Are you as knowledgeable as these experts when it comes to blockchain, cryptocurrency and cyber security? In this exceptional interview, the authors of Cyber Hacking in the Worlds of Blockchain and Crypto delve into the inspiration behind their book, its key highlights and the invaluable insights that it offers CISOs and cyber security professionals.
Grab a cup of coffee and prepare to enrich your understanding with a wealth of new information. Join us for a deep-dive into the dynamic world of blockchain and cryptocurrency security!
Congratulations on the publication of your book. What inspired you to write it?
Over the past couple of years in our roles as cyber security researchers, we’ve observed a significant uptick in cyber criminal activity targeting blockchain platforms. A report by CNBC highlighted that a staggering $14 billion in cryptocurrencies was pilfered by hackers in 2021 alone. This prompted us to shift our focus toward understanding the intricacies of cyber attacks within the blockchain ecosystem. What we uncovered was a captivating, yet vulnerable, technological landscape.
Recognizing these vulnerabilities, we took it upon ourselves to identify and disclose numerous security flaws that were being exploited in attacks on blockchain platforms. It became clear that there’s a substantial knowledge gap in the area of blockchain security. The escalating threats and multitude of vulnerabilities have led to colossal financial losses, underscoring the need for more information on this topic.
With this in mind, we decided to author a book aimed at blockchain developers, information security professionals, and anyone with a keen interest in technology and cryptocurrency.
Could you please provide a brief overview of what you address in the book?
In this work, authors Oded, Roman and Dikla provide a unique vantage point on blockchain technology, examining it through the lens of both hackers and cyber security researchers, while also exploring the underlying network technologies.
The opening chapter offers an in-depth look at what blockchain technology entails, along with a comprehensive exploration of its various protocols.
In the subsequent chapter, we focus on the programming language Solidity, delving into its mechanics at the bit and byte level. Here, readers will gain hands-on experience in crafting a smart contract, from writing the code to deploying it on a blockchain network.
The third chapter is dedicated to identifying security vulnerabilities in the blockchain ecosystem and understanding how these weak points have been exploited in real-world attacks on smart contracts.
Throughout the book, readers will encounter code snippets, exercises, challenges, and labs designed to provide practical insights and guide them every step of the way.
What unique perspectives do each of you bring to this book, given your individual experiences and expertise?
Oded’s perspective:
“As the head of a vulnerability research team, my role in this book is to provide a comprehensive understanding of the ever-evolving threat landscape. Drawing from years of experience in managing research into various forms of vulnerabilities, I focus on outlining strategies to identify, mitigate, and defend against potential security risks in blockchain technologies. My contribution offers an overarching view that ties together the technical details and real-world implications, providing readers with a well-rounded understanding of the subject.”
Dikla’s perspective:
“As a senior security expert, my specific forte lies in dissecting the complexities of blockchain technology, with a keen focus on smart contract vulnerabilities. My expertise isn’t just broad but deeply specialized, offering readers an in-depth look at the mechanics of blockchain networks—from how transactions are verified through consensus algorithms, to how decentralized applications function. Where my contribution becomes particularly critical is in the area of smart contracts. I delve into the granular details of how smart contracts can be exploited, security gaps, and other vulnerabilities. Through this focus, I aim to provide readers with a layered understanding that covers both the overarching blockchain ecosystem and the critical, nuanced area of smart contract security.”
Roman’s perspective:
“My role as a senior security expert focuses on the tactical aspects of blockchain security. I delve into the practicalities of how vulnerabilities are actually exploited, offering a hacker-centric viewpoint. This involves breaking down high-profile security breaches to dissect the methods and tactics employed by attackers. The goal is to provide readers with a tactical understanding of the kinds of threats they should be prepared for, and how best to defend against them.”
Together, the combined expertise of Oded’s managerial and research skills, Dikla’s deep technical understanding, and Roman’s practical insights into the hacker mindset offer readers a multi-dimensional, comprehensive guide to understanding blockchain security.
The book features specific real-world scenarios. Could you share one example that highlights the kind of practical insights that readers can expect to find in your book?
In the book, we delve deep into an array of real-world scenarios that have shaken the cryptocurrency and financial landscapes. One particularly riveting case we examine is the Terra Luna crash, a catastrophic event that wiped out approximately $60 billion from the crypto ecosystem in a single day.
