
According to researchers, blockchain is not safe anymore

Academics describe scenarios that put the use of blockchain technology at risk

A couple of weeks ago, network security specialists from the
International Institute of Cyber Security reported an unusual
incident at Coinbase, a cryptocurrency exchange platform: an attack on
its blockchain.

In the attack, a hacker somehow managed to take
control of more than half of the network’s processing power and used it to
rewrite the transaction history in the blockchain. This made it
possible to spend the same cryptocurrency more than once (a practice known as
“double spending” in the cryptocurrency community).

According to specialists from the MIT Technology Review, since 2017 hackers have stolen nearly 2 billion dollars in virtual assets, mainly by attacking platforms such as Coinbase; moreover, this figure covers only known incidents, and undisclosed breaches have not been considered.

MIT Technology Review: Once hailed as unhackable, blockchains are now getting hacked

Blockchains are especially attractive to
groups of malicious hackers, mainly because, unlike in traditional financial
systems, transactions carried out this way cannot be reversed. In addition,
although blockchain technology has unique security features, it also suffers
from unique security vulnerabilities; developers who argue that blockchain
technology is “impossible to hack” should reconsider their claim.

Hacking a blockchain

A blockchain is a cryptographic database maintained
by a network of computers, each of which stores a copy of the most recently
updated version; that is what makes it so attractive to many organizations,
mainly financial ones. Even the New York Stock Exchange will be launching its
own blockchain implementation.

Recently, those in charge of the Zcash
cryptocurrency, which allows users to perform private transactions through
complex mathematical processes, revealed that they had corrected “a small
cryptographic flaw” incorporated into the Zcash protocol. But the protocol is
not the only thing that has to be secured; to exchange cryptocurrency on your
own or run a node you must run a software client, which can also contain
vulnerabilities.

Still, most recent hacking incidents did not
occur in the blockchain itself, but on exchange platforms, websites where
users can buy, exchange, or store their virtual assets.

51% attack

During the cryptomining process, nodes spend
enormous amounts of processing power to demonstrate that they are sufficiently
reliable to add information about new transactions to the database. If a miner
somehow manages to take control of most of the network’s mining capacity, it
can defraud other users by sending them payments and then creating an
alternative version of the blockchain in which the transaction was never
performed (this version is known as a “fork”).

The attacker, who controls most of the mining
power, can make the “fork” the authorized version of the blockchain, so they
can use the same cryptocurrency again.

Carrying out this type of attack against a
popular blockchain is very expensive, as specialists in network
security mention. According to experts, renting enough processing resources to
attack the Bitcoin blockchain would cost about $250k USD an hour. However, the
situation changes when it comes to less popular cryptocurrencies. Considering
that there are currently more than 1,500 virtual assets, such an attack becomes
highly probable; moreover, the fall in the prices of these assets means less
protection for their blockchains.

Smart contract attacks

A smart contract is a computer program that
runs on a blockchain network and is used to automate the circulation of
cryptocurrency according to its own rules.

The decentralized autonomous organizations
(DAO) were created in 2016 using the Ethereum blockchain system. Shortly
thereafter, an attacker stole over $60M USD in cryptocurrency by exploiting an
error in a smart contract that governed the DAO. This vulnerability allowed the
hacker to keep requesting money from the accounts without the system
registering that the transaction had already been performed.
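
The class of error described above, where funds are handed over before the ledger records the withdrawal, can be modelled outside a blockchain. The following is an added example, not code from the article or from the DAO contract: a toy Python ledger (all names and balances are constructed) showing the flawed ordering beside the hardened one, plus the accounting invariant a monitor can check.

```python
class Vault:
    """Toy ledger standing in for a fund-holding contract (constructed model)."""

    def __init__(self, deposits, record_first):
        self.balances = dict(deposits)
        self.pool = sum(deposits.values())
        self.record_first = record_first

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.pool:
            return
        if self.record_first:
            # Hardened order: update the ledger, then hand control to the payee.
            self.balances[who] = 0
            self.pool -= amount
            on_receive(amount)
        else:
            # Flawed order: the payee's code runs while the ledger still
            # shows the old balance, so a nested call passes the check again.
            self.pool -= amount
            on_receive(amount)
            self.balances[who] = 0

    def consistent(self):
        """Invariant a monitor can check: funds held equal funds owed."""
        return self.pool == sum(self.balances.values())


def simulate(record_first, max_calls=10):
    vault = Vault({"a": 50, "b": 50, "caller": 10}, record_first)  # constructed
    paid = []

    def on_receive(amount):
        paid.append(amount)
        if len(paid) < max_calls:       # payee asks again before returning
            vault.withdraw("caller", on_receive)

    vault.withdraw("caller", on_receive)
    return sum(paid), vault.pool, vault.consistent()


if __name__ == "__main__":
    print("flawed order:  ", simulate(record_first=False))
    print("hardened order:", simulate(record_first=True))
```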

In traditional computer systems,
vulnerabilities can be corrected with update patches, but this does not
apply to blockchain technology, as transactions in a chain cannot be reversed.

There are some alternative solutions. Although
smart contracts cannot be patched, adding another smart contract might
work as a sort of update. Developers can also implement central switches on a
network, so they can stop any process if they detect anomalous activity,
although, again, network security specialists emphasize that this does not
reverse the cryptocurrency theft once the process is completed.

The only way to recover the money is to rewrite
the transaction history: return to the point in the blockchain before the
attack, create a new link for a new blockchain and have everyone on the network
agree to use that specific point. This was the case with Ethereum; many users
accepted the transition to another blockchain, while the remaining users
developed Ethereum Classic.

Thousands of smart contracts could contain
vulnerabilities, according to recent research. Given the nature of the
blockchain, if there is an error in a smart contract, the hackers will surely
find it.
