It seems like blockchain hacks have become a common occurrence. One of the most recent major cryptocurrency hacks happened in May 2019, when a security breach at Binance let hackers steal 7,000 bitcoins, valued at $41 million, from its bitcoin hot wallet. This was not the first blockchain hack since the technology was invented. The first hack dates back to as early as 2011, when MyBitcoin suffered a loss of nearly $2 million worth of Bitcoin. This incident shook blockchain users and investors worldwide, as blockchain has been hailed as an “unhackable” technology.
Before going any further, we need to understand how blockchain works. In simpler terms, blockchain is a distributed ledger where information is verified and recorded on an immutable system without any intermediary. Every time data is added or a transaction is made, a block is created and sealed by a cryptographic algorithm through a process called “hashing”. The algorithm outputs a string of symbols that is close to impossible to reverse back to the original data. This is why blockchain is deemed to be hack-proof.
An author on Hacker Noon summed up the cryptographic hash process in the most basic terms with the following statement in his article:
“Given an output, it is extremely difficult to calculate the input, but given an input and output, it is pretty easy to verify if the input leads to the output.”
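The sealing and verification described above can be shown with a small hash-linked ledger. This is an added example, not code from any blockchain project: the block layout, the function names and the sample records are constructed for illustration, with SHA-256 as the assumed hash.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, prev_hash, data):
    """SHA-256 over a canonical JSON encoding of the block's contents."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """Seal each record into a block that commits to the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain


def first_invalid_block(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS_PREV
    for b in chain:
        if b["prev"] != prev:                       # link to predecessor broken
            return b["index"]
        if block_hash(b["index"], b["prev"], b["data"]) != b["hash"]:
            return b["index"]                       # contents do not match the seal
        prev = b["hash"]
    return None


def tamper_demo():
    """Verify an intact chain, then two tampered copies of it."""
    records = ["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"]  # constructed
    chain = build_chain(records)
    edited = [dict(b) for b in chain]
    edited[1]["data"] = "bob pays mallory 2"        # change data, keep the old seal
    resealed = [dict(b) for b in edited]
    resealed[1]["hash"] = block_hash(1, resealed[1]["prev"], resealed[1]["data"])
    return (first_invalid_block(chain), first_invalid_block(edited),
            first_invalid_block(resealed))


if __name__ == "__main__":
    print(tamper_demo())  # (None, 1, 2)
```

Re-sealing the edited block only moves the failure to the next block, because that block still commits to the old hash.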
It is, in fact, close to impossible for hackers to corrupt the blockchain system. So what are the types of hacks that are threatening the blockchain network today?
It is important to note that not a single attack on the blockchain itself was a result of vulnerabilities in the system. On the contrary, most attacks were discovered to be a result of human mistakes or external technical errors that happened during the transaction processes or storage of the assets.
A Sybil attack is when the hacker creates multiple fake identities to take over a certain network. To outsiders, the identities would seem to be “unique” and owned by different entities. However, what is actually happening is that a single entity is running multiple nodes on the blockchain. An easy example is when several Instagram accounts are created by one person.
This could happen in a few scenarios:
- The attacker can stop a particular network from transmitting information/transactions, consequently blocking everyone from the network.
- The attacker can transmit the blocks they created to execute double-spending attacks.
Such an attack has never endangered user funds before. It only causes network traffic overflow, which in turn results in transaction congestion.
51% Attack or Majority Attack
In a 51% attack or majority attack, an individual or a group of hackers controls most of the nodes in a network and in turn possesses more power than the others. Being in such a position, the attacker is able to mine blocks faster than the rest of the network combined. This enables them to “double spend”. Double spend is when the attacker tries to prevent new transactions from gaining confirmation or miners from mining new blocks, and also reverses transactions that were made by them or others.
The 51% attack is currently the most dreaded type of hack faced by the smaller exchanges and blockchain networks. In 2018 alone, 9 blockchain networks were hacked and an estimated $30 million in total worth of cryptocurrencies was stolen. The biggest 51% attack to date was when Bitcoin Gold suffered losses of around $18 million worth of tokens.
A Denial of Service (DoS) attack is when the attacker tries to compromise the system by flooding its traffic, spreading malware and viruses into the network and denying the network access to certain data. This type of hack is not only a threat to blockchain networks: popular websites like Twitter and Netflix were also once victims of it, and millions of users were affected globally. According to Norton, an award-winning anti-virus software provider, the DDoS attack is currently the biggest concern for internet security experts and it is said to be by far the strongest type of attack on the internet.
One of the more notable incidents was the series of DDoS attacks on the bitcoin network between 2015 and 2017. A series of planned “stress tests” on the bitcoin network was conducted by CoinWallet.eu. They overloaded their server with transactions on a large scale in order to test whether the network could recover from the surge after increasing the block size to 1MB.
But a month later, a real attack occurred and 80,000 transactions were sent out simultaneously by an unknown party. This flooded the bitcoin mempool (memory pool) and made transaction times significantly longer than usual. The spam was later cleared by one of the biggest mining pools at the time, F2Pool, which created a block just to clean up all 80,000 transactions.
Another important blockchain attack vector is the routing attack via the Internet infrastructure. While in theory the Bitcoin network is highly decentralized, in practice, from a routing and mining viewpoint, it is fairly centralized. A report published by ETH Zurich in 2016 found that only 13 ISPs host 30% of the entire blockchain network. Their results also indicate that 60% of the worldwide mining power is hosted on only 3 different ISPs.
An attacker can use this attack to create two different routes on the same network and, as a result, gain the power to allow, deny or gain access to the information on the network.
Human error has been cited as the major contributing factor to security vulnerabilities and data breaches on blockchain networks. It is inevitable, but it may sometimes cost us a huge amount of money.
Most of the hacks mentioned so far fall into the realm of either double-spending or disrupting the speed of the network.
Perhaps one of the biggest heists that happened due to human error, and one that still haunts Ethereum to this day, is none other than the infamous Ethereum DAO Hack.
The DAO (Decentralised Autonomous Organization) was formed by a group of people with the objective of creating a leaderless investment business model on top of the Ethereum network. Unlike traditional companies, where decisions are made by a few partners, anyone who invested has a say in investment. The more you invested, the heavier the weight of your vote.
The DAO had a mechanism called “split return” that allows investors who want to pull out to get back their Ethereum in exchange for their DAO tokens. The mechanism comprises two simple steps:
- Return of Ethereum to token holders.
- Tokens are then taken back and the transaction is registered on the blockchain network.
A hacker exploited an unforeseen flaw in the system that allowed him/her to repeat the first step without going through the second step. The attacker was able to siphon $50 million worth of Ethereum from the DAO’s network. In the end, this incident enraged the community, which attempted to minimise the damage by using a soft fork, but it was all in vain. This resulted in the splitting of the community and the creation of Ethereum Classic (ETHC).
Other man-made errors include mistakes made when writing code, failure to follow security protocols and even the bad working attitude of employees. All these malpractices are the main reason exchanges get hacked.
Hence it is crucial for companies to adopt proper security measures to ensure the safety of their users’ assets. One example is WorldQuest International, Malaysia’s leading blockchain solution company for finance and technology. They utilize a Host Security Module (HSM), which employs military-grade cryptography so that all the encrypted passwords and private keys for the blockchain can be securely kept away. Their servers are also protected by a high-grade firewall against infiltrators.
Blockchain is still a budding, robust technology that is evolving with each passing day. But there are already numerous success stories of organisations, such as banks, implementing this emerging technology.
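The ordering flaw described above, as a simplified Python model. It is an added example and not the DAO's contract code: `ToyFund`, both `split_return_*` methods, `reentrancy_check` and the balances are hypothetical, and the model assumes the repeat of step one happens through recipient-side code that runs during the payout. The vulnerable ordering sits beside the corrected one, which retires the tokens before any ether is sent.

```python
class ToyFund:
    """Constructed model of a token-for-ether fund; not the DAO's contract code."""

    def __init__(self, balances):
        self.tokens = dict(balances)         # holder -> tokens (1 token = 1 ether)
        self.ether = sum(balances.values())  # ether the fund holds for all holders

    def _pay(self, amount, on_receive):
        if amount > self.ether:
            raise RuntimeError("fund has insufficient ether")
        self.ether -= amount
        on_receive(amount)  # control passes to the recipient's code here

    def split_return_vulnerable(self, holder, on_receive):
        amount = self.tokens.get(holder, 0)
        if amount:
            self._pay(amount, on_receive)  # step 1: return ether
            self.tokens[holder] = 0        # step 2: retire tokens, too late

    def split_return_hardened(self, holder, on_receive):
        amount = self.tokens.get(holder, 0)
        if amount:
            self.tokens[holder] = 0        # step 2 first: retire tokens
            self._pay(amount, on_receive)  # step 1: return ether


def reentrancy_check(method_name, holder="mallory", attempts=5):
    """Regression check: request the withdrawal again from the payout callback.

    Returns (ether received by holder, ether left in the fund).
    """
    fund = ToyFund({"alice": 60, "bob": 30, "mallory": 10})  # constructed balances
    withdraw = getattr(fund, method_name)
    received, calls = 0, 0

    def on_receive(amount):
        nonlocal received, calls
        received += amount
        calls += 1
        if calls < attempts:
            withdraw(holder, on_receive)  # step 1 requested again before step 2 ran

    withdraw(holder, on_receive)
    return received, fund.ether


if __name__ == "__main__":
    print("vulnerable:", reentrancy_check("split_return_vulnerable"))  # (50, 50)
    print("hardened:  ", reentrancy_check("split_return_hardened"))    # (10, 90)
```

With the vulnerable ordering a holder of 10 tokens receives 50 ether, leaving 50 to cover the 90 owed to the other holders; with the hardened ordering the second request finds a zero token balance and pays nothing.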
“84% expect blockchain to provide more security than most conventional systems,” says Deloitte.
So before placing your assets with any exchange or vendor, it is important to do your research about it first. The silver lining of these hacks is that people are paying more attention to security and developers are making improvements to stop the hacks from happening again.