Image for post
Image for post

The Complete Guide To Blockchain Attacks

By Superorder.io on Altcoin Academy

Superorder.io
Jun 29, 2019 · 8 min read

Did you know that blockchains aren’t tamper-proof at all? It can be a revelation but it’s true. Yes, decentralized systems are protected from traditional hacker breaches. Nonetheless, they feature unique weak links exposed to modern attackers.

The majority of successful hacker attacks were focused on crypto exchanges with pretty traditional vulnerabilities. From January to June 2019, seven sites faced attacks and lost approximately tens of millions of dollars. In 2017–2018, exchanges lost around $882 million. Add $460 million stolen from Mt. Gox in 2014 and $72 million from Bitfinex in 2016 to get a pretty frightening image.

Well, centralized platforms and their users suffer more often. Still, there are several threats to blockchains themselves. Smart or rich and powerful teams can break them, steal money, and get control over data, most importantly. Thus, let’s look at the most popular attack types closely.

Blockchain Network Attacks

In a nutshell, any blockchain-based network consists of numerous nodes that record data, verify, and process it. The brightest example is financial data — nodes register, send, and receive transactions. Hackers can find and exploit the networks’ vulnerabilities using several approaches.

DoS And DDoS Attack

Image for post
Image for post
DDoS attack by Peter van Driel from the Noun Project

Denial-of-Service and Distributed Denial-of-Service threats are one of the most famous. In a nutshell, hackers target the chosen server or another client with myriads of requests generating harmful traffic and preventing users to access the service. In the case of DoS, this traffic comes from a single source while DDoS generates it from several points.

While DoS and DDoS are more often focused on traditional servers, hackers still can attack blockchains. Decentralized systems have better protection, though. Even if one or a few nodes are unavailable, blockchain still can function well. But it’s possible to target the application layer of any system to block its usage.

Eclipse Attack

Image for post
Image for post
Eclipse by Saepul Nahwan from the Noun Project

Hackers can focus on harming only one specific node instead of the entire system. In this scenario, a bad actor isolates the chosen node by hijacking links with other nodes. For this, he/she has to control enough host nodes in the botnet with unique IP addresses. A hacker forces the target node to restart and redirects its links to fake IPs.

As a result, the victim node becomes isolated from the chain so its owner doesn’t have a clear vision of the ongoing activity. Frauds can get control over pretty important nodes. They can easily steal data or enable double spending further attacks. Moreover, they can hijack mining power or even create a new fork.

Replay Attack

Image for post
Image for post
replay by Bhavik Limbani from the Noun Project

This type is pretty simple as it doesn’t require complex cryptography approaches. Fraudulent parties just record specific transactions or entries and then repeat them. Sometimes, they can intercept original messages, too. Using this method, hackers get the ownership of valid data so they don’t have to encrypt it or fool the check systems.

Potentially, replay attacks can be very harmful. The catch is that any unchanged information like passwords or biometrics can be spotted and remembered. However, blockchains can protect themselves from replays relatively easily. They only should implement timestamps and limit the number of repeats for a given transaction.

Sybil Attack

Image for post
Image for post
around by Leszek Pietrzak from the Noun Project

Instead of eclipse ideas, this attack focuses on the entire blockchain. Thus, hackers don’t rewrite links of the chosen node by manipulating only one small subsystem but create several fake nodes surrounding the victim. It’s similar to creating fake accounts in social media. A large number of malicious nodes lead to gaining control over the network.

Specifically, hackers can perform double spending attacks or even 51% attacks. We will talk about them later. With enough Sybil nodes, frauds are able to rule the blockchain, create forks, steal money, and so on. For now, there are no guaranteed measures to prevent this attack. However, it’s possible to make it impractical.

Fact: the attack is named after Shirley Ardell Mason aka Sybil Dorsett, a woman with dissociative identity disorder and a hero of books and films.

Consensus Protocol Attacks

The next big category includes attacks on the mechanism of transactions’ verification and registration. As you know, all blockchains feature one or another protocol like PoW, PoS, etc. Bad actors can find vulnerabilities in these algorithms and exploit them.

51% Attack

Image for post
Image for post
Percent by José Manuel de Laá from the Noun Project

Here’s one of the most famous threats that were considered the only one related to blockchains, initially. As you know, Proof-of-Work protocols require spending some computing power to verify and record each transaction. Miners use their machines to do this and get rewards in crypto. Because of the large number of nodes and high energy costs, no single entity can get full control over the network.

Almost. It’s still possible to produce or rent at least 51% of the system’s hash rate (power of all miners) to execute, validate, and modify data without other participants. Large mining pools or fraudulent teams have successfully performed this attack on Verge and Bitcoin Gold, for example. Hackers can reverse transactions, steal data or even create new forks to develop the project in the way they want.

