 hacks this year
have involved bridges, leading to losses of $1.3 billion, according to
Chainalysis.
The technology is “highly complicated, and
complexity is the enemy of security,” said Steve Walbroehl, a founder of the
crypto security firm Halborn.
Beanstalk was not built as a cross-chain bridge. But
it had other vulnerabilities baked into its code.
The project’s inner workings were almost comically
obscure. A white paper outlining its mechanics consists of 61 pages of graphs,
charts, and mathematical equations (as well as a quote from Alexander
Hamilton’s letters).
In essence, Beanstalk allowed people to deposit tens
of millions of dollars in virtual currency into a software system, which
generated interest and helped maintain the value of a stablecoin called a bean.
The project didn’t operate as a traditional startup.
Like many crypto founders, Weintraub and his collaborators — Brendan Sanderson,
25, and Michael Montoya, 24 — kept their identities secret. When the software
was released in August 2021, users who deposited their crypto got votes in an
investor collective called a decentralized autonomous organization, or DAO,
which had to agree to make changes to the software.
Beanstalk’s collective governance was ultimately its
undoing. In April, a hacker borrowed $1 billion of cryptocurrency from another
DeFi project, Aave. The transaction was a so-called flash loan — a
lightning-fast process in which a crypto user borrows funds without posting any
collateral, makes a trade, and then immediately pays back the loan, keeping any
profits generated from the series of near-simultaneous exchanges.
The code that Weintraub and his partners had
designed did not have a mechanism to stop someone from using a flash loan to
take over the platform. So the hacker used the $1 billion to claim a huge stake
in the Beanstalk DAO, taking total control of the software’s governance. Then
the hacker transferred everyone’s funds — a total of nearly $200 million — out
of the Beanstalk system.
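The governance weakness described above, as an added toy model rather than Beanstalk's own code: a DAO that weighs votes by live balances and executes an accepted proposal at once can be controlled by a stake that exists for a single block, while counting votes from a snapshot taken before the proposal and delaying execution behind a timelock removes that path. The participants, balances and simple-majority rule are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict

@dataclass
class ToyDAO:
    """Constructed model of token-weighted governance (not Beanstalk's code)."""
    snapshot_votes: bool      # weigh votes by balances as of the block before the proposal
    timelock_blocks: int      # blocks that must pass between approval and execution
    block: int = 0
    balances: Dict[str, int] = field(default_factory=dict)
    history: Dict[int, Dict[str, int]] = field(default_factory=dict)

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def next_block(self) -> None:
        self.history[self.block] = dict(self.balances)  # balances at end of this block
        self.block += 1

    def _weights(self, proposal_block: int) -> Dict[str, int]:
        if self.snapshot_votes:
            return self.history.get(proposal_block - 1, {})
        return self.balances

    def same_block_control(self, who: str, stake: int) -> bool:
        """Can a stake deposited in the current block propose, win a simple
        majority and execute before the block ends, i.e. within the lifetime
        of a borrowed, momentary balance?"""
        self.deposit(who, stake)
        proposal_block = self.block
        weights = self._weights(proposal_block)
        total = sum(weights.values())
        passed = total > 0 and weights.get(who, 0) * 2 > total
        executable_now = self.timelock_blocks == 0
        return passed and executable_now

def compare_designs() -> Dict[str, bool]:
    """Run the same single-block deposit against the weak and hardened designs."""
    results = {}
    designs = {
        "live votes, no timelock": ToyDAO(snapshot_votes=False, timelock_blocks=0),
        "snapshot votes only": ToyDAO(snapshot_votes=True, timelock_blocks=0),
        "timelock only": ToyDAO(snapshot_votes=False, timelock_blocks=1),
        "snapshot + timelock": ToyDAO(snapshot_votes=True, timelock_blocks=1),
    }
    for name, dao in designs.items():
        dao.deposit("alice", 100)     # constructed existing members
        dao.deposit("bob", 50)
        dao.next_block()              # their balances are now on record
        results[name] = dao.same_block_control("borrower", 1000)
    return results
```

Only the first design returns True: either a vote snapshot or a timelock alone is enough to deny same-block control, and production systems typically use both.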
Panic ensued. “I lost $1 million today,” one
Beanstalk user declared on YouTube. “It happened through beans.”
Ultimately, Weintraub and the other founders decided
to continue the project. They reported the theft to the FBI and held calls with
Beanstalk enthusiasts to find a path forward. In an April post on the chat
forum Discord, they also revealed their identities for the first time.
Over the last few months, the Beanstalk DAO has
worked to restart the project, recruiting blockchain analysis firms to help
track down the lost crypto. The group also hired Halborn, the security firm,
which is reviewing the code to eliminate any vulnerabilities. Beanstalk officially
reopened last month.
“We’ve always been so transparent with the community
that this is an experiment,” Weintraub said. “We’re all figuring this out
together.”
The stolen funds remain missing.
Jordan News