Security Issues With Crypto Assets

Crypto security faces major challenges, including social engineering attacks, code vulnerabilities, storage threats, and non-compliance risks. Learn how to stay safe in this guide.

Crypto security is an issue that has bedeviled the Web3 space. On one side are millions of investors looking to profit from a fast-evolving blockchain world; on the other are malicious actors driven by greed to steal millions from those investors.

Statistics from blockchain security firms paint a picture of an industry with a severe security problem. For instance, Hacken's figures for Q1 2024 alone show 67 major hacks and about $824.4 million in assets lost. The same report projected that about $3.3 billion would be stolen by the end of 2024, a massive increase from the $1.9 billion stolen the previous year.

Even as the blockchain space grows, hackers are devising new ways to steal from investors. In this guide, I explore the major security challenges associated with crypto and offer a few tips on how to stay safe.

Social Engineering Attacks Leading to Scams

Social engineering attacks manipulate people into doing something they should not, such as:

  • Sharing private information.
  • Following fake web links.
  • Downloading harmful software.
  • Sending funds to criminal organizations.

In crypto, social engineering attacks most often take the form of scams.

A scam is any scheme by a malicious actor to trick you into handing over your money or assets. These fraudulent schemes prey on unsuspecting victims with promises of abnormal returns: the scammer sets up social media accounts and web pages and uses fake or paid celebrity endorsements to make the project look legitimate.

Such fraudulent schemes have been part of the crypto sector since its early days, and investors have lost billions to them. Below are some of the more common types of crypto scams:

1. Phishing Scams

Here a malicious actor sends an investor emails or messages containing links. The links look legitimate, but clicking them leads to a page built to capture the person's wallet credentials or to get them to approve a transaction that empties their wallet.

Victims are typically lured into entering their private keys, seed phrase or login details into a fake web page. For instance, a malicious party can clone the Binance exchange's login page and then send the target an email or SMS promising airdrops or other rewards.

A few years ago, scammers set up the page https://www.Binance.com.com and promoted the link on Facebook; anyone who logged in there handed over their Binance credentials. The tell is in the hostname: the registrable domain is com.com, not binance.com. Extra labels can only ever be added to the left of the real domain, so anything appearing to the right of binance.com is a different site.

If you click the fake link and enter your login details, the attacker uses them to drain your wallet or account.

2. Rug Pulls

A rug pull is a scam that primarily preys on your fear of missing out (FOMO) on new investments.

What are rug pulls? 

In this scam, a project team raises large sums from unsuspecting investors and then abandons the project, leaving investors holding worthless tokens. The name comes from the idiom "to pull the rug out from under someone."

How does this happen?

Crypto project developers lure investors with the promise of high returns, usually from a newly launched token.

After launching the token, the team runs aggressive social media marketing campaigns to convince investors that it will deliver high returns.

These campaigns are designed to make you feel that if you do not invest now, you will miss out on huge profits. Once the targeted volume of investment is reached, the team abandons the project, usually taking the token's liquidity with it.

For this reason, it is essential to check the project's security audit status before investing, and to look at whether the team still holds a mint or pause function over the token and whether its liquidity is locked.

3. Romance Scams

In this type of scam, the attacker preys on the victim's emotions. The scammer manipulates the target over time, building trust and an emotional connection.

The attacker poses as a potential romantic partner, engaging in conversation and creating a sense of intimacy.

Over time, the scammer introduces the idea of investing in a crypto project promising high returns. This process takes an extended period to come to fruition, since the scammer's aim is to establish trust first.

4. Impersonation Scams

Here a fraudster impersonates well-known crypto figures on social media, such as Elon Musk, Vitalik Buterin or former Binance CEO Changpeng Zhao. These are influential names, and any mention of them can immediately inspire trust.

Under the guise of the well-known personality, the attacker then promises investment opportunities and giveaways. What investors do not realize is that the whole thing is a scheme to steal crypto from their wallets.

5. Pyramid Schemes

A pyramid scheme is a fraud in which scammers promise investors high returns for recruiting other investors. In reality, the money from new recruits is used to pay the returns promised to the earlier investors. As more money comes in, trust grows because the earlier investors can show proof of payment.

By the time the third, fourth or fifth generation of investors joins, the supply of new recruits can no longer cover the promised payouts, and the whole scheme collapses.

OneCoin remains the largest pyramid scheme in the history of crypto. Launched in 2014 by Ruja Ignatova and Sebastian Greenwood, OneCoin promised investors good returns through mining, a wallet and a payment system.

It later emerged that there was no blockchain or payment system behind OneCoin at all.

Between 2016 and 2017, OneCoin's troubles became apparent as regulators and other stakeholders warned against the scheme, and it was discovered that investors' funds were never invested.

Authorities estimate that by the time OneCoin collapsed, investors had lost a cumulative $4 billion, making it the single biggest scam in crypto.

How Can You Mitigate Against Social Engineering Attacks?

As established above, social engineering attacks prey on a victim's ignorance, FOMO or emotions. So how do you steer clear of this threat?

The most fundamental thing is to exercise caution. If an offer seems too good to be true, it most likely is. Thoroughly research any project or person promising high returns.

Before you invest, research the project thoroughly, then check your findings again. Use social networks and other available tools to do it.

When researching, what should you focus on to avoid falling prey to such a scam? Here are a few things to look into:

  • The project team: the history of its members and their social networks.
  • The token economics of the project.
  • Market performance on the charts.
  • The project's web page.
  • The project's audit status.

Also verify that the sources of any information or communication you receive are legitimate. Clicking links from unverified or untrusted sources exposes you to more risk, so do not engage with emails from unverified senders.

Code Vulnerabilities

Another widespread security risk for blockchain users is vulnerabilities in code and smart contracts. A code vulnerability is a flaw in a project's code that attackers can exploit to disrupt network operations or steal funds.

According to a recent PTSecurity report, 17% of cyber attacks prey on vulnerabilities associated with web applications. The report suggests that about 72% of vulnerabilities result from code flaws.

Although those statistics are not specific to blockchain applications, they show how much risk code vulnerabilities carry. That brings us back to blockchain projects.

Like any other software, smart contracts and blockchains are written in code. A smart contract is a program deployed on a blockchain that executes an agreement automatically, without intermediaries.

In a perfect world, smart contracts would be the most efficient form of agreement. Yet, like other software, they suffer from vulnerabilities introduced by errors in their code, and because a deployed contract is usually immutable and holds funds directly, a single bug can be exploited immediately and irreversibly.

Below are a few of the most common types of vulnerabilities in smart contracts and blockchains:

1. Reentrancy Attack

A reentrancy vulnerability lets an external contract call back into the calling contract before the original function call has finished. The vulnerable contract makes an external call (for example, sending ETH) while its own state is still half-updated, and the callee uses that window to invoke the contract again.

When a withdraw function sends funds before it records that the balance has been paid out, an attacker can re-enter withdraw repeatedly from the callback and drain the contract.

Picture this: a contract pays out to a recipient. An ETH transfer to a contract address runs that contract's receive or fallback function, and some token standards (ERC-777, and ERC-721 via onERC721Received) notify the recipient through a hook. In either case, control passes to the recipient in the middle of the transaction. A plain ERC-20 transfer such as UNI has no such hook and does not hand over control.

If the recipient is an attacker's contract, its callback can call straight back into the sender: either the same function, or any other function that relies on the state that has not yet been updated.

Forms of reentrancy attacks

  • Single-Function Reentrancy: the attacker re-enters the same function that made the external call (typically withdraw) before its first invocation completes.
  • Cross-Function Reentrancy: the attacker re-enters a different function of the same contract that shares state with the function that made the external call, for example calling transfer while withdraw is mid-execution and the balance has not yet been decremented.
  • Cross-Contract Reentrancy: two contracts share state, for instance one reads the other's balances. If the first contract makes an external call before updating that shared state, the attacker can re-enter the second contract, which acts on the stale value.
  • Read-Only Reentrancy: the attacker re-enters a third contract that only reads the victim's state through a view function, such as a price or pool-share getter. The re-entrant call modifies nothing in the victim, but the reader acts on a stale value and can, for example, misprice collateral.
  • Cross-Chain Reentrancy: occurs when a protocol is deployed on several chains connected by a bridge, for example on Ethereum and BSC. An attacker exploits a flaw in how the bridge settles transfers to get the same asset credited on more than one chain, for instance by minting copies of an NFT on each chain, turning a unique asset into a duplicable one.

2. Lacking Access Control

Another issue smart contracts can suffer from is missing access control.

Here the contract does not restrict who can call sensitive functions, so unauthorized parties can change state variables and execute critical operations. Anyone can withdraw funds or change the owner, whereas normally only the contract owner or a designated role should be able to.

The story of the MEV bot Oxbad illustrates this well: an anonymous attacker drained it of 1,101 ETH because a sensitive function had no access control.

According to the Hacken report cited earlier, access control breaches were the most prevalent vulnerability class in Q1 2024, accounting for $682 million in losses.

Aside from reentrancy and missing access control, other code issues expose smart contracts to attack, including:

  • Missing input validation: functions that do not check their arguments (zero addresses, out-of-range amounts, unexpected callers) behave unpredictably.
  • Unchecked send: send and low-level call return false rather than reverting when a transfer fails. If the contract ignores that return value, it records the payout as complete and the user's funds are lost.
  • Integer overflow/underflow: before Solidity 0.8, arithmetic wrapped silently, so subtracting 1 from a balance of 0 produced the maximum uint256 value and let an attacker claim assets they never held. Solidity 0.8 and later revert on overflow, unless the code opts out with an unchecked block.
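The missing access control described at the start of this section and the unchecked send and integer underflow from the list above, in one added Solidity example that is not from the original article: VulnerableTreasury exhibits all three defects, SafeTreasury fixes each one. Contract and function names are assumptions for illustration, and the unchecked block exists only to reproduce the pre-0.8 wraparound, since Solidity 0.8 reverts on overflow by default.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable (hypothetical): anyone can take over or sweep the contract,
// failed sends are ignored, and balance arithmetic runs unchecked.
contract VulnerableTreasury {
    address public owner;
    mapping(address => uint256) public balances;

    constructor() {
        owner = msg.sender;
    }

    // Missing access control: any caller can make themselves owner.
    function setOwner(address newOwner) external {
        owner = newOwner;
    }

    // Only the owner is *supposed* to call this, but nothing enforces it.
    function sweep(address payable to) external {
        to.transfer(address(this).balance);
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Unchecked send: if `to` rejects ETH, send() returns false instead of
    // reverting, but the balance was already zeroed, so the funds are lost.
    function withdrawTo(address payable to) external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        to.send(amount); // return value ignored
    }

    // Underflow: unchecked restores wraparound, so 0 - 1 becomes 2**256 - 1
    // and the caller ends up with an enormous balance.
    function transfer(address to, uint256 amount) external {
        unchecked {
            balances[msg.sender] -= amount;
            balances[to] += amount;
        }
    }
}

// Hardened: owner-only modifier, checked sends that revert on failure,
// and explicit balance checks with default checked arithmetic.
contract SafeTreasury {
    address public owner;
    mapping(address => uint256) public balances;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    function sweep(address payable to) external onlyOwner {
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "sweep failed");
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdrawTo(address payable to) external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                      // effect before interaction
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");                // revert restores the balance
    }

    function transfer(address to, uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount; // checked arithmetic would revert anyway
        balances[to] += amount;
    }
}
```

In VulnerableTreasury an attacker calls setOwner on themselves and then sweep, or simply calls sweep directly; in SafeTreasury both revert with "not owner". The withdrawTo fix relies on require reverting the whole transaction, which is what undoes the zeroed balance when the recipient cannot accept ETH.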

How Can You Mitigate Code Vulnerability Threats?

While code vulnerabilities expose crypto projects to severe problems, there are things that developers and stakeholders can do to mitigate the risks. 

Firstly, developers and technically minded stakeholders can review the smart contract code themselves. Understanding the code lets you spot potential weak points that could compromise the contract's integrity before a malicious actor does.

Secondly, reputable projects have their contracts audited before public launch: trusted firms review the code to find and fix flaws before they turn into incidents.

Firms like Certik, Hacken, and Trail of Bits have built a good reputation for elevating crypto security by auditing smart contracts and blockchain project code before release.

As a user of a contract, check its audit status before investing. If a project has not published evidence of an audit, it is safer to stay away. Bear in mind that an audit is a point-in-time review of a specific version: check that the deployed contract's verified source matches the audited commit, and that the issues the auditors flagged were actually fixed.

Thirdly, bug bounty programs. Crypto projects with the financial means use bug bounties to bolster contract security: ethical hackers probe the contract for weaknesses and are rewarded for each flaw they responsibly report.

Storage Threats: Vulnerable to Hacks

Crypto storage mechanisms and wallets are another source of vulnerability. Since the dawn of crypto, thousands of wallets, individual and institutional, have been hacked, leading to massive losses.

Wallets are typically grouped into hot and cold. Hot wallets are connected to the Internet, while cold wallets keep the private keys on a device that is never online. That Internet connection is what makes hot wallets reachable by attackers, through malware, phishing pages and compromised devices.

Wallets provided by crypto exchanges are also hot wallets, and in most cases the exchange, not you, holds the private keys. As the adage goes, "Not your keys, not your coins."

Hot and custodial wallets expose their users to various security risks, including hacks.

So what separates a hack from a scam? As discussed above, scams deceive people into making fraudulent investments or handing over their wallet details themselves.

A hack, by contrast, is when an attacker gains unauthorized access to a wallet or exchange and steals funds without the victim's cooperation. Hacks usually exploit a vulnerability in the wallet software, the exchange's infrastructure or its key-management process.

How to Mitigate Asset Storage Vulnerabilities

You can protect yourself from asset storage vulnerabilities by doing the following:

  • Do not leave assets in exchange wallets unless you are actively trading.
  • Keep long-term holdings off hot wallets; use a hardware wallet such as Ledger, and verify every destination address on the device's own screen before confirming.
  • Back up your seed phrase offline and never type it into a website or app.
  • Use two-factor authentication wherever it is offered, preferring an authenticator app or hardware key over SMS codes.
  • Use any other security features your wallet service supports, such as withdrawal address allowlists.

Non-compliance Risks

Another issue posing a severe risk in the cryptocurrency universe is non-compliance: a failure to comply with the regulations that apply to the platform.

Projects that fail to comply with regulations set by government watchdogs risk enforcement action and put their clients at high risk of losing money. Here are the key points to consider:

  • Anti-Money Laundering (AML) and Know Your Customer (KYC) Compliance: financial service providers are required to implement robust AML and KYC procedures to curb illicit finance. Some crypto platforms have deliberately ignored these requirements, making themselves possible centers for money laundering, fraud, terrorist financing and other illegal activity. If a wallet or project is tagged as supporting illicit finance, all clients on the platform could come under legal scrutiny.
  • Transparency and Reporting: in many jurisdictions, financial platforms must report openly on their status. That helps regulators track transactions and spot potential risks or suspicious behavior. Investing in projects that fail to meet reporting and transparency requirements sets you up for possible losses.

A lack of compliance could mean the following:

  • Investors are not protected.
  • Watchdogs can take action against the project and its users, leading to frozen or lost funds.

Mitigating Non-compliance Risks

Understanding the regulations reduces the chance of being hurt by non-compliance. In some countries, including the US, the legal landscape remains unsettled, with no comprehensive framework yet in place for trading crypto assets.

However, a crypto network's priority should be to strictly follow the rules already in place, as they exist to protect investors. Where the requirements include KYC and AML, project teams must adhere to them.

Everyone else can protect themselves by using platforms that comply with the existing regulations.

Final Word: The Crypto Security Dilemma

Since the early days of crypto, security has been an enormous problem. This guide has explored the major issues associated with crypto assets: social engineering, code vulnerabilities, storage threats and non-compliance risks.

While some security problems are the result of network and system vulnerabilities, others are plainly the fault of investors. So, as an investor, exercise a high degree of caution when dealing with crypto.