The only problem is that 51% attacks require a lot of energy. Really, a lot. The longer you want to control a system the more money you will have to spend. Thus, long attacks are extremely rare as hackers tend to quickly get some money and retire.

Double Spending Attack

Image for post
Image for post
budget spending by Vectors Market from the Noun Project

Well, we mentioned this term several times so let’s talk about it. Double spending is the main goal of the majority of attacks. It allows bad actors to use the same coins in several transactions. Eventually, only one deal will be registered making other records abandoned. This means that, for example, a man can sell 1 BTC to several buyers, get USD from all of them but transfer BTC only to one. Or don’t transfer at all.

Here are a few examples of double spending attacks:

  • Finney. Provides for creating one pre-mined block with a transaction and putting the identical transaction right before this block is released. Thus, the second transaction will be considered invalid.
  • Race. Creates two same transactions. The first one is sent to a buyer or seller who accepts it without confirmation from the network. The second one is distributed to the blockchain and confirmed instead of the first one.
  • Simulated history. It’s based on a 51% idea, too. A hacker also sends two transactions but the second one is based on the alternative fork. Thus, even after confirmations, a hacker can push his/her fork to invalidate the first transaction.

It’s important to understand that double spending can be a consequence of almost any attack. While it’s barely possible to solve all issues, blockchains can implement new protection measures to prevent at least the most popular attacks.

Crypto Wallet Attacks

Image for post
Image for post
Crypto wallet by Frühstück from the Noun Project

Apart from blockchains and applications, there are more targets for hackers. For example, they can try getting access to user crypto wallets, both cold and hot ones. Obviously, the main goal of these threats is money.

Cold Wallets

Yeah, here’s another revelation: cold wallets aren’t perfect, too. With enough knowledge and tech stuff, hackers can insert malware into these devices or steal data in more exotic ways. For example, Israeli researchers state that they can steal private keys via sound, heat, light, magnetic waves, etc. They also insist that it’s possible to infect wallets with malware. Scientists from DocDroid confirm these statements.

Hot Wallets

As far as hot wallets are directly connected to the Internet, it’s even easier to break them. As a rule, hackers utilize phishing or brute force attacks to get private keys, seed phrases, and PINs. More tech-savvy bad actors can exploit weaknesses of signature or key generation algorithms. For example, generators may feature low entropy and, respectively, insufficient randomness.

Smart Contract Attacks

Image for post
Image for post
smart contracts by Template from the Noun Project

Finally, the most elaborate layer of development-oriented blockchain platforms also can be under attack. Actually, smart contracts and decentralized applications are all about code, similarly to traditional software. And code may feature vulnerabilities. For instance, Ethereum’s Solidity features several potential entry points for frauds.

Moreover, virtual machines that execute smart contracts also can be hacked. In this case, blockchain’s immutability becomes a significant threat because even the smallest bugs can’t be fixed backward and lead to forking like in the case of DAO. There are other bugs and problems like access-related ones, too.

Simple Precautionary Measures

While it may be pretty difficult to prevent all types of attacks, especially the most tech-savvy ones, ordinary traders still can protect their money. There are a few quick points to know about:

  • Cold wallets. Keep the main funds on protected storages. You can have some coins at crypto exchanges but remember that they’re extremely vulnerable.
  • Internet hygiene. Don’t disclose your personal info like passwords/keys. Always check the sites’ addresses, the partners’ identity, emails, and other requests.
  • Multi-factor authentication. Try using your phone as an extra security layer. With 2FA enabled, it will be much harder to get control over your accounts.
  • Your own faults. We’re humans and we make errors. Typos and wrong wallet addresses may harm your crypto balance so be sure to double-check yourself.
Image for post
Image for post
Photo by Jonathan Chng on Unsplash

Remember that knowledge is power. Being aware of major crypto/blockchain threats in the modern crypto community, you will be able to protect yourself. At least, partially. Do the best you can to increase security from the user side to mitigate risks and save coins. And always remember that the crypto world is risky and dangerous. But we love it.

And we love you so be sure to join our crypto trading terminal Superorder to get 14 days of free usage!

The Capital

A publishing platform for professionals now available on https://thecapital.io

Sign up for Try The Capital Platform at thecapital.io

By The Capital

Head over to https://thecapital.io, sign up and publish your first article today! Take a look

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

Superorder.io

Written by

Superorder Official Page. Build trading strategies using visual interface. Earn even at night!

The Capital

A publishing platform for professionals in business, finance, and tech

Superorder.io

Written by

Superorder Official Page. Build trading strategies using visual interface. Earn even at night!

The Capital

A publishing platform for professionals in business, finance, and tech

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store