Projects and networks that are not fully decentralized require accounts that have access to critical network controls. Privileged access management risk refers to the risk of compromise surrounding these accounts, and the catastrophic losses that can occur when access to them is compromised. Having accounts with privileged access provides hackers with a single point of attack that, when compromised, incurs catastrophic damage to the wider network. Whilst these risks are by no means limited to web3 projects, it is particularly frustrating to see decentralized blockchain projects fall to them as they are one of the key vulnerabilities that blockchains were designed to defend against.
However, despite the promise and principles of decentralization, there will always be web3 projects that have some level of privileged access, and so there will always be hackers looking to exploit it. But there are ways to mitigate this. How a project handles its privileged access management is an essential part of its security and requires a multi-faceted approach. Regular smart contract audits, blockchain analytics, organizational best practices, and identity management all have a vital role to play.
Underpinning all of these defenses is the need for a strong understanding of what privileged access risks entail, and the malicious techniques hackers use to exploit them. Attacks that exploit privileged access risks often involve human error. Because of this, regular team training is an essential part of a project’s security. To that end, this blog post takes you through what privileged management risk is, and the best ways of mitigating it.
Spear-phishing attacks are a common technique hackers use when attempting to gain access to privileged accounts. They typically involve a hacker conducting reconnaissance and thorough research on an individual target in a project team. The hacker then uses that research to send a carefully tailored message, via email or social media channels, that contains a malicious attachment or link. Once opened, the attachment or link either tricks the user into handing over credentials or installs malware on the user’s device, giving the hacker a foothold in the network.
Understandably, individuals with privileged access to high-value networks are prime targets for spear-phishing attacks as they are clear points of entry into gaining control over a network. Because of this, project team members are typically bombarded with spear-phishing attacks by hackers attempting to scam the system.
One of the most infamous examples of an advanced spear-phishing attack being used to exploit privileged access management risk is the recent attack against the Ronin Network. In one of the most lucrative crypto attacks ever, the Ronin Network was drained of over $600 million after a hacker gained access to private keys and used them to forge withdrawal signatures.
This was made possible because, in response to a request from Sky Mavis for help in distributing free transactions, Axie DAO whitelisted the Sky Mavis team so that they could sign transactions on its behalf. The giveaway ended, but the permissions were never revoked. A hacker was then able to gain control of five of nine validator keys by conducting an advanced spear-phishing attack against a Sky Mavis team member. This allowed the hacker to forge fake withdrawals and drain the funds from the Ronin Bridge in two astronomical transactions.
What is especially striking about the Ronin hack (aside from the scale of the losses) is that it went unnoticed by the project team until users reported having problems with withdrawals. The fact that $600 million in funds can disappear without notice for a week is truly shocking, and a clear sign of the need for blockchain analytics as an essential layer in any project's security.
As outlined in Ronin’s post-mortem, Sky Mavis resolved the vulnerability by increasing the number of validator nodes, effectively distributing the power to sign transactions across a wider network. This means that a hacker would have to gain access to far more privileged accounts in order to gain the majority needed to forge withdrawals.
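The two failure modes described above, a stale delegation that was never revoked and a quorum small enough for one entity's compromise to meet it, can be checked mechanically against a validator roster. The following is an added example written for this post, not code from Sky Mavis or Ronin: it models an M-of-N validator set in which a key holder may allow-list another entity to sign on its behalf, counts how many keys each entity can effectively sign with, and reports how many distinct entities an attacker would have to compromise to reach the signing threshold. All validator names, operator names, dates and counts in the sample roster are constructed; the roster deliberately mirrors the shape of the incident (one operator running four keys plus an allow-listed fifth) so the effect of an open-ended delegation is visible.

```python
"""Effective-control check for an M-of-N validator set with delegated signing rights.

Added illustration: entity and validator names, dates and counts are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str                               # entity that holds this validator's key
    delegated_to: Optional[str] = None          # entity allow-listed to sign on its behalf
    delegation_expires: Optional[date] = None   # None = open-ended, i.e. never revoked


def delegation_active(v: Validator, today: date) -> bool:
    """A delegation counts until its expiry; an open-ended one counts forever."""
    if v.delegated_to is None:
        return False
    return v.delegation_expires is None or today <= v.delegation_expires


def effective_control(validators: List[Validator], today: date) -> Dict[str, int]:
    """Number of validator keys each entity can sign with today, delegations included."""
    control: Dict[str, int] = {}
    for v in validators:
        control[v.operator] = control.get(v.operator, 0) + 1
        if delegation_active(v, today):
            control[v.delegated_to] = control.get(v.delegated_to, 0) + 1
    return control


def entities_needed(validators: List[Validator], threshold: int, today: date) -> Optional[int]:
    """Fewest distinct entities whose keys together reach the signing threshold.

    Taking the largest holders first is optimal for this sum, so the result is the
    minimum number of compromises (or colluding insiders) needed to forge a withdrawal.
    """
    total = 0
    counts = sorted(effective_control(validators, today).values(), reverse=True)
    for n, count in enumerate(counts, start=1):
        total += count
        if total >= threshold:
            return n
    return None  # threshold cannot be met even by everyone together: a misconfiguration


def findings(validators: List[Validator], threshold: int, today: date) -> List[str]:
    """Policy violations a reviewer would flag: open-ended delegations and single-entity quorum."""
    out: List[str] = []
    for v in validators:
        if v.delegated_to is not None and v.delegation_expires is None:
            out.append(f"{v.name}: open-ended delegation to {v.delegated_to}")
    for entity, n in sorted(effective_control(validators, today).items()):
        if n >= threshold:
            out.append(f"{entity}: controls {n} of {len(validators)} keys, meets threshold {threshold} alone")
    return out


TODAY = date(2024, 1, 15)          # constructed reference date
PAST_EXPIRY = date(2023, 12, 31)   # constructed: a delegation that was time-boxed and has lapsed


def sample_set(expiry: Optional[date]) -> List[Validator]:
    """Constructed 9-validator set: one operator runs four keys and is allow-listed on a fifth."""
    vs = [Validator(f"val-{i}", "operator_a") for i in range(1, 5)]
    vs.append(Validator("val-5", "dao_b", delegated_to="operator_a", delegation_expires=expiry))
    vs += [Validator(f"val-{i}", f"operator_{i}") for i in range(6, 10)]
    return vs


if __name__ == "__main__":
    for label, expiry in (("open-ended delegation", None), ("delegation expired", PAST_EXPIRY)):
        vs = sample_set(expiry)
        print(f"{label}: entities to compromise for 5-of-9 = {entities_needed(vs, 5, TODAY)}")
        for f in findings(vs, 5, TODAY):
            print("  finding:", f)
```

With the open-ended delegation in place, a single entity meets the 5-of-9 threshold on its own; once the delegation has an expiry that has passed, the same roster needs two entities. Raising N and the threshold together, as the post-mortem describes, pushes that number up further, which is the point of the check: it turns "how decentralized is our signing set really" into a number that can be reviewed whenever the roster or an allow-list changes.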
The Ronin attack was a prime example of the stakes involved in privileged access management risk, and Sky Mavis’s solution to the problem highlights the centralization issues that were to blame. As is often the case, decentralization was the resolution. CertiK’s 2021 State of DeFi Report notes that ‘centralization is antithetical to the ethos of DeFi and poses major security risks. Single points of failure can be exploited by dedicated hackers and malicious insiders alike.’
Part of the risk in having users and accounts with privileged access is that it places a dangerous amount of trust in certain individuals: trust not only that they will not abuse the system, but also that they can be relied upon to protect sensitive information responsibly and securely. Yet everyone makes mistakes, and even the most tech-savvy, security-minded individuals are still susceptible to human error, which hackers will look to exploit. Indeed, as with centralization issues, the danger of needing to entrust individuals with the security of high-value systems is precisely what blockchain technology was designed to avoid, hence the so-called ‘trustless system’.
In keeping with this, web3 projects can learn from the innovative security benefits of the technology they develop by incorporating zero-trust mechanisms in their organization’s structure. This means requiring identity authorization checks at every level, and at every point of connection with the system, checking not only private keys, but also monitoring geo-location and unconventional activity. Blockchain analytics can help here. By providing on-chain monitoring of irregular activity and tracking privileged accounts, blockchain analytics can help relieve the burden of trust placed on users with privileged access, and ensure projects can foster transparent and accountable ecosystems in their organizations.
To further protect against privileged access management risk, projects should make use of blockchain analytics tools such as CertiK’s Skynet, which actively monitors and displays on-chain insights for smart contracts using industry-leading technologies. By using blockchain analytics, projects can avoid the kinds of oversight demonstrated in the delayed response to the Ronin attack, and save precious time in handling the fallout.
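The delayed response described above is the kind of gap on-chain monitoring is meant to close. As an added example (written for this post, not a CertiK or Skynet tool), the following runs two simple rules over a stream of bridge withdrawal events: a single withdrawal far above the median of recent ones, and cumulative outflow exceeding a fraction of the bridge's total value locked. The sample events, addresses, amounts and the TVL figure are constructed; they are shaped so that routine traffic passes silently and two outsized withdrawals raise alerts on the block in which they land rather than a week later.

```python
"""Outflow monitoring over bridge withdrawal events.

Added illustration: addresses, amounts, block numbers and the TVL figure are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Tuple


@dataclass(frozen=True)
class Withdrawal:
    block: int
    to: str
    amount_usd: float


Alert = Tuple[int, str, str]  # (block, rule, detail)


def detect_outflow_anomalies(events: List[Withdrawal], tvl_usd: float,
                             baseline_window: int = 10, spike_factor: float = 20.0,
                             drain_fraction: float = 0.10) -> List[Alert]:
    """Two rules a bridge operator can evaluate as each withdrawal event arrives.

    spike: one withdrawal more than spike_factor times the median of the recent window
    drain: cumulative outflow since monitoring began exceeds drain_fraction of TVL (fires once)
    """
    alerts: List[Alert] = []
    history: List[float] = []
    cumulative = 0.0
    drain_raised = False
    for e in events:
        if len(history) >= 3:  # need a minimal baseline before judging a spike
            base = median(history[-baseline_window:])
            if e.amount_usd > spike_factor * base:
                alerts.append((e.block, "spike",
                               f"{e.amount_usd:,.0f} USD vs recent median {base:,.0f} USD"))
        cumulative += e.amount_usd
        if not drain_raised and cumulative > drain_fraction * tvl_usd:
            drain_raised = True
            alerts.append((e.block, "drain",
                           f"cumulative outflow {cumulative / tvl_usd:.0%} of TVL"))
        history.append(e.amount_usd)
    return alerts


# Constructed sample: twelve routine withdrawals, then two that empty most of the bridge.
ROUTINE_AMOUNTS = [2_500, 12_000, 8_000, 30_000, 5_500, 21_000,
                   9_800, 15_000, 3_200, 40_000, 11_000, 7_400]
SAMPLE_EVENTS = [Withdrawal(100 + i, f"0xuser{i:02x}", float(a))
                 for i, a in enumerate(ROUTINE_AMOUNTS)]
SAMPLE_EVENTS += [
    Withdrawal(200, "0xconstructed_unknown", 350_000_000.0),
    Withdrawal(201, "0xconstructed_unknown", 250_000_000.0),
]
SAMPLE_TVL_USD = 1_000_000_000.0  # constructed


def run_sample() -> List[Alert]:
    """Run both rules over the constructed event stream."""
    return detect_outflow_anomalies(SAMPLE_EVENTS, SAMPLE_TVL_USD)


if __name__ == "__main__":
    for block, rule, detail in run_sample():
        print(f"block {block}: {rule}: {detail}")
```

The thresholds are deliberately coarse; in practice they would be tuned to the bridge's own traffic and paired with a paging channel, since an alert nobody reads is no better than the silence the post describes. The value of the drain rule in particular is that it does not depend on any one withdrawal looking odd: it catches an attacker who empties the bridge in several moderately sized transactions.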
Alongside blockchain analytics, projects that require points of privileged access should implement stringent internal processes that ensure all team members are steeled against potential attacks. Such measures would include the use of work-only devices, routinely educating staff, and fragmenting and dispersing private keys across multiple hardware devices.
The threat of privileged access management risk hammers home the need for teams to take an end-to-end approach to their projects’ security. As the examples above show, smart contract audits and team expertise are not enough to ensure 360˚ protection. Whilst these measures are essential to any web3 project that is serious about its security, they should be bolstered by other tools such as blockchain analytics and KYC verifications. It also bears repeating that auditing smart contracts just once before a project’s launch and calling it security is a lot like washing your hands once a month and calling it good hygiene. Instead, web3 projects should begin thinking in terms of having smart contract audits (plural), especially when making changes to their underlying code. Ultimately, security is something to be built and maintained, not bought and forgotten about, and having the foresight to invest in it will always be more cost-effective than attempting to clean up the damage after an attack.