How Blockchain Applications Can Be Hacked, And What You Can Do To Prevent It
Despite much of the early hype, blockchain applications are not “unhackable.” In the last year, a handful of highly visible attacks against blockchain-based tools served as a reminder that there’s no such thing as flawless security. Luckily, none of the recent blockchain compromises have done lasting damage to its overall public image. In fact, cryptocurrency is more popular than ever before. With this in mind, spreading awareness of blockchain security issues has become a key task for the crypto community. Following these highly public incidents, developers and end users alike are discussing ways in which cryptocurrency security can be compromised, and the various countermeasures most effective against it.
The most notable cases of blockchain hacking have shown that it suffers from the same security issues of older technologies. These attacks did not result from the vulnerabilities in the blockchain itself, but the ways it was implemented by a particular company or initiative. In other words, the issue was not related to the technical protocol, but weaknesses introduced by external developers.
This was certainly true in the case of Bitfinex, whose August 2016 hack resulted in the total theft of $60 million worth of BTC. The issue here was not the blockchain on which it was based, but the exchange’s specific encryption strategy. Bitfinex used multi-signature wallets for its user accounts. This works by distributing private keys between a number of different parties in order to minimize the risk associated with centralizing key storage. One of the keys that was distributed was obtained by a bad actor who proceeded to drain Bitfinex accounts. This not only hurt individual investors, but sent the price of Bitfinex stock tumbling by almost twenty percent.
Bitfinex made early promises to repay all of its investors in full, a goal it was able to meet by April 2017. This helped to quell speculation that the exchange was compromised from within and helped rebuild its overall reputation. The repayment and overall recovery of Bitfinex marks it a success story, and today the Hong Kong-based exchange has reasserted itself as a leading cryptocurrency trading platform.
The takeaway from the attack on Bitfinex is that well-known hacking methods are very much present in the cryptocurrency realm, no matter how strong the blockchain might be. The attack did not reveal any weaknesses in blockchain protocol itself, but a layer of encryption that was added to it. This additional protection was the site of exploitation — i.e., the place where the private key was taken.
Stealing private keys has been a hacking strategy since the rise of key-based encryption, and often happens through social engineering. If social engineering was indeed the culprit in this case, the attack may have simply been prevented by sharper awareness and defensiveness. Even in the “unhackable” territory of blockchain, there’s no shortcut for individual vigilance.
Another recent attack likewise stemmed not from protocol weakness, but missteps taken by an external party. The DAO hack was a very regrettable affair: it not only resulted in net financial loss, but reflected poorly on the idea of DAOs and undermined confidence in the Ethereum blockchain. The strong controversy over the hard fork that resulted from the DAO hack stands as a significant chapter in the Ethereum saga.
This incident resulted from a weakness in the smart contract written for it — not the blockchain itself. Since its inception, Ethereum has been committed to open source. Accordingly, it supports the type of third-party development that was necessary to create the DAO. But there is risk associated with the creation of third-party applications, even if the platform on which it is built has proven strong. Developers make mistakes, especially when they’re not backed up by a large and well-established team. Unfortunately, the DAO was an attractive target for those who keen to exploit this type of oversight.
There’s no way to completely bypass the risk of placing assets in a network like the DAO. However, there are certain measures that investors and end users can take to protect themselves. First and foremost, it’s good to remember that holding or investing your assets in a new technology does not necessarily mean enhanced security. Instead, it may be more useful to think in terms of different security. Traditional banks, exchanges and other forms of asset growth and protection are liable to theft. So are those based on newer methods. Just as you would do homework about a bank or potential stock investment, it helps to become very savvy about the blockchain network you’re interested in. Even if it runs on a robust platform like Ethereum, external development projects can render it vulnerable. Learning about how it works, and who is making it work, is important to making smart decisions about your assets.
The aforementioned incidents demonstrate how external development can compromise a secure blockchain. As noted, this does not have to do with the design of the blockchain, but rather the way in which other software projects interact with it. However, the security of the blockchain protocol itself is not fail-proof. One potentially destructive feature of blockchain is that it’s possible for bad actors to control a network by sheer virtue of computing power, since all that’s required to validate a transaction is majority consensus. If more than half of the processing power on a blockchain fell into the hands of a single malicious entity — which could be one person controlling a number of nodes, or a group of hackers working together — it could prove very destructive for the other, well-intentioned members of the network.
This type of hack, known as a “51% Attack,” has not yet happened (as far as we know). In reality, the computing power available to most people right now, it would be extremely difficult to facilitate. And even if it did happen, it may not be disastrous. Blockchain’s auditability means that it’s possible to quicly detect double-spending fraud on the network. A temporarily successful 51% attack may lead to those involved simply being kicked off the blockchain. However, the advances in processing power provided by quantum computing could make 51% attacks a very real threat. This has been hypothesized and written on by many figures into the crypto community. As the widespread adoption of quantum computing becomes more imminent, this is certainly an issue to watch.
In short, well-known security practices are as essential to blockchain applications as they are older technologies. It is important to remember that all digital networks are rife with bad actors and vulnerabilities. A defensive mindset is key to making sure your assets remain safe. If you are interested in the long-term health of blockchain and cryptocurrency, the most important step you can take is self-education. Being on the frontline of innovation means keeping pace with emerging insights so you can confidently decide what choices are best for you.