An unknown hacker or hacker group has taken advantage of a vulnerability within MonoX Finance, a cryptocurrency service. They used this exploit to steal approximately $31 million worth of cryptocurrency after artificially inflating the price of the MONO token.
The vulnerability was in the system MonoX uses to draft smart contracts. The exploit allowed the hacker to exchange one cryptocurrency token for another of the same type but for a different value, which should be impossible.
For some, one of the biggest draws of cryptocurrency is the lack of a central governing body. With normal currency, the government can impose taxes and fees on transactions, but cryptocurrency has no such body. This, however, means that there is little to no law to fall back on when something does go wrong.
What Did the Hackers Do?
How exactly did this heist take place? After all, cryptocurrency blockchains are supposed to be some of the most secure online services in the world, so the fact that someone could not only figure out an exploit, but also escape with that much money, is noteworthy to say the least.
An internal accounting error within MonoX Finance let the culprit inflate the price of the MONO token and then use it to cash out $31 million worth of Ethereum and Polygon tokens. This was done by altering the sell price without changing the buy price, meaning that the transactions were weighted heavily in their favor.
The exploit was possible because of a feature known as smart contracts, which are essentially automated scripts that are activated under certain conditions. Since these scripts are automated, there is no human to look at each case and gauge whether it's a good idea or not, meaning that they can be manipulated under the right circumstances.
“These kinds of attacks are common in smart contracts, because many developers do not put in the legwork to define security properties for their code… They had audits, but if the audits only state that a smart person looked at the code for a given period of time, then the results are of limited value. Smart contracts need testable evidence that they do what you intend and only what you intend. That means defined security properties and techniques employed to evaluate them,” said Dan Guido, an expert in securing smart contracts.
While this attack is enormous, it's not the first to occur under similar circumstances. Other financial firms that deal in cryptocurrency have suffered similar attacks; Indexed Finance, for example, lost $16 million due to index pool management.
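The same-token swap described above, and the kind of testable security property Guido's quote calls for, can be shown with a toy model. This is an added example, not MonoX's contract code: the Pool class, the MONO/ETH pairing, the prices and the price-impact formula are constructed, and it assumes the pool derives both price updates from the pre-swap state and writes them one after the other.

```python
# Toy model of a pool that stores one price per token. Constructed for
# illustration: not MonoX's contract code; prices and the impact formula
# are made up.

class SameTokenSwap(Exception):
    """Raised by the hardened pool when token_in == token_out."""


class Pool:
    def __init__(self, prices, reject_same_token):
        self.prices = dict(prices)              # token -> price (constructed)
        self.reject_same_token = reject_same_token

    def swap(self, token_in, token_out, amount_in):
        if self.reject_same_token and token_in == token_out:
            raise SameTokenSwap(token_in)
        impact = amount_in / 1000               # hypothetical price impact
        # Assumption: both new prices are derived from the pre-swap state...
        new_in = self.prices[token_in] * (1 - impact)    # sold token gets cheaper
        new_out = self.prices[token_out] * (1 + impact)  # bought token gets dearer
        # ...and written back in sequence. If both names are the same token,
        # the second write overwrites the first and the price only rises.
        self.prices[token_in] = new_in
        self.prices[token_out] = new_out


def price_after_self_swaps(reject_same_token, rounds=20):
    pool = Pool({"MONO": 1.0, "ETH": 1.0}, reject_same_token)
    for _ in range(rounds):
        try:
            pool.swap("MONO", "MONO", 100)
        except SameTokenSwap:
            pass                                # hardened pool refuses the trade
    return pool.prices["MONO"]


def self_swap_is_price_neutral(reject_same_token):
    """Security property: swapping a token for itself never moves its price."""
    return price_after_self_swaps(reject_same_token) == 1.0


if __name__ == "__main__":
    print("unchecked pool:", price_after_self_swaps(False))
    print("hardened pool: ", price_after_self_swaps(True))
    print("property holds (unchecked, hardened):",
          self_swap_is_price_neutral(False), self_swap_is_price_neutral(True))
```

Run as a test, the property check fails on the unchecked pool and passes on the hardened one, which is the sort of evidence an audit can point to instead of a reviewer's impression.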
The Future of Cyber Security and Cryptocurrency
As mentioned, one of the main draws of cryptocurrency is the ability to trade currencies and goods without having to pass through the government's mandated taxes or fees. And due to the relative newness of cryptocurrency, government regulations are still struggling to keep up.
However, this is a bit of a double-edged sword. While not having to live under regulations sounds nice, that means when something like this happens, the legality of the whole situation is far grayer than it would be if someone had robbed a bank or government building.
The more things like this happen, the more that governments will likely be pressured to impose stricter regulations on the world of cryptocurrency in general. In fact, federal bank agencies issued a statement outlining their 2022 roadmap in regard to cryptocurrency regulation. The relevant agencies stated that they were looking to:
“Provide coordinated and timely clarity where appropriate to promote safety and soundness, consumer protection, and compliance with applicable laws and regulations, including anti-money laundering and illicit finance statutes and rules.”
What this means is still slightly up in the air, but it's a borderline guarantee that the crypto world is headed for more federal regulation, despite the fact that a large portion of the crypto user base is likely opposed to this development. However, if it stops multi-million-dollar attacks from taking place, then it's hard to argue against regulations too strongly.