More and more security gaps are emerging in cryptocurrencies and smart contract platforms, and all this is due to the way they are built. Coinbase’s security team noticed something strange when buying and selling cryptocurrencies on their platform. The blockchain history of all transactions was attacked, somehow an attacker had gained access to the private key of one of their users and used the computing power of the network to rewrite the transaction history.
This allows the same cryptocurrency to be issued more than once, known as double spending.
The attackers were seen seizing $1.1 million, but Coinbase claims none of their accounts actually had any of the stolen currency. A second popular exchange, Gate.io, admitted they were not so lucky as they lost half of their daily revenue to the attackers and returned half a day later in a strange way.
In total, hackers have stolen nearly $4 billion worth of cryptocurrencies from exchanges since the beginning of 2017, and that’s exactly what has been made public. Overall, hackers are stealing a nightmare scenario that was largely theoretical a year ago. There have been so-called 51% attacks on the blockchain in the last year alone, raising the stakes for the emerging industry.
Analysis firm Chainalysis recently said that perhaps a billion dollars may have been stolen from the stock markets, and we should not be surprised. These are opportunistic lone wolves, but even sophisticated cybercrime organisations are doing it now, so we are not only surprised.
Blockchains are particularly attractive to thieves because fraudulent transactions cannot be undone, as is often the case in the traditional financial system. We have also long known that blockchains have many other advantages, such as anonymity, privacy, and the possibility of being manipulated.
The marketing slogans and headlines that call the technology un-hackable are completely wrong, and we are beginning to see what this inherent weakness might mean for the future of blockchains and digital assets. We understand that Bitcoin was created over a decade ago, but what does that mean in practice? How was the blockchain hacked and what do these inherent weaknesses mean for our future blockchain digital assets?
Before we move on, I would like to clarify some terms for those of you who are unfamiliar with the history of blockchain and digital assets in general, and Bitcoin in particular please view my video ‘What is Blockchain technology?’.
Blockchain is a cryptographic database maintained by computers that store copies of the latest version of themselves. The protocol uses cryptography, game theory, and economics to motivate nodes to work for network security, rather than attacking it for personal gain. Properly set up, the system can make it much easier to add fake transactions than to verify valid ones. Blockchain protocol is a set of rules that dictates how computers in a network of so-called “nodes” should check new transactions and add them to the database.
This has enabled many financial companies to set up their start-ups, such as banks and insurance companies. Even central banks are now considering using the new digital form of the national currency. Blockchain will soon be integrated into existing financial systems and services will be introduced on the Intercontinental Exchange, which owns the New York Stock Exchange.
The more complex the blockchain system, the more opportunities there are to make mistakes during setup. Earlier this month, Bitcoin, a cryptocurrency that uses extremely complicated mathematics to allow users to make private transactions, revealed that it had secretly fixed a subtle cryptographic flaw that had been accidentally baked into the logs. An attacker allegedly took advantage of this by making indefinite false payments, according to a New York Times report.
Fortunately, no one seems to have done any of this, according to the Bitcoin Foundation, the world’s largest cryptocurrency exchange and trading platform.
But protocol is not the only thing that needs to be secure, and it is not the place where people can buy and hold cryptocurrencies. To trade cryptocurrencies and operate as nodes, software clients must run and may also contain vulnerabilities. In September, developers of Bitcoin Core, a major customer, had to fix a bug that would have allowed an attacker to mint as many Bitcoins as the system was supposed to allow. The hack, which caught the attention of the US Department of Homeland Security and the Federal Bureau of Investigation, was not only a hack against the Bitcoin protocol, but also against Bitcoin itself.
Many of these raids could be attributed to poor basic security practices, but not all, according to a recent study by the US Justice Department.
Vulnerabilities and attacks are inherent in most cryptocurrencies, and the attack on Ethereum Classic in January changed that. The vulnerability to attack is inherent in most cryptocurrencies, but not all, according to a recent study.
Most are based on blockchains, which use evidence-of-work as a protocol for checking transactions. In this process, also known as mining, nodes use enormous amounts of computing power to prove that information is contained in a new transaction database. A miner who has somehow gained control of the majority of the network’s mining power can defraud other users by sending them payments and then creating an alternative version of a blockchain in which the payments never took place.
This new version is called fork, and an attacker controlling most of the mining power can fork a major version of that chain and continue to issue the same cryptocurrency.
According to the website Crypto51, it would currently cost more than $260,000 an hour to hire enough mining power to attack Bitcoin. Attempts at an attack are likely to be extremely expensive for such a popular blockchain. But if you look at the cost of dismantling other popular blockchains like Ethereum, Bitcoin, and Litecoin, it gets much cheaper.
