As regulatory uncertainty continues to plague the global digital asset ecosystem, there are many anti-crypto proponents who continue to harp on the fact that the industry as a whole has a long way to go when it comes to securing itself in a manner that is anywhere comparable to the traditional finance system. Now, with the recent Bitmart hack coming to light, these individuals have been given even more firepower.
To recap, on Dec. 5, cryptocurrency exchange Bitmart was on the receiving end of a major hack that saw the platform lose nearly $200 million via a hot wallet compromise spanning the Ethereum and Binance Smart Chain blockchains. The breach was first exposed by blockchain security firm PeckShield, whose cybersecurity team revealed that nefarious third parties were able to initially transfer roughly $100 million via the Ethereum blockchain, followed by another concurrent hack of $96 million using the crypto exchange’s BSC reserves.
The hackers were able to accrue over 20 tokens including a number of altcoins such as Binance Coin (BNB), SafeMoon (SAFEMOON), BSC-USD and BNBBPay (BPay). They were also able to steal decent quantities of meme tokens including Baby Doge Coin (BabyDoge), Floki Inu (FLOKI) and Moonshot (MOONSHOT). As per PeckShield’s security team, the entire scheme can be attributed to a simple “transfer-out, swap and wash” maneuver.
To gain a better understanding of how the entire incident came to be, Cointelegraph reached out to Bitmart. A spokesperson for the trading platform pointed out that as soon as the breach was discovered, the firm took action by shutting down multiple systems to “limit any sort of immediate harm” — the actions included halting token withdrawals as well as stopping users from trading certain pairs. The representative added:
“We plan to continue to gradually restore services but only following our security team’s thorough testing process. Security remains our No. 1 priority. In fact, as of Tuesday, Dec. 7, 2021, EST we have resumed ETH and ERC20 token deposits and withdrawals.”
Additionally, a written response from the exchange also highlighted that in order to bolster its native security infrastructure, Bitmart had replaced all of its token deposit addresses in relation to currencies like Bitcoin (BTC), Ether (ETH) and Solana (SOL), as well as all the other tokens involved in the incident. “We have also notified our users of the pertinent changes”, the statement closed out by saying.
Lastly, on Dec. 6, Sheldon Xia, founder and CEO of BitMart, announced via Twitter that the exchange would use its own funds to cover any losses resulting from the incident: “We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps. No user assets will be harmed.”
The crypto community shows solidarity
Following the near $200-million hack, members of the global Shiba Inu (SHIB) community and crypto exchange Huobi Global stepped in to offer Bitmart any assistance it needed, both to strengthen its existing security setup and to track the flow of its stolen assets.
Speaking with Cointelegraph, Huobi’s director of global strategy Jeff Mei noted that in cases like Bitmart’s, transparency and immediate action must be given top priority, adding:
“Exchanges should alert their users, other exchanges and law enforcement authorities as soon as possible and be transparent about what they are doing to handle the hack and the loss of user funds.”
Additionally, Mei emphasized that users should avoid pooling all of their assets on a single platform or a single wallet, and in cases where they feel something fishy might be going on, users should not hesitate to reach out to the relevant exchange and tell them about the potential security incident.
Much like Huobi, the Shiba Inu community also confirmed its intentions to help Bitmart, adding that it had already ramped up its efforts to review any potential security threats for ShibaSwap, a community-built decentralized exchange (DEX).
More education is needed
Raimundo Castilla, CEO of digital asset custody platform Prosegur Crypto, told Cointelegraph that Bitmart’s recent security breach would have been easily preventable if the platform’s users had been educated enough to keep their digital assets externally rather than on the exchange itself:
“Hot wallets should be reserved just for the funds you want to trade with. This amount of money should have been guarded on cold storage with an air-gapped system and 100% offline transactions.”
Castilla went on to add that in order for platforms like Bitmart to prevent future incidents, they need to employ a combination of innovative technologies coupled with rigid governance protocols. For starters, their private keys should not have been kept online, since anything stored online is susceptible to attack regardless of how well it is protected. “They should have worked with whitelisting so even though someone gets access to any private key, he could only send funds to a pre-confirmed wallet direction”, he elucidated.
Moreover, Bitmart could have employed an advanced multiparty computation (MPC) co-signing system with a multisignature approval module. Under such a setup, the transactions in question would have required approval from several people rather than a single compromised key.
Castilla added that: “Hacking just one private key can do nothing at all.” Furthermore, someone performing the role of a key account manager could have stepped in and “stopped the transaction to get to the client to see if it was legitimate.”
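As an added illustration of the controls Castilla describes (this is example code, not Bitmart’s, Prosegur Crypto’s or PeckShield’s), the Python below gates hot-wallet withdrawals on a pre-confirmed destination allowlist and an M-of-N approval threshold from distinct approvers, and flags how much of a hot-wallet balance should be swept to cold storage. Addresses, approver names and limits are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class WithdrawalPolicy:
    allowlist: set[str]      # pre-confirmed destination addresses (lowercased)
    approvers: set[str]      # people entitled to co-sign a withdrawal
    threshold: int           # distinct approvals required (M of N)
    hot_wallet_cap: int      # largest balance the hot wallet may hold (base units)

@dataclass
class Withdrawal:
    asset: str
    amount: int
    destination: str
    approvals: set[str] = field(default_factory=set)  # who signed off

def evaluate(policy: WithdrawalPolicy, w: Withdrawal) -> tuple[bool, str]:
    """Return (allowed, reason). Every rule must pass; the first failure is reported."""
    if w.amount <= 0:
        return False, "invalid amount"
    # A stolen signing key alone cannot redirect funds: the destination must be pre-confirmed.
    if w.destination.lower() not in policy.allowlist:
        return False, "destination not allowlisted"
    # Only approvals from recognised approvers count, each person at most once.
    valid = {a for a in w.approvals if a in policy.approvers}
    if len(valid) < policy.threshold:
        return False, f"{len(valid)}/{policy.threshold} approvals"
    return True, "ok"

def hot_wallet_excess(balance: int, policy: WithdrawalPolicy) -> int:
    """Amount above the cap that should be moved to cold storage (0 if within the cap)."""
    return max(0, balance - policy.hot_wallet_cap)

# Constructed sample policy: two of three named approvers, one cold-storage destination.
POLICY = WithdrawalPolicy(
    allowlist={"0xcold000000000000000000000000000000000001"},
    approvers={"alice", "bob", "carol"},
    threshold=2,
    hot_wallet_cap=1_000_000,
)

if __name__ == "__main__":
    req = Withdrawal("ETH", 5000, "0xCOLD000000000000000000000000000000000001", {"alice", "bob"})
    print(evaluate(POLICY, req))                 # (True, 'ok')
    print(hot_wallet_excess(1_500_000, POLICY))  # 500000
```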
Better security measures are the need of the hour
With the crypto ecosystem seemingly under an ongoing onslaught of nefarious hacking incidents, it is worth noting that recently digital asset lending platform Celsius also confirmed that it had been faced with a loss of $50 million via an exploit related to decentralized finance (DeFi) protocol BadgerDAO.
Reports of the attack first surfaced on Dec. 9, with the protocol’s core developer team announcing that it had received “multiple exports of unauthorized withdrawals” related to its clients. The team then paused all of its existing smart contracts to mitigate any further losses.
That said, it hasn’t all been bad news recently, as cross-chain protocol Synapse Bridge revealed that on Nov. 9, its security team was able to avert a multimillion-dollar exploit on the Avalanche Neutral Dollar (nUSD) metapool, preventing miscreants from making off with nearly $8 million worth of digital currencies.