An interesting aspect of Web3 is the smart contract. These are simple programs that run on the blockchain when certain conditions are met.
For decades, we’ve been creating more and more software and one thing has always held true: there will be bugs.
A bug in the code is simply a mistake. Given the complexity of the environment that mistake could be minor or it could be catastrophic.
Security issues are a very special class of bug. These bugs allow a malicious actor to manipulate the code in order to produce a result that the actor desires…not what the programmer intended.
Smart Contract Bugs
Recently, Qubit Finance, a DeFi/Web3 platform, was attacked. Their incident report details the bug that the attacker took advantage of.
This bug allowed them to abscond with almost $80 million in cryptocurrency.
Coverage of the attack uses the term hacker to describe the malicious actor. Unlike some other cases, this use of the term is accurate. Though cybercriminal is even more specific.
Why would this attacker be a hacker when another isn’t? Intention.
The compromise of the OpenSea marketplace used the system in the way it was intended to be use. The actor bought an NFT from a valid listing on the platform through a valid transaction.
It went against the intention of the seller but the issue was with the platform, not the use of it.
In the Qubit Finance case, the technical specifics are very different. Qubit’s platform is designed to bridge one cryptocurrency to another.
Take X of Ethereum and convert it to Y Binance Coin.
The attacker used a bug in the Qubit smart contract to take 0 Ethereum to convert to almost $80 million in Binance Coin.
While a conversion was done, the intention was to convert a non-zero amount of one cryptocoin at fair market rates to another. That didn’t happen here.
Quality Coding Required For Smart Contracts
As smart contracts start to proliferate, code quality is paramount. The argument has been made here that the Qubit case is a cybercrime.
A strong case also exists that it this smart contract executed as designed.
After all, is the blockchain supposed to be the single source of truth? And that contract executed as written.
This issue highlights just how much work needs to be done in the Web3/DeFi world before it’s ready for mainstream adoption.