Solutions
Go Back

Make Security Possible

Reduce Alert Noise and False Positives

Boost your team's productivity by cutting down alert noise and false positives.

Automate Security Operations

Boost efficiency, reduce burnout, and better manage risk through automation.

Dark Web Monitoring

Online protection tuned to the need of your business.

Maximize Existing Security Investments

Improve efficiencies from existing investments in security tools.

Beyond MDR

Move your security operations beyond the limitations of MDR.

Secure with Microsoft 365 E5

Boost the power of Microsoft 365 E5 security.

Force-Multiply Your Security Operations

Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Security Operations Platform
Go Back

The GreyMatter Platform

Detection Investigation Response

Modernize Detection, Investigation, Response with a Security Operations Platform.

Threat Hunting

Locate and eliminate lurking threats with ReliaQuest GreyMatter

Threat Intelligence

Find cyber threats that have evaded your defenses.

Model Index

Security metrics to manage and improve security operations.

Breach and Attack Simulation

GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.

Digital Risk Protection

Continuous monitoring of open, deep, and dark web sources to identify threats.

Phishing Analyzer

GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.

Unify and Optimize Your Security Operations

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Explore the GreyMatter Platform
Resources
Go Back

Resources

Blog

Company Blog

Case Studies

Brands of the world trust ReliaQuest to achieve their security goals.

Data Sheets

Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.

eBooks

The latest security trends and perspectives to help inform your security operations.

Industry Guides and Reports

The latest security research and industry reports.

Podcasts

Catch to the latest cybersecurity perspectives, tutorials and industry discussions with various guest speakers.

Solution Briefs

A deep dive on how ReliaQuest GreyMatter addresses security challenges.

Threat Advisories

The latest threat research report from ReliaQuest Photons research team.

Upcoming & On-Demand Webinars

Upcoming and on-demand webinars addressing the latest challenges and solutions security analysts must know.

White Papers

The latest white papers focused on security operations strategy, technology & insight.

Videos

Current and future SOC trends presented by our security experts.

ReliaQuest Resource
Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

We bring our best attitude, energy and effort to everything we do, every day, to make security possible.

Executive Leadership

Security is a team sport.

Careers

Join our world-class team.

Press and Media Coverage

ReliaQuest newsroom covering the latest press release and media coverage.

Become a Channel Partner

When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.

Contact Us

How can we help you?

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Generic selectors

Exact matches only

Exact matches only

Search in title

Search in title

Search in content

Search in content

Search in excerpt

Post Type Selectors
Hidden

Hidden

Hidden

Hidden

Back to blog

Vulnerable smart contracts and fake blockchains: What do investors need to know?

Roman Faithfull 10 November 2021

Well, here we are again. Another blog on a topic that’s often spoken about but little understood: cryptocurrency. Cryptocurrency-related decentralized finance (DeFi) is seeing unprecedented interest from retail and institutional investors alike. Both the cybercriminal-friendly Bitcoin and Ether, the token for the Ethereum blockchain, have hit all-time highs this week. The price of cryptocurrency tokens such as Solana and Cardano has exploded in recent months. And so-called “meme” coins like DogeCoin and Shiba Inu are attracting an ever-increasing number of retail investors to the scene. More and more money is pouring into the cryptosphere, and if you’re a regular reader of this blog, you’ll know that where there’s money, there’s crime. While DeFi grants users greater financial “freedom” by removing the influence of centralized institutions like banks, investors often have no legal recourse if they lose their funds through fraud or a hack. In this blog, we’ll look at one of the many ways cybercriminals seek to profit from this space: by exploiting vulnerabilities in smart contracts.

What are smart contracts?

Essentially, a smart contract is a binding agreement between two parties written in code that can execute itself (i.e., it does not require a third party to enforce it). For example, a smart contract could be programmed to release payment once someone confirms receipt of delivered goods. You couldn’t break the terms of the contract without breaking the code in which it is written. Compare this to a non-smart contract, such as a lease for an apartment. Although it would be unwise, there’s nothing that actually stops you from not paying your rent on time. You’ll suffer consequences, sure, but the piece of paper on which your lease contract is written doesn’t actually enforce the terms – a bailiff does. It’s the same with eating food at a restaurant. You enter into a verbal contract with the patron to pay for what you’ve eaten, but the police will have to get involved if you try to dine and dash.

