Blockchains remain the rage, promising the safety people desired when buying and selling cryptocurrencies on exchange platforms. More significantly, many believe it will become the backbone of financial technology networks for decades to come.

But hackers are proving that if it’s man-made, it can be broken into, according to new research.

Research by the Massachusetts Institute of Technology Review found that hackers have stolen nearly $2 billion worth of cryptocurrency since the beginning of 2017, mostly from exchanges, and that’s just what has been revealed publicly. These are carried out not just by opportunistic lone attackers, but also by sophisticated cybercrime organizations, the report said. It pointed out that analytics firm Chainalysis recently said that just two groups, both of which are apparently still active, might have stolen a combined $1 billion from exchanges.

“We shouldn’t be surprised. Blockchains are particularly attractive to thieves because fraudulent transactions can’t be reversed as they often can be in the traditional financial system. Besides that, we’ve long known that just as blockchains have unique security features, they have unique vulnerabilities,’’ the report noted.

It added, “Marketing slogans and headlines that called the technology 'unhackable' were dead wrong.’’

The MIT study cited incidents last month where a security team at Coinbase spotted something strange going on in Ethereum Classic (one of the cryptocurrencies people can buy and sell using Coinbase’s popular exchange platform). Security noticed that an attacker had somehow gained control of more than half of the network’s computing power (which is why the method is called a "51 percent attack") and was using it to rewrite the blockchain, the history of all the transactions. That made it possible to spend the same cryptocurrency more than once, known as “double spends,” the report explained.

The attacker was seen pulling off a $1.1 million heist, but Coinbase said no currency was actually stolen from any of its accounts. Gate.io, another popular exchange, wasn’t so lucky. It admitted losing around $200,000 to the attacker, who days later returned half of the loot.

“Just a year ago, this nightmare scenario was mostly theoretical. But the so-called 51 percent attack against Ethereum Classic was just the latest in a series of recent attacks on blockchains that have heightened the stakes for the nascent industry,’’ the report said.

The 51 percent attack is an inherent risk in most cryptocurrencies, the report noted, pointing out that the hit against Ethereum Classic was the first against a top 20 currency. But toward the middle of 2018, attackers began springing such attacks on a series of relatively small, lightly traded coins, including Verge, Monacoin and Bitcoin Gold, stealing an estimated $20 million. In the fall, hackers stole around $100,000 using a series of attacks on a currency called Vertcoin.

In the MIT study, David Vorick, cofounder of the blockchain-based file storage platform Sia, predicted that 51 percent attacks will continue to grow in frequency and severity, and that exchanges will take the brunt of the damage caused by double spends. One thing driving this trend, he said, has been the rise of so-called hashrate marketplaces, which attackers can use to rent computing power for attacks. “Exchanges will ultimately need to be much more restrictive when selecting which cryptocurrencies to support,” Vorick wrote after the Ethereum Classic hack.
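The following is an added example, not code from the article or from any company or project it names. It models the two points made above: how a miner holding a majority of the hashrate can replace the transaction history that an exchange has already acted on (the 51 percent attack and double spend described in the Ethereum Classic incident), and why the exchange-side defence of waiting for more confirmations stops working once the attacker passes 50 percent, which is the reason Vorick argues exchanges must be selective about the coins they list. The chain model is a toy: blocks carry only transaction ids, every block counts as equal work, and the longest chain wins. The transaction ids, block contents and the `DepositMonitor` class are all constructed for the example; the success-probability formula is the one from the original Bitcoin whitepaper.

```python
"""Toy model of a 51 percent attack and the exchange-side checks it defeats.

Added example, not from the article. Blocks are (parent id, tuple of tx ids),
"work" is block count, and the longest chain wins. All ids are constructed.
"""
import hashlib
from dataclasses import dataclass
from math import exp, factorial


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a miner with hashrate fraction q eventually overtakes an
    honest chain that is z blocks ahead (Bitcoin whitepaper, section 11).
    At q >= 0.5 the attacker always catches up, so no confirmation depth helps."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * (q / p)
    total = 1.0
    for k in range(z + 1):
        poisson = exp(-lam) * lam ** k / factorial(k)
        total -= poisson * (1 - (q / p) ** (z - k))
    return total


@dataclass(frozen=True)
class Block:
    parent: str          # id of the parent block, "" for genesis
    txs: tuple           # constructed transaction ids carried by this block

    @property
    def id(self) -> str:
        data = f"{self.parent}|{','.join(self.txs)}".encode()
        return hashlib.sha256(data).hexdigest()[:16]


def extend(chain, *txs):
    """Return a new chain with one more block containing the given tx ids."""
    parent = chain[-1].id if chain else ""
    return chain + [Block(parent, tuple(txs))]


def common_prefix_len(a, b) -> int:
    n = 0
    for x, y in zip(a, b):
        if x.id != y.id:
            break
        n += 1
    return n


class DepositMonitor:
    """Exchange-side view of the chain (hypothetical helper). Credits a deposit
    once it has `confirmations` blocks on top of it, and raises an alarm when a
    reorganisation removes an already credited deposit from the best chain."""

    def __init__(self, confirmations: int):
        self.confirmations = confirmations
        self.best = []       # blocks of the chain currently believed to be canonical
        self.credited = {}   # deposit tx id -> height at which it was credited

    def observe(self, chain):
        events = []
        if self.best and len(chain) <= len(self.best):
            return events    # longest-chain rule: nothing to switch to
        reorg_depth = len(self.best) - common_prefix_len(self.best, chain)
        if reorg_depth > 0:
            events.append(("reorg", reorg_depth))
        self.best = list(chain)
        present = {tx for block in chain for tx in block.txs}
        for txid in list(self.credited):
            if txid not in present:          # credited deposit vanished: double spend
                events.append(("deposit_reversed", txid))
                del self.credited[txid]
        for height, block in enumerate(chain):
            if len(chain) - height >= self.confirmations:
                for tx in block.txs:
                    if tx.startswith("deposit:") and tx not in self.credited:
                        self.credited[tx] = height
                        events.append(("credited", tx))
        return events


def run_scenario(confirmations: int = 6):
    """Deposit, wait for confirmations, credit; then a longer private chain that
    spends the same coins elsewhere replaces the public history."""
    monitor = DepositMonitor(confirmations)
    genesis = extend([], "coinbase:0")
    public = extend(genesis, "deposit:attacker->exchange")
    for i in range(confirmations):
        public = extend(public, f"coinbase:{i + 1}")
    log = monitor.observe(public)
    # Private chain built from the same genesis by the majority miner, one block
    # longer than the public chain and carrying a conflicting spend instead.
    private = extend(genesis, "spend:attacker->attacker")
    for i in range(confirmations + 1):
        private = extend(private, f"attacker-coinbase:{i + 1}")
    log += monitor.observe(private)
    return log


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
    for q in (0.1, 0.3, 0.45, 0.51):
        print(q, round(attacker_success_probability(q, 6), 6))
```

Running the scenario prints a `credited` event after the deposit reaches six confirmations, followed by a `reorg` of depth 7 and a `deposit_reversed` alarm when the longer private chain is observed; raising `confirmations` only delays the credit, it does not change the outcome. The probability table shows the same thing numerically: below 50 percent the attacker's odds fall quickly with each confirmation, at or above it they are 1. In practice the `reorg` event is the signal an exchange would use to freeze withdrawals for that asset, and the probability curve is what it would consult when deciding how many confirmations a coin needs or whether to list it at all.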

The report said that in addition to 51 percent attacks, there is a whole new level of blockchain security weaknesses whose implications researchers are just beginning to explore. Coincidentally, Ethereum Classic—specifically, the story behind its origin—is a good starting point for understanding them, too, it said.

Companies are creating ways to avert hacking threats, the report said. It points to AnChain.ai as one of several recent startups created to address blockchain hacking. It uses artificial intelligence to monitor transactions and detect suspicious activity, and it can scan smart-contract code for known vulnerabilities.

It also noted that other companies, including Tsankov’s ChainSecurity, are developing auditing services based on an established computer science technique called formal verification. The goal is to prove mathematically that a contract’s code will actually do what its creators intended. These auditing tools, which have begun to emerge in the past year or so, have allowed smart-contract creators to eliminate many of the bugs that had been “low-hanging fruit,” said Tsankov. But the process can be expensive and time consuming.

The report added that it may also be possible to use additional smart contracts to set up blockchain-based “bug bounties.” These would encourage people to report flaws in return for a cryptocurrency reward, noted Philip Daian, a researcher at Cornell University’s Initiative for Cryptocurrencies and Contracts.

But making sure code is clean will only go so far, he said. “A blockchain, after all, is a complex economic system that depends on the unpredictable behavior of humans, and people will always be angling for new ways to game it,’’ Daian said. He and his colleagues have shown how attackers have already figured out how to profit by gaming popular Ethereum smart contracts, for instance.

In short, the report noted that while blockchain technology has been long touted for its security, under certain conditions it can be quite vulnerable. It pointed out that sometimes shoddy execution can be blamed, or unintentional software bugs. Other times it’s more of a gray area—the complicated result of interactions between the code, the economics of the blockchain and human greed. That’s been known in theory since the technology’s beginning, the report said.

But with all the blockchains out there, we are learning what it actually means—often the hard way, the report added.