The Dark Side of Crypto — Systemic Risks

Amid the recent hubbub that Initial Coin Offerings (ICOs) and the rising valuations of many cryptocurrencies created, there is a much darker side of cryptocurrency where awareness needs to be raised. The much darker side of cryptocurrency is the systemic risks within the cryptocurrency ecosystem which could potentially massively disrupt the entire space. In this article, I’ll outline just a few of the systemic risks that cryptocurrency faces in the near-future, as well as the possible consequences of those systemic risks. I’ll also outline some steps that you can take to minimize your exposure to systemic risks to keep you, and your money, safe.

What is the main source of systemic risk for the cryptocurrency ecosystem? Hackers. Simply put, hackers follow wherever the money is. So it’s no wonder that hackers would be attracted to the cryptocurrency ecosystem, where the total market capitalization of cryptocurrencies is $165 billion (at the time of writing, at least). To give you an idea of how much money is in cryptocurrency, let’s put it this way: that’s larger than the market capitalizations of American Express, Capital One, PayPal, and Goldman Sachs. Furthermore, there’s evidence that there’s still a considerable amount of room for growth. Cryptocurrency researcher Willy Woo revealed that the number of Bitcoin users doubles approximately every 12 months, while Investors Tim Draper and John Mcafee have reaffirmed their belief that Bitcoin will rise above $200,000 in the long-term. Hackers are further incentivized to attack and disrupt the cryptocurrency ecosystem, because the maturity of the space and the security of new blockchain companies is much lower than established companies. At the same time, the payout for a successful hack is massive. On average, a successful attack on a bank will provide the hacker with $1.5 million. On average, a successful attack on a blockchain project returns $10s of million. Some examples of this include the Parity wallet breach with $30 million stolen, CoinDash hack, where $7 million was stolen, and Veritaseum where $8 million was stolen.

To give an example of the length that hackers are willing to go to in order to obtain Bitcoin, look at none other than the Amazon Cloud. According to a recent report by RedLock, hackers were able to hijack the Amazon Cloud services of two multinational companies and used those resources to mine Bitcoin.

Generally speaking, blockchain security risks can be classified into three categories:

  • Exchanges and Wallets
  • Forks and Upgrades
  • Smart Contracts and ICO websites

Exchanges and wallet service providers are often targets of hackers, since they act as centralized gateways into personal accounts and have access to their users’ private keys. Two big examples of exchange hacks would be the Mt. Gox and the Bitfinex hacks. $450 million was stolen from the Mt. Gox exchange, going down in history as the largest cryptocurrency hack by far. Another $72 million was stolen from Bitfinex. A recent glowing example of the wallet service breach is ClassicEtherWallet.com, where the hacker called the domain’s registry and convinced them he was the owner, gaining control over the domain and redirecting it to a phishing copy of a website.

A good way to protect yourself from the risk of having your money stolen in hacked exchanges is to only use exchanges when trading, and never to use exchanges as a way to store your cryptocurrency. Once you finish with any trading that you want to do, withdraw the cryptocurrency to your own wallet where you control the private keys or where the keys are stored in an encrypted offline hardware such as Ledger or Trezor.

Forks and upgrades are another important type of systemic risk that does not get enough attention and recognition among cryptocurrency enthusiasts. When a cryptocurrency is a “spin off” of another currency, it can cause confusion on the blockchain. An example of the confusion it can cause is with replay attacks, where a valid data transmission on one chain can be repeated on a forked chain. Some forks have protection against replay attacks, while others don’t. It’s important to ensure that the blockchain you’re using has replay protection, or else somebody could fraudulently replay your transactions. Furthermore, Hard forks are often very contentious within the cryptocurrency community, and if done either improperly or by a bad actor, the results can be catastrophic. Ethereum Classic, Bitcoin Cash, and Bitcoin Gold are all still very contentiously debated within the cryptocurrency community. It is advisable to avoid buying or selling the coin that will fork near the fork date, so that all transactions can be properly reconciled on both ledgers.

Finally, the last but perhaps the most exploited types of systemic risks are with smart contracts and ICO websites that govern millions of dollars with several hundred lines of code. In case of websites, a popular attack technique is to switch the send address for the tokensale. By going around the often simple website security, the entire tokensale can be compromised this way. The perfect example of the smart contract breach is the Parity wallet, where hackers were able to steal $31 million by exploiting an unreported bug. Since then, Parity has implemented a bug bounty program, paying volunteers to find potential bugs within the wallet code.

Open source auditing for smart contracts like this is necessary for blockchain projects due to their complexity, and the amount of money they could potentially be handling. If your smart contract governs millions of dollars in assets or tokens, it’s important that the code is comprehensively reviewed by a large community of independent reviewers.

It’s also important to note that this review process requires trained human brains to find new vulnerabilities that haven’t been found yet (Zero-day exploits), since the automated verification tools tend to look for known patterns.

Rigorous human auditing of smart contracts will be a requirement in the future. Look at companies like Solidified which provides crowdsourced auditing of blockchain code and security. The demand for these types of services will increase as the complexity and size of smart contract ecosystem grows exponentially in the future.