*No need for heavy-handed enforcement with a smart contract; the code* is *the law* *and* ***enforces*** *the law*

In the case of cryptocurrency, a smart contract is a set of instructions that will be followed once time or financial conditions are met. For instance, it could stipulate that once a cryptocurrency is worth a specified amount per coin e.g. when ETH 1 = USD 10,000, a percentage of funds locked into the contract will be released to a certain wallet. Once the conditions are met, the cryptocurrency will be released from the contract and recorded on the blockchain (the public ledger recording cryptocurrency transactions). There are two ways in which smart contracts can be vulnerable.

“Ignorantly” vulnerable smart contracts

With some basic knowledge and the requisite capital, anyone can write a smart contract on popular blockchains such as Ethereum or Binance Smart Chain; qualifications or advanced coding skills are not required. As a result, authors may write contracts that they do not realize are vulnerable, just as a poorly written law might have unintended loopholes in it. As you can imagine, cybercriminals seek out vulnerable smart contracts, often exploiting the contract so that they receive the funds locked into it. As there’s no central authority to which victims could appeal, there’s no way for them to get their funds back.

Cybercriminal outfits often comprise various threat actors with specialized roles, and those looking to exploit smart contract vulnerabilities are no different. It’s a large and highly specialized ecosystem. There are threat actors who discover vulnerable contracts, those who develop and execute exploits for these vulnerabilities, and others who direct unsuspecting investors into entering into these contracts. We found one user on a prominent cybercriminal forum advertising their services as a “smart contracts hacker for hire” (see Figure 1). They sought a partner to identify vulnerable contracts for them, acknowledging that “finding contracts is not a simple process.” Forum threads relating to uncovering and exploiting these vulnerabilities receive lots of attention from users, and articles on the topic usually place highly during forum articles competitions.

*Figure 1. Cybercriminal forum user advertises smart contract hacking services*

Smart contracts written on newer, less time-tested blockchains are even more vulnerable. Insecurities could allow attackers to steal exposed wallet API keys, flood the network with spam transactions (a sort of blockchain DoS), and carry out 51% attacks (when a individual or group gains control of over 50% of a blockchain’s mining power), which could all result in investors being unable to withdraw their funds, or even in the draining of these funds into attackers’ wallets. In this case, even if your smart contract is coded correctly, if the blockchain on which it is written is vulnerable, so is your contract. This is a serious and widespread problem, although some protocols are doing their best to keep their code clean. In October, the company behind Polygon, a protocol and a framework for building and connecting Ethereum-compatible blockchain networks, paid a record USD 2 million bug bounty to an ethical hacker who discovered a flaw in the network. This flaw could have allowed an attacker to release more than USD 850 million in funds.

It’s important to do your due diligence before you use a smart contract. Examine the code in which the contract is written for anything that looks untoward or erroneous, such as a spelling or calculus mistake. Like non-smart legal contracts, one small typo in the code could have massive ramifications; it could allow for arbitrary code execution, or could simply release more funds than you expected. If you don’t understand the code, get a trusted and capable entity to do it for you. Reviewing the code should always be possible: DeFi smart contracts are open-source, so an inability to review the code is a huge red flag. You should also find out whether the blockchain has a record of previous dodgy dealings (does it have a solid bug bounty program, or was it previously involved in scandals?) or is a favored target of cybercriminals.

“Maliciously” vulnerable smart contracts

We’ve all heard that cryptocurrency is volatile and that investors stand to lose all their funds. One of the reasons for this volatility, aside from the widely speculative nature of the market and the fluctuations in global mining power, is the fact that the cryptosphere is very much a Wild West, in which anyone, provided they have the know-how and the capital, can create a blockchain. There really isn’t much to stop adversaries from creating an intentionally insecure blockchain. They can then encourage victims to enter into easily exploitable smart contacts or carry out so-called “rug pull” attacks, in which the blockchain’s creator manipulates the market by holding a large proportion of the blockchain’s coin supply, artificially inflating the value of the coin as the available supply to other investors decreases, and then selling off their holdings before the market can react. In traditional finance this would be known as insider trading or market manipulation.

