Security is a cat and mouse game that is consistently evolving, particularly in the cryptocurrency industry. From the DAO exploit to the Parity Wallet Hack, exploitations of smart contracts have led to millions in lost funds.
Further compounding the problem, smart contracts are immutable and run autonomously on a blockchain network once they are committed, amplifying the detrimental impact of bugs. The first place that hackers go once they have successfully stolen funds is to exchanges. Despite how obvious the sequence of events in cryptocurrency hacks may seem, the environment that they occur in is entirely novel and requires innovative solutions.
Smart contract auditing is often not enough to prevent hacks, and it offers no protection once a hack has taken place. MonitorChain, a product by the company Zenchain, strives to solve this dilemma through an on-chain Oracle service for real-time surveillance of critical smart contract triggers.
MonitorChain’s Spotlight on Suspicious Activity
MonitorChain is one of the more intriguing security solutions in the cryptocurrency space because of its departure from standard approaches. At its core, MonitorChain is an on-chain Oracle for the Ethereum blockchain that observes and evaluates suspicious activity within standardized token contracts on the network.
Rather than providing a security layer to protect against hacks — such as smart contract audits to review code integrity — MonitorChain explicitly emphasizes mitigating the fallout of a catastrophic event. These events can come in the form of dumping millions of counterfeit tokens onto exchanges such as with the batch/proxyOverflow exploit or an infinite minting exit scam seen with the Monero Gold Exit Scam. Therefore, MonitorChain is a product that enables exchanges, token issuers, and investors to reduce the severity of losses during attacks and even prohibit hackers from absconding with stolen funds.
MonitorChain takes advantage of the standardization of token contracts in Ethereum by identifying specific functions and events that are likely to be exploited by hackers. These include functions such as mint and transfer. By watching these functions with MonitorChain, which can be integrated into token contracts, it becomes possible to track each execution of them as it happens.
The MonitorChain Smart Contract (MCSC) functions as the on-chain Oracle that holds information on all the smart contracts that it is tracking. The contracts that it analyzes are determined by subscribers to the MonitorChain service, who can query the Oracle for real-time updates on contract statuses. When critical contract functions such as mint or transferFrom are executed, MonitorChain’s error level system is triggered. Depending on factors such as large transactions that are fed into the validation component of the MCSC, MonitorChain issues an instant alert to the necessary parties.
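As an added illustration (not Zenchain's code and not part of the original article), the following Python example applies the kind of rule check described above to standard ERC-20 Transfer event logs, flagging mints and large transfers. The rule names, severity scale, 1% threshold and sample logs are constructed assumptions.

```python
# Added illustration: off-chain rule check over ERC-20 Transfer event logs.
# Rule names, severity levels, threshold and sample logs are constructed assumptions.
from dataclasses import dataclass

# keccak256("Transfer(address,address,uint256)"), the ERC-20 Transfer event signature
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO = "0x" + "00" * 20

@dataclass
class Alert:
    level: int        # 0 = ok, 1 = warning, 2 = critical (hypothetical scale)
    rules: list
    sender: str
    recipient: str
    value: int

def topic_to_address(topic: str) -> str:
    """Indexed address topics are 32 bytes; the address is the low 20 bytes."""
    raw = topic[2:] if topic.startswith("0x") else topic
    if len(raw) != 64:
        raise ValueError("topic must be 32 bytes")
    return "0x" + raw[-40:].lower()

def evaluate(log: dict, total_supply: int, large_bps: int = 100):
    """Return an Alert for an ERC-20 Transfer log, or None for any other log."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None  # different event, or a non-ERC-20 layout (ERC-721 has 4 topics)
    sender, recipient = topic_to_address(topics[1]), topic_to_address(topics[2])
    value = int(log["data"], 16)
    rules = []
    if sender == ZERO:
        rules.append("mint")  # EIP-20: newly created tokens emit Transfer from 0x0
    if value * 10_000 >= total_supply * large_bps:  # integer math, bps of supply
        rules.append("large_transfer")
    level = 2 if len(rules) == 2 else (1 if rules else 0)
    return Alert(level, rules, sender, recipient, value)

# Constructed sample data: placeholder addresses and an 18-decimal token.
def pad_topic(addr: str) -> str:
    return "0x" + "00" * 12 + addr[2:]

TOKEN, HOLDER, EXCHANGE = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "22" * 20
SUPPLY = 1_000_000 * 10**18
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, pad_topic(HOLDER), pad_topic(EXCHANGE)], "data": hex(5 * 10**18)},
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, pad_topic(HOLDER), pad_topic(EXCHANGE)], "data": hex(50_000 * 10**18)},
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, pad_topic(ZERO), pad_topic(HOLDER)], "data": hex(10**9 * 10**18)},
]
```
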
The alerts and interactions between subscribers and the MonitorChain system can be between exchanges, token issuers, and traders. Exchanges can receive direct notifications of addresses to block compromised token contracts to prevent the liquidation of stolen funds by hackers. Token issuers receive instant notifications of exploited contracts, allowing them to initiate token freeze protocols (e.g., as in the Bancor hack) to stop attacks. Traders can be forewarned of activity that may inadvertently trigger buy/sell commands for bots. With this sort of behaviour, it will be easy to control trading bots with suspicious activity and determine whether or not they are a scam. For example, “make money” scams like Bitcoin Loophole, which was said to be endorsed by Peter Jones in this review, will never thrive with the exchanges that adopt the MonitorChain system. Further, traders can feel confident that exchanges have halted sell orders for compromised tokens in real time rather than hours or days later, once it is too late.
An important takeaway from the MonitorChain system is that while attack vectors for exploiting contracts will continue to evolve, the underlying mechanisms that hackers need to execute transfers to exchanges will remain constant relative to standardized contract designs. These mechanics are often overlooked, and they are where MonitorChain provides a practical solution that highlights their significance.
Examples of MonitorChain in Action
Zenchain provides some excellent examples of past hacks where MonitorChain could have played a vital role in minimizing the resulting damage. While hindsight is 20/20, analyzing previous exploits is exceedingly useful in protecting against future problems.
Two of the more compelling examples of where MonitorChain could’ve offered viable protection are the Titanium Blockchain hack and the previously mentioned Monero Gold Exit scam.
Titanium Blockchain Infrastructure Services (TBIS) was the victim of a hack earlier this year in February. The damage was 18.7 million BAR tokens stolen from company multisig wallets where they were subsequently dumped on multiple exchanges, plummeting the value of the coin by more than 90 percent.
Instances like this have tangible effects on the project, investors, and exchanges. Investors suffer massive financial losses in token value, Titanium lost its reputation and millions of ICO funding, and exchanges lose face for allowing stolen tokens to be sold on their platforms.
MonitorChain could’ve prevented the fallout after the initial theft of the funds from the reserve wallets. The MonitorChain Rules Violation and Large Transfer Alerts would’ve immediately been triggered, starting a cascade of technical information flowing to exchanges about whether to halt trading of the BAR token. The hack would have stayed in-house with TBIS, traders would not have lost value, and exchanges would have saved face by not being the dumping ground for stolen tokens.
In the Monero Gold Exit Scam, the developers built a backdoor token burn function into the token contract that they used to create an infinite number of tokens and send them to the exchange CoinExchange. They dumped the tokens on the exchange, driving the price to zero.
With MonitorChain, the MintingRule alert would’ve automatically been triggered, sending an instant alert to CoinExchange who would’ve been able to then halt trading for the XMRG token. Trust in the exchange would not have suffered and investors would not have lost all of their value from the dumping of XMRG tokens on the exchange.
The security of exchanges and contracts on smart contract platforms has become one of the foremost concerns in the industry following a litany of large-scale hacks. Many of these exploits are crafted by experienced hackers, who subsequently unload their scores on cryptocurrency exchanges, which are unprecedented opportunities for digital money laundering. The evolving security landscape will continue to innovate to enhance protections against instances of contract exploits.
However, products like MonitorChain offer a unique solution to mitigating the fallout of such instances with a design predicated on leveraging the standardized nature of smart contracts. As such, it should remain a more sustainable security solution for Ethereum than many other methods available today.