Blockchain technology has garnered significant attention due to its various use cases and potential for disruption. It first manifested as the technology behind the cryptocurrency Bitcoin, which experienced a precipitous rise and subsequent crash of Hollywood-esque proportions, but is now in use by other businesses as well.
One of the main reasons blockchain is so popular is its inherent structure – it uses peer-to-peer networks and registers to store transactions, and is designed as a digital log file and stored as a series of linked groups, or blocks. Each and every block is locked cryptographically with the previous block, and once a block has been added, it cannot be altered.
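To make the linking concrete, here is an added example (not code from the original article or from any blockchain project) of a toy hash-linked ledger. It shows that an in-place edit is caught at the next block, and that an attacker who recomputes every later link is only caught when the chain is compared against a head hash the verifier already trusts. All names and the sample records are constructed for illustration.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder for the first block's predecessor

def block_hash(block):
    """SHA-256 over a canonical JSON encoding of the block."""
    payload = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(records):
    """Link each block to its predecessor by embedding the predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        block = {"index": i, "data": data, "prev_hash": prev}
        chain.append(block)
        prev = block_hash(block)
    return chain

def first_broken_link(chain, trusted_head=None):
    """Index of the first block whose prev_hash is wrong; len(chain) if only the
    trusted head hash disagrees; None if every check passes."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev:
            return block["index"]
        prev = block_hash(block)
    if trusted_head is not None and prev != trusted_head:
        return len(chain)
    return None

def relink(chain, start):
    """Recompute prev_hash for every block after `start`, as a rewriter would have to."""
    for i in range(start + 1, len(chain)):
        chain[i]["prev_hash"] = block_hash(chain[i - 1])

# Constructed sample ledger entries.
RECORDS = ["alice->bob:5", "bob->carol:2", "carol->dave:1", "dave->erin:1"]

def demo():
    chain = build_chain(RECORDS)
    head = block_hash(chain[-1])             # head hash known to honest peers
    clean = first_broken_link(chain, head)
    chain[1]["data"] = "bob->mallory:2"      # tamper with an already-linked block
    after_edit = first_broken_link(chain, head)
    relink(chain, 1)                         # rewrite all later links
    links_only = first_broken_link(chain)    # internal links look consistent again
    with_head = first_broken_link(chain, head)
    return clean, after_edit, links_only, with_head
```

In a real network the trusted head comes from consensus, and proof-of-work makes the relinking step expensive, which is why the share of hashing power an attacker controls matters.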
Due to this structure, blockchain technology has been hailed as ‘unhackable’, but recent studies and reports demonstrate that even blockchain is susceptible to various cybersecurity attacks. In fact, in June 2016, criminals attacked the distributed autonomous organization, or DAO, by exploiting a recursive calling vulnerability, and stole around $60M. In March 2014, criminals exploited a transaction mutability vulnerability in Bitcoin to attack MtGox, causing its collapse with approximately $450M in Bitcoin stolen.
With any new technology or code, the risk of creating vulnerabilities runs high as human developers will naturally make errors, which can, unfortunately, be exploited by nefarious parties. For instance, an investigation by Hard Fork has revealed that cybersecurity researchers detected over 40 vulnerabilities in some blockchain and cryptocurrency platforms in the period between February 13 and March 13. Block.one attributed the vulnerabilities in four of the bug reports they received to a buffer overflow fault. The flaw is said to have made their software vulnerable to arbitrary code injection.
Besides human-related vulnerabilities, blockchain itself possesses a number of vulnerabilities and risks. Below is a table taken from “A Survey on Blockchain Cybersecurity Vulnerabilities and Possible Countermeasures”, published by Wiley in January 2019, that illustrates the main risks with blockchain systems.
51% attack
If a single miner’s hashing power accounts for over 50% of the total hashing power of the entire blockchain, a 51% attack can be launched to arbitrarily manipulate and modify blockchain information. For popular blockchains, attempting this sort of heist is likely to be extremely expensive. According to the website Crypto51, renting enough mining power to attack Bitcoin would currently cost more than $260,000 per hour. But it gets much cheaper quickly as you move down the list of the more than 1,500 cryptocurrencies out there.
Toward the middle of 2018, attackers began springing 51% attacks on a series of relatively small, lightly traded coins including Verge, Monacoin, and Bitcoin Gold, stealing an estimated $20 million in total.
Private key security
Once a user’s private key is lost, it cannot be recovered. If the private key is stolen by criminals, the user’s blockchain account can be tampered with by others, and because there are no centralized institutions that manage the blockchain, it’s difficult to track the criminal’s activity and recover the modified blockchain information.
Double spending
Double spending occurs when a consumer uses the same cryptocurrency multiple times for transactions. An attacker could leverage a race attack to initiate double spending: the attacker just needs to exploit the intermediate time between two transactions’ initiation and confirmation to quickly launch an attack. Before the second transaction is rejected as invalid during mining, the attacker has already obtained the first transaction’s output, resulting in double spending.
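The hashing-power share behind a 51% attack and the confirmation window behind a race attack can be tied together numerically. The following is an added example, not part of the original article: it uses the catch-up probability model from section 11 of the Bitcoin whitepaper (a source the article does not cite) to estimate how many confirmations a recipient should wait for before treating a payment as final. The function names and the 0.1% risk threshold are assumptions chosen for illustration.

```python
import math

def attacker_success(q, z):
    """Probability that an attacker holding share q of total hashing power ever
    overtakes an honest chain that is z blocks ahead (whitepaper model)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z must be >= 0")
    p = 1.0 - q
    if q >= p or z == 0:
        return 1.0            # majority hash power, or nothing to catch up on
    if q == 0.0:
        return 0.0
    ratio = q / p
    lam = z * ratio           # expected attacker progress while z blocks are mined
    total = 1.0
    for k in range(z + 1):
        # Poisson(k; lam) evaluated in log space so large z does not overflow.
        poisson = math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
        total -= poisson * (1.0 - ratio ** (z - k))
    return total

def confirmations_needed(q, risk=0.001, limit=2000):
    """Smallest z for which the attacker's success probability drops below risk.
    Returns None if no z up to limit is enough (always the case for q >= 0.5)."""
    for z in range(limit + 1):
        if attacker_success(q, z) < risk:
            return z
    return None

def report(shares=(0.10, 0.20, 0.30, 0.40, 0.51)):
    """Map each attacker share to the confirmations a merchant should require."""
    return {q: confirmations_needed(q) for q in shares}
```

Once the attacker's share reaches half of the network, no number of confirmations brings the risk below the threshold, which is the quantitative form of the 51% attack.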
Transaction privacy leakage
Because user behaviors in blockchain are traceable, blockchain systems need to protect the transaction privacy of users. In practice, users need to assign a private key to each transaction so attackers cannot determine whether the cryptocurrency in different transactions is received by the same user. Unfortunately, privacy protection measures in blockchain aren’t very robust, and some research found that 66% of transactions sampled do not contain any mixins, or chaff coins, that prevent attackers from inferring the linkage of coins spent by the transaction.
Recent Breaches and Attacks on Blockchain
There’ve been a number of high-profile blockchain-related security breaches over the past few years, and many sound like familiar versions of traditional computer security breaches. According to Emin Gün Sirer, an associate professor in computer science at Cornell University with expertise in developing cryptocurrency protocols and investigating blockchain security flaws, “the greatest security threat [to blockchain] involves targeted attacks on clients, as well as shared platforms such as exchanges.” Qualitatively, this checks out because attackers make cost-benefit analyses like any other individual, and they prioritize activities that will deliver the highest yield for the lowest effort investment.
In one case, a hacker gained access to an employee’s computer and used malware to steal private keys from digital wallets. That allowed the hacker to make off with more than $500 million in NEM coins from the Tokyo-based cryptocurrency exchange Coincheck during an incident disclosed in January 2018. In a related incident in 2017, a scammer set up a cryptocurrency wallet service and patiently waited for people to sign up over several months before making away with $4M from customers’ wallets. In total, hackers have stolen nearly $2BN worth of cryptocurrency since the beginning of 2017, mostly from exchanges, and that’s only what has been revealed publicly.
Blockchain Security: Potential Solutions
As awareness of blockchain’s security risks grows, startups have emerged to address the issues. Anchain.ai, founded in 2018 by Victor Fang, provides AI-powered solutions for code, infrastructure, and transaction analysis. In particular, Anchain’s smart contract audit platform can scan for vulnerabilities and threats on a given blockchain, and the team successfully detected the Fomo3D hackers who stole over $4M.
Separately, Chainalysis, founded in 2014, provides blockchain transaction monitoring solutions geared toward real-time transaction screening to identify fraudulent transactions, and helps detect and investigate cryptocurrency money laundering and compliance violations.
Despite all the buzz it’s received, blockchain technology is still in its infancy, and robust security processes and policies are desperately needed to address the vulnerabilities we’ve identified.