With a rapid increase in funds stolen from DeFi protocols, private keys at stake
Tue, 09/13/2022 – 20:00
Mass heist starts with private keys
The March 2022 theft by the Lazarus Group, a North Korean state-run cybercrime group, started when the group gained access to five of the nine private keys held by transaction validators for the Ronin Network cross-chain bridge, according to a Chainalysis report.
Ronin Network is an Ethereum-linked sidechain built for the Axie Infinity blockchain game. Cross-chain bridges provide interoperability between different blockchains via a protocol that allows users to transfer digital assets from one blockchain to another, as described by Chainalysis.
The haul taken by Lazarus totaled, at the time, $540 million in ether and USDC stablecoin, prompting sanctions by the US Treasury Department. The Lazarus Group typically carries out such attacks to finance the North Korean state.
Subsequently, the US government, with the help of Chainalysis, seized over $30 million. The seizures represent about 10% of the total funds stolen from Axie Infinity, Chainalysis said.
Switch to DeFi services to “chain jumps”
The Lazarus Group used the private keys to approve two transactions, both withdrawals: one for 173,600 ether (ETH) and the other for 25.5 million USD Coin (USDC), according to the report. (Together these make up the $540 million figure quoted above.)
“They then initiated their laundering process…The laundering of these funds has leveraged over 12,000 different crypto addresses to date, demonstrating the hackers’ highly sophisticated laundering capabilities,” Chainalysis said.
Lazarus’ typical laundering technique has been to send stolen ether to intermediary wallets and then mix it in batches using Tornado Cash.
However, after the US Treasury sanctions against Tornado Cash, Lazarus moved away from the Ethereum mixer, instead “leveraging DeFi services to chain jumps or switch between multiple types of cryptocurrencies in a single transaction,” Chainalysis said.
“Bridges serve an important function in moving digital assets between chains and most use of these platforms is entirely legitimate. Lazarus appears to be using bridges in an attempt to obfuscate the source of funds,” Chainalysis said.
Venafi’s Take: The Vulnerable DeFi Security Model
“The DeFi security model needs to be strengthened immediately,” said Pratik Savla, principal security engineer at Venafi.
“Mismanagement of cryptographic keys is one of the biggest Achilles’ heels that opens DeFi to a number of security risks,” Savla said.
The use of private keys and wallets underscores the known security risks associated with their design and implementation, according to Savla.
“This, in turn, incentivizes attackers of all shades to deploy the same set of TTPs [Tactics, Techniques and Procedures] that they used to exploit in previous incidents,” Savla said.
Once a bad actor obtains an administrator’s private key, it opens up a whole host of possibilities to wreak havoc, he added.
In addition to private keys, the wallets used to host and manage these keys present their own security risks, according to Savla.
‘Integrate’ security early in the development cycle
“Wallets and private keys combined open up a huge attack surface and make DeFi targeting attractive and rewarding. A critical approach to minimizing and ultimately containing multiple attack vectors is to embed security early in the development cycle. In-depth security design and architecture becomes extremely crucial in this case,” Savla said.
DeFi is an example of a “high-stakes system where machine identity management can be both its strength but also its weakness from a security perspective, if not done properly,” Savla added.