Hexa Labs — A Security Analysis for Blockchain: June-July 2018

Dror Trieman
Aug 9, 2018 · 9 min read
Image by Marina Rudinsky

After several months working in Israel’s blockchain industry as security lead for Hexa Labs — Orbs’ sister company within the larger Hexa Group of companies — I’ve met dozens of managers, researchers, developers, lawyers, and business consultants working on innovative projects dealing with hundreds of millions of dollars in both fiat and cryptocurrency.

Most of these people told me they can’t keep pace with the tremendous number of security incidents in the blockchain domain. At least once a week, there seems to be news of another crypto heist, with last week’s major story covering the KICKICO breach.

I believe people in the industry should be aware of these security events, as well as relevant news and trends. When you hear about an incident, your first instinct should be to think whether or not that same attack vector can be used against your venture and if your current security plan mitigates this risk.

Even though the community embraces knowledge-sharing and the open-source philosophy, information on security breaches often remains confidential for obvious reasons. Usually, specific details are undisclosed such as damage scale, exact vulnerability, and the victim’s identity.

This blog delivers interesting blockchain security incidents and events in an executive-summary format. Many posts already cover individual security incidents in the blockchain domain; here I’ll provide a high-level overview, focus on the essence, and give references for further inspection.

Without further ado, let’s go over the security incidents of June-July 2018:

KICKICO (July 27, 2018)

KICKICO is a blockchain crowdfunding website for ICOs.

Damage scale: 70,000,000 KickCoin (~$7.7M — estimated fiat value of stolen tokens during the hack)

Attack vector: Access to private key of a smart contract

What Happened

  • Several KickCoin token holders complained tokens disappeared from their wallets

Hexa Labs Thoughts

  • Hackers tried to disguise the heist with an interesting technique (reassigning token ownership and total supply), but alertness on the part of the token holders prevented more damage

References: Official statement by KICKICO, CoinFrenzy

Related Attacks

  • It is worth mentioning that KICKICO suffered several attacks during their ICO last year. Read more here

Hola Free VPN and MyEtherWallet (July 9, 2018)

Hola is a popular free VPN service; MyEtherWallet is a popular client-side interface for Ethereum wallets.

Damage scale: Unknown

Attack vector: Client phishing via a malicious browser extension

What Happened

  • Hackers gained access to Hola’s Google Chrome store account, and uploaded a malicious extension to the store

Hexa Labs Thoughts

  • It was a sophisticated attack which might have caused severe damage to Hola & MyEtherWallet users. It would be interesting to learn how Hola’s team discovered the hack

References: Official statement by Hola, MyEtherWallet urgent tweet

Related Attacks

Bancor (July 9, 2018)

Bancor is a blockchain project which allows immediate liquidity for ERC20 tokens.

Damage scale: $23.5 million (in Ether, NPXS, BNT)

Attack vector: Undisclosed

What Happened

  • A compromised wallet was used by the attackers to withdraw ETH, NPXS and BNT tokens from a BNT smart contract and other contracts

References: Bancor’s first detailed response, Bancor’s clarification, Leonid Beder’s post on the hack, BitRates

Tether (June 28, 2018)

Who: An undisclosed crypto-exchange, affected by rumors surrounding Tether (USDT)

Damage scale: Unknown

Attack vector: Lack of data validation

What Happened

  • SlowMist, a Chinese cyber-security company, published a post showing how a Tether account on an exchange was credited (“recharged”) by changing the value of a single field in the transaction

Hexa Labs Thoughts

  • At the root of this was a poor integration implementation by the exchange with the Tether currency. When listing a new cryptocurrency or token on a trading platform, it is critical to understand the intricacies of the new protocol.
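The integration failure described above comes down to crediting a deposit on recipient and amount alone, without asking the token layer whether the transfer was valid. The following is an added example for this post, not code from the post, from SlowMist or from any exchange: a weak deposit check beside a hardened one, run over two constructed transaction records. The field names (`valid`, `invalidreason`, `type`, `propertyid`, `amount`, `referenceaddress`, `confirmations`) follow the shape of Omni Layer’s `omni_gettransaction` output as assumed here, and the property id, confirmation policy and deposit address are constructed values.

```python
"""Deposit-crediting check modelled on the Tether integration failure above.

Added example for this post, not code from the post, SlowMist or any
exchange. The transaction records below are constructed; their field
names follow the shape of Omni Layer's `omni_gettransaction` output,
which is assumed here.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

USDT_PROPERTY_ID = 31            # Omni property id for Tether (assumed)
REQUIRED_CONFIRMATIONS = 6       # deposit policy chosen for this example
OUR_DEPOSIT_ADDRESS = "1ExchangeDepositAddressPLACEHOLDER"  # constructed


@dataclass
class DepositDecision:
    txid: str
    credit: bool
    reason: str


def weak_evaluate_deposit(tx: dict) -> bool:
    """The kind of check that gets fooled: recipient and amount only.

    It never asks the Omni layer whether the transaction actually moved
    any tokens, so an invalid send to our address is credited anyway.
    """
    return (tx.get("referenceaddress") == OUR_DEPOSIT_ADDRESS
            and Decimal(str(tx.get("amount", "0"))) > 0)


def evaluate_deposit(tx: dict) -> DepositDecision:
    """Credit only transactions the token layer itself considers valid."""
    txid = tx.get("txid", "<missing txid>")
    # 1. The layer's verdict is authoritative: an invalid Omni tx moves nothing,
    #    however good the recipient and amount look.
    if tx.get("valid") is not True:
        reason = tx.get("invalidreason", "unknown")
        return DepositDecision(txid, False, f"invalid at omni layer: {reason}")
    # 2. Only a transfer of the Tether property is a USDT deposit.
    if tx.get("propertyid") != USDT_PROPERTY_ID:
        return DepositDecision(txid, False, "not the USDT property")
    # 3. Only a plain transfer; other Omni message types are not deposits.
    if tx.get("type") != "Simple Send":
        return DepositDecision(txid, False, "not a simple send")
    # 4. The tokens must land on an address we control.
    if tx.get("referenceaddress") != OUR_DEPOSIT_ADDRESS:
        return DepositDecision(txid, False, "recipient is not our deposit address")
    # 5. Amount arrives as a decimal string; reject malformed or non-positive values.
    try:
        amount = Decimal(str(tx.get("amount", "0")))
    except InvalidOperation:
        return DepositDecision(txid, False, "malformed amount")
    if amount <= 0:
        return DepositDecision(txid, False, "non-positive amount")
    # 6. Wait for confirmation depth before the balance becomes spendable.
    if int(tx.get("confirmations", 0)) < REQUIRED_CONFIRMATIONS:
        return DepositDecision(txid, False, "insufficient confirmations")
    return DepositDecision(txid, True, "credited")


# Constructed records: the first is a genuine deposit; the second looks identical
# to a recipient/amount check, but the layer rejected it.
GENUINE_DEPOSIT = {
    "txid": "aa" * 32, "type": "Simple Send", "propertyid": 31,
    "amount": "1000.00000000", "referenceaddress": OUR_DEPOSIT_ADDRESS,
    "valid": True, "confirmations": 12,
}
INVALID_DEPOSIT = {
    "txid": "bb" * 32, "type": "Simple Send", "propertyid": 31,
    "amount": "1000000.00000000", "referenceaddress": OUR_DEPOSIT_ADDRESS,
    "valid": False, "invalidreason": "Sender has insufficient balance",
    "confirmations": 12,
}

if __name__ == "__main__":
    for tx in (GENUINE_DEPOSIT, INVALID_DEPOSIT):
        print("weak:", weak_evaluate_deposit(tx), "| hardened:", evaluate_deposit(tx))
```

The order of the checks matters: the layer’s own validity verdict comes first, so no amount of well-formed recipient and amount data can rescue a transaction that moved no tokens.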

References: SlowMist tweet, Nugget’s news video, CoinTelegraph

Bithumb (June 20, 2018)

Bithumb is a popular South Korean crypto-exchange.

Damage scale: $17 million in cryptocurrency

Attack vector: Little information is available. What is known is a hot wallet was hacked, but details are scant.

What Happened

  • “We noticed that between last night and today early morning, about 350,000,000,000 KRW worth of cryptocurrencies have been stolen” — a deleted tweet by Bithumb

Hexa Labs Thoughts

  • It has been reported the heist happened at night, like many breaches. Using monitoring tools on hot wallets, cold wallets, and blockchains is crucial to detecting breaches as quickly as possible
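A hot-wallet outflow monitor is the kind of control the paragraph above calls for, with a tighter limit during the night hours when fewer operators are watching. This is an added example for this post, not Bithumb’s tooling or code from the post; the withdrawal events, per-asset limits, window size and the definition of “night” are all constructed for illustration, and timestamps are taken to be the exchange’s local time.

```python
"""Hot-wallet outflow monitor with a sliding window and night-time limits.

Added example, not Bithumb's tooling or code from the post. The ledger
events, per-asset limits and the "night" definition are constructed.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

WINDOW = timedelta(minutes=30)
NIGHT_HOURS = range(0, 6)   # 00:00-05:59 local: fewer operators watching (constructed policy)

# Per-asset limits on total outflow inside one window: (daytime, night). Constructed.
LIMITS = {
    "BTC": (Decimal("200"), Decimal("20")),
    "ETH": (Decimal("3000"), Decimal("300")),
}


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    asset: str
    amount: Decimal


@dataclass(frozen=True)
class Alert:
    ts: datetime
    asset: str
    window_total: Decimal
    limit: Decimal


def detect_outflow_bursts(events, window=WINDOW, limits=LIMITS):
    """Raise one alert per asset each time windowed outflow crosses its limit.

    `events` must be hot-wallet withdrawals in time order. The monitor keeps a
    sliding window per asset and re-arms only after the total falls back under
    the limit, so a sustained drain produces one alert, not one per transfer.
    """
    recent = {}    # asset -> deque of (ts, amount) inside the window
    totals = {}    # asset -> sum of that deque
    armed = {}     # asset -> whether the next crossing may alert
    alerts = []
    for ev in events:
        q = recent.setdefault(ev.asset, deque())
        q.append((ev.ts, ev.amount))
        totals[ev.asset] = totals.get(ev.asset, Decimal(0)) + ev.amount
        # Evict withdrawals that have slid out of the window.
        while q and ev.ts - q[0][0] > window:
            totals[ev.asset] -= q.popleft()[1]
        day_limit, night_limit = limits.get(ev.asset, (Decimal("Infinity"),) * 2)
        limit = night_limit if ev.ts.hour in NIGHT_HOURS else day_limit
        total = totals[ev.asset]
        if total > limit:
            if armed.get(ev.asset, True):
                alerts.append(Alert(ev.ts, ev.asset, total, limit))
                armed[ev.asset] = False
        else:
            armed[ev.asset] = True
    return alerts


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample: normal daytime traffic, then a night-time drain of two assets.
SAMPLE_EVENTS = [
    Withdrawal(_t("2018-06-19 14:00"), "BTC", Decimal("50")),
    Withdrawal(_t("2018-06-19 14:10"), "BTC", Decimal("60")),
    Withdrawal(_t("2018-06-20 02:00"), "BTC", Decimal("15")),   # night starts quietly
    Withdrawal(_t("2018-06-20 02:05"), "BTC", Decimal("10")),   # 25 BTC in 5 min > night limit
    Withdrawal(_t("2018-06-20 02:20"), "BTC", Decimal("5")),    # still draining, already alerted
    Withdrawal(_t("2018-06-20 02:30"), "ETH", Decimal("400")),  # second asset over its night limit
    Withdrawal(_t("2018-06-20 15:00"), "BTC", Decimal("100")),  # next day, back under the day limit
    Withdrawal(_t("2018-06-20 15:10"), "BTC", Decimal("50")),
]

if __name__ == "__main__":
    for a in detect_outflow_bursts(SAMPLE_EVENTS):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.asset}: {a.window_total} out in 30 min (limit {a.limit})")
```

In practice the events would be fed from the wallet’s signing service or from on-chain observation of the hot-wallet addresses, and the alert would page an on-call operator rather than print; the re-arm logic keeps a single drain from flooding that pager with one message per transfer.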

References: CoinDesk, TheNextWeb, Bithumb report and announcement on compensation plan

Previous Attacks

  • A year ago, a hacker breached a Bithumb employee’s PC and stole details of some Bithumb users. An unknown amount of Bitcoin and Ether was also stolen

CoinRail (June 10, 2018)

CoinRail is another South Korean crypto-exchange.

Damage scale: Ether, NPXS, NPER and others ($40M)

Attack vector: Undisclosed

What Happened

  • Attackers breached CoinRail’s systems and stole a range of ERC-20 based tokens

Hexa Labs Thoughts

  • The Ocean, an ERC20 trading platform, claimed some addresses related to the hack were previously marked as suspicious. They suggested that exchanges should check if addresses with negative marks were interacting with their platforms. This idea sounds interesting, but the implementation should be considered carefully because it might affect honest blockchain users.

References: CoinRail official statement, CoinDesk, The Ocean’s analysis, Bitcoin.com

ZenCash (June 3, 2018)

Who: ZenCash is a privacy-oriented blockchain system built on zero-knowledge cryptography, using the Equihash PoW protocol.

Damage scale: 22,900 ZEN ($687,000)

Attack vector: 51% Attack

What Happened

  • Equihash is a popular mining algorithm used by other currencies such as ZCash and Bitcoin Gold

Hexa Labs Thoughts

  • ZenCash notified their exchange partners about the attack almost immediately, as they should, but there’s massive reputation damage to this project

References: ZenCash official statement, Bitcoinist, ZenCash proposal to fight 51% attacks

Previous Attacks

EOS Vulnerabilities (May-June-July … Honestly Ongoing)

Who: EOS, a 3rd-generation blockchain for decentralized apps

What Has Happened

  • EOS has raised almost $4 billion in a year-long ICO.

Hexa Labs Thoughts

  • Open-source practices prove their value. On the one hand, the business does a striptease, putting its source code on GitHub for all to see; on the other hand, the community helps achieve more secure and efficient code

References: CryptoSlate, BleepingComputer, TheNextWeb, EOSIO declares bug-bounty program

About Hexa Labs

Hexa Labs is a blockchain solutions consultancy helping established large-scale consumer brands create their own fair and stable decentralised economies.

Among our clients you can find Zinc, PumaPay, COTI and other successful blockchain projects.

Visit us at Hexa-labs.com
