There has been a lot of talk about the recent “hacks” in the DeFi realm, particularly in the case of Harvest and Pickle Finance. That talk is more than necessary, considering hackers stole more than $100 million from DeFi projects in 2020, accounting for 50 percent of all hacks this year, according to a CipherTrace report. Some point out that the occurrences were merely exploits that shone light on the vulnerabilities of the respective smart contracts. The thieves didn’t really break into anything, they just happened to casually walk through the unlocked back door. By this logic, since the hackers exploited flaws without actually hacking in the traditional sense, the act of exploiting is ethically more justifiable.
But is it?
The differences between an exploit and a hack
Security vulnerabilities are the root of exploits. A security vulnerability is a weakness an adversary could take advantage of to compromise the confidentiality, availability, or integrity of a resource.
An exploit is the specially crafted code adversaries use to take advantage of a certain vulnerability and compromise a resource.
Even mentioning the word “hack” in reference to blockchain might baffle an industry outsider less familiar with the technology, because security is one of the centerpieces of distributed ledger technology’s mainstream appeal. It’s true blockchain is an inherently secure medium of exchanging information, but nothing is totally unhackable. There are certain situations in which hackers can gain unauthorized access to blockchains. These scenarios include:
- 51-percent attacks: Such hacks occur when one or more hackers gain control over half of the computing power. It’s a very difficult feat for a hacker to achieve, but it does happen. Most recently in September, Ethereum Classic faced three successful 51-percent attacks in the span of a month.
- Creation errors: When security glitches or errors go overlooked during creation of the smart contract. These scenarios present loopholes in the most potent sense of the term.
- Insufficient security: When hacks are done through gaining undue access to a blockchain with weak security practices, is it really as bad if the door was left wide open?
Are exploits more ethically justifiable than hacks?
Many would argue that doing anything without consent cannot possibly be considered ethical. Such acts also don’t become ethical because of worse acts that could have been committed. That logic also raises the question as to whether an exploit is 100-percent illegal. For example, having a U.S. company registered in the Virgin Island’s can also be seen as performing a legal tax “exploit,” though it isn’t considered outwardly illegal. As such, there are certain grey areas and loopholes in the system that people can use for their own benefit, and an exploit can also be seen as a loophole in the system.
Then there are cases such as cryptojacking, which is a form of cyberattack in which a hacker hijacks a target’s processing power to mine cryptocurrency on the hacker’s behalf. Cryptojacking can be malicious, or non malicious.
It may be safest to say that exploits are far from ethical, and they only get a point for being less disastrous than their counterpart. They are also entirely avoidable. In the early stages of the smart-contract creation process, it’s important to follow the strictest standards and best practices of blockchain development. These standards are set to prevent vulnerabilities, and ignoring them can lead to unexpected effects. There are many ways in which smart contracts can be exploited. It’s vital for teams to fully understand each attack vector and vulnerability before building. It is also vital for teams to have intensive testing on a testnet. Smart contract audits can also be an effective way to detect vulnerabilities, though there are many audit companies that issue audits for little money. The best approach would be for companies to get several audits from different companies.
By: Pawel Stopczynski, R&D Director of VAIOT
The VAIOT Website, Platforms, Solutions, and Services, and in particular VAI Tokens, are not offered for use and purchase to natural and legal persons having their permanent residence or their seat of incorporation in any of the restricted areas as listed in VAIOT’s Whitepaper, in particular: USA, Germany, Puerto Rico, US Virgin Islands, Canada, China, Singapore, Afghanistan, Central African Republic, Cuba, Democratic Republic of the Congo, Eritrea, Iran, Iraq, Libya, North and South Korea, Somalia, South Sudan, Sudan, Yemen, Zambia (Restricted Areas).