We dissect this incident meticulously, explaining the intricate workings of the Terra network and its algorithmic stablecoin, TerraUSD (UST). By understanding how Luna and UST were interdependent, and how their unique arbitrage mechanisms were designed, we set the stage for revealing the critical vulnerabilities that led to the collapse. For instance, we discuss how the decision to rely solely on algorithmic stabilization for UST, without any real-world asset backing, exposed the system to a spiral of negative feedback loops that eventually broke the peg and triggered a liquidity crisis.
But we don’t just stop at identifying the problem. We also delve into the key lessons that can be gleaned from this disaster—ranging from the importance of robust risk management strategies to the need for transparent governance. The book explores how market psychology can turn from an asset into a liability, how algorithmic mechanisms can both stabilize and destabilize and how legal and regulatory frameworks are lagging behind the rapid innovations in the crypto world.
By meticulously dissecting the Terra Luna crash, our aim is to arm readers with deep technical insights into blockchain architecture, algorithmic stablecoins, and decentralized financial systems. This isn’t merely an exercise in understanding the flaws that led to this catastrophe; it’s a blueprint for enhancing the robustness, security, and resilience of future blockchain networks. The case study serves as a vivid demonstration of how technological design choices can have cascading impacts across an entire ecosystem. Whether you’re a developer, researcher, or decision-maker in the blockchain space, the goal is to equip you with the knowledge to identify vulnerabilities and implement safeguards to prevent or mitigate such systemic failures in future projects.
One specific focus in the book is unpacking hackers’ logic. Why and how do hackers become pros when it comes to identifying security vulnerabilities within blockchain and cryptocurrency technologies?
“In the book, we take a deep dive into the hacker mindset, especially as it pertains to blockchain and cryptocurrency vulnerabilities. Hackers excel in this area for a few reasons. First, they often have an in-depth understanding of the blockchain protocols and algorithms, enabling them to spot weak points that others might overlook.
Second, they’re highly motivated. The financial incentives are enormous given the billions in circulation within the crypto ecosystem. But it’s not just about money; there’s a prestige factor in hacking high-profile blockchain projects that drives them to innovate continually.
Third, they use a multi-faceted approach. They engage in rigorous testing, sometimes in less secure or sandboxed environments, and even use social engineering to exploit human vulnerabilities. They’re also incredibly adaptable, updating their techniques to match the fast-paced evolution of blockchain technology.
By understanding how hackers think and operate, we can better secure blockchain technologies against a range of vulnerabilities. Our aim is to provide the reader with the knowledge needed to identify risks and implement effective countermeasures, enhancing the overall security and resilience of blockchain systems.
What mindset or skills do hackers have that give them an advantage in this field?
In the realm of blockchain and cryptocurrencies, hackers have a unique set of skills and a particular mindset that give them a distinct advantage. First and foremost, they are incredibly curious. They want to understand how systems work, down to the smallest detail, and that includes how these systems can be broken and fixed. This curiosity is coupled with a high level of persistence. They’re willing to put in the long hours to explore various angles, run multiple tests, and iterate until they find a vulnerability.
Another mindset attribute is their risk tolerance. They’re willing to venture into uncharted territories, even if it means navigating legal or ethical gray areas. And they’re remarkably adaptable, always staying ahead of the curve as blockchain technologies evolve. Many are also community-oriented, engaging with like-minded individuals to share knowledge, tools, and even collaborate on more complex projects.
When it comes to skills, their technical proficiency is often top-notch, spanning programming languages, cryptography, and network security. Their analytical abilities are razor-sharp, enabling them to dissect complex systems and understand both their strengths and vulnerabilities. Some are also skilled in social engineering, using psychological tactics to exploit human weaknesses in addition to technological ones.
So, by merging this unique mindset and skill set, hackers are particularly well-equipped to uncover vulnerabilities in blockchain and crypto technologies, many of which might go unnoticed by others.
How can cyber security experts adopt and adapt these attributes to enhance their own prevention and defense strategies?
Cyber security experts can learn a lot from the mindset and skill set that hackers bring to the table. For starters, adopting a sense of curiosity similar to that of a hacker can be a game-changer. This involves going beyond surface-level assessments and diving deep into the architecture of blockchain and cryptosystems. You want to understand not just how they work, but how they could fail. That’s where the real vulnerabilities lie.
Persistence is another trait to emulate. It’s not just about finding quick fixes but about being committed to fully understanding a problem and testing multiple solutions until the most secure one is found. This often involves mimicking the hacker’s approach of trial and error, sometimes running extensive tests in sandboxed environments to gauge the effectiveness of different security measures.
