“A highly profitable trading strategy” was how hacker Avraham Eisenberg described his involvement in the Mango Markets exploit that occurred on Oct. 11.
By manipulating the price of the decentralized finance protocol’s underlying collateral, MNGO, Eisenberg and his team took out infinite loans that drained $117 million from the Mango Markets Treasury.
Desperate for the return of funds, developers and users alike voted for a proposal that would allow Eisenberg and co. to keep $47 million of the $117 million exploited in the attack. Astonishingly, Eisenberg was able to vote for his own proposal with all his exploited tokens.
This is something of a legal gray area, as code is law, and if you can work within the smart contract’s rules, there’s an argument saying it’s perfectly legal. Although “hack” and “exploit” are often used interchangeably, no actual hacking occurred. Eisenberg tweeted he was operating within the law:
“I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are.”
However, to cover their bases, the DAO settlement proposal also asked that no criminal proceedings be opened against them if the petition was approved. (Which, ironically, may be illegal.)
Eisenberg and his merry men would reportedly go on to lose a substantial portion of the funds extracted from Mango a month later in a failed attempt to exploit DeFi lending platform Aave.
How much has been stolen in DeFi hacks?
Eisenberg is not the first to have engaged in such behavior. For much of this year, the practice of exploiting vulnerable DeFi protocols, draining them of coins and tokens, and using the funds as leverage to bring developers to their knees has been a lucrative endeavor. There are many well-known examples of exploiters negotiating to keep a portion of the proceeds as a “bounty” as well as to have liability waived. In fact, a report from Token Terminal finds that over $5 billion worth of funds has been stolen from DeFi protocols since September 2020.
High-profile incidents include the $190-million Nomad Bridge exploit, the $600-million Axie Infinity Ronin Bridge hack, the $321-million Wormhole Bridge hack, the $100-million BNB Cross-Chain Bridge exploit and many others.
Given the apparently endless stream of bad actors in the ecosystem, should developers and protocol team members try and negotiate with hackers to attempt to recover most of the users’ assets?
Should you negotiate with hackers? Yes.
One of the greatest supporters of such a strategy is no other than ImmuneFi CEO Mitchell Amador. According to the blockchain security executive, “developers have a duty to attempt communication and negotiation with malevolent hackers, even after they have robbed you,” no matter how distasteful it may be.
“It’s like when someone has chased you into an alley, and they say, ‘Give me your wallet,’ and beat you up. And you’re like, ‘Wow, that’s wrong; that’s not nice!’ But the reality is, you have a responsibility to your users, to investors and, ultimately, to yourself, to protect your financial interest,” he says.
“And if there’s even a low percentage chance, say, 1%, that you can get that money back by negotiating, that’s always better than just letting them run away and never getting the money back.”
Amador cites the example of the Poly Network hack last year. “After post-facto negotiations, hackers returned back $610 million in exchange for between $500,000 to $1 million in bug bounty. When such an event occurs, the best and ideal, the most effective solution overwhelmingly, is going to be negotiation,” he says.
For CertiK director of security operations Hugh Brooks, being proactive is better than reactive, and making a deal is only sometimes an ideal option. But he adds it can also be a dangerous road to go down.
“Some of these hacks are obviously perpetrated by advanced persistent threat groups like the North Korean Lazarus Group and whatnot. And if you are negotiating with North Korean entities, you can get in a lot of trouble.”
However, he points out that the firm has tracked 16 incidents involving $1 billion in stolen assets, around $800 million of which was eventually returned.
“So, it’s certainly worth it. And some of those were voluntary returns of funds initiated by the hacker themselves, but for the most part, it was due to negotiations.”
Should you negotiate with hackers? No.
Not every security expert is on board with the idea of rewarding bad actors. Chainalysis vice president of investigations Erin Plante is fundamentally opposed to “paying scammers.” She says giving in to extortion is unnecessary when alternatives exist to recover funds.
Plante elaborates that most DeFi hackers are not after $100,000 or $500,000 payouts from legitimate bug bounties but frequently ask upward of 50% or more of the gross amount of stolen funds as commission. “It’s basically extortion; it’s a very large amount of money that is being asked for,” she states.
She instead encourages Web3 teams to contact qualified blockchain intelligence companies and law enforcement if they find themselves in an incident.
“We’ve seen more and more successful recoveries that are not publicly disclosed,” she says. “But it’s happening, and it’s not impossible to get funds back. So, in the end, jumping into paying off scammers may not be necessary.”
Should you call the police about DeFi exploits?
There is a perception among many in the crypto community that law enforcement is pretty hopeless when it comes to successfully recovering stolen crypto.
In some cases, such as this year’s $600-million Ronin Bridge exploit, developers did not negotiate with North Korean hackers. Instead, they contacted law enforcement, who were able to quickly recover a portion of users’ funds with the help of Chainalysis.
But in other cases, such as in the Mt. Gox exchange hack, users’ funds — amounting to approximately 650,000 BTC — are still missing despite eight years of extensive police investigations.
Amador is not a fan of calling in law enforcement, saying that it’s “not a viable option.”
“The option of law enforcement is not a real option; it is a failure,” Amador states. “Under those conditions, typically, the state will keep what it has taken from the relevant criminals. Like we saw with enforcement actions in Portugal, the government still owns the Bitcoin they’ve seized from various criminals.”
He adds that while some protocols may wish to use the involvement of law enforcement as a form of leverage against the hackers, it’s actually not effective “because once you’ve unleashed that force, you cannot take it back. Now it’s a crime against the state. And they’re not just going to stop because you negotiated a deal and got the money back. But you’ve now destroyed your ability to come to an effective solution.”
Brooks, however, believes you are obligated to get law enforcement involved at some point but warns the results are mixed, and the process takes a long time.
“Law enforcement has a variety of unique tools available to them, like subpoena powers to get the hacker’s IP addresses,” he explains.
“If you can negotiate upfront and get your funds back, you should do that. But remember, it’s still illegal to obtain funds through hacking. So, unless there was a full return, or it was within the realm of responsible disclosure bounty, follow up with law enforcement. In fact, hackers often become white-hats and return at least some money after law enforcement is alerted.”
Plante takes a different view and believes the effectiveness of police in combating cybercrime is often poorly understood within the crypto community.
“Victims themselves are often working confidentially or under some confidential agreement,” she explains. “For example, in the case of Axie Infinity’s announcement of funds recovery, they had to seek approval from law enforcement agencies to announce that recovery. So, just because recoveries aren’t announced doesn’t mean that recoveries aren’t happening. There’s been a number of successful recoveries that are still confidential.”
How to fix DeFi vulnerabilities
Asked about the root cause of DeFi exploits, Amador believes that hackers and exploiters have the edge due to an imbalance of time constraints. “Developers have the ability to create resilient contracts, but resiliency is not enough,” he explains, pointing out that “hackers can afford to spend 100 times as many hours as the developer did just to figure out how to exploit a certain batch of code.”
Amador believes that audits of smart contracts, or one point-in-time security tests, are no longer sufficient to prevent protocol breaches, given the vast majority of hacks have targeted audited projects.
Instead, he advocates for the use of bug bounties to, in part, delegate the responsibility of defending protocols to benevolent hackers with time on their hands to level out the edge: “When we started on ImmuneFi, we had a few hundred white-hat hackers. Now we have tens of thousands. And that is like an incredible new tool because you can get all that enormous manpower protecting your code,” he says.
For DeFi developers wanting to build the most secure outcome, Amador recommends a combination of defensive measures:
“First, get the best people to audit your code. Then, place a bug bounty, where you will get the best hackers in the world, to the tune of hundreds of thousands, to check your code in advance. And if all else fails, build a set of internal checks and balances to see if any funny business goes on. Like, that’s a pretty amazing set of defenses.”
Brooks agrees and says part of the issue is there are a lot of developers with big Web3 ideas but who lack the required knowledge to keep their protocols safe. For example, a smart contract audit alone is not enough — “you need to see how that contract operates with oracles, smart contracts, with other projects and protocols, etc.”
“That’s going to be far cheaper than getting hacked and trying your luck at having funds returned.”
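The layered defenses Amador and Brooks describe above (internal checks for “funny business” and attention to how a contract behaves with its oracles), as an added illustration that is not code from Mango Markets or any firm quoted in this article: a Python model of a lending market’s risk guard, with hypothetical names and a constructed price series. It refuses a borrow when the spot price diverges from a median reference, values collateral at the lower of the two prices, and caps total borrows against any one collateral asset.

```python
from collections import deque
from dataclasses import dataclass, field
from statistics import median


@dataclass
class CollateralRiskGuard:
    """Hypothetical risk guard for a lending market (constructed example)."""
    max_deviation: float      # tolerated gap between spot and reference, e.g. 0.10 = 10%
    borrow_cap: float         # hard cap on total loans backed by this collateral
    window: int = 12          # number of recent price observations kept as reference
    prices: deque = field(default_factory=deque)
    total_borrowed: float = 0.0

    def observe_price(self, price: float) -> None:
        self.prices.append(price)
        if len(self.prices) > self.window:
            self.prices.popleft()

    def reference_price(self) -> float:
        # A median ignores a single pumped observation better than a mean would.
        return median(self.prices)

    def check_borrow(self, units: float, spot: float, loan: float) -> tuple:
        ref = self.reference_price()
        if ref <= 0 or abs(spot - ref) / ref > self.max_deviation:
            return False, "price deviation: spot %.2f vs reference %.2f" % (spot, ref)
        value = units * min(spot, ref)   # never value collateral at an inflated spot
        if loan > value:
            return False, "collateral value %.2f too low for loan %.2f" % (value, loan)
        if self.total_borrowed + loan > self.borrow_cap:
            return False, "borrow cap %.2f would be exceeded" % self.borrow_cap
        self.total_borrowed += loan
        return True, "ok"


def scenario() -> list:
    """Constructed sequence: honest borrow, sudden price spike, sustained spike."""
    guard = CollateralRiskGuard(max_deviation=0.10, borrow_cap=1_000_000)
    for p in (0.03, 0.031, 0.03, 0.029, 0.03):       # quiet market
        guard.observe_price(p)
    results = [guard.check_borrow(10_000_000, 0.03, 250_000)]
    guard.observe_price(0.90)                         # spot pumped 30x in one block
    results.append(guard.check_borrow(10_000_000, 0.90, 8_000_000))
    for _ in range(12):                               # spike held long enough to move the median
        guard.observe_price(0.90)
    results.append(guard.check_borrow(10_000_000, 0.90, 8_000_000))
    return results
```

Holding the price up long enough to drag the reference along defeats the deviation check, which is why the per-asset borrow cap sits behind it as a second, independent limit.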
Stand your ground against thieves
Plante says crypto’s open-source nature makes it more vulnerable to hacks than Web2 systems.
“If you’re working in a non-DeFi software company, no one can see the code that you write, so you don’t have to worry about other programmers looking for vulnerabilities.” Plante adds, “The nature of it being public creates those vulnerabilities in a way because you have bad actors out there who are looking at code, looking for ways they can exploit it.”
The problem is compounded by the small size of certain Web3 companies, which, due to fundraising constraints or the need to deliver on roadmaps, may only hire one or two security experts to safeguard the project. This contrasts with the thousands of cybersecurity personnel at Web2 firms, such as Google and Amazon. “It’s often a much smaller team that’s dealing with a big threat,” she notes.
But startups can also take advantage of some of that security know-how, she says.
“It’s really important for the community to look to Big Tech firms and big cybersecurity firms to help with the DeFi community and the Web3 community as a whole,” says Plante. “If you’ve been following Google, they’ve launched validators on Google Cloud and became one on the Ronin Bridge, so having Big Tech involved also helps against hackers when you’re a small DeFi project.”
In the end, the best offense is defense, she says — and there’s an entire population of white-hat hackers ready and willing to help.
“There’s a community of Certified Ethical Hackers, which I am a part of,” says Erin. “And the ethos of that group is to look for vulnerabilities, identify, and close them for the larger community. Considering many of these DeFi exploits aren’t very sophisticated, they can be resolved before extreme measures, such as waiting for a break-in, theft of funds and requesting a ransom.”