Part 1 (#25–#13)
Revealing techniques of 25 successful attacks on blockchain: from 2010 to 2018, $1.8+ billion USD.
Hacks on blockchain have always been controversial topics throughout history. Countless exchanges and platforms have been exploited by talented attackers who made away millions of dollars without leaving a trace.
Numerous great articles have been focusing on the discussion of the procedure and impact of an attack, but this article steps aside to emphasize the technical approach of the attack. No worries. Rather than going through sophiticated techie murmurs, this post translates the attack method into a format that is more friendly for children and grandparents.
Various hacks have different levels of details opened to the public. Some hacks disclosed too few, and some missed the after-attack measurements. This article will try to record and explain as much as possible.
Let’s get started!
Bitcoin Out of Thin Air — 92 Billion BTC
Date: Aug 2010
An integer overflow flaw in Bitcoin’s code has been exploited at block #74638 to generate 92233720368.54277039 BTC. The overflow has resulted from a type UINT64_MAX that can hold an integer up to at most 2⁶³-1, giving the number 9223372036854277039.
Bitcoin community canceled all relevant transactions and rolled back the ledger to the pre-hack state.
AllinVain — 25,000 BTC ($500,000)
Date: Jun 2011
World’s first cryptocurrency hacks victim. The hacker broke into the victim’s hard drive and transferred a large chunk of balance to an external wallet.
Mt. Got 1st Hack — 2609 BTC ($50,000)
Date: Jun 19 2011
The attacker obtained an auditor’s credentials and altered the nominal value of BTC to 1 cent. Afterward, the attacker transferred 2609 BTC from some clients to sell at this low price and purchased back nearly 650 BTCs from another account.
Mt. Got suspended the operations for several days but then carried it on.
Bitcoinica: Hacked 3 Times — 122,000 BTC ($430,000)
Date: Mar / May / Jul 2012
The attacker decrypted the Bitcoinica’s hot wallets hosted on the Linode’s server and made away with 43,554 BTC. Some individuals who used Linode’s server have also been hacked.
The attacker got access to Bitcoinica’s database, obtained users’ private identification information and sensitive details, and stole 38,000 BTC.
The attacker stole 40,000 BTC, but it has been reported that Bitcoinica’s funds were held in Mt. Gox secretly, which was later refunded.
BitFloor — 24,000 BTC ($85,000)
Date: Sep 2012
The attacker obtained the unencrypted private keys that stored online for backups.
BitFloor refunded the users, but it eventually closed down due to regulatory measures from its associated banks.
Mt. Got 2nd Hack — 750,000 BTC ($350 million)
Date: Mar 2014
The attacker found transactions malleable. The details of the transactions can be edited to make it like it never took place.
Specifically, in a general transfer transaction, the attacker (the receiver) was able to manipulate the sender’s signature before it goes into the blockchain, and changed the transaction ID. This new and tampered transaction has a chance to overwrite the sender’s original transaction, in which scenario, the attacker gets the funds yet it seemed like the sender does not successfully put the original transaction into the blockchain. The attacker (the receiver) can, therefore, ask for an additional transfer, who will eventually receive the funds twice.
Mt. Got halted all BTC transactions right away. No refunds were made. Eventually Mt. Got filed for bankruptcy.
Poloniex —97 BTC (12.3% of all its BTC)
Date: Mar 04 2014
The attacker exploited the faulty design of Poloniex’s withdrawal code. Because of that, the withdrawal requests were processed simultaneously instead of sequentially, the attacker could send multiple withdrawal actions within a short period of time to withdraw more than the balance allowed, making the balance negative eventually.
Polonies reduced all its holders’ balance by 12.3%, and later on repaid all the losses.
BitStamp — 19,000 BTC ($5.1 million)
Date: Jan 04 2015
The attacker stole 19K BTC from Bitstamp’s operational hot wallet.
BitStamp suspended all operations. And it moved on to use a multi-sig wallet.
The DAO — 3.6 million ETH ($55 million)
Date: Jun 2016
Clearly, it’s due to reentrancy. Lots of tutorials on it.
Ethereum community planned to do a soft fork but found another DDoS vulnerability inside the code, so a hard fork was inevitable. Right now we have Ethereum (new version) and Ethereum Classic (old hacked version).
Steemit.com —Steem and Steem Dollars ($85,000)
Date: Jul 2016
The attacker hit 260 Steemit accounts and drained their balances.
It’s a human error that was caused by a UI design flaw. Some users might not be aware of the difference between the memo and the password, and accidentally pasted their password at the memo field, which will be submitted along with the transaction. Those passwords will be kept public and immutable on the blockchain of Steemit! A simple script can simply scrape the passwords of numerous users who made this fatal mistake.
Bitfinex — 120,000 BTC ($72 million)
Date: Aug 2016
Bitfinex switched to use BitGo’s multi-sig wallet 12 months ago. The attacker found a vulnerability in its multi-sig architecture and took advantage of it.
Bitfinex issued BFX tokens to compensate victims, which are redeemable in USD. The victims lost are refunded slowly and steadily afterward. The attack made the price of BTC drop from $607 to $515 in just a few hours.
CoinDash — ETH ($7 million)
Date: Jul 2017
The attacker manipulated the ICO address posted on CoinDash’s website to lure investors into incorrect place for exchanging Ether for CoinDash tokens.
Hope you enjoy the brief intro to the techniques of each of the big hacks. Some of the attack details remain confidential and there’re not much opened to the public, I have tried my best to organize and present the truth based on the references below.
There are 12 more hacks to go, including Veritaseum, Parity 1st hack, Enigma, Tether, Parity 2nd hack, NiceHash, Coincheck, BitGrail, Google Adwords, Bancor, Coinrail, Zaif, and a real bloody hacker fight that I have experienced.
- Hack on blockchain itself: https://coincentral.com/blockchain-hacks/
- Blockchain Graveyard: https://magoo.github.io/Blockchain-Graveyard/
Acquire security consultancy from blockchain white-hat hackers. Turing Chain is for your blockchain business safeguarding. Be careful not to be 0xdead!