How Blockchain Applications Can Be Hacked, And What You Can Do To Prevent It
Despite much of the early hype, blockchain applications are not
“unhackable.” In the last year, a handful of highly visible attacks against
blockchain-based tools served as a reminder that there’s no such thing as
flawless security. Luckily, none of the recent blockchain compromises have
done lasting damage to its overall public image. In fact, cryptocurrency is
more popular than ever before. With this in mind, spreading awareness of
blockchain security issues has become a key task for the crypto community.
Following these highly public incidents, developers and end users alike are
discussing ways in which cryptocurrency security can be compromised, and
the various countermeasures most effective against it.
The most notable cases of blockchain hacking have shown that it suffers from
the same security issues of older technologies. These attacks did not result
from the vulnerabilities in the blockchain itself, but the ways it was
implemented by a particular company or initiative. In other words, the issue
was not related to the technical protocol, but weaknesses introduced by
external developers.
This was certainly true in the case of Bitfinex, whose August 2016 hack
resulted in the total theft of $60 million worth of BTC. The issue here was not
the blockchain on which it was based, but the exchange’s specific encryption
strategy. Bitfinex used multi-signature wallets for its user accounts. This
works by distributing private keys among a number of different parties in
order to minimize the risk associated with centralizing key storage. One of the
distributed keys was obtained by a bad actor, who proceeded to drain
Bitfinex accounts. This not only hurt individual investors, but sent the price of
Bitfinex stock tumbling by almost twenty percent.
Bitfinex made early promises to repay all of its investors in full, a goal it was
able to meet by April 2017. This helped to quell speculation that the exchange
was compromised from within and helped rebuild its overall reputation. The
repayment and overall recovery of Bitfinex marks it a success story, and today
the Hong Kong-based exchange has reasserted itself as a leading
cryptocurrency trading platform.
The takeaway from the attack on Bitfinex is that well-known hacking methods
are very much present in the cryptocurrency realm, no matter how strong the
blockchain might be. The attack did not reveal any weaknesses in the blockchain
protocol itself, but in a layer of encryption that was added to it. This additional
protection was the site of exploitation, i.e., the place where the private key
was taken.
Stealing private keys has been a hacking strategy since the rise of key-based
encryption, and often happens through social engineering. If social engineering
was indeed the culprit in this case, the attack may have simply been prevented
by sharper awareness and defensiveness. Even in the “unhackable” territory of
blockchain, there’s no shortcut for individual vigilance.
Another recent attack likewise stemmed not from protocol weakness, but
missteps taken by an external party. TheDAO hack was a very regrettable
affair: it not only resulted in net financial loss, but reflected poorly on the idea
of DAOs and undermined confidence in the Ethereum blockchain. The strong
controversy over the hard fork that resulted from theDAO hack stands as a
significant chapter in the Ethereum saga.
This incident resulted from a weakness in the smart contract written for it — not
the blockchain itself. Since its inception, Ethereum has been committed to
open source. Accordingly, it supports the type of third-party development that
was necessary to create theDAO. But there is risk associated with the creation
of third-party applications, even if the platform on which it is built has proven
strong. Developers make mistakes, especially when they’re not backed up by a
large and well-established team. Unfortunately, theDAO was an attractive
target for those keen to exploit this type of oversight.
There’s no way to completely bypass the risk of placing assets in a network like
theDAO. However, there are certain measures that investors and end users
can take to protect themselves. First and foremost, it’s good to remember that
holding or investing your assets in a new technology does not necessarily
mean enhanced security. Instead, it may be more useful to think in terms of
different security. Traditional banks, exchanges and other forms of asset
growth and protection are liable to theft. So are those based on newer
methods. Just as you would do homework about a bank or potential stock
investment, it helps to become very savvy about the blockchain network you’re
interested in. Even if it runs on a robust platform like Ethereum, external
development projects can render it vulnerable. Learning about how it works,
and who is making it work, is important to making smart decisions about your
assets.
The aforementioned incidents demonstrate how external development can
compromise a secure blockchain. As noted, this does not have to do with the
design of the blockchain, but rather the way in which other software projects
interact with it. However, the security of the blockchain protocol itself is not
fail-proof. One potentially destructive feature of blockchain is that it’s possible
for bad actors to control a network by sheer virtue of computing power, since
all that’s required to validate a transaction is majority consensus. If more than
half of the processing power on a blockchain fell into the hands of a single
malicious entity — which could be one person controlling a number of nodes,
or a group of hackers working together — it could prove very destructive for
the other, well-intentioned members of the network.
This type of hack, known as a “51% Attack,” has not yet happened (as far as we
know). In reality, with the computing power available to most people right now, it
would be extremely difficult to carry out. And even if it did happen, it may not
be disastrous. Blockchain’s auditability means that it’s possible to quickly
detect double-spending fraud on the network. A temporarily successful 51%
attack may lead to those involved simply being kicked off the blockchain.
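The detection the paragraph above relies on, as an added illustration that is not from the article or any project: a toy ledger (constructed data, no real chain or library) in which a longer chain built by a majority miner replaces the chain a node was following, and an audit of the reorg reports the transaction that vanished and the outpoint now spent to a different transaction. All transaction and block names are constructed.

```python
# Added illustration for this article (not the article's or any project's code):
# a toy ledger in which a longer, attacker-built chain replaces the chain a node
# followed, and an audit of the reorg exposes the resulting double-spend.
from collections import namedtuple

Tx = namedtuple("Tx", "txid inputs outputs")   # inputs: outpoints this tx spends
Block = namedtuple("Block", "height txs")

def spent_outpoints(blocks):
    """Map each outpoint spent in these blocks to the txid that spends it."""
    return {op: tx.txid for blk in blocks for tx in blk.txs for op in tx.inputs}

def audit_reorg(old_chain, new_chain, confirmations=6):
    """Compare the chain a node was following with the chain that replaced it.
    Reports how many blocks were discarded, which transactions disappeared,
    and which outpoints the new chain spends to a different transaction."""
    fork = 0
    while (fork < min(len(old_chain), len(new_chain))
           and old_chain[fork] == new_chain[fork]):
        fork += 1                      # first block where the chains diverge
    old_spent = spent_outpoints(old_chain[fork:])
    new_spent = spent_outpoints(new_chain[fork:])
    new_txids = {tx.txid for b in new_chain[fork:] for tx in b.txs}
    vanished = sorted({tx.txid for b in old_chain[fork:] for tx in b.txs} - new_txids)
    conflicts = {op: (old_spent[op], new_spent[op])
                 for op in old_spent if op in new_spent and old_spent[op] != new_spent[op]}
    depth = len(old_chain) - fork      # blocks the node had to discard
    return {"depth": depth, "past_confirmations": depth >= confirmations,
            "vanished": vanished, "double_spends": conflicts}

def demo():
    """Constructed scenario: a payment to an exchange gets 6 confirmations on the
    public chain while a majority miner extends a private fork that spends the
    same coin back to itself, then publishes the longer fork."""
    genesis = Block(0, (Tx("coinbase0", (), ("attacker:50",)),))
    pay_exchange = Tx("pay_exchange", ("coinbase0:0",), ("exchange:50",))
    pay_self = Tx("pay_self", ("coinbase0:0",), ("attacker2:50",))
    public = [genesis, Block(1, (pay_exchange,))] + [Block(h, ()) for h in range(2, 7)]
    private = [genesis, Block(1, (pay_self,))] + [Block(h, ()) for h in range(2, 8)]
    return audit_reorg(public, private)
```

A monitor that raises an alert whenever `past_confirmations` is true or `double_spends` is non-empty is the operational form of the auditability the paragraph describes.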
However, the advances in processing power provided by quantum computing
could make 51% attacks a very real threat. This has been hypothesized and
written on by many figures in the crypto community. As the widespread
adoption of quantum computing becomes more imminent, this is certainly an
issue to watch.
In short, well-known security practices are as essential to blockchain
applications as they are to older technologies. It is important to remember that
all digital networks are rife with bad actors and vulnerabilities. A defensive
mindset is key to making sure your assets remain safe. If you are interested in
the long-term health of blockchain and cryptocurrency, the most important
step you can take is self-education. Being on the frontline of innovation means
keeping pace with emerging insights so you can confidently decide what
choices are best for you.