Jeff Hu

@jj1385jeff850527

Learn Blockchain’s Top 25 Hacks in History

Part 1 (#25–#13)

Revealing techniques of 25 successful attacks on blockchain: from 2010 to 2018, $1.8+ billion USD.


Overview

Hacks on blockchains have always been a controversial topic. Countless exchanges and platforms have been exploited by talented attackers who made away with millions of dollars without leaving a trace.

Numerous great articles have focused on the procedure and impact of each attack, but this article steps aside to emphasize the technical approach behind it. No worries: rather than wading through sophisticated technical jargon, this post translates each attack method into a format that is friendly to children and grandparents.

The amount of detail made public varies from hack to hack. Some hacks disclosed very little, and some never reported the after-attack measures. This article tries to record and explain as much as possible.

Let’s get started!


Bitcoin Out of Thin Air — 92 Billion BTC

Date: Aug 2010

Attack

An integer overflow flaw in Bitcoin’s code was exploited at block #74638 to generate 92233720368.54277039 BTC. The overflow came from storing amounts in a 64-bit integer type that can hold at most 2⁶³-1; the amount generated, 9223372036854277039 satoshis, sits just below that limit.
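As an added illustration (not code from the post or from Bitcoin itself), the following model shows how per-output checks can pass while the summed value wraps around in a 64-bit integer, and how re-checking every partial sum against the supply cap closes the hole. The 0.5 BTC input and the two-output layout are a constructed sample, and the int64 wrap is emulated because Python integers do not overflow.

```python
# Amounts are in satoshis; constants mirror Bitcoin's accounting.
COIN = 100_000_000               # satoshis per BTC
MAX_MONEY = 21_000_000 * COIN    # supply cap; upper bound of MoneyRange

def wrap_int64(value: int) -> int:
    """Two's-complement wrap of a 64-bit signed integer (what a C++ int64 does)."""
    return (value + 2**63) % 2**64 - 2**63

def money_range(v: int) -> bool:
    return 0 <= v <= MAX_MONEY

def check_outputs_vulnerable(outputs):
    """Model of the pre-fix logic: each output only has to be non-negative, and the
    running total accumulates in a wrapping int64 that is never re-checked.
    Returns the total, or None if an output is rejected."""
    total = 0
    for v in outputs:
        if v < 0:
            return None
        total = wrap_int64(total + v)
    return total

def check_outputs_fixed(outputs):
    """Hardened logic: every output and every partial sum must stay in MoneyRange,
    so a total can never wrap, let alone go negative."""
    total = 0
    for v in outputs:
        if not money_range(v):
            return None
        total += v
        if not money_range(total):
            return None
    return total

def accepts_transaction(value_in: int, outputs, checker) -> bool:
    """Fee rule: a transaction may not create value, i.e. sum(out) <= sum(in).
    A wrapped negative total sails straight through this comparison."""
    total_out = checker(outputs)
    return total_out is not None and total_out <= value_in

# Constructed sample: two outputs of 92233720368.54277039 BTC each (the figure from
# the text, 9223372036854277039 satoshis) funded by a single 0.5 BTC input.
SAMPLE_OUTPUTS = [9223372036854277039, 9223372036854277039]
SAMPLE_VALUE_IN = COIN // 2
```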

After Attack

The Bitcoin community invalidated all the relevant transactions and rolled the ledger back to its pre-hack state.

AllinVain — 25,000 BTC ($500,000)

Date: Jun 2011

Attack

The world’s first publicly known victim of a cryptocurrency hack. The attacker broke into the victim’s hard drive and transferred a large chunk of the balance to an external wallet.


Mt. Gox 1st Hack — 2609 BTC ($50,000)

Date: Jun 19 2011

Attack

The attacker obtained an auditor’s credentials and altered the nominal value of BTC to 1 cent. The attacker then transferred 2609 BTC out of some client accounts, sold them at this artificially low price, and bought back nearly 650 BTC from another account.

After Attack

Mt. Gox suspended operations for several days and then resumed.


Bitcoinica: Hacked 3 Times — 122,000 BTC ($430,000)

Date: Mar / May / Jul 2012

1st Attack

The attacker decrypted Bitcoinica’s hot wallets hosted on Linode’s servers and made away with 43,554 BTC. Some individuals who used Linode’s servers were also hacked.

2nd Attack

The attacker gained access to Bitcoinica’s database, obtained users’ personally identifiable information and other sensitive details, and stole 38,000 BTC.

3rd Attack

The attacker stole 40,000 BTC. It was later reported that Bitcoinica’s funds had been held secretly at Mt. Gox, which subsequently refunded them.


BitFloor — 24,000 BTC ($85,000)

Date: Sep 2012

Attack

The attacker obtained unencrypted private keys that had been stored online as backups.

After Attack

BitFloor refunded the users, but it eventually closed down due to regulatory measures from its associated banks.


Mt. Gox 2nd Hack — 750,000 BTC ($350 million)

Date: Mar 2014

Attack

The attacker found that transactions were malleable: the details of a transaction could be edited so that it looked as if the original had never taken place.

Specifically, in an ordinary transfer, the attacker (the receiver) was able to manipulate the sender’s signature data before the transaction entered the blockchain, which changed the transaction ID. This tampered copy had a chance of being confirmed in place of the sender’s original transaction. In that scenario the attacker received the funds, yet from the sender’s point of view the original transaction never made it into the blockchain. The attacker (the receiver) could therefore ask for the transfer to be sent again, and would eventually receive the funds twice.
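The following added example (my own illustration, not code from the post or from Mt. Gox) shows why a tweak to the signature bytes changes the transaction ID while the payment itself is unchanged, and contrasts reconciling withdrawals by txid with reconciling by the outpoints actually spent. The serialisation is a simplified stand-in for Bitcoin’s wire format (an assumption), and the sample transaction is constructed.

```python
# A transaction here is {"vin": [(prev_txid, prev_index, script_sig)],
#                        "vout": [(value, script_pubkey)]}, amounts in satoshis.
import hashlib

def serialize(tx: dict) -> bytes:
    """Simplified serialisation (assumption): no version, varints or locktime."""
    out = bytearray()
    for prev_txid, prev_index, script_sig in tx["vin"]:
        out += prev_txid + prev_index.to_bytes(4, "little")
        out += len(script_sig).to_bytes(1, "little") + script_sig
    for value, script_pubkey in tx["vout"]:
        out += value.to_bytes(8, "little")
        out += len(script_pubkey).to_bytes(1, "little") + script_pubkey
    return bytes(out)

def txid(tx: dict) -> str:
    """txid = double-SHA256 over the whole serialisation, scriptSig bytes included."""
    return hashlib.sha256(hashlib.sha256(serialize(tx)).digest()).digest()[::-1].hex()

def malleate(tx: dict) -> dict:
    """Model of a third party re-encoding the signature data: the spend is assumed
    to stay valid, but the bytes differ, so the id differs."""
    return {"vin": [(p, i, s + b"\x00") for p, i, s in tx["vin"]], "vout": list(tx["vout"])}

def spent_outpoints(tx: dict) -> set:
    return {(p.hex(), i) for p, i, _ in tx["vin"]}

def confirmed_by_txid(sent: dict, confirmed: dict) -> bool:
    """Fragile reconciliation: only the exact id that was broadcast counts, so a
    malleated confirmation looks like a failed withdrawal and invites a resend."""
    return txid(sent) == txid(confirmed)

def confirmed_by_effect(sent: dict, confirmed: dict) -> bool:
    """Robust reconciliation: the payment went through if the same outpoints were
    consumed to pay the same outputs, whatever id ended up in the chain."""
    return spent_outpoints(sent) == spent_outpoints(confirmed) and sent["vout"] == confirmed["vout"]

def sample_withdrawal() -> dict:
    """Constructed sample: one input with placeholder signature bytes, one 1 BTC output."""
    return {"vin": [(bytes.fromhex("ab" * 32), 0, bytes.fromhex("30440201"))],
            "vout": [(100_000_000, b"\x76\xa9" + b"\x11" * 20 + b"\x88\xac")]}
```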

After Attack

Mt. Gox halted all BTC transactions right away. No refunds were made, and Mt. Gox eventually filed for bankruptcy.


Poloniex — 97 BTC (12.3% of all its BTC)

Date: Mar 04 2014

Attack

The attacker exploited a design flaw in Poloniex’s withdrawal code: withdrawal requests were processed simultaneously instead of sequentially, so the attacker could send multiple withdrawal requests within a short period and withdraw more than the balance allowed, eventually driving the balance negative.
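As an added example (my own model, not Poloniex’s code), the withdrawal flaw reduces to a check-then-act race: the balance is read and checked, and only later debited, so overlapping requests all pass the check against the same stale balance. The fix is to make the check and the debit one atomic statement. This uses an in-memory SQLite ledger, and the overlapping request is modelled by the `interleave` callback rather than real threads so the result is deterministic.

```python
import sqlite3

def new_ledger(user: str, balance: int) -> sqlite3.Connection:
    """Constructed single-user ledger; balances are integer units."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE balances (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("INSERT INTO balances VALUES (?, ?)", (user, balance))
    db.commit()
    return db

def balance(db: sqlite3.Connection, user: str) -> int:
    return db.execute("SELECT balance FROM balances WHERE user = ?", (user,)).fetchone()[0]

def withdraw_vulnerable(db, user: str, amount: int, interleave=None) -> bool:
    """Read the balance, decide, then debit: two separate steps. Any request
    processed in between sees the same stale balance and also passes the check."""
    if balance(db, user) < amount:
        return False
    if interleave is not None:
        interleave()                 # another withdrawal request runs here
    db.execute("UPDATE balances SET balance = balance - ? WHERE user = ?", (amount, user))
    db.commit()
    return True

def withdraw_fixed(db, user: str, amount: int) -> bool:
    """Check and debit in one statement; the database applies it atomically,
    so no other request can observe the balance between the two."""
    cur = db.execute(
        "UPDATE balances SET balance = balance - ? WHERE user = ? AND balance >= ?",
        (amount, user, amount))
    db.commit()
    return cur.rowcount == 1         # 0 rows touched means insufficient funds

def burst_vulnerable(db, user: str, amount: int, n: int) -> list:
    """n overlapping requests: every one passes the check before any debit lands."""
    results = []
    def request(k: int) -> None:
        if k > 0:
            results.append(withdraw_vulnerable(db, user, amount, lambda: request(k - 1)))
    request(n)
    return results

def burst_fixed(db, user: str, amount: int, n: int) -> list:
    """The same n requests against the atomic debit: only the first succeeds."""
    return [withdraw_fixed(db, user, amount) for _ in range(n)]
```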

After Attack

Poloniex reduced all of its holders’ balances by 12.3%, and later repaid all the losses.


Bitstamp — 19,000 BTC ($5.1 million)

Date: Jan 04 2015

Attack

The attacker stole 19K BTC from Bitstamp’s operational hot wallet.

After Attack

Bitstamp suspended all operations and subsequently moved to a multi-sig wallet.


The DAO — 3.6 million ETH ($55 million)

Date: Jun 2016

Attack

Clearly, it’s due to reentrancy. Lots of tutorials on it.

After Attack

The Ethereum community planned a soft fork, but another DDoS vulnerability was found in that code, so a hard fork became inevitable. The result is today’s Ethereum (the new, forked chain) and Ethereum Classic (the old chain that still contains the hack).


Steemit.com — Steem and Steem Dollars ($85,000)

Date: Jul 2016

Attack

The attacker hit 260 Steemit accounts and drained their balances.

The root cause was human error induced by a UI design flaw. Some users did not notice the difference between the memo field and the password field, and accidentally pasted their password into the memo, which is submitted along with the transaction. Those passwords were then kept public and immutable on the Steem blockchain, where a simple script could scrape the passwords of every user who made this fatal mistake.


Bitfinex — 120,000 BTC ($72 million)

Date: Aug 2016

Attack

Bitfinex had switched to BitGo’s multi-sig wallet 12 months earlier. The attacker found a vulnerability in that multi-sig architecture and took advantage of it.

After Attack

Bitfinex issued BFX tokens, redeemable in USD, to compensate victims, and the losses were refunded slowly and steadily afterward. The attack made the price of BTC drop from $607 to $515 in just a few hours.


CoinDash — ETH ($7 million)

Date: Jul 2017

Attack

The attacker manipulated the ICO address posted on CoinDash’s website, luring investors into sending their Ether to the wrong address when exchanging it for CoinDash tokens.

Wrap-up

I hope you enjoyed this brief introduction to the techniques behind each of the big hacks. Some of the attack details remain confidential and little has been made public; I have tried my best to organize and present the truth based on the references below.

There are 12 more hacks to go, including Veritaseum, Parity 1st hack, Enigma, Tether, Parity 2nd hack, NiceHash, Coincheck, BitGrail, Google Adwords, Bancor, Coinrail, Zaif, and a real bloody hacker fight that I have experienced.

Stay tuned!

Great References