An established user on one Russian-language cybercriminal forum recently sought partners with “experience in creating their own coins and PR for them” with the aim of getting a “meme” coin listed on a cryptocurrency exchange (see Figure 2). This threat actor likely intended to conduct a “pump and dump” scheme or rug-pull attack.

*Figure 2. Cybercriminal forum user seeks partners for getting their coin listed on an exchange*

We also observed one forum user commenting on how easy it was to get a coin listed on an exchange. They wrote that it would be enough to provide a positive impression of a coin to an exchange and then “provide BNB 300 [USD 167,821] to their liquidity pool”. Several forum members have also provided guides on using a freshly listed cryptocurrency to conduct airdrop scams, a sophisticated phishing attack whereby malicious tokens generate fake error messages that redirect holders to phishing pages.

And it doesn’t stop there. Provided an adversary has sufficiently developed social engineering and marketing skills, they can get unwitting investors to buy coins for “cryptocurrencies” that don’t even have a blockchain. There are numerous articles on cybercriminal forums that tell users how to construct fake blockchains and market them to (mostly retail) investors. Perhaps the most famous example of such a scam is OneCoin, a Ponzi scheme promoted as a cryptocurrency by Bulgaria-based offshore companies that defrauded investors out of billions from 2014 to 2016.

*Figure 3. Cybercriminal forum user shares their guide for creating a fake blockchain API*

Aside from making their own dubious blockchains, some attackers seek to create intentionally malicious smart contracts on established blockchains such as Ethereum or Binance Smart Chain. In September 2021, one forum user offered USD 2,500 for an “Ethereum smart contract developer” to write a script that would automatically withdraw balances from Ethereum wallets. Again, if you end up the victim of such an attack, there’s no running to law enforcement to get your funds back – that money is gone.

Even the exchanges themselves are at risk. In March 2014, Mt. Gox, a massive Bitcoin exchange, filed for bankruptcy due to legal action by traders, who had lost USD 460 million and alleged that their operation was fraudulent. Although the exchange initially claimed it had been hacked, the CEO was later charged for fraud and embezzlement. Even when exchanges are totally legitimate, cybercriminal bug hunters are constantly on the lookout for vulnerabilities within them. Digital Shadows (now ReliaQuest) (now a ReliaQuest company) recently found one cybercriminal forum user advertising a proof of concept for a two-factor authentication bypass vulnerability in a large cryptocurrency trading platform (see Figure X). The more money is loaded onto these exchanges, the more likely cybercriminals will be to target them.

*Figure 4. Cybercriminal forum user advertises a proof of concept for a vulnerability in a cryptocurrency exchange.*

In all situations, it is imperative that cryptocurrency investors educate themselves on the risks involved with cryptocurrency and the threat cybercriminals pose to cryptocurrency exchanges, blockchains, and the smart contracts written on them. It’s worth reiterating that you are your own bank here – all the required reading and research that banks and their employees must take on is now your responsibility. Knowledge is power here, more than ever. Of course, it’s tough to keep on top of all the ways in which adversaries are seeking to part cryptoinvestors from their funds, but Digital Shadows (now ReliaQuest) (ReliaQuest) constantly scours all corners of the dark web to make sure our clients are aware of the new angles of attack.

To stay in the know about recent cybercriminal developments, request a demo of ReliaQuest GreyMatter Digital Risk Protection. Digital Risk Protection (DRP) clients receive real-time, actionable intelligence updates relating to new attack types, including analysis from our team of global analysts and intelligence on new posts to platforms across open and closed sources.

Roman Faithfull

Cyber Threat Intelligence Analyst

Roman Faithfull is a Cyber Threat Intelligence Analyst. He’s held various OSINT and foreign language instruction roles. His background is in Russian criminal culture, geopolitics, and language learning. He speaks 15 different languages and loves to travel when he’s not hard at work.

Explore Blogs