Merely couple of years ago many people considered blockchain a geek thing, a fad or a
 bubble. Their opponents claimed it was a hack-proof technology that would solve all
 trust and security issues modern world had been struggling with. It didn't take that
 much time to prove both sides wrong. Now it's quite clear that blockchain is about to
 become not only a foundation of so called New Internet, but also a massive game
 changer for the economy and banking systems as well as vast majority of businesses,
 industry and commerce sectors. It has its vulnerabilities, though, and knowing them is
 essential for implementing and using this technology for the greatest benefit. Both fiery acclaimers and non-believers might have been misled by blockchain's complexity that its rapid development and updating speed makes it quite hard to master or even fully understand. This very same complexity may be considered as a factor providing more security. On the other hand it allows to see blockchain as a well-mixed set of tools and disciplines (such as computer
 software, cryptography, game theory and distributed networks) that are vulnerable within themselves and thus separately create weak spots in the whole system. A can of bugs It could be such simple thing, known very well since the very beginning of the internet, as flaws
 in the code. The more a blockchain is complex, the harder it is to set it up correctly, without any
 bugs being the lowest-hanging fruit for the hackers. It's the problem with the execution and not
 with the technology itself, of course, but still quite common since many lines of code deployed
 on live blockchains are insufficiently tested. Probably the most (in)famous case of this threat is the DAO case. DAO first made history by
 setting the record for the largest crowdfunding campaign ever and raising $150 million. And then
 again, shortly after, by being attacked by a hacker who found out that the code allowed to transfer
 tokens from the same account for, like, 40 times before updating the account’s balance. Nobody
 knows why the hacker enriched himself with 'only' $55 million in cryptocurrency this way before
 deciding to abort his mission, but surely this story brought up some serious security questions. And some answers as well. Importance of code reviews, penetration testing and smart contract audits One of the solutions to avoid this kind of exploit may be, for example, subjecting the smart-
contract code not only to heavy peer review before deployment but also to audits conducted by
 professionals. Companies that specialize in this started emerging not that long ago, yet are already
 known to have prevented attacks similar to the one described above (e.g. Petar Tsankov's ChainSecurity saved Ethereum from the DAO-like catastrophe that would probably have taken
 place after a major software upgrade earlier this year). Kamil Górski from Blockhunters points out to two main reasons why the service his team
 provides might be extremely useful. First: the source code is usually visible on the blockchain due
 to its open-to-public nature. So if there is a bug, the hackers are more likely to find it than they
 would be in the 'old world'. Only between February 13 th and March 13 th over 40 bugs have been
 found in blockchain platforms and the research was conducted by so called white hat hackers,
 that is 'the good guys' who got payed for it much less than they could 'earn' by using their powers
 for evil (you can read more about it ). here And no team, even consisting of the best devs, is immune to bugs hackers pray on - mainly because the developer's job differs substantially from security experts / white hat hacker's job (more about suprises security audit may bring in ). Górski's post source: https://thenextweb.com/hardfork/2019/03/14/blockchain-cryptocurrency-vulnerability-bug/ Second thing is another key difference between blockchain and traditional software. In the latter,
 you can fix a bug with a patch but as far as the smart-contract code is concerned, you can't. A
 transaction on a blockchain cannot be undone. You can only 'upgrade' some contracts with
 additional contracts that interact with them or use a kill switch that stops all activity after a hack
 detection. But once the money is lost, it's lost forever, unless you get back to the point before the
 attack and create a so called hard fork to a new blockchain. Basically: create an alternative reality
 and have everyone agree that from now on we're gonna live in the new one. Not that easy to
 manage and even more controversial. But again, this was the Ethereum case after the DAO thing. Except a part of the network did not 'agree' and stuck with the original chain, called now
 Ethereum Classic. 51% attacks Let's stick with the Ethereum Classic as well for a moment for it has recently become an example
