A Security Analysis for Blockchain: November 2018


Hello community! In the last post we analyzed EOS and Ethereum smart contract breaches alongside hacks of cryptocurrency exchanges. It feels like every month the mix is about the same, and every two months there is a 51% attack.

This month we inspect a 51% attack on a small blockchain, along with a cryptocurrency exchange which disappeared after a hack (or an exit scam), Twitter scams, an ERC20 token scam, and an interesting study which shows that too many Ethereum smart contracts share common code, and therefore will share future vulnerabilities.

The post ends with more interesting blockchain security stories from the month.


Twitter scams — Target and Google accounts (13 November 2018)

Damage scale: $32,700 (in BTC)

What happened:

  • Hackers managed to publish a tweet from the Target account (almost 2M followers), asking users to send a small amount of cryptocurrency in order to participate in a $30M Bitcoin giveaway
  • The same Target account was used in another Twitter scam that week, in which a verified menswear account was taken over and renamed to Elon Musk
  • Hackers collected some BTC in these incidents
  • On the same day, Google’s G Suite account (over 800K followers) tweeted a similar message, asking users to send between 0.1 and 2 BTC and get ten times the amount back
  • Luckily, it seems nobody sent BTC to the address in Google’s tweet

Hexa Labs thoughts:

  • Everyone knows the Nigerian prince scam and that offers of this kind are too good to be true
  • Last month was the annual cyber-security awareness month; awareness of scams should be an integral part of the guidance and training

References: Report about hack of Target’s twitter account, Report about hack of Google’s twitter account

Related attacks: It’s not the same attack, but it somehow reminds me of a tricky scam I analyzed last year — the Minerium scam.

51% Attack on AurumCoin

Who: AurumCoin is a cryptocurrency which says it works according to the gold standard, and the currency is intended to be backed by gold in the future.

Damage scale: $550,000 (in AU)

What happened:

  • AurumCoin claimed it was hit by a 51% attack and that some tokens are missing from Cryptopia’s wallet; the latter is an Australian cryptocurrency exchange
  • It is assumed that a hacker sent AU tokens to a Cryptopia wallet and exchanged them for a different cryptocurrency, and then a 51% attack reversed the original AU transfer to Cryptopia
  • For some reason, AurumCoin accuses Cryptopia of the hack
  • AurumCoin is a small infrastructure with a small number of miners, and therefore a low average hash rate. It is easy to rent hash power and perform a 51% attack

Hexa Labs thoughts:

  • Dealing with a small blockchain which uses a popular hash function involves risks, such as 51% attacks; users should be aware of these risks when using this kind of cryptocurrency
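The reason a low hash rate matters to an exchange is that "wait for N confirmations" only bounds the attacker's chance of reversing a deposit when the attacker holds a minority of the hash power. The snippet below is an added example, not part of the original post or of AurumCoin or Cryptopia, implementing the catch-up probability from section 11 of the Bitcoin whitepaper: q is the attacker's share of the network hash rate, z the number of confirmations a deposit already has. confirmations_needed is my own wrapper that searches for the depth at which the reversal probability falls below a chosen threshold; the 0.1% target and the attacker shares in the demo are constructed values.

```python
"""Added example (not from the original post): how likely a minority-hash-rate
attacker is to rewrite a transaction that already has z confirmations, using the
catch-up model from the Bitcoin whitepaper (section 11).  q is the attacker's
share of the network hash rate; the honest majority has p = 1 - q."""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash share q eventually overtakes an
    honest chain that is z blocks ahead of the attacker's private fork."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z >= 0")
    p = 1.0 - q
    if q >= p:
        # A majority (the 51% case) always catches up eventually.
        return 1.0
    lam = z * (q / p)              # expected attacker progress while honest miners found z blocks
    total = 1.0
    poisson = math.exp(-lam)       # Poisson term for k = 0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k     # incrementally build lam**k * e**-lam / k!
        total -= poisson * (1.0 - math.pow(q / p, z - k))
    return total


def confirmations_needed(q: float, max_probability: float = 0.001, limit: int = 10_000):
    """Smallest confirmation depth z at which the attacker's success probability
    drops below max_probability, or None when q >= 0.5 (no depth is safe)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_probability:
            return z
    return None


if __name__ == "__main__":
    # Constructed scenario: an exchange listing a small coin wants to know how
    # deep a deposit must be before crediting it, for several attacker shares.
    for q in (0.10, 0.30, 0.45, 0.51):
        z = confirmations_needed(q)
        depth = "no safe depth" if z is None else f"{z} confirmations"
        print(f"attacker share {q:.2f}: {depth} for P < 0.1%")
```

The output makes the AurumCoin point concrete: with 10% of the hash rate an attacker needs 5 confirmations to be pushed below 0.1%, with 30% it takes 24, with 45% it takes hundreds, and at 51% no confirmation depth helps at all, which is why renting a majority of a small chain's hash power defeats any deposit policy based on confirmation counts.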

References: Report on the attack, Official statement on the hack by AurumCoin

Related attacks: 51% attack on Bitcoin Gold, 51% attack experiment on Einsteinium, 51% attack on Zen Cash — published in the June-July analysis

MapleChange (29 October 2018)

Who: MapleChange was a small Canadian cryptocurrency exchange.

Damage scale: $6M (in Bitcoin)

What happened:

  • MapleChange revealed in a tweet that it had fallen victim to a hack
  • The exchange also stated that “due to a bug, some people managed to withdraw our funds from the exchange” and that they were running an investigation
  • They also said no refunds were available at the moment
  • A day later, MapleChange started a series of tweets saying some of the alt-coins had been returned to their original owners
  • Some light was shed on the vulnerability itself: critical code lines were commented out, which caused the catastrophe
  • People from the crypto community say it’s all an exit scam by the MapleChange founders
  • Since October 30 there have been no updates on the company’s Twitter account

Hexa Labs thoughts:

  • When using centralised crypto-exchanges this kind of scam/hack might happen; when it is also a small, unknown exchange, the risk is much higher.

References: Report on the hack, Is the “hack” actually an exit scam, Technical explanation of the exploit

Related attacks: See the Altex.Exchange case in the August analysis

Oyster Protocol (29 October 2018)

Who: Oyster Protocol is a data storage solution on top of the IOTA DLT, with a matching ERC20 token, Oyster (PRL), on the Ethereum blockchain.

Damage scale: $300K (in PRL tokens)

What happened:

  • Oyster tokens’ trading volume went up by 900% in a short period of time
  • At the same time, the price of the token went down by 60%
  • Oyster officials released a statement that the Oyster smart contract had passed 3 different audits and no bugs were found
  • But in the second part of the statement, they also said “someone” took over ownership of the contract and successfully minted 3 million new PRL tokens
  • This “someone” is actually the original co-founder and architect of the Oyster project
  • The Oyster CEO said one of the recovery options is to deploy a new token and swap it 1:1 with the old PRL tokens, excluding the 3 million newly minted ones

Hexa Labs thoughts:

  • This act reminds me of the use of a “safety hatch” by other blockchain projects; users should be aware that smart contracts with safety hatches are susceptible to such incidents
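The incident above, and the "safety hatch" point, hinge on one design choice: an owner-only check on mint does not bound the damage, because whoever ends up holding the owner role (by key theft, by a transfer, or because they were an insider) can mint without limit. The following is an added example, written as a Python model rather than Solidity and not Oyster's contract or any audited code, of the same control pattern. It places the weak setting (owner-gated mint with no cap) beside two mitigations that hold regardless of who owns the contract: a hard max_supply enforced inside mint, and a one-way finish_minting switch. All names, the 100M launch supply and the scenario are constructed; only the 3 million figure comes from the post.

```python
"""Added example (not Oyster's contract, which is Solidity): a constructed
Python model of an ERC20-style token whose owner can mint.  It shows why an
owner-only check alone does not bound damage once ownership changes hands,
and what a supply cap plus an irreversible "minting finished" flag adds."""
from dataclasses import dataclass, field
from typing import Dict, Optional


class TokenError(Exception):
    """Raised where a Solidity contract would revert."""


@dataclass
class MintableToken:
    owner: str
    max_supply: Optional[int] = None      # None = uncapped (the weak setting)
    total_supply: int = 0
    minting_finished: bool = False
    balances: Dict[str, int] = field(default_factory=dict)

    def _only_owner(self, caller: str) -> None:
        if caller != self.owner:
            raise TokenError("caller is not the owner")

    def transfer_ownership(self, caller: str, new_owner: str) -> None:
        """The 'safety hatch': whoever holds the owner key can hand it on."""
        self._only_owner(caller)
        self.owner = new_owner

    def finish_minting(self, caller: str) -> None:
        """One-way switch; after this no owner, present or future, can mint."""
        self._only_owner(caller)
        self.minting_finished = True

    def mint(self, caller: str, to: str, amount: int) -> int:
        """Owner-gated mint.  The cap and the finished flag are the controls
        that survive an ownership change; the owner check alone does not."""
        self._only_owner(caller)
        if self.minting_finished:
            raise TokenError("minting is finished")
        if amount <= 0:
            raise TokenError("amount must be positive")
        if self.max_supply is not None and self.total_supply + amount > self.max_supply:
            raise TokenError("mint would exceed max_supply")
        self.total_supply += amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return self.total_supply


def supply_after_takeover(token: MintableToken, old_owner: str,
                          new_owner: str, amount: int) -> int:
    """Hand ownership to new_owner and let them try to mint `amount`; returns
    the resulting total supply (unchanged when the mint reverts)."""
    token.transfer_ownership(old_owner, new_owner)
    try:
        token.mint(new_owner, new_owner, amount)
    except TokenError:
        pass
    return token.total_supply


if __name__ == "__main__":
    # Constructed figures: a token launched with 100M units in circulation,
    # then 3M more minted by whoever ends up holding the owner role.
    launch, extra = 100_000_000, 3_000_000

    weak = MintableToken(owner="deployer")
    weak.mint("deployer", "treasury", launch)
    print("uncapped:", supply_after_takeover(weak, "deployer", "new_owner", extra))

    capped = MintableToken(owner="deployer", max_supply=launch)
    capped.mint("deployer", "treasury", launch)
    print("capped:  ", supply_after_takeover(capped, "deployer", "new_owner", extra))

    frozen = MintableToken(owner="deployer")
    frozen.mint("deployer", "treasury", launch)
    frozen.finish_minting("deployer")
    print("frozen:  ", supply_after_takeover(frozen, "deployer", "new_owner", extra))
```

Only the uncapped token ends up with 103M units; the capped and frozen variants keep their 100M no matter who the owner is. When reviewing a token contract, the question to ask is therefore not "who can call mint?" but "what can mint do in the worst case, given that the owner role may change hands?"; the presence of an audit does not answer that, since an owner-controlled mint is working as designed.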

References: Report on the hack

More Interesting Blockchain Security Stories

Bitcoin Cash established a mining pool to attack its forks — SharkPool — A startup from the Bitcoin Cash camp is building a mining pool to fight its forks and alt-coins which “doesn’t fulfill Satoshi’s original vision for Crypto-currency”.

Most Ethereum smart contracts share common code — Research on the first 5 million blocks (the chain now has over 6.8M blocks) shows that less than 10% of Ethereum smart contracts are unique; therefore many smart contracts might share vulnerabilities.

Bitmain sues the hacker who hacked its Binance account — This case is interesting because Binance and other service providers will be summoned to court and might be required to hand over private information which will reveal the identity of the hacker.

Spray and pray attacks ask for BTC or your secret life will be exposed — Hackers are spraying leaked email accounts with demands for BTC. They are actually doing you a favour by not locking your Check if your email account has been compromised in a data breach here.

Unbound releases open-source code for MPC — Multi-Party Computation (MPC) is a hot domain in the crypto market, with several startup companies building MPC solutions. An interesting move by Unbound. Here’s a link to the GitHub repo.