The Complete Guide To Blockchain Attacks
By Superorder.io on Altcoin Academy
Did you know that blockchains aren’t tamper-proof at all? It can be a revelation but it’s true. Yes, decentralized systems are protected from traditional hacker breaches. Nonetheless, they feature unique weak links exposed to modern attackers.
The majority of successful hacker attacks were focused on crypto exchanges with pretty traditional vulnerabilities. From January to June 2019, seven sites faced attacks and lost approximately tens of millions of dollars. In 2017–2018, exchanges lost around $882 million. Add $460 million stolen from Mt. Gox in 2014 and $72 million from Bitfinex in 2016 to get a pretty frightening image.
Well, centralized platforms and their users suffer more often. Still, there are several threats to blockchains themselves. Smart or rich and powerful teams can break them, steal money, and get control over data, most importantly. Thus, let’s look at the most popular attack types closely.
Blockchain Network Attacks
In a nutshell, any blockchain-based network consists of numerous nodes that record data, verify, and process it. The brightest example is financial data — nodes register, send, and receive transactions. Hackers can find and exploit the networks’ vulnerabilities using several approaches.
DoS And DDoS Attack
Denial-of-Service and Distributed Denial-of-Service threats are one of the most famous. In a nutshell, hackers target the chosen server or another client with myriads of requests generating harmful traffic and preventing users to access the service. In the case of DoS, this traffic comes from a single source while DDoS generates it from several points.
While DoS and DDoS are more often focused on traditional servers, hackers still can attack blockchains. Decentralized systems have better protection, though. Even if one or a few nodes are unavailable, blockchain still can function well. But it’s possible to target the application layer of any system to block its usage.
Hackers can focus on harming only one specific node instead of the entire system. In this scenario, a bad actor isolates the chosen node by hijacking links with other nodes. For this, he/she has to control enough host nodes in the botnet with unique IP addresses. A hacker forces the target node to restart and redirects its links to fake IPs.
As a result, the victim node becomes isolated from the chain so its owner doesn’t have a clear vision of the ongoing activity. Frauds can get control over pretty important nodes. They can easily steal data or enable double spending further attacks. Moreover, they can hijack mining power or even create a new fork.
This type is pretty simple as it doesn’t require complex cryptography approaches. Fraudulent parties just record specific transactions or entries and then repeat them. Sometimes, they can intercept original messages, too. Using this method, hackers get the ownership of valid data so they don’t have to encrypt it or fool the check systems.
Potentially, replay attacks can be very harmful. The catch is that any unchanged information like passwords or biometrics can be spotted and remembered. However, blockchains can protect themselves from replays relatively easily. They only should implement timestamps and limit the number of repeats for a given transaction.
Instead of eclipse ideas, this attack focuses on the entire blockchain. Thus, hackers don’t rewrite links of the chosen node by manipulating only one small subsystem but create several fake nodes surrounding the victim. It’s similar to creating fake accounts in social media. A large number of malicious nodes lead to gaining control over the network.
Specifically, hackers can perform double spending attacks or even 51% attacks. We will talk about them later. With enough Sybil nodes, frauds are able to rule the blockchain, create forks, steal money, and so on. For now, there are no guaranteed measures to prevent this attack. However, it’s possible to make it impractical.
Fact: the attack is named after Shirley Ardell Mason aka Sybil Dorsett, a woman with dissociative identity disorder and a hero of books and films.
Consensus Protocol Attacks
The next big category includes attacks on the mechanism of transactions’ verification and registration. As you know, all blockchains feature one or another protocol like PoW, PoS, etc. Bad actors can find vulnerabilities in these algorithms and exploit them.
Here’s one of the most famous threats that were considered the only one related to blockchains, initially. As you know, Proof-of-Work protocols require spending some computing power to verify and record each transaction. Miners use their machines to do this and get rewards in crypto. Because of the large number of nodes and high energy costs, no single entity can get full control over the network.
