The Orbs Blog

Hexa Labs — A Security Analysis for Blockchain: June-July 2018

Image by Marina Rudinsky

KICKICO (July 27, 2018)

What Happened

  • Several KickCoin token holders complained that tokens had disappeared from their wallets
  • The hackers, who had gained access to the KickCoin smart contract's owner account, destroyed the tokens of 40 existing accounts and issued the same token balances to 40 new accounts. See these destroy and issuance examples from Etherscan
  • As a result, the total KickCoin token supply and the number of token holders stayed the same
  • The KICKICO team was able to change the smart contract's owner to a different account, their cold wallet account, which stopped the heist
  • KICKICO said it will return all lost tokens to their original owners
  • KICKICO started to destroy the tokens the attackers issued (example from Etherscan)
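Detection logic for the pattern described above, written as an added example (not KICKICO's or KickCoin's code): over constructed ERC-20 Transfer events it pairs each burn with an equal-amount mint issued shortly afterwards, the combination that leaves total supply and holder count unchanged. It assumes the common convention that mints are Transfer events from the zero address and burns are Transfer events to it.

```python
from collections import defaultdict

ZERO = "0x0000000000000000000000000000000000000000"
PAIR_WINDOW_BLOCKS = 50     # how close a burn and a matching mint must be

# Constructed ERC-20 Transfer events: (block, from, to, amount). Addresses and
# amounts are made up. Mints come from ZERO and burns go to ZERO, the convention
# used by many token contracts for owner-only destroy/issue actions (assumption).
SAMPLE_EVENTS = [
    (100, "0xholderA", "0xholderB", 5_000),        # ordinary transfer
    (200, "0xholderC", ZERO, 120_000),             # burn
    (203, ZERO, "0xattackerC", 120_000),           # same amount re-issued elsewhere
    (210, "0xholderD", ZERO, 75_500),
    (212, ZERO, "0xattackerD", 75_500),
    (300, "0xholderE", ZERO, 1_000),               # burn with no matching mint
]


def find_burn_mint_pairs(events, window=PAIR_WINDOW_BLOCKS):
    """Match each burn with a later mint of exactly the same amount within
    `window` blocks. Such pairs keep total supply constant, which is why a
    supply-only check misses them."""
    pending = defaultdict(list)          # amount -> [(block, burned_from)]
    pairs = []
    for block, src, dst, amount in sorted(events):
        if dst == ZERO:
            pending[amount].append((block, src))
        elif src == ZERO and pending[amount]:
            b_block, b_src = pending[amount].pop(0)
            if block - b_block <= window:
                pairs.append({"burned_from": b_src, "minted_to": dst,
                              "amount": amount, "blocks_apart": block - b_block})
    return pairs


def supply_delta(events):
    """Net change in total supply implied by the events (mints minus burns)."""
    return (sum(a for _, s, _, a in events if s == ZERO)
            - sum(a for _, _, d, a in events if d == ZERO))


if __name__ == "__main__":
    print("supply delta:", supply_delta(SAMPLE_EVENTS))   # -1000: looks benign
    for p in find_burn_mint_pairs(SAMPLE_EVENTS):
        print("suspicious burn/mint pair:", p)
```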

Hexa Labs Thoughts

  • The hackers tried to disguise the heist with an interesting technique (reassigning token ownership while keeping the total supply unchanged), but vigilant token holders prevented more damage
  • The KICKICO team acted fast to change the contract owner, a smart move that minimized damage and exposure
  • It would be interesting to learn how the hackers got access to the owner account's private key in the first place

Related Attacks

  • It is worth mentioning that KICKICO suffered several attacks during their ICO last year. Read more here

Hola Free VPN and MyEtherWallet (July 9, 2018)

What Happened

  • Hackers gained access to Hola's Google Chrome store account and uploaded a malicious extension to the store
  • Users who ran the compromised extension were exposed to a phishing attack: when the user browsed MyEtherWallet in non-incognito mode, the extension injected a malicious JavaScript tag that redirected them to a phishing website
  • Hola noticed the malicious version a few hours after it had been deployed. It is not known precisely how many users downloaded and used that version. Hola replaced the malicious version with an official one
  • Hola notified both Google and MyEtherWallet, and made sure the hacker's site was taken down

Hexa Labs Thoughts

  • It was a sophisticated attack which might have caused severe damage to Hola and MyEtherWallet users. It would be interesting to learn how Hola's team discovered the hack
  • It wasn't disclosed how Hola's store account was compromised, but we suggest verifying and double-checking that all of your accounts are configured to require MFA, using a password manager to generate strong passwords, and avoiding password reuse.
  • When using browser extensions for sensitive operations, make sure you understand the risks

Related Attacks

Bancor (July 9, 2018)

What Happened

  • The attackers used a compromised wallet to withdraw ETH, NPXS and BNT tokens from a BNT smart contract and other contracts
  • Bancor says no client wallets were compromised
  • A "safety hatch" feature of the protocol was used to freeze the stolen BNT tokens
  • The Bancor trading platform was shut down for a few days
  • $10 million of BNT tokens were recovered

Hexa Labs Thoughts

  • A compromised wallet means someone attained the ability to generate and sign legitimate transactions. We don't know how the wallet was compromised, but we suggest making sure to use proper multi-signature wallets and hardware wallets to control high-profile accounts.

Tether (June 28, 2018)

What Happened

  • A Chinese cyber-security company, SlowMist, published a post showing that an account on an exchange had been credited with Tether by changing the value of a field in the transaction
  • A rumor about a vulnerability in the Tether mechanism spread online
  • Several exchanges announced they weren't exposed to said vulnerability
  • SlowMist claims the vulnerable exchange suspended Tether trading
  • After further investigation, SlowMist claimed "This vulnerability is not the USDT's own vulnerability, but some [unnamed] exchange platform's databases do not strictly verify the status of the 'valid' parameter."
  • The name of the exchange has still not been disclosed

Hexa Labs Thoughts

  • At the root of this was a poor integration implementation by the exchange with the Tether currency. When listing a new cryptocurrency or token on a trading platform, it is critical to understand the intricacies of the new protocol.
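The integration flaw SlowMist describes, as an added example (not code from SlowMist, Tether or any exchange): a deposit-crediting routine that trusts Bitcoin confirmations alone next to one that also requires the Omni layer's `valid` flag. The records are constructed in the shape of Omni Core's `omni_gettransaction` output (field names assumed from that RPC; txids, amounts and the deposit address are made up), and Tether's Omni property id of 31 is a real value.

```python
from decimal import Decimal

USDT_PROPERTY_ID = 31          # Tether's property id on the Omni Layer
REQUIRED_CONFIRMATIONS = 6
DEPOSIT_ADDRESS = "1DepositAddrExampleXXXXXXXXXXXXXXXX"   # constructed

# Constructed records shaped like omni_gettransaction output (assumption: field
# names follow that RPC). The second has the same amount and confirmations but
# was rejected at the Omni layer, so the USDT never actually moved.
SAMPLE_TXS = [
    {"txid": "aa" * 32, "propertyid": 31, "amount": "1000.00000000",
     "confirmations": 6, "valid": True, "referenceaddress": DEPOSIT_ADDRESS},
    {"txid": "bb" * 32, "propertyid": 31, "amount": "1000.00000000",
     "confirmations": 6, "valid": False,
     "invalidreason": "Sender has insufficient balance",
     "referenceaddress": DEPOSIT_ADDRESS},
]


def _basic_checks(tx):
    """Checks both versions share: right token, our address, enough confirmations."""
    return (tx.get("propertyid") == USDT_PROPERTY_ID
            and tx.get("referenceaddress") == DEPOSIT_ADDRESS
            and tx.get("confirmations", 0) >= REQUIRED_CONFIRMATIONS)


def credit_amount_weak(tx):
    """The flawed pattern: any confirmed transaction carrying the token is credited."""
    if not _basic_checks(tx):
        return None
    return Decimal(tx["amount"])


def credit_amount_strict(tx):
    """Corrected: confirmations prove the Bitcoin tx was mined, not that the Omni
    payload is valid, so credit only when Omni explicitly marks it valid."""
    if not _basic_checks(tx):
        return None
    if tx.get("valid") is not True:      # missing or False -> do not credit
        return None
    return Decimal(tx["amount"])


def audit(txs, credit_fn):
    """Txids the given crediting function would credit."""
    return [tx["txid"] for tx in txs if credit_fn(tx) is not None]


if __name__ == "__main__":
    print("weak credits  :", audit(SAMPLE_TXS, credit_amount_weak))
    print("strict credits:", audit(SAMPLE_TXS, credit_amount_strict))
```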

Bithumb (June 20, 2018)

What Happened

  • “We noticed that between last night and today early morning, about 350,000,000,000 KRW worth of cryptocurrencies have been stolen” — a deleted tweet by Bithumb
  • All withdrawal services were temporarily halted and the company moved all cryptocurrencies to cold wallets
  • Bithumb asked clients to stop depositing crypto in their wallets, but some clients reportedly continued doing so for some time afterwards
  • Bithumb worked with the Korea Internet & Security Agency (KISA) and other entities to figure out how the hack took place

Hexa Labs Thoughts

  • It has been reported the heist happened at night, like many breaches. Using monitoring tools on hot wallets, cold wallets, and blockchains is crucial to detecting breaches as quickly as possible

Previous Attacks

  • A year ago, a hacker breached a Bithumb employee’s PC and stole details of some Bithumb users. An unknown amount of Bitcoin and Ether was also stolen

CoinRail (June 10, 2018)

What Happened

  • Attackers hacked CoinRail's systems and a range of ERC-20 tokens was stolen
  • All trading at CoinRail was suspended
  • CoinRail claims 70% of the stolen funds can be recovered, but 30% is lost
  • The hacker tried to sell some of the stolen tokens at IDEX, a decentralized asset exchange. CoinRail states that IDEX froze assets from the hacker's wallet address
  • CoinRail reopened in mid-July, but the full recovery process isn't completed yet

Hexa Labs Thoughts

  • The Ocean, an ERC20 trading platform, claimed some addresses related to the hack were previously marked as suspicious. They suggested that exchanges should check if addresses with negative marks were interacting with their platforms. This idea sounds interesting, but the implementation should be considered carefully because it might affect honest blockchain users.

ZenCash (June 3, 2018)

Who: ZenCash is a privacy-oriented blockchain system built on zero-knowledge cryptography, using the Equihash PoW algorithm.

What Happened

  • Equihash is a popular mining algorithm also used by other currencies such as ZCash and Bitcoin Gold
  • This means that significant computing power is dedicated to computing Equihash, and this hashing power can be routed between several blockchains
  • There are several commercial mining pools which offer Equihash computing power for rent
  • The attackers probably rented Equihash computing power from mining pools and reorganized the ZenCash blockchain several times, the largest rollback being the reversal of 38 blocks within the ZenCash blockchain, which allowed the hacker to double-spend ZEN
  • Mining pools contacted ZenCash about the attack, and exchanges were notified to increase the number of confirmations required for ZEN transactions
  • Less than two weeks after the attack, ZenCash published a proposal to modify the consensus protocol and use a penalty system to reduce this risk
  • ZenCash is revising its white paper. It is unclear whether it will include proposals to fight 51% attacks or hard fork the blockchain

Hexa Labs Thoughts

  • ZenCash notified its exchange partners about the attack almost immediately, as it should, but there is massive reputation damage to this project
  • When developing a decentralized project, choosing the right blockchain is a crucial decision for the project's future success. One needs to consider the ecosystem and the attackers from different vantage points, specifically at the different phases of the venture, including before mass adoption. In this case it was profitable for the hackers to rent hashing power and perform a 51% attack on the ZenCash blockchain

Previous Attacks

EOS Vulnerabilities (May-June-July … Honestly Ongoing)

Who: EOS, a 3rd-generation blockchain for decentralized apps

What Has Happened

  • EOS has raised almost $4 billion in a year-long ICO.
  • The new blockchain promises to enable millions of transactions per second and eliminate transaction fees, solving some of Ethereum's worst drawbacks
  • A Chinese internet security firm, Qihoo 360, discovered several critical vulnerabilities in the platform just before the projected launch in June
  • The bugs allowed an attacker to execute arbitrary remote code on EOS nodes and even take full control of a node
  • Around the same time, hackers scanned the internet for EOS nodes which accidentally exposed private keys through an API misconfiguration. The scan started only a few hours after the Qihoo 360 report was released
  • It seems there is no direct connection between the two; the latter was related to a GitHub bug report which had been published
  • EOS reported fixing all bugs. It also published its Bug-Bounty program
  • A few days later, another white-hat hacker found bugs in the EOS software and got a $120K reward from EOS
  • The program is ongoing. EOS has paid out over $340,000 to ethical hackers.

Hexa Labs Thoughts

  • Open-source practices prove themselves a useful methodology. On the one hand, the business does a striptease, putting its source code on GitHub for all to see. On the other hand, the community helps in achieving more secure and efficient code
  • Bug-Bounty programs make sense both for the business and for the white-hat hackers

About Hexa Labs

Hexa Labs is a blockchain solutions consultancy helping established large-scale consumer brands create their own fair and stable decentralised economies.
