Decentralized blockchain networks such as Bitcoin and Ethereum are widely regarded as very secure, providing an immutable public ledger backed by the watchful eyes of open-source reviewers. This level of security lets entrepreneurs focus entirely on their own on-chain and off-chain code, such as Solidity smart contracts for the Ethereum network and the web applications that support them. The risks associated with on-chain code are very public and can be quite embarrassing; however, off-chain vulnerabilities are just as painful and put businesses in harm’s way. Immunefi reports that nearly half of the vulnerabilities in Web3 are inherited from the off-chain Web2 world. To put this in perspective, Immunefi reported: “In 2022, we saw losses of $3,948,856,037 across the web3 ecosystem”; budding entrepreneurs beware! Venture capitalists in the Web3/Crypto space should be particularly wary of Web2 vulnerabilities threatening their budding investments.
On-chain code vulnerabilities such as the SushiSwap and Euler Finance exploits resulted in losses of tens and hundreds of millions of dollars. In some cases, the first attacker to exploit the system is followed by others who rapidly review the on-chain code and pile on. Smart contract coding mistakes can lead to costly exploits involving stranded and stolen assets. The crypto space remembers everything and can be very unforgiving. For these reasons, on-chain code deserves special attention. Reviews, audits, and open-source code practices are immensely helpful in preventing the release of on-chain vulnerabilities, but white-hat penetration testing that mimics the behavior of blockchain thieves is also warranted, as it is for off-chain systems, discussed below.
Off-chain code vulnerabilities can be just as costly as their on-chain cousins. Entrepreneurs should pay attention to the sensitivity of the off-chain systems they will undoubtedly construct to support their blockchain projects. While on-chain vulnerabilities are limited to problems with code, such as smart contracts, off-chain systems have a broader attack surface. Blockchain’s off-chain support tools are most commonly web applications, but there is a rich list of off-chain systems involved in a typical decentralized finance project:
Off-chain components
Web applications (e.g., front-ends, back-ends, oracles, discreet log contracts)
Cloud systems (e.g., Amazon AWS, Google Cloud (GCP), and Microsoft Azure)
Networking
Databases
Browser integrations
Browser extension integrations
The user interface is a critical off-chain system for entrepreneurs deploying on-chain services. Typical blockchain transactions originate from browsers, browser extensions, and cloud-based services. Many blockchain entrepreneurs fail to recognize the security threats of these off-chain systems, particularly those outsourcing portions of their development. For example, a Decentralized Finance (DeFi) company building around Bitcoin might deploy a web front-end on a rented cloud server such as Amazon AWS. This same cloud configuration may include back-end database systems, web applications such as discreet log contracts and oracles, administrative interfaces for control and reporting, and front-end systems providing user-interface components and crypto-wallet integrations. The off-chain systems are far more complex than the on-chain code that often gets the extra attention.
Off-chain components may include attack vectors that do not exist with on-chain code. For example:
Off-chain vulnerabilities
Cloud and domain architecture errors
Configuration errors
Key management, access control, credential weakness, and credential handling
Coding
Multi-OS
Desktop versus mobile
Multi-browser support
Multi-blockchain crypto wallet support
Zero-day exploits
Etc.
Correctly configuring and securing such systems is a significant challenge, and getting it wrong is a significant risk, for organizations promoting themselves as secured by blockchain. To complicate matters, a typical consumer blockchain transaction originates from one of many browsers on a variety of personal-computer and mobile platforms, using a variety of third-party browser extensions commonly implemented as “wallets” (e.g., MetaMask and Xverse). These platforms, browsers, and browser extensions consistently produce some of the most versatile vulnerabilities in a hacker’s tool kit. Entrepreneurs should be aware of the risks associated with off-chain systems to keep the financial interests of their customers and the company’s business model out of harm’s way.
Entrepreneurs should pay special attention to innovative requirements that shift with the market or as the new business pivots. Implementation adjustments sometimes ship without a proper security analysis, especially when they are proposed close to the release date.
Penetration testing is one important tool for assessing the vulnerabilities of both on-chain and off-chain systems. Web applications may carry the most significant risk in the whole system and are a great place to start. Off-chain web applications and browser extensions often suffer the same vulnerabilities as traditional web apps.
Entrepreneurs wishing to keep their company safe are encouraged to work with white-hat penetration testing services to build a threat model and periodically assess security threats. Entrepreneurs operating business-critical DeFi platforms should also consider continuous testing services.
Are you concerned about the vulnerabilities in your on-chain and off-chain code? Are you looking to ensure the security of your digital assets and transactions? At Darkthorn, we specialize in uncovering and fortifying security gaps in blockchain infrastructures. Our team of seasoned experts employs the latest methodologies and tools to conduct rigorous penetration testing, ensuring that your blockchain services remain secure.