 of yet another problem. This time, it was not the code being the issue but rather the unique
 structure of blockchain itself. As Mike Orcutt neatly put it in his , article in MIT Technical Review ' ' a blockchain is a cryptographic database maintained by a network of computers, each of which stores a copy of
 the most up-to-date version. A blockchain protocol is a set of rules that dictate how the computers in the network,
 called nodes , should verify new transactions and add them to the database. source: https://hackernoon.com/ethereum-classic-attacked-how-does-the-51-attack-occur-a5f3fa5d852e To prove that they are trustworthy to do so, the nodes use great amounts of computing power in
 the process called mining. This Proof-of-Work protocol is utilized in most blockchains that
 cryptocurrencies exchange platforms are running on, which makes them susceptible to famous
 (mostly due to the HBO Sillicon Valley series) 51% attacks. Performing such an attack means
 gaining control of a majority of the network's mining power, which allows the hacker to create a
 mentioned above fork after sending other users payments that never happen in the new,
 alternative and authoritative version of the blockchain. And this lets him spend the same
 cryptocurrency more than once (so called double-spend). The smaller the blockchain is, the less computing power you need, so the whole process is easier and cheaper. That's why it's usually smaller coins falling prey to such practices. To attack Bitcoin,
 for example, one would have to spend over $260,000 per hour for renting enough mining power
 (according to the website). Crypto51 Ethereum Classic was just the first among top-20
 cryptocurrencies being successfully attacked. The attacker got away with more than $1,1 million
 out of over $20 million taken altogether in the last year alone due to this blockchain security
 issue. The 51% attacks are said to become soon both more common and severe, partly because of the
 'hashrate marketplaces' where one can rent enough computing power. This calls for the
 exchganging platforms being more picky about which cryptocurrencies they support. And 'if your
 blockchain utilizes a Proof-of-Work [...] consensus mechanism, you need to have security
 measures in place to prevent a 51% attack,' writes Ajay Chandhok in his , coming up
 with some piece of advice: 'Being vigilant of mining pools, implementing merged mining on a blockchain with a higher hashrate, or switching to a different consensus mechanism are all viable
 options.' blog post Other vulnerabilities Please don't forget that many security threats concern not the blockchains themselves but their
 endpoints where they're accessed by the humans. The latter use for this purpose various keys and
 passwords that are nearly impossible to crack. And this is why they are rather stolen. The stealing
 methods have been well known for decades and haven't changed that much whatsoever (e.g.
 malware, phishing). There are also many Web 3.0 scammers ready to empty crypto wallets of the
 most gullible blockchain users. One could come up with other possible security threats, such as hacking the random number
 generator that creates keys and thus weakening the encryption, or even performing a creative
 denial of service attack against a particular blockchain or whatever is using it. And many more,
 yet to be known, will surely emerge as the technology evolves. In fact, its growth can become an
 issue itself. As Rick Martin wrote in his : blog post ' '. […] we are approaching unknown territory with every gigabyte of expansion. The limited experience of the [...]
 industry means limited experience identifying and responding to problems. As with every technology, from airplanes
 to autonomous cars, experience comes at a price. The price for a blockchain security failure has not yet been high
 enough to require a major change to the system […] And it is worth remembering that despite all the problems outlined above, blockchain still
 remains the most secure technology ever invented, far more secure than what it's about to
 replace. Companies, governments and institutions willing to use this technology and benefit from
 it only have to make sure that their smart contracts are well-designed and that they stay up-to-
date with the latest preventative security measures addressing the arising security issues.

Ethereum Classic

Too Long; Didn't Read

Discover Saakuru: Web3 Mass-Adoption with 0-FEES

A New Internet's Foundation or A Damp Squib: How can “Security's Game Changer” Be So Insecure?

Too Long; Didn't Read

People Mentioned

Coin Mentioned

Radoslav Kobus

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

A New Internet's Foundation or A Damp Squib: How can “Security's Game Changer” Be So Insecure?

Too Long; Didn't Read

People Mentioned

Coin Mentioned

Radoslav Kobus

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES