Demystifying Blockchain: The Building Blocks
In the first two installments of this three-part series, we discussed the importance of blockchain nodes and Oracles, which serve as a bridge between blockchains and the external world; more on Oracles can be found here.
Now we will shift our attention to arguably the most relevant topic as it relates to Web 3.0: Web 3.0 Security.
As the popularity of blockchain technology grows, so do the threats of cyber-attacks through phishing attacks or smart contract exploits.
The biggest challenge we face today in securing digital assets is understanding the variety of attacks and layers of protection that are needed to truly secure a user. There are many layers of security to consider when examining the state of blockchain security, but today we focus on the following key areas:
· Underlying Blockchain Security
· Smart Contract Security
· Identity and Access Management
Navigating all of these complexities is extremely challenging, but the good news is there are a growing number of solutions being created to tackle the security issues of today — let’s dive in…
Web 3.0 Security
We’ve established that the potential of Blockchain is immense, but before we see mass adoption or enterprise adoption, there are issues that need to be considered and addressed.
Those who are advocates of this technology will tell you that the technology is more secure than Web 2.0, given the emphasis on user control in a decentralized environment. While Web 3.0 security may prove to be the better solution, no system is perfect and there will always be security risks. There is less information available about the security risks because solutions have yet to be fully realized.
Blockchain Vulnerabilities
Today Blockchain technology is only in its infancy and bad actors have been able to capitalize on the vulnerabilities that exist. The following are various ways bad actors can attack a blockchain:
Sybil Attacks: Sybil attacks are an attempt by a single person to overtake a network by creating multiple accounts, nodes, or computers, which ultimately crash that network.
Front-Running Attacks: Front-running is not a new concept and traditionally has been associated with public equities. It is defined as the act of buying or selling a security (a stock, bond, etc.) based on advance knowledge or information that affects the price of that asset. As it relates to cryptocurrency, the danger is front-running robots. These robots analyze smart contract details with the intent to find pending transactions after they have been broadcasted, but before they are finalized, and reorder the transactions to benefit themselves. These bots are harmful as they result in exorbitant gas fees rendering blockchains at times useless. More on the intricacies of front-running can be found here.
Phishing Attacks: Phishing is common in this space. Bad actors sending false emails to wallet owners, asking for their sensitive information.
A prime example was the Opensea phishing attack that took place earlier this year in February. The bad actors placed a fraudulent link in the discord channel of OpenSea; this resulted in the loss of over 200 NFTs for a total value of $1.7 million.
51% attacks: Blockchains use a large amount of computing power to perform mining tasks. Both proof-of-work and proof-of-stake-based blockchains are susceptible to this type of attack. Theoretically, a group of miners can seize control over a blockchain if they can bring together enough resources to acquire more than 50% of a blockchain network’s mining power — more on blockchain nodes can be found here.
The process to carry out a 51% attack varies based on whether the network involved is proof-of-work or proof-of-stake-based. Using Ethereum as an example, a bad actor would need to own 51% of the staked Ethereum on the blockchain. It is possible for someone to own enough, but it’s unlikely; according to Ethereum.org, more than 15.5 million ETH were staked at the time of this post. The bad actor would need to own more than 7.8 million ETH (nearly $10 billion worth) to attempt an attack.
As you can imagine 51% attacks are highly unlikely, but they are not to be taken lightly. If a cryptocurrency is subject to frequent block attacks, the reputational damage may be irreversible.
We now know that even the best-designed blockchain ecosystem is susceptible to exploitation.
Smart Contract Security
Smart contracts were designed to facilitate transactions between individuals or organizations. Unfortunately, bad actors constantly scan smart contracts for vulnerabilities. In some scenarios, smart contract vulnerabilities have led to millions of dollars worth of digital assets being stolen, and have left the organizations depending on those smart contracts devastated.
Furthermore, these bad actors may use these potential security issues to further disrupt a company’s smart contract, resulting in massive liquidity loss and client data loss. Though often referred to as “immutable,” these contracts have no firewall, making them publicly facing and vulnerable. While most people acknowledge the need for robust solutions, just a few take the necessary prevention measures.
The most common attacks at the smart contract level include the following:
Re-entrancy Attacks: These occur when a function makes an external call to another untrusted contract. The untrusted contract makes a recursive call back to the original function in an attempt to drain funds. The re-entrancy attack is often referred to as one of the most destructive attacks in a smart contract.
A digestible example could be the process of sending an email. Anyone can start drafting an email, save a draft, send another email, and finish the draft message later.
Now, imagine issuing a wire transfer through a poorly designed banking system where the account balance is checked only at the initialization phase (verifies whether the data contained in the request is valid). A bad actor could initiate several transfers without submitting any of them, similar to drafting an email. The system would confirm that the user’s account holds a sufficient balance for each transfer. If there was no additional check at the time of the actual transfer submission, the user could then submit all transactions and potentially exceed the balance in their account. This is very similar to the re-entrancy attack which was used in the $80 million smart contract exploit of Fei Protocol.
Logic Bugs: Logic bugs happen when a developer fails to identify problems at the code level in a given Dapp. This is problematic because smart contracts tend to be immutable once written. Through simple programming flaws, attackers can drain the contract wallet of all funds; this tends to be the most common way bad actors gain access to user funds. Developers can avoid these issues by pre-release testing, a notable difference from the iterative Web 2.0 approach.
As more organizations continue to adopt blockchain, it’s critical that smart contract security vulnerabilities are thoroughly understood. By understanding the methods used by bad actors, developers are empowered to write code with security at the forefront of Dapp development.
Identity and Access Management
Identity and access management have seen problems since the inception of the internet, and the market has invested billions of dollars to improve the usability and security of identity and access management. Authentication of who we are and how we are represented online has become increasingly important over the years to both individuals and enterprises.
A blockchain includes a consensus protocol to ensure the network can function at all times. Further, access control mechanisms enable the ability to use certain functions in a smart contract to approved entities, such as accounts responsible for managing the contract.
When discussing identity security as a topic, we narrow our scope to these areas:
Individual Node Code: This can be either the code that handles identity operation requests or the one that resolves identities already in the system.
Client-node Communication: Client-node communication is when you have an end user who can’t read and store the entire blockchain to validate a state, the user is trusting a node in the network to provide them with reliable information. This can be a problem if you have a compromised node or even an attacker intercepting communication between a user and a legitimate node. Through this, a bad actor can send false information that does not represent the actual state in the blockchain.
Private Key Storage: Once a private key is stolen, the identity is compromised regardless of how secure the underlying Blockchain is.
Exploitations of applications with poor security posture have been on the rise, which have proven to be quite costly. For example — in December of 2021, Vulcan Forged a cryto-gaming platform was involved in a private key hack, resulting in the breach of 96 wallets and the loss of 45 million PYR tokens with some ETH and MATIC assets valued at ~$140 million.
Industry Response
In the first half of 2022 alone, more than two billion U.S. dollars were stolen by bad actors, more than the combined total lost throughout all of 2021. Thankfully, solutions like Forta, Redfine Crypto, Valid Network, and Hypernative are all new solutions focusing on security prevention and providing powerful analytics behind their respective platforms.
These solutions at their core are real-time databases that continuously update, creating a prevention engine that simulates and reacts to transactions in real time to prevent loss of funds invested in DeFi assets. In addition, it is vital to discern whether or not a certain alert is real, and what the severity of the attack is. This will help those involved to make mindful and educated decisions. These new solutions are extremely important for the future of blockchain as projects aim to bolster consumer confidence in this space and ensure that consumer assets remain safe at all times.
Compared to similar platforms, Hypernative leverages low-latency simulation infrastructure to detect and prevent money extraction or abnormal behaviors in real time. They further leverage machine learning to detect the next unknown security issue.
In addition, startups are helping to address issues as they relate to identity and access movement through unique avenues. An example being Boldstart’s portfolio company Upstream, and their new digital asset security solution VaultDAO.
Historically hardware wallets have been the de facto tool providing a secure option for people to store the private keys to their wallets on what would be effectively a hard drive, but these “cold” wallets are notorious for being hard to use. Due to the physical component of the hardware wallet, one could misplace the hardware wallet and as a result lose the seed phrase that enables them to access their digital assets. “Hot” wallets, which are connected to the internet, are another solution, but these solutions are often custodial or operated by a centralized entity.
The VaultDAO operates as a multi-signature wallet that can be configured to require sign-off from multiple discrete accounts to authorize a transaction on behalf of a user. A user can set up multiple accounts directly through Upstream and can choose a threshold for the number of signatories. The product operates as a user’s personal DAO, because each transaction takes place in the form of a proposal being made by the user, voted on by a predetermined critical mass of DAO members and then executed as such. Unlike most popular multi-signature wallet products on the market today, VaultDAO is specifically designed for individual users to secure their own assets rather than for groups that require multiple parties to sign off on a transaction.
Closing Remarks
This overview of the different blockchain security issues shows just how early we are in the development of blockchain technology. Awareness of vulnerabilities in blockchain security is essential to the creation of better networks and systems to drive future adoption.
Furthermore, as we head into a future driven by this new technology, we must bolster the security of this ever-changing landscape. Future-ready projects will deliver real-time security data and alerts to their clients as part of a comprehensive security strategy. It will be interesting to see how the future of this rapidly evolving space continues to play out, especially as 2022 sees crypto hacks set all-time highs.
This concludes the three-part series; I look forward to providing more insights into the development of this technology as the space continues to iterate and mature in the process.
If you’re an investor or builder in the space and would like to connect, feel free to reach out to me at Ernest@Boldstart.vc or on twitter @ErnestAddison21