Almost. It’s still possible to produce or rent at least 51% of the system’s hash rate (power of all miners) to execute, validate, and modify data without other participants. Large mining pools or fraudulent teams have successfully performed this attack on Verge and Bitcoin Gold, for example. Hackers can reverse transactions, steal data or even create new forks to develop the project in the way they want.
The only problem is that 51% attacks require a lot of energy. Really, a lot. The longer you want to control a system the more money you will have to spend. Thus, long attacks are extremely rare as hackers tend to quickly get some money and retire.
Double Spending Attack
Well, we mentioned this term several times so let’s talk about it. Double spending is the main goal of the majority of attacks. It allows bad actors to use the same coins in several transactions. Eventually, only one deal will be registered making other records abandoned. This means that, for example, a man can sell 1 BTC to several buyers, get USD from all of them but transfer BTC only to one. Or don’t transfer at all.
Here are a few examples of double spending attacks:
- Finney. Provides for creating one pre-mined block with a transaction and putting the identical transaction right before this block is released. Thus, the second transaction will be considered invalid.
- Race. Creates two same transactions. The first one is sent to a buyer or seller who accepts it without confirmation from the network. The second one is distributed to the blockchain and confirmed instead of the first one.
- Simulated history. It’s based on a 51% idea, too. A hacker also sends two transactions but the second one is based on the alternative fork. Thus, even after confirmations, a hacker can push his/her fork to invalidate the first transaction.
It’s important to understand that double spending can be a consequence of almost any attack. While it’s barely possible to solve all issues, blockchains can implement new protection measures to prevent at least the most popular attacks.
Crypto Wallet Attacks
Apart from blockchains and applications, there are more targets for hackers. For example, they can try getting access to user crypto wallets, both cold and hot ones. Obviously, the main goal of these threats is money.
Yeah, here’s another revelation: cold wallets aren’t perfect, too. With enough knowledge and tech stuff, hackers can insert malware into these devices or steal data in more exotic ways. For example, Israeli researchers state that they can steal private keys via sound, heat, light, magnetic waves, etc. They also insist that it’s possible to infect wallets with malware. Scientists from DocDroid confirm these statements.
As far as hot wallets are directly connected to the Internet, it’s even easier to break them. As a rule, hackers utilize phishing or brute force attacks to get private keys, seed phrases, and PINs. More tech-savvy bad actors can exploit weaknesses of signature or key generation algorithms. For example, generators may feature low entropy and, respectively, insufficient randomness.
Smart Contract Attacks
Finally, the most elaborate layer of development-oriented blockchain platforms also can be under attack. Actually, smart contracts and decentralized applications are all about code, similarly to traditional software. And code may feature vulnerabilities. For instance, Ethereum’s Solidity features several potential entry points for frauds.
Moreover, virtual machines that execute smart contracts also can be hacked. In this case, blockchain’s immutability becomes a significant threat because even the smallest bugs can’t be fixed backward and lead to forking like in the case of DAO. There are other bugs and problems like access-related ones, too.
Simple Precautionary Measures
While it may be pretty difficult to prevent all types of attacks, especially the most tech-savvy ones, ordinary traders still can protect their money. There are a few quick points to know about:
- Cold wallets. Keep the main funds on protected storages. You can have some coins at crypto exchanges but remember that they’re extremely vulnerable.
- Internet hygiene. Don’t disclose your personal info like passwords/keys. Always check the sites’ addresses, the partners’ identity, emails, and other requests.
- Multi-factor authentication. Try using your phone as an extra security layer. With 2FA enabled, it will be much harder to get control over your accounts.
- Your own faults. We’re humans and we make errors. Typos and wrong wallet addresses may harm your crypto balance so be sure to double-check yourself.
Remember that knowledge is power. Being aware of major crypto/blockchain threats in the modern crypto community, you will be able to protect yourself. At least, partially. Do the best you can to increase security from the user side to mitigate risks and save coins. And always remember that the crypto world is risky and dangerous. But we love it.
And we love you so be sure to join our crypto trading terminal Superorder to get 14 days of free usage!