We get into trouble when we use words like “unsinkable” and “unhackable.” This is now the case with blockchain, which has long been touted as an immaculately secure mechanism for keeping tabs on transactions. But as blockchain has grown in popularity and expanded its usefulness beyond currency, new and increasingly worrying security issues have started coming to light. Some of these problems are a natural consequence of relying on any kind of digital infrastructure. Many others come down to simple human deviousness. Other examples of blockchain weaknesses, unfortunately, reveal shortcomings in the very foundation of the technology itself. Here’s a closer look at some of the ways criminals are managing to turn blockchain against its users.
What’s the Scale of the Problem?
In 2018, hackers made off with $1.7 billion thanks to clever cryptocurrency scams that take advantage of bitcoin’s underlying weaknesses. Of this, hackers lifted at least $950 million directly from cryptocurrency markets and their infrastructure, making for a three-fold increase over the losses reported in 2017. However, the losses could be higher. These numbers are based on what’s been reported and what security firms have uncovered through investigations.
Here are just some of the techniques used, some of which we’ll look at in greater detail in a moment:
- 51 percent attacks
- Initial coin offering (ICO) scams
- Ponzi schemes
- Hacks of crypto exchanges
- Exploits in client software
When these methods fail, would-be scam artists sometimes turn to “inside jobs.” That means that, instead of targeting digital infrastructure, fraudsters engage in some old-fashioned grifting aimed directly at investors and at everyday users of crypto exchanges. Think email-based phishing scams, password theft and similar techniques.
How Hackers Can Compromise Blockchain
The question now is how hackers and fraudsters manage to leverage blockchain weaknesses in the first place. How do you outwit an unhackable system?
Remember, blockchain is a database of information shared across computers. Each computer (“node”) on the blockchain contains the most recent version of each piece of information. In a cryptocurrency exchange, the information shared across nodes includes the nature, and amount, of all monies (“coins”) that have changed hands. It’s extremely difficult for bad actors to falsify transactions precisely because the ledger is decentralized: a falsified transaction would have to be reflected on every node in the ledger.
This brings us to a major point of potential failure: blockchain protocols. These protocols instruct each node to verify and record new transactions. Each protocol is built on game theory, cryptography and other mathematical principles to keep it “on the level.”
But the code comprising these blockchain protocols is precisely that: computer code. Coders make every attempt to squash bugs in the software they’re building, but that doesn’t mean oversights don’t happen. In fact, having human coders all but guarantees it.
One cryptocurrency company, called Zcash, admitted recently that they’d had to dig into their source code to find the source of a “subtle cryptographic flaw” in their protocols. If the company hadn’t spotted the bug, an attacker could have exploited it to create an unlimited amount of counterfeit cash. Or, rather, “Zcash.”
The company fixed the problem in their code and alerted their users, but stories like this are dealing a harsh blow to blockchain’s legitimacy and giving a lot of companies, investors and general users pause. It’s just the beginning.
Other Exploitable Blockchain Weaknesses
In September 2018, Bitcoin Core — which develops the main client used by cryptocurrency Bitcoin — disclosed its own behind-closed-doors bug-fixing scramble. The problem was a little different from the Zcash issue, but the result was the same: a potential mass counterfeiting of cryptocurrency. This time, developers traced the flaw to the software client itself. To trade cryptocurrency or operate a node, users have to install a software-based dashboard. These software suites are just as likely to have exploitable weaknesses “baked right in” as anything else built on computer code.
With blockchain protocols and user dashboards both outed as potential points of failure, what else do blockchain users and investors need to look out for?
So-called “51 percent attacks” are another example of how the underlying technology behind blockchain can be subverted for personal gain.
A 51 percent attack is one in which a criminal gains control of a majority of the computing power sustaining a blockchain. Each node in the system expends a great deal of computing power to mine cryptocurrency as well as to “prove itself” as a good-faith participant in public ledgers. But when 51 percent or more of this computing power turns toward malign purposes, any number of things can happen. A “hard fork” is one eventuality.
Hackers attempting a hard fork effectively create their own blockchain within the existing one and then build their own set of financial records. The result is that they effectively get to spend their “winnings” twice — they spend money on the existing exchange, then invoke their “alternative financial records” to spend the same funds all over again. Their falsified records become the new normal.
The good news is, the more widely used a blockchain is, the more unrealistically expensive it is to hijack its computing power. Hijacking Bitcoin would cost an estimated $260,000 per hour. Doing the same to Ethereum would cost $1124. But lesser-known cryptocurrencies could become the target of 51 percent attacks with a relatively paltry expenditure of just $1 to $50 per hour.
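The 51 percent figure is the limit of a more general result: a miner controlling any fraction q of the hash power has some chance of rewriting history, and that chance shrinks as a transaction is buried under more confirmations. The Python below, added here as an example and not part of the original article, implements the catch-up probability from the Bitcoin whitepaper (Nakamoto, 2008, section 11) and uses it to pick how many confirmations an exchange should wait for before crediting a deposit; the risk threshold of 0.1 percent is an assumed policy value.

```python
import math


def catch_up_probability(q, z):
    """Probability that an attacker holding fraction q of the hash power
    eventually overtakes the honest chain once a block is z confirmations deep.
    Formula from the Bitcoin whitepaper: the honest chain gains z blocks while
    the attacker's progress is Poisson with mean z*q/p; from k blocks behind
    the attacker still catches up with probability (q/p)**(z-k)."""
    if z <= 0 or q >= 0.5:
        return 1.0          # at 51 percent (or more) the attacker always wins eventually
    if q <= 0.0:
        return 0.0
    p = 1.0 - q
    ratio = q / p
    lam = z * ratio
    total = 0.0
    for k in range(z + 1):
        # Poisson term computed via logs so large z does not overflow lam**k / k!
        poisson_k = math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))
        total += poisson_k * (1.0 - ratio ** (z - k))
    return 1.0 - total


def confirmations_needed(q, max_risk):
    """Smallest confirmation depth whose catch-up probability is below max_risk.
    A deposit policy for an exchange: do not credit funds before this depth."""
    if q >= 0.5:
        raise ValueError("no confirmation depth is safe at 50 percent or more")
    z = 0
    while catch_up_probability(q, z) >= max_risk:
        z += 1
    return z


if __name__ == "__main__":
    # Assumed policy: accept at most a 0.1 percent chance of a rewritten deposit.
    for share in (0.10, 0.20, 0.30, 0.40):
        print(f"attacker with {share:.0%} of hash power -> "
              f"wait {confirmations_needed(share, 0.001)} confirmations")
```

The whitepaper's own table gives 0.2045873 for q = 0.1 at one confirmation and 0.0002428 at six, which is where the customary "six confirmations" rule for Bitcoin comes from; for a small coin where a single party can rent a majority of the hash rate, no depth helps.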
Blockchain makes “smart contracts,” another next-generation concept, possible. And they’re another potential point of failure.
A smart contract is a digitally enhanced legally binding agreement in which transactions or other events are carried out automatically after agreed-upon conditions have been met. For example, a smart contract could automatically transfer funds from one company to another after an exchange of goods.
According to the CEO of AnChain.ai, a blockchain security company, tens of thousands of smart contracts may contain a vulnerability, not unlike those being leveraged in blockchain protocols and client software. These vulnerabilities include flawed lines of code that could allow dishonest parties to keep requesting the funds allotted by the smart contract, again and again, even if the payment has already been made.
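The flaw described above, where a party keeps requesting the same funds after it has already been paid, is a re-entrancy bug: the contract hands money out before it records that the balance was spent. The Python model below is added here as an illustration and is not the article's or any project's code; it simulates a deposit contract with that ordering flaw beside the corrected ordering (record first, then pay), using constructed account names and balances.

```python
class Vault:
    """Toy model of a contract that holds deposits and pays them back on request.
    Constructed for illustration; account names and balances are made up."""

    def __init__(self, pay_before_recording):
        self.balances = {}
        self.pool = 0                     # total funds the contract holds
        self.pay_before_recording = pay_before_recording

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, pay_out):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.pool:
            return
        if self.pay_before_recording:
            # Flawed ordering: the external call runs while the ledger still
            # shows the full balance, so a recipient whose payment handler
            # calls withdraw() again is paid again.
            self.pool -= amount
            pay_out(amount)
            self.balances[who] = 0
        else:
            # Checks-effects-interactions: update state first, then interact.
            self.balances[who] = 0
            self.pool -= amount
            pay_out(amount)


def simulate(pay_before_recording):
    """Return (total paid to the re-entering account, funds left in the pool)."""
    vault = Vault(pay_before_recording)
    for who, amount in (("alice", 50), ("bob", 30), ("mallory", 10)):
        vault.deposit(who, amount)
    paid = []

    def reentering_payout(amount):
        paid.append(amount)
        # The recipient's payment handler asks for its balance again.
        vault.withdraw("mallory", reentering_payout)

    vault.withdraw("mallory", reentering_payout)
    return sum(paid), vault.pool
```

With the flawed ordering a 10-unit balance empties the whole 90-unit pool, including other depositors' funds; with the corrected ordering the second request sees a zero balance and exactly 10 units are paid.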
How to Fight Back?
“Patching” blockchain weaknesses like these isn’t always as easy as deploying clean code. Smart contracts are automated to such a degree that reversing a transfer of funds is effectively impossible. The very technology behind blockchain was designed to be as tamper-proof as possible. This makes smart contracts one of the most urgent problems that need solving in the security world.
Flawed smart contracts could be fixed by deploying additional contracts that act on the original terms. It’s the closest equivalent of a straight bug fix. Smart contracts could also incentivize and reward “white hat” hackers for finding and reporting exploitable bugs.
The lesson here is that blockchain technology holds a great deal of potential for every industry on earth — but also that it’s vulnerable in ways both familiar and totally novel.
Featured Image: Designed by Freepik