Adam Mazzocchetti Securely auditing a blockchain smart contract

The top 10 blockchain security hacks you should know.

Adam Mazzocchetti Blockchain Security

Distributed consensus, established trust, and distributed identity may sound like the ultimate security technology, which is foolproof, but new security attacks are emerging that are very mature. For anyone who develops and uses blockchain solutions, it is very important to understand these attack vectors. Although prevention is better than cure, some of these new security attacks have surfaced in recent years. 

If an attacker manages to shape a node to select a number of nodes as it’s malicious node, he can obscure the view of the original register and present the node with his own manipulated register. Once nodes get their view of the distributed register, they can be selected through a peer selection strategy or depend on a random number generator that selects any node as their malicious nodes. 

Sybil attack, an attacker will flood the network with a large number of nodes with pseudonymous identities and try to influence the networks. Unlike Eclipse attacks, which aim to change the user’s view of the true register, Sybil attacks are targeted at the entire network. 

In this case, the goal is not to target the user, but to create a number of nodes on the network as a whole with a branch register that allows the attacker to duplicate the output of other attacks. These nodes appear as independent individuals and are operated in the background by a single operator. 

This effectively provides the attacker with a small window to double output based on a cloak chain that can be built up once there are enough blocks in a row. Many blockchains consider the longest chain to be the latest version of the ledger, and if a selfish miner can build a long chain of self-made cloak blocks on the network, they can publish their private diversion that accepts this as a new truth. You can try to keep the cloak of the mode building blocks from the existing chain, but the transaction cannot be done until the long cloak chains are released, which reverses all transactions that have just been completed. 

China has reported that more than a million computers have been infected with malware that helps attackers steal data such as passwords, credit card numbers and other sensitive information. Malware harnesses the computer power of unsuspecting victims to gain access to cryptocurrencies and hackers, as well as to computers and computers in other countries. 

The probability of an attack on a small network is 51% or higher, while it is very difficult for a larger network to act. If a group has majority control over all transactions in the blockchain network, it can prevent certain transactions or undo – and reverse – old transactions. This depends on the internal timing, which is determined by the median time reported by the peer nodes. 

Suppose an attacker manages to add a lot of malicious people to your friends list, and then he can manipulate time. For example, you need to know your friend’s entire time, but not his address, phone number or even his e-mail address. 

The first step of this attack can be an eclipse attack on the target Node: If the block timestamp does not match the timestamp of the targeted node, it does not accept the blocks from the actual network. This allows the attacker to double his performance and perform a transaction on his target node, even though the transaction cannot be transmitted to actual blockchain networks. If you can mine a block of one transaction and keep it secret, there is a chance you will double your money. Once the attack on the target node is complete, it will not accept blocking of actual networks because its timestamp does not match its timestamps. 

If a trader accepts an unconfirmed transaction, the earlier transaction can be converted into his currency. Next, publish the previous mined block, which is kept secret until the new transaction is confirmed on the network. 

In this attack, an attacker transmits an unconfirmed transaction to both the merchant and the victim, while simultaneously executing the transaction that he has transmitted to the network. The difference is that the attacker has to advance or dismantle the block for his transaction that he wants to double. This would give the merchant the illusion that he was making the first transaction but never lodged it in the blockchain network, and it would be easy for him to launch an attack if his merchant node is directly connected to his own node and not to that of another merchant. 

A Smart Contract is a fully automated contract that handles transactions in a manner agreed by all parties involved. The transaction will become unchangeable after completion and drafting into the blockchain, and participants will be guaranteed a return based on the time to the conclusion of the contract that has been agreed. Smart contracts can be stopped as soon as they start or as long as the time for concluding a contract is agreed. 

Just think what would happen if an intelligent contract goes wrong and nobody can change it, and we will deal with such attacks and attack vectors in connection with smart contracts.  

The biggest exploitation in the history of cryptocurrencies was the DAO hack, the decentralised autonomous organisation was an ambitious feature of Ethereum. A company called Slock started crowdfunding for a project called DAA, which was overwhelmingly popular and brought in more than $1.5 million, or about $2 million a day, in less than a month. 

However, an attacker has identified a vulnerability in the code that could allow a recursive payout function to be performed without verifying the execution of the current transaction. The attacker started the attack by contributing a small amount and asking the recursive function to withdraw it. This allowed nearly $70 million to be pulled from the crowdfund, and events took an interesting turn. 

The Ethereum Foundation threatened to stop the attack or freeze the account, but he stopped it. The attack was stopped, and it has since stopped the attacks with the help of the US Federal Investigation Office (FBI) and other law enforcement agencies. 

The Ethereum Foundation took a hard line to get the money back, a decision that raised many concerns about the autonomy of smart contracts. Wallet contracts are so powerful that they can be integrated into a user’s wallet for regular automated payments. Hard folklore has led to a lot of confusion about smart contract security and its use in the Ethereum network. 

However, a critical feature was left open, resulting in a vulnerability that an attacker exploited. An attacker could insert his account into the contract library to become a user of a wallet that was introduced after a certain date. This then triggered a kill function that frozen the currency in the wallet, and $155 million was locked forever in cryptographically inaccessible wallets for days. 

This is very important, given that hard forks and soft forks are not practical options. While anyone can participate and their identity is anonymous, a blockchain deployment error can be very costly, as errors cannot be reversed. The attack vectors and vulnerabilities discussed in this article have no solution until they find a benefit, and even then they may not have a solution. So the best option is to have your smart contracts audited by a blockchain security specialist.