Adaptability is key, especially given how fast the landscape of blockchain and crypto technologies is evolving. Cyber security professionals should be prepared to continuously update their knowledge and skills, staying abreast of the latest advancements and vulnerabilities.
Now, on the skills front, mastering a wide array of tools is crucial. This includes not just those designed for defense but also understanding the tools that hackers use for penetration testing and vulnerability scanning. Knowing your ‘enemy’s’ tools can offer invaluable insights into potential attack vectors.
Analytical thinking is another must-have skill. It’s essential for dissecting complex systems and predicting potential attack scenarios. Sometimes this involves thinking like an attacker: What are the most lucrative targets? What are the weakest links in the chain?
Lastly, while hackers often operate in communities, sharing tips and strategies, cyber security professionals should also seek to foster a similar sense of community. Collaboration across different departments, and even with experts outside the organization, can provide a more comprehensive view of potential vulnerabilities and solutions.
So, by adopting and adapting these attributes, cyber security experts can significantly enhance their prevention and defense strategies, making them more proactive rather than reactive when it comes to securing blockchain and cryptocurrency technologies.
How can CISOs and security professionals leverage the resources in your book to enhance their teams’ readiness in addressing security issues related to blockchain, crypto…etc.?
Our book offers a comprehensive toolkit for CISOs and security professionals to enhance their teams’ readiness for tackling the evolving security challenges in the blockchain and cryptocurrency spaces. One of the key features is the inclusion of hands-on labs. These labs provide practical exercises that allow your teams to engage with real-world scenarios. For instance, we go into Solidity programming labs to dissect how smart contracts work, offering a foundational understanding that’s crucial for identifying vulnerabilities.
We also delve into high-profile case studies that have had a significant impact on the blockchain and crypto ecosystems. For example, we look at bridge hacks like the Wormhole incident in February 2022, where 120,000 WETH (Wrapped Ethereum coins) were stolen, amounting to $324 million. Such incidents offer crucial insights into the kinds of vulnerabilities that exist and how they can be exploited, enabling your teams to be better prepared for similar threats.
Moreover, we highlight the top vulnerabilities prevalent in the blockchain space, including flash loan, reentrancy, access control issues, and front-running attacks, among others. By focusing on these high-risk areas, your security teams can better allocate resources and develop targeted defense strategies.
Another unique aspect of our book is its deep-dive into the hacker mindset. We explore the tactics and methodologies employed by hackers, empowering your team to think like an attacker. This proactive approach enables security professionals to anticipate vulnerabilities and develop effective countermeasures before they can be exploited.
The book is designed to be a continually useful resource, something your teams can return to as they encounter new challenges or as the technology itself evolves. It’s not just a guide but a long-term reference that aims to equip your teams with the knowledge and skills they need to both anticipate and mitigate security risks effectively.
Could you share your thoughts on emerging trends in the blockchain and crypto space that the CyberTalk.org audience may find interesting or that they might want to watch?
In the fast-paced world of blockchain and cryptocurrency, there are several emerging trends that the CyberTalk.org audience should definitely keep an eye on. Let me outline a few that are particularly interesting and come with their own set of challenges and opportunities.
Firstly, Decentralized Finance, or DeFi, continues to disrupt traditional financial systems by offering blockchain-based solutions that are open, transparent, and decentralized. However, this comes with its own set of security concerns, such as vulnerabilities in smart contracts.
Layer 2 solutions are another game-changer, particularly when it comes to scalability issues that plague popular blockchains like Ethereum. One of the most promising Layer 2 solutions is zk-rollups. These offer a way to handle transactions off-chain while ensuring the security and integrity of the main chain, but they also introduce new complexities in terms of security.
Non-Fungible Tokens (NFTs) have brought about a revolution in digital ownership. While they offer unprecedented opportunities in fields like art and music, they also present challenges related to copyright and fraud.
Decentralized Autonomous Organizations, or DAOs, are redefining governance within the blockchain ecosystem. They promise to democratize decision-making but are fraught with legal and security challenges that are yet to be fully understood.
Quantum computing is a longer-term concern but an important one. As this technology evolves, it poses potential threats to the cryptographic foundations of blockchain security, making post-quantum cryptography an area of active research.
