September has become the worst month for crypto exploits in 2023, with the amount of crypto theft surging to $329.8 million. According to Martin Schmidt, Co-initiator of the governance-as-a-service solution Q Protocol, the main reason behind crypto exploits is the lack of proper governance. Q Protocol provides both transactional and governance security and is the first and only such solution with regulatory clearance in Europe.
We’ve got his insider analysis below, including what actions on-chain projects can take to reduce the risk of exploits.
Q1. What is the main reason behind the massive issue of crypto exploits?
Martin Schmidt: You implement all the best practices to keep your cryptocurrency safe, and then an attacker — often from within the project team — comes along, gains control of the project, and drains the treasury. If there’s anything in your wallet left to protect, it’s now worth a fraction of the price you paid for it — and there’s little you can do to stop it.
That’s the reality of governance attacks, a technique increasingly used by rogue actors that exploit the decentralized nature of crypto projects. With changes to a protocol’s rules and processes typically decided by community votes, these bad actors are obtaining the majority of a project’s voting power to hijack governance, make changes unchallenged, and siphon money out.
Q2. What are the main techniques that hackers employ?
Martin Schmidt: Does it seem difficult? Well, it often isn’t. To launch a governance attack, all cybercriminals really need is the majority of a project’s voting power. Often, a surprisingly low number of tokens is needed to gain a majority, since not many token holders actively engage in governance. An alternative strategy is to hide malicious code within a seemingly innocent proposal.
With majority rule, they can then push through any changes they want and there’s nothing the community can do to stop them. They manipulate price oracles, introduce new rules, or sometimes even just send funds to their own private wallet. Most attackers will steal as much money as they can get away with.
Q3. Latest examples of high-profile crypto thefts
Martin Schmidt: These bad actors aren’t stealing the keys or exploiting technical weaknesses. Rather, they are finding loopholes in a project’s governance rules. Just this year, an attacker used malicious code hidden within a proposal to grant themselves fake votes and seize control of the Tornado Cash project. With this attack on the project’s governance, they were able to mint over $4 million worth of tokens and move their ill-gotten gains to other addresses.
But that’s chump change compared to Beanstalk Farm’s losses last year. Exploiting a loophole in the project’s governance rules, an attacker was able to hand themselves a 67% voting stake and pass a proposal to transfer user assets to their own wallet. Their loot? An estimated $80 million.
Q4. The solution? Projects need a second layer of security
Martin Schmidt: It’s clear that code alone cannot be trusted to uphold a project’s governance, nor can the community, with users too often falling victim to the social engineering techniques that bad actors have mastered. And how many rug pulls need to happen for us to realize that leaving the key decisions in the hands of project creators is a recipe for disaster?
To uphold the security of their projects, what protocol designers need is an incorruptible layer that prevents governance from falling into the wrong hands. Something like a 2FA solution for blockchain — an external security anchor, upheld by transparent and trustworthy individuals, that lays out the law and upholds the rules, preventing crooks and criminals from commandeering projects and sailing off with investors’ hard-earned funds.
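As an added illustration of the layered model Schmidt describes (this is example code written for this page, not Q Protocol's own implementation; the `Governor`, `Proposal` and "guardian" names are assumptions), the model below checks a token-weighted vote against four independent gates: a majority of votes cast, a quorum of total supply, a timelock, and approval from an external guardian set acting as the second layer. The scenario shows why a majority of cast votes alone is cheap when turnout is low, and why even a 67% stake bought at the last moment cannot execute on its own.

```python
from dataclasses import dataclass, field


@dataclass
class Proposal:
    votes_for: int = 0
    votes_against: int = 0
    created_at: int = 0                  # block at which the proposal was opened
    guardian_approvals: set = field(default_factory=set)


class Governor:
    """Hypothetical governance checker with an external approval layer."""

    def __init__(self, total_supply, quorum_bps, timelock_blocks, guardians, threshold):
        self.total_supply = total_supply          # all governance tokens in circulation
        self.quorum_bps = quorum_bps              # minimum turnout, in basis points of supply
        self.timelock_blocks = timelock_blocks    # delay between passing and execution
        self.guardians = set(guardians)           # the independent "security anchor"
        self.threshold = threshold                # guardian signatures needed to execute

    def vote(self, p, weight, support):
        if support:
            p.votes_for += weight
        else:
            p.votes_against += weight

    def guardian_approve(self, p, guardian):
        if guardian not in self.guardians:
            raise PermissionError("not a guardian")
        p.guardian_approvals.add(guardian)

    def check(self, p, now):
        """Return the first gate that blocks execution, or 'ok' if all pass."""
        cast = p.votes_for + p.votes_against
        if p.votes_for <= p.votes_against:
            return "no majority"
        if cast * 10_000 < self.total_supply * self.quorum_bps:
            return "quorum not met"          # low turnout alone is not a mandate
        if now < p.created_at + self.timelock_blocks:
            return "timelock active"         # time for the community to read the code
        if len(p.guardian_approvals) < self.threshold:
            return "guardian approval missing"
        return "ok"


def scenario():
    """Constructed numbers: 1M token supply, 20% quorum, 100-block timelock, 2-of-3 guardians."""
    gov = Governor(1_000_000, 2_000, 100, {"g1", "g2", "g3"}, 2)
    p = Proposal(created_at=1000)
    gov.vote(p, 30_000, True)       # attacker holds 3% of supply
    gov.vote(p, 10_000, False)      # the few holders who actually vote
    r1 = gov.check(p, now=1000)     # majority of votes cast, but only 4% turnout
    gov.vote(p, 640_000, True)      # attacker acquires a 67% stake
    r2 = gov.check(p, now=1000)     # quorum met, execution still delayed
    r3 = gov.check(p, now=1100)     # timelock expired, second layer has not signed
    gov.guardian_approve(p, "g1")
    gov.guardian_approve(p, "g2")
    return r1, r2, r3, gov.check(p, now=1100)
```

In this model a malicious proposal that clears the on-chain vote still stalls at the timelock and then at the guardian gate, which is where the external layer can decline to sign.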
Follow Martin Schmidt on Twitter: https://twitter.com/martin__a__s
Follow Martin Schmidt on Medium: https://medium.com/@martin_a_s
To learn more about Q Protocol, visit https://q.org/