How Hackers Hack The Unhackable
Blockchain technology was developed to offer secure, fast, transparent, and reliable transactions that were limited in traditional centralized systems. The security breaches that we have been seeing lately, have created doubts in the security of blockchain systems.
The blockchain comprises of a network of computers, also called nodes, in a secure network with each having access to an updated copy of the database.
With millions of nodes having access to the databases and each of the database being linked by a unique cryptographic hash, manipulating the blockchain is quite expensive and complicated.
Despite the security architecture of the blockchain, we’ve seen an increased rate of successful attacks, implying that the previously thought ‘unhackable’ blockchain is no longer a reality.
Let’s take a look at some examples of blockchain hacks
A popular financial service platform sector, DeFi, keeps experiencing security issues. Although DeFi products doubled to over 4 billion dollars in July and is now approaching over 5 billion dollars, the rate of attacks has also increased within this same period. Hackers have successfully stolen over 25 million dollars.
In August 2020, a DeFi project called Opyn was attacked by cybercriminals. The hackers stole about 371,000 dollars by exploiting Opyn’s native tokens.
Similarly, the vulnerability in the smart contract code of another DeFi Project led to hackers stealing 25 million dollars from the Lendf.me decentralized lending protocol and decentralized crypto exchange Uniswap.
Another hack occurred on June 28, due to code vulnerability of the smart contract. The hackers stole 500,000 dollars in ETH and other altcoins from the Balancer platform via an exploit of its token deflation mechanism that destroys 1% of the transaction amount upon each funds transfer.
As the application of blockchain technology and smart contracts become more diverse, hackers are also improving in their level of sophistication. Many companies that store vital information like financial data, contract/agreements, patient data, and employee details on the blockchain, are now being held ransom. The hackers launching an attack and leverage on the data for ransom and request for cryptocurrencies like Bitcoin or other altcoins that allows them to anonymously pocket the funds.
This kind of cyberattack is called Ransomware and often begins by running unverified updates on the blockchain.
Below are some of the techniques used by hackers to attack the blockchain
51% Attacks
This attack is common in platforms that use the proof of work to verify transactions in the mining process.
Because a vast amount of computing power is used to prove the worthiness of a miner to add data to the blockchain, a mining node can gain control over a majority of the mining power and create an alternative version of the blockchain called a FORK. The fork version gives the miner the power to double-spend and block transactions.
A miner with 51% of all mining power invariably, has control and influence over the blockchain.
Take the Bitcoin network as an example, it would take a crazy amount of money to gain 51% of the mining power. Bitcoin mining power cost over $260,000 per hour. Due to the expensive nature, research has shown that hackers tend to work in groups to attempt this kind of heist.
According to a report, Bitcoin Gold (BTG) network suffered a set of 51% attacks between January 23 and 24, as roughly 29 blocks were removed in two deep blockchain reorganizations. It was estimated that more than 7,000 BTG was double spent ($70,000) in two days.
Mitigating against 51% attacks, theoretically, is to ensure that no single node controls more than 50% of mining power. I know you must be finding it difficult to believe this having read the examples above, right?
Reentrancy Attacks and Smart Contract Vulnerabilities
Why do these vulnerabilities keep happening?
Well, as Blockchain developers add to the current ERC-777 protocol standard, the smart contract becomes vulnerable to reentrancy attacks. You may be wondering, what is a reentrancy attack? Before I explain that, I’ll explain ERC-777 protocol.
The ERC stands for Ethereum Request for Comments. It is a standardization used to describe a certain set of protocols indicated by its number (ERC-777) designed to be implemented on the Blockchain network.
In simple terms, a reentrancy attack is when a developer creates a function that makes an external call to another untrusted contract before it resolves any effects. It completely drains your smart contract of its ether.
So, how can we mitigate the risk of these vulnerabilities?
To significantly mitigate the security risk, you need to have a high level of security appliance. Your structured Blockchain security protocol methods in designing a complex smart contract just aren’t enough. Because it is impossible to fix discovered bugs of smart contracts once its code is written and deployed to the Blockchain ecosystem, you need advanced security analytics techniques that aid in significantly mitigating these persistent security risks like reentrancy attacks. Health Blockchain Security Services HCISS robust cybersecurity analytics system utilizes the advances of machine learning and artificial intelligence. To learn more, please visit hciss.org.
Distributed Denial of Service (DDoS)
In DDoS, hackers interfere and compromise the availability of blockchain networks. Large organizations are always targeted using this technique. Hackers don’t just use this technique to steal immediately. I will explain further.
With DDoS attacks, cybercriminals divert the attention of organizations with a vast amount of data, especially FinTechs, from more important security breaches. So, while the organisations are trying to fix the DDoS attack, the hacker will have enough time to either clone private data to steal funds or carry out malware.
A week ago, a group of cybercriminals breached the systems of Japanese video game giant, Capcom, and demanded $11 million after deploying ransomware and stealing vast amounts of data.
The company, in a press release on November 4 revealed that it detected unauthorized access to its internal networks a couple of days earlier, (a possible DDoS attack).
The hackers who breached Capcom, a group that uses the ransomware known as Ragnar Locker, claim to have stolen more than 1 TB of files, including accounting files, banking statements, financial reports, tax documents, intellectual property, proprietary business information, personal information of employees and customers, corporate contracts, emails, private chats, and various other types of information.
How can DDoS attacks be mitigated?
There are several ways of mitigating this attack and include having sufficient bandwidth to handle any malicious-based traffic spikes, a configuration of blockchain networks against DDoS attacks; as well as protecting a server by network firewalls and other specialized web application firewalls.
While security remains merit of blockchain technology, it isn’t free from vulnerabilities, and unintentional software bugs. This complicated grey area has constantly made it prone to cyberattacks. With hackers exploring and restrategizing on complicated methods to hack blockchain systems, more work must be done to keep them in check.
Written by Lucy Adegbe for Health Blockchain Security Security Services (HCISS) LLC
HCISS is a Blockchain Security Analytics company based in the USA.
We are specialized in providing Blockchain security analytics, Smart Contract Auditing and Blockchain Consulting and Research Services.
Do you want to discuss Blockchain Security Analytics with us? Make sure you reach out to us on our website, www.hciss.org