Of course, we can’t overlook the regulatory landscape. Governments are increasingly scrutinizing these technologies, and new regulations could have a profound impact on how blockchains and cryptocurrencies operate.
Lastly, interoperability among different blockchains is becoming more critical for mass adoption. This trend is driving exciting innovations but also presents new challenges in terms of security and standardization.
So, for anyone interested in blockchain and cryptocurrency, understanding these trends is crucial. They not only offer a glimpse into the future of these technologies but also present new challenges that require innovative cyber security solutions.
Are there new areas of research that you’re excited about and that you might explore or continue to explore in the future?
Absolutely, there are several areas of research in the blockchain and cryptocurrency space that I find incredibly exciting and plan to explore further.
Zero-knowledge proofs, especially zk-rollups, hold immense promise for scalability and privacy in blockchain systems. They can revolutionize everything from financial transactions to identity management and secure voting
Ethereum Account Abstraction is another topic that has caught my attention recently. This is a proposed upgrade to the Ethereum network that would make it more flexible and easier to work with, but it also introduces new layers of complexity and potential security risks. Understanding these nuances could be key to Ethereum’s long-term success and security.
Oracles are fundamental to the functioning of smart contracts and DeFi platforms, serving as the bridge between blockchains and real-world data. However, they also introduce a point of vulnerability, and studying secure, decentralized oracle solutions is an area ripe for exploration.
Bridges, like Wormhole, that facilitate cross-chain interactions are becoming increasingly important as the blockchain ecosystem grows more fragmented. Understanding the security implications of these bridges is crucial for ensuring the integrity and robustness of cross-chain transactions.
So, yes, there are multiple exciting avenues for future research, and I’m looking forward to diving deeper into these topics to provide actionable insights and solutions.
Is there anything else that you would like to share with the CyberTalk.org audience?
Absolutely, I’d like to emphasize that we’re at a pivotal moment in the history of blockchain and cryptocurrency technologies. As these technologies mature and become more integrated into our daily lives and global economies, the importance of security and ethical considerations can’t be overstated.
For the CyberTalk.org audience, whether you’re a CISO, a developer, or someone simply interested in the field, I’d encourage you to approach blockchain and cryptocurrency not just as a technology but as an ecosystem. Understanding its complexities, vulnerabilities, and societal implications will be key to navigating its future responsibly.
Also, remember that the space is incredibly dynamic. What we know today could be upended by new research, regulations, or technological innovations tomorrow. So, continuous learning and adaptability are crucial for anyone involved in this field.
Lastly, I want to stress the importance of community. Many of the breakthroughs and best practices in blockchain and cyber security come through collaborative efforts. Whether it’s contributing to open-source projects, participating in forums, or attending conferences, being an active member of the community can provide invaluable insights and connections.
Professional bios:
1. Dikla Barda, a senior security expert in the web and blockchain world at Check Point Security Technologies, has more than fifteen years of experience.
Over the years, she has exposed, together with Roman Zaikin, many security vulnerabilities at leading technology companies.
In recent years, her research focus has shifted toward the blockchain ecosystem, with a particular emphasis on identifying and analyzing vulnerabilities in smart contracts. Alongside Roman Zaikin and Oded Vanunu, Dikla has made significant contributions to the field by publishing critical security flaws discovered in prominent blockchain platforms such as OpenSea and Rarible.
When she’s not probing the intricacies of blockchain or web security, Dikla is actively engaged in developing specialized research tools and participates in various Bug Bounty programs, further solidifying her commitment to enhancing cyber security across multiple platforms.
2. Oded Vanunu has approximately twenty years of experience in the cyber world and serves as the Head of Products Vulnerability Research, at Check Point Software Technologies Inc.
Oded leads the vulnerability research teams, which have exposed dozens of vulnerabilities in common technologies over the years.
He is a lecturer on the world of offensive cyber in academia and at conferences worldwide within the research sphere. He also dedicates time to working with young startups on technological innovation and is the owner of four patents in the area of cyber protection.
3. Roman Zaikin is a senior security expert at Check Point Software Technologies and has exposed, together with Dikla Barda, many security vulnerabilities at well-known and influential companies worldwide, including Amazon, DJI, Telegram, WhatsApp, Facebook, Rarible, OpenSea, Skype, Atlassian, LG, and eBay.
Zaikin is the author of the book Cyber and Penetration Tests for Web Applications and Cyber and Penetration Testing of Organizational Networks. Moreover, Zaikin has over ten years of experience in the cyber area.