Today @robin-kunzler, who leads DFINITY’s Security team, has provided a clear diagnosis of what happened behind the hack of the Odin.fun canister.
These are the most important paragraphs, but I suggest you carefully read the whole post, and follow his advice:
Whenever possible, use vetted libraries or platform features for security-critical functionality and do not implement it on your own. If you use third-party components that are security-critical, make sure they went through a security audit and ideally have a bug bounty program in place. A bug bounty program can incentivize and motivate people to look for and responsibly report bugs they find (see e.g. DFINITY’s bug bounty program).
Similarly, if you write security-critical components yourself and stakes are high, perform security audits and consider running a bug bounty program. Furthermore, ideally the development processes aim at high quality and security. Thorough design and peer reviews and testing increase confidence. The ICP security best practices should be used as a reference.
What can be done to be better prepared for attacks?
- Observability - make sure you notice attacks. Ideally, projects implement automated alerting for suspicious activities, such as exceptionally large transfers, spikes in usage or logins, etc.
- Store data to enable forensic investigations. Logging important user actions such as authentication, transfers, withdrawals, etc. can prove very useful to retrospectively understand an attack, identify victims and attackers, trace funds and enable forensic investigations in general.
The key part, where the code contained an implementation error that enabled the hack and the stealing of funds, is explained here:
Here is the link to the full post:
Joseph Hurtado
Founder Satoshi Notes
Founder Granata Consulting
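The observability and forensic-logging bullets quoted above are the kind of thing a small rule-based monitor can cover: keep a structured record of authentications, transfers and withdrawals, then run simple rules over it. The following is an added example written for this post; it is not code from Robin's post, from DFINITY or from Odin.fun. The event records, the principal names and the thresholds (a transfer more than 10x the median of earlier transfers, more than 5 withdrawals in a 60-second window) are constructed assumptions for illustration.

```rust
// Added example (not DFINITY, Odin.fun or forum-post code): a minimal
// rule-based alerting pass over a structured log of security-relevant events.
// Every event below is constructed for the example.
use std::collections::BTreeMap;

#[derive(Debug, Clone, PartialEq)]
pub enum Kind { Login, Transfer, Withdraw }

#[derive(Debug, Clone)]
pub struct Event {
    pub ts: u64,           // seconds since epoch (constructed values)
    pub principal: String, // caller identity; assumed to be an ICP principal text
    pub kind: Kind,
    pub amount: u64,       // smallest token unit; 0 for logins
}

impl Event {
    pub fn new(ts: u64, principal: &str, kind: Kind, amount: u64) -> Self {
        Event { ts, principal: principal.to_string(), kind, amount }
    }
}

#[derive(Debug, Clone, PartialEq)]
pub enum Alert {
    LargeTransfer { ts: u64, principal: String, amount: u64, median: u64 },
    Spike { kind: Kind, window_start: u64, count: usize },
}

/// Median of a non-empty sample (average of the two middle values when even).
fn median(mut v: Vec<u64>) -> u64 {
    v.sort_unstable();
    let n = v.len();
    if n % 2 == 1 { v[n / 2] } else { (v[n / 2 - 1] + v[n / 2]) / 2 }
}

/// Flag transfers/withdrawals larger than `factor` times the median of the
/// earlier, non-flagged transfers. Flagged amounts are kept out of the baseline
/// so one huge transfer cannot drag the median up and hide the next one.
pub fn large_transfer_alerts(events: &[Event], factor: u64, min_history: usize) -> Vec<Alert> {
    let mut baseline: Vec<u64> = Vec::new();
    let mut alerts = Vec::new();
    for e in events.iter().filter(|e| e.kind != Kind::Login) {
        if baseline.len() >= min_history.max(1) {
            let med = median(baseline.clone());
            if e.amount > med.saturating_mul(factor) {
                alerts.push(Alert::LargeTransfer {
                    ts: e.ts, principal: e.principal.clone(), amount: e.amount, median: med,
                });
                continue; // do not poison the baseline with the outlier
            }
        }
        baseline.push(e.amount);
    }
    alerts
}

/// Flag fixed time windows in which more than `max_per_window` events of `kind` occur.
pub fn spike_alerts(events: &[Event], kind: Kind, window_secs: u64, max_per_window: usize) -> Vec<Alert> {
    assert!(window_secs > 0, "window must be non-zero");
    let mut buckets: BTreeMap<u64, usize> = BTreeMap::new();
    for e in events.iter().filter(|e| e.kind == kind) {
        *buckets.entry(e.ts / window_secs).or_insert(0) += 1;
    }
    buckets.into_iter()
        .filter(|(_, count)| *count > max_per_window)
        .map(|(bucket, count)| Alert::Spike { kind: kind.clone(), window_start: bucket * window_secs, count })
        .collect()
}

/// Run all rules with the example thresholds (assumed values, tune per project).
pub fn run_alerts(events: &[Event]) -> Vec<Alert> {
    let mut alerts = large_transfer_alerts(events, 10, 5);
    alerts.extend(spike_alerts(events, Kind::Withdraw, 60, 5));
    alerts.extend(spike_alerts(events, Kind::Login, 60, 5));
    alerts
}

/// Constructed log: ordinary activity, one outsized transfer, then a burst of withdrawals.
pub fn sample_events() -> Vec<Event> {
    let mut ev = vec![
        Event::new(1000, "alice", Kind::Transfer, 120),
        Event::new(1030, "bob", Kind::Transfer, 250),
        Event::new(1060, "carol", Kind::Transfer, 180),
        Event::new(1090, "alice", Kind::Transfer, 300),
        Event::new(1120, "dave", Kind::Transfer, 150),
        Event::new(1150, "bob", Kind::Login, 0),
        Event::new(1180, "eve", Kind::Transfer, 200),
        Event::new(1200, "mallory", Kind::Transfer, 50_000), // outlier
    ];
    for i in 0..12 {
        ev.push(Event::new(1300 + i, "mallory", Kind::Withdraw, 500)); // burst
    }
    ev
}

fn main() {
    for a in run_alerts(&sample_events()) {
        println!("{:?}", a);
    }
}
```

The same structured events that feed the rules are what a forensic investigation later needs: timestamp, caller identity, action and amount are enough to identify victims and attackers and to trace funds, which is why the example logs them as typed fields rather than free text.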