Hexa Labs — A Security Analysis for Blockchain: June-July 2018

Dror Trieman
Published in The Orbs Blog, Aug 9, 2018
Image by Marina Rudinsky

After several months working in Israel’s blockchain industry as security lead for Hexa Labs — Orbs’ sister company within the larger Hexa Group of companies — I’ve met dozens of managers, researchers, developers, lawyers, and business consultants working on innovative projects dealing with hundreds of millions of dollars in both fiat and cryptocurrency.

Most of these people told me they can’t keep pace with the tremendous number of security incidents in the blockchain domain. At least once a week, there seems to be news of another crypto heist, with last week’s major story covering the KICKICO breach.

I believe people in the industry should be aware of these security events, as well as relevant news and trends. When you hear about an incident, your first instinct should be to think whether or not that same attack vector can be used against your venture and if your current security plan mitigates this risk.

Even though the community embraces knowledge-sharing and the open-source philosophy, information on security breaches often remains confidential for obvious reasons. Usually, specific details such as the damage scale, the exact vulnerability, and the victim's identity are undisclosed.

This blog delivers interesting blockchain security incidents and events in an executive-summary format. There are many posts on security incidents within the blockchain domain; here I'll provide a high-level overview, focus on the essence, and give references for further inspection.

Without further ado, let’s go over the security incidents of June-July 2018:

KICKICO (July 27, 2018)

KICKICO is a blockchain crowdfunding website for ICOs.

Damage scale: 70,000,000 KickCoin (~$7.7M — estimated fiat value of stolen tokens during the hack)

Attack vector: Compromise of the private key controlling the smart contract's owner account

What Happened

  • Several KickCoin token holders complained tokens disappeared from their wallets
  • The attackers, using the compromised owner account of the KickCoin smart contract, destroyed the balances of 40 existing accounts and issued the same amounts to 40 new accounts. See these destroy and issuance examples from Etherscan
  • Because every destroyed balance was matched by a newly issued one, the total KickCoin supply and the number of token holders stayed the same
  • The KICKICO team was able to change the smart contract's owner to a different account (their cold wallet), which stopped the heist
  • KICKICO said they will return all lost tokens to their original owners
  • KICKICO started to destroy the tokens the attackers issued, example from Etherscan
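To show what the destroy-and-issue pattern above looks like on-chain, and how a token team could alert on it, here is an added example (not KICKICO's code, and not a reconstruction of the real transactions): a small Python detector run over constructed ERC20 Transfer events. It assumes the common convention that issuing tokens emits a Transfer from the zero address and destroying them emits a Transfer to it; the addresses, amounts, block numbers and the three-block pairing window are all invented for illustration.

```python
ZERO = "0x0000000000000000000000000000000000000000"

# Constructed sample of ERC20 Transfer(from, to, value) events in emission
# order. Addresses and amounts are invented; a real feed would come from
# eth_getLogs or an Etherscan export. This assumes the common convention that
# a mint is a Transfer from the zero address and a burn is a Transfer to it.
SAMPLE_EVENTS = [
    {"block": 6030001, "from": "0xholderA", "to": "0xholderB", "value": 500},       # ordinary transfer
    {"block": 6030010, "from": "0xvictim1", "to": ZERO,        "value": 1_000_000}, # destroy
    {"block": 6030010, "from": ZERO,        "to": "0xnew1",    "value": 1_000_000}, # issue, same amount
    {"block": 6030011, "from": "0xvictim2", "to": ZERO,        "value": 250_000},   # destroy
    {"block": 6030011, "from": ZERO,        "to": "0xnew2",    "value": 250_000},   # issue, same amount
    {"block": 6030020, "from": "0xholderC", "to": ZERO,        "value": 10},        # lone burn, benign
]


def supply_delta(events):
    """Net change in total supply over the events: issues add, destroys subtract.
    A heist of the KICKICO kind leaves this near zero, which is exactly why
    watching total supply alone would not have caught it."""
    delta = 0
    for e in events:
        if e["from"] == ZERO:
            delta += e["value"]
        if e["to"] == ZERO:
            delta -= e["value"]
    return delta


def find_destroy_issue_pairs(events, window_blocks=3):
    """Pair each destroy with a same-block or later issue of the identical
    amount within window_blocks. Each pair is a balance silently moved from one
    holder to another without any Transfer between them."""
    destroys = [e for e in events if e["to"] == ZERO]
    issues = [e for e in events if e["from"] == ZERO]
    used = set()
    pairs = []
    for d in destroys:
        for i, m in enumerate(issues):
            if i in used:
                continue
            if m["value"] == d["value"] and 0 <= m["block"] - d["block"] <= window_blocks:
                pairs.append((d, m))
                used.add(i)
                break
    return pairs


def analyse(events, window_blocks=3):
    """Summarise what an alerting job would report for this batch of events."""
    pairs = find_destroy_issue_pairs(events, window_blocks)
    return {
        "pairs": len(pairs),
        "tokens_reassigned": sum(d["value"] for d, _ in pairs),
        "supply_delta": supply_delta(events),
        "affected_holders": [d["from"] for d, _ in pairs],
        "new_recipients": [m["to"] for _, m in pairs],
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

A supply-only check returns a delta of just -10 for this batch and stays silent; pairing destroys with same-amount issues is what surfaces the 1,250,000 tokens that changed hands. In production the job would also restrict attention to calls made from the owner account and page through eth_getLogs by block range.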

Hexa Labs Thoughts

  • The attackers tried to disguise the heist with an interesting technique (reassigning token balances while keeping the total supply constant), but vigilance by the token holders prevented more damage
  • The KICKICO team acted fast to change the contract owner, a smart move that minimized damage and exposure
  • It would be interesting to learn how the attackers obtained the owner's private key in the first place

References: Official statement by KICKICO, CoinFrenzy

Related Attacks

  • It is worth mentioning that KICKICO suffered several attacks during their ICO last year. Read more here

Hola Free VPN and MyEtherWallet (July 9, 2018)

Hola is a popular free VPN service; MyEtherWallet is a popular client-side interface for Ethereum wallets.

Damage scale: Unknown

Attack vector: Phishing of clients via a trojanized browser extension

What Happened

  • Attackers gained access to Hola's Chrome Web Store account and uploaded a malicious version of the extension to the store
  • Users who ran the compromised extension were exposed to a phishing attack: when a user browsed MyEtherWallet in non-incognito mode, the extension injected a malicious JavaScript tag that redirected the user to a phishing website
  • Hola noticed the malicious version a few hours after it had been deployed. It is not known precisely how many users downloaded and used that version. Hola replaced the malicious version with an official one
  • Hola notified both Google and MyEtherWallet, and made sure the attacker's site was taken down

Hexa Labs Thoughts

  • It was a sophisticated attack that could have caused severe damage to Hola and MyEtherWallet users. It would be interesting to learn how Hola's team discovered the hack
  • It was not disclosed how Hola's Chrome Web Store account was compromised, but we suggest verifying that all of your accounts are configured to require MFA, using a password manager to generate strong passwords, and avoiding password reuse
  • When using browser extensions for sensitive operations, make sure you understand the risks: an extension that can read and modify page content can alter what a wallet site shows you and where it sends you

References: Official statement by Hola, MyEtherWallet urgent tweet

Bancor (July 9, 2018)

Bancor is a blockchain project which allows immediate liquidity for ERC20 tokens.

Damage scale: $23.5 million (in Ether, NPXS, BNT)

Attack vector: Undisclosed

What Happened

  • A compromised wallet was used by the attackers to withdraw ETH, NPXS and BNT tokens from a BNT smart contract and other contracts
  • Bancor says no client wallets were compromised
  • A safety hatch protocol feature was used to freeze the stolen BNT tokens
  • The Bancor trading platform was shut down for a few days
  • $10 million of BNT tokens were recovered

Hexa Labs Thoughts

  • A compromised wallet means someone attained the ability to generate and sign legitimate transactions. We don't know how the wallet was compromised, but we suggest making sure to use proper multi-signature wallets and hardware wallets to control high-profile accounts.

References: Bancor’s first detailed response, Bancor’s clarification, Leonid Beder’s post on the hack, BitRates

Tether (June 28, 2018)

Who was affected: An undisclosed crypto-exchange; the incident also spawned rumors about Tether (USDT) itself

Damage scale: Unknown

Attack vector: Lack of data validation

What Happened

  • SlowMist, a Chinese cyber-security company, published a post showing that a USDT balance on an exchange could be credited ("recharged") with a transaction whose status field the exchange did not verify
  • A rumor about a vulnerability in the Tether mechanism itself spread online
  • Several exchanges announced they were not exposed to the vulnerability
  • SlowMist claims the vulnerable exchange suspended Tether trading
  • After further investigation, SlowMist claimed “This vulnerability is not the USDT’s own vulnerability, but some [unnamed] exchange platform’s databases do not strictly verify the status of the ‘valid’ parameter.”
  • The name of the exchange has still not been disclosed
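The failure SlowMist described can be seen in a few lines of deposit-crediting logic. The following is an added example, not code from SlowMist, Tether or any exchange: it runs a naive credit routine and a checked one over constructed records shaped like Omni Core's omni_gettransaction output (the field names are Omni Core's; the txids, addresses, amounts and the exchange's deposit address are invented, and the six-confirmation threshold is an assumption).

```python
import json
from decimal import Decimal

USDT_PROPERTY_ID = 31          # Tether's Omni Layer property id
MIN_CONFIRMATIONS = 6          # assumed exchange policy
DEPOSIT_ADDR = "3ExchangeUsdtDepositAddressExample"   # invented deposit address

# Constructed sample shaped like Omni Core's omni_gettransaction output.
# Field names follow Omni Core; txids, addresses and amounts are invented.
RAW_DEPOSITS = [
    json.dumps({"txid": "a1" * 32, "type": "Simple Send", "propertyid": 31,
                "amount": "1000.00000000", "referenceaddress": DEPOSIT_ADDR,
                "confirmations": 8, "valid": True}),
    # Looks like a 250k deposit, but Omni marks it invalid: the sender never had the funds.
    json.dumps({"txid": "b2" * 32, "type": "Simple Send", "propertyid": 31,
                "amount": "250000.00000000", "referenceaddress": DEPOSIT_ADDR,
                "confirmations": 8, "valid": False,
                "invalidreason": "Sender has insufficient balance"}),
    # Valid send of a different Omni property, not USDT.
    json.dumps({"txid": "c3" * 32, "type": "Simple Send", "propertyid": 1,
                "amount": "5.00000000", "referenceaddress": DEPOSIT_ADDR,
                "confirmations": 12, "valid": True}),
    # Genuine USDT but still too shallow to credit.
    json.dumps({"txid": "d4" * 32, "type": "Simple Send", "propertyid": 31,
                "amount": "42.00000000", "referenceaddress": DEPOSIT_ADDR,
                "confirmations": 1, "valid": True}),
]


def credit_naive(tx):
    """The integration mistake: credit whatever 'amount' says is addressed to us."""
    if tx.get("referenceaddress") == DEPOSIT_ADDR:
        return Decimal(tx["amount"]), "credited"
    return Decimal(0), "not ours"


def credit_checked(tx, min_conf=MIN_CONFIRMATIONS):
    """Hardened version: only confirmed, Omni-valid USDT Simple Sends to our
    address are credited. Every rejection carries a reason for the audit log."""
    if tx.get("referenceaddress") != DEPOSIT_ADDR:
        return Decimal(0), "not ours"
    if tx.get("type") != "Simple Send":
        return Decimal(0), "unsupported transaction type"
    if tx.get("propertyid") != USDT_PROPERTY_ID:
        return Decimal(0), "not USDT (property %s)" % tx.get("propertyid")
    if tx.get("valid") is not True:            # a missing flag fails too
        return Decimal(0), "omni invalid: %s" % tx.get("invalidreason", "unknown")
    if tx.get("confirmations", 0) < min_conf:
        return Decimal(0), "only %d confirmations" % tx.get("confirmations", 0)
    return Decimal(tx["amount"]), "credited"


def total_credited(raw_records, credit_fn):
    """Run every deposit record through credit_fn; return (total, reason per txid prefix)."""
    total = Decimal(0)
    reasons = {}
    for raw in raw_records:
        tx = json.loads(raw)
        amount, why = credit_fn(tx)
        total += amount
        reasons[tx["txid"][:8]] = why
    return total, reasons


if __name__ == "__main__":
    print("naive:  ", total_credited(RAW_DEPOSITS, credit_naive))
    print("checked:", total_credited(RAW_DEPOSITS, credit_checked))
```

Only the first record survives the checked path. The 250,000 USDT record is credited by the naive routine even though Omni marks it invalid, which is the exchange-side bug the quote above describes; the other two are rejected for being a different Omni property and for being too shallow.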

Hexa Labs Thoughts

  • At the root of this was a poor integration by the exchange with the Tether currency. When listing a new cryptocurrency or token on a trading platform, it is critical to understand the intricacies of the new protocol, including which transaction fields must be checked before a deposit is credited.

References: SlowMist tweet, Nugget’s news video, CoinTelegraph

Bithumb (June 20, 2018)

Bithumb is a popular South Korean crypto-exchange.

Damage scale: $17 million in cryptocurrency

Attack vector: Little information is available. What is known is a hot wallet was hacked, but details are scant.

What Happened

  • “We noticed that between last night and today early morning, about 350,000,000,000 KRW worth of cryptocurrencies have been stolen” — a deleted tweet by Bithumb
  • All withdrawal services were temporarily halted and the company moved all cryptocurrencies to cold wallets
  • Bithumb asked clients to stop depositing crypto in their wallets, but some clients reportedly continued doing so for some time afterwards
  • Bithumb worked with the Korea Internet & Security Agency (KISA) and other entities to figure out how the hack took place

Hexa Labs Thoughts

  • It has been reported that the heist happened at night, like many breaches. Monitoring hot wallets, cold wallets, and the blockchains themselves, with alerting that does not depend on someone watching a dashboard, is crucial to detecting breaches as quickly as possible
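As an added example (not Bithumb's code) of the kind of monitoring meant here, the Python below runs a sliding-window outflow check over a constructed hot-wallet withdrawal log and tightens the limits at night. The log format, amounts, destination addresses, per-asset limits, one-hour window and the 22:00-06:00 night band are all invented assumptions; the point is the shape of the rule, not the numbers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed hot-wallet outflow log: "<UTC timestamp> <asset> <amount> <destination>".
# Format, amounts and addresses are invented; a real feed would be the wallet
# service's withdrawal journal or on-chain transfers from the hot-wallet addresses.
SAMPLE_LOG = """\
2018-06-19T14:05:12Z BTC 0.80 1CustomerA
2018-06-19T14:40:03Z ETH 12.0 0xCustomerB
2018-06-19T15:10:45Z BTC 1.10 1CustomerC
2018-06-20T02:11:08Z BTC 150.00 1UnknownX
2018-06-20T02:12:30Z BTC 200.00 1UnknownX
2018-06-20T02:14:02Z ETH 3000.0 0xUnknownY
2018-06-20T02:15:19Z BTC 250.00 1UnknownX
"""

# Maximum outflow per asset within one rolling window during business hours.
# Illustrative sizes; in practice derive them from the hot wallet's normal turnover.
LIMITS = {"BTC": 20.0, "ETH": 500.0}
WINDOW = timedelta(hours=1)
NIGHT_FACTOR = 0.25            # 22:00-06:00 UTC: tighten limits while nobody is watching


def parse_line(line):
    ts_str, asset, amount, dest = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")   # naive datetime, UTC
    return ts, asset, float(amount), dest


def is_night(ts):
    return ts.hour >= 22 or ts.hour < 6


def detect_outflow_spikes(log_text, limits=LIMITS, window=WINDOW, night_factor=NIGHT_FACTOR):
    """Sliding-window outflow per asset; emit an alert as soon as the window
    total exceeds the time-of-day adjusted limit. Unknown assets get a limit of
    0 so any outflow of an unconfigured asset is flagged."""
    recent = defaultdict(deque)   # asset -> deque of (timestamp, amount) inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, asset, amount, dest = parse_line(line)
        q = recent[asset]
        q.append((ts, amount))
        while q and ts - q[0][0] > window:
            q.popleft()
        window_total = sum(a for _, a in q)
        limit = limits.get(asset, 0.0) * (night_factor if is_night(ts) else 1.0)
        if window_total > limit:
            alerts.append({
                "ts": ts.isoformat(),
                "asset": asset,
                "window_total": round(window_total, 8),
                "limit": limit,
                "last_destination": dest,
                "night": is_night(ts),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_outflow_spikes(SAMPLE_LOG):
        print(alert)
```

Daytime traffic on the 19th stays under the limits; the four withdrawals after 02:00 on the 20th each trip an alert, the first one on a single 150 BTC transfer because the night limit is 5 BTC. Wiring the alert to pause the hot wallet's signing service, rather than only paging a human, is what turns detection into containment at 2 a.m.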

References: CoinDesk, TheNextWeb, Bithumb report and announcement on compensation plan

Previous Attacks

  • A year ago, a hacker breached a Bithumb employee’s PC and stole details of some Bithumb users. An unknown amount of Bitcoin and Ether was also stolen

CoinRail (June 10, 2018)

CoinRail is another South Korean crypto-exchange.

Damage scale: Ether, NPXS, NPER and other tokens (~$40M)

Attack vector: Undisclosed

What Happened

  • Attackers hacked CoinRail's systems and a range of ERC-20 tokens was stolen
  • All trading at CoinRail was suspended
  • CoinRail claims 70% of the stolen funds can be recovered, but 30% is lost
  • The hacker tried to sell some of the stolen tokens at IDEX, a decentralized asset exchange. CoinRail states that IDEX froze assets from the hacker's wallet address
  • CoinRail reopened in mid-July, but the full recovery process has not been completed yet

Hexa Labs Thoughts

  • The Ocean, an ERC20 trading platform, claimed some addresses related to the hack had previously been marked as suspicious. They suggested that exchanges should check whether addresses with negative marks are interacting with their platforms. This idea sounds interesting, but the implementation should be considered carefully because it might affect honest blockchain users.

References: CoinRail official statement, CoinDesk, The Ocean's analysis, Bitcoin.Com

ZenCash (June 3, 2018)

Who: ZenCash is a privacy-oriented blockchain system built on zero-knowledge cryptography, using the Equihash proof-of-work algorithm.

Damage scale: 22,900 ZEN ($687,000)

Attack vector: 51% Attack

What Happened

  • Equihash is a popular mining algorithm also used by other currencies such as Zcash and Bitcoin Gold
  • This means a significant amount of computing power is dedicated to Equihash, and that hash power can be switched between the blockchains that use it
  • Several commercial mining pools and marketplaces offer Equihash hash power for rent
  • The attackers probably rented Equihash hash power and reorganized the ZenCash blockchain several times, the largest rollback reversing 38 blocks, which allowed them to double-spend ZEN
  • Mining pools contacted ZenCash about the attack, and exchanges were notified to increase the number of confirmations required for ZEN transactions
  • Less than two weeks after the attack, ZenCash published a proposal to modify the consensus protocol and use a penalty system to reduce this risk
  • ZenCash is revising its white paper. It is unclear whether it will include proposals to fight 51% attacks or hard fork the blockchain
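The 38-block rollback and the advice to exchanges to raise their confirmation count can be made concrete with an added example (not ZenCash's code, and not real ZenCash block data): a Python chain tracker that detects reorganizations from a node's best-block notifications and derives the deposit confirmation requirement from the deepest reorg it has seen. The block hashes and heights, the base requirement of 10 confirmations and the safety margin of 2 are invented assumptions.

```python
class ChainTracker:
    """Follows the node's active chain, measures every reorganization, and derives
    a deposit confirmation requirement from the deepest reorg seen so far."""

    def __init__(self, genesis, get_block, base_confirmations=10, safety_margin=2):
        self.get_block = get_block      # hash -> (height, hash, prevhash); wraps a getblock RPC in practice
        self.active = [genesis]         # active chain as a list of (height, hash, prevhash)
        self.index = {genesis[1]: 0}    # hash -> position in self.active
        self.max_reorg = 0              # deepest rollback observed, in discarded blocks
        self.base = base_confirmations
        self.margin = safety_margin

    def on_new_tip(self, tip_hash):
        """Call whenever the node reports a new best block (as a -blocknotify hook
        would). Walks back from the new tip until it meets a block already on our
        active chain; everything after that fork point is discarded.
        Returns the number of discarded blocks, 0 for a plain extension."""
        branch = []
        h = tip_hash
        while h not in self.index:
            block = self.get_block(h)
            branch.append(block)
            h = block[2]
        fork_pos = self.index[h]
        discarded = len(self.active) - 1 - fork_pos
        for block in self.active[fork_pos + 1:]:
            del self.index[block[1]]
        del self.active[fork_pos + 1:]
        for block in reversed(branch):
            self.index[block[1]] = len(self.active)
            self.active.append(block)
        self.max_reorg = max(self.max_reorg, discarded)
        return discarded

    def confirmations(self, block_hash):
        """Confirmations of a block on the active chain (the block itself counts
        as 1); 0 if it has been reorganized away."""
        pos = self.index.get(block_hash)
        return 0 if pos is None else len(self.active) - pos

    def required_confirmations(self):
        """Never accept a deposit with fewer confirmations than the deepest reorg
        witnessed plus a margin: the rule of thumb behind telling exchanges to
        raise their ZEN confirmation count."""
        return max(self.base, self.max_reorg + self.margin)

    def deposit_is_final(self, block_hash):
        return self.confirmations(block_hash) >= self.required_confirmations()


def build_scenario():
    """Constructed scenario, not real ZenCash data: an honest chain of 50 blocks,
    then a privately mined branch forking at height 12 that overtakes it at
    height 51, reversing 38 blocks (the depth reported for the ZenCash attack)."""
    blocks = {"h0": (0, "h0", None)}
    for i in range(1, 51):
        blocks[f"h{i}"] = (i, f"h{i}", f"h{i - 1}")
    prev = "h12"
    for i in range(13, 52):
        blocks[f"a{i}"] = (i, f"a{i}", prev)
        prev = f"a{i}"
    return blocks


def run_scenario(deposit_block="h30"):
    """Returns (reorg depth, state before, state after); each state is
    (confirmations of the deposit block, is it final, required confirmations)."""
    blocks = build_scenario()
    tracker = ChainTracker(blocks["h0"], blocks.__getitem__)
    for i in range(1, 51):
        tracker.on_new_tip(f"h{i}")
    before = (tracker.confirmations(deposit_block), tracker.deposit_is_final(deposit_block),
              tracker.required_confirmations())
    depth = tracker.on_new_tip("a51")
    after = (tracker.confirmations(deposit_block), tracker.deposit_is_final(deposit_block),
             tracker.required_confirmations())
    return depth, before, after


if __name__ == "__main__":
    print(run_scenario())
```

Before the attacker's branch arrives, a deposit in block h30 has 21 confirmations and is final under the base policy; after it, the block is no longer on the active chain and the tracker now demands 40 confirmations. An exchange should also set a floor from the economics of renting the chain's hash power rather than only reacting to reorgs it has already suffered.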

Hexa Labs Thoughts

  • ZenCash notified its exchange partners about the attack almost immediately, as it should, but the reputational damage to the project is massive
  • When developing a decentralized project, choosing the right blockchain is a crucial decision for the project's future success. One needs to consider the ecosystem and the attackers from different vantage points, specifically at different phases of the venture, including before mass adoption. In this case it was profitable for the attackers to rent hash power and perform a 51% attack on the ZenCash blockchain

References: ZenCash official statement, Bitcoinist, ZenCash proposal to fight 51% attacks

EOS Vulnerabilities (May-June-July … Honestly Ongoing)

Who: EOS, a third-generation blockchain for decentralized apps

What Has Happened

  • EOS raised almost $4 billion in a year-long ICO
  • The new blockchain promises to enable millions of transactions per second and eliminate transaction fees, solving some of Ethereum's worst drawbacks
  • Qihoo 360, a Chinese internet security firm, discovered several critical vulnerabilities in the platform just before the projected June launch
  • The bugs allowed an attacker to execute arbitrary code remotely on EOS nodes and even take full control of a node
  • Around the same time, attackers scanned the internet for EOS nodes that accidentally exposed private keys through an API misconfiguration. The scan started only a few hours after the Qihoo 360 report was released
  • There seems to be no direct connection between the two; the latter relates to a GitHub bug report that had been published
  • EOS reported fixing all the bugs and published its bug-bounty program
  • A few days later, another white-hat hacker found bugs in the EOS software and received a $120K reward from EOS
  • The program is ongoing. EOS has paid out over $340,000 to ethical hackers

Hexa Labs Thoughts

  • Open-source practices prove their worth. On the one hand, the business lays its source code bare on GitHub for all to see; on the other hand, the community helps in achieving more secure and efficient code
  • Bug-bounty programs make sense both for the business and for white-hat hackers

References: CryptoSlate, BleepingComputer, TheNextWeb, EOSIO bug-bounty program announcement

About Hexa Labs

Hexa Labs is a blockchain solutions consultancy helping established large-scale consumer brands create their own fair and stable decentralised economies.

Among our clients you can find Zinc, PumaPay, COTI and other successful blockchain projects.

Visit us at Hexa-labs.com