In mid-2018, the attackers began attacking easily traded coins and stealing an estimated $20 million in total. Falling coin prices made it even cheaper, as miners shut down their machinery and left the network with less protection. In the fall, hackers stole $100,000 in a series of attacks on the currency Vertcoin. Ethereum Classic, which raised more than $1 million, was the first in the top 20 currencies.
One driver of the trend is the so-called hashraid, which attackers can use to hire computing power for attacks. Blockchain-based file storage platform Bitstamp predicts that 51% of attacks will continue to increase in frequency and severity, and exchanges will bear the brunt of the damage caused by duplication of spending.
Apart from the attack on 51%, there is another effect that researchers are only just beginning to explore. Coincidentally, this is also a key factor in understanding Ethereum Classic and its potential impact on the exchange. The exchanges will ultimately have to be much more restrictive when it comes to which cryptocurrencies they should support.
Smart contracts are computer programs that run on the blockchain network and can be used to automate the movement of cryptocurrencies according to prescribed rules and conditions. They may also be used to facilitate the transfer of funds from one party to another or between two parties without the need for a third party.
The advantage that is of interest here is the possibility of creating a voting mechanism through which investors in venture capital funds can jointly decide how money is to be distributed. In 2016, DAO, one of the world’s largest and most successful smart contracts, was founded on the blockchain system Ethereum. Attackers stole more than $60 million worth of cryptocurrencies by exploiting a flaw in the smart contract that was responsible for them. This error essentially allowed the hackers to continue to demand money from the account, even though the system had registered that the money had already been withdrawn.
With conventional software, the bug can be fixed with a patch, but this hack shows the vulnerability of Ethereum’s Smart Contract System and the potential for future attacks.
The introduction of smart contracts is a bit like launching a rocket, because transactions on the blockchain cannot be reversed. But in a blockchain world, it’s not that easy, says Michael O’Brien, co-founder of a smart contract security startup called ChainSecurity.
The software cannot make mistakes, and there are no fixes, whether in the form of a bug fix or even a new version of the software itself.
The contracts cannot be improved by using additional smart contracts to interact with them, and they cannot be patched up. To stop the activity when a hack is detected, developers build a central kill switch into the network to stop all activity.
But by then it will be too late, because the money has already been stolen from users. The only way to get them back is to rewrite history and get back to the point of blockchain before the attack happened, to create a distraction to a new blockchain and forget that everyone on the network is using it instead.
This is what the developers of Ethereum decided to do: Most, if not all, of the community switched to the new chain, which is now known as Ethereum. A small group of holdouts remained on the original chain that became the Ethereum Classic.
Last month at ChainSecurity and Ethereum saved the DAO disaster from a possible repeat. During a planned software upgrade of the Ethereum classic chain, the company informed the leading developers of Ethereum that they would still have some blockchain contracts with the same type of bugs that led to the DAO hack. The developers have immediately postponed the upgrade and will try again at the end of the month.
Hundreds of valuable Ethereum Smart Contracts are vulnerable to so-called retracy bugs. According to a study last year, tens of thousands of contracts contain various types of vulnerabilities.
This is very different from traditional cybersecurity, “said Fang, who previously worked for cybersecurity firm FireEye. The nature of public blockchains means that even if a flaw exists in the smart contract, hackers can find it because the source code is often visible on the blockchain.
In August, a lawyer identified a highly sophisticated attack that exploited a loophole in a popular gambling game to steal $4 million from the account of a former US Army officer and his wife. Those with thousands or millions of dollars in assets have lured hackers to attack banks and governments with their assets.
Other companies, are developing testing services based on established computer technology called formal verification. AnChain AI is one of several new start-ups that have signed smart contracts to combat the blockchain hacking threat. It uses artificial intelligence to monitor transactions and detect suspicious activity. The smart contract code can search for known vulnerabilities and hackers can be defeated within minutes using the company’s intelligent contract technology.
The goal is to prove mathematically that the code in the contract actually does what its creators intended. A number of audit tools that have emerged over the past year or so have enabled smart contract creators to eliminate many of the low-hanging fruit, he added.
It is also possible to use additional smart contracts to set up blockchain – error-based premiums – but the process can be expensive and time-consuming. He said he would encourage people to report deficiencies in return for a reward in cryptocurrencies.
After all, blockchain is a complex economic system that depends on human erratic behaviour. It only goes so far that the code is clean and people will always look for new ways to play with it.
Although blockchain technology has long been touted for its security, it is still vulnerable. Sometimes this can be attributed to sloppy execution or unintentional software errors, but sometimes it’s due to a lack of understanding of blockchain security mechanisms, or even a combination of the two. With so many blockchains in the world, we have learned much more about what they really mean than what we knew theoretically when technology was first introduced.