Mitigating Attacks in the Blockchain Ecosystem

Lucy Adegbe
4 min read · Jan 14, 2021

As blockchain technology and smart contracts penetrate every sector, with the market projected to grow to approximately US$14.3 billion by 2025, exploiting loopholes in this technology has become quite lucrative for hackers.

While the security architecture of a blockchain makes distributed ledger technology resistant to attack, it is not totally immune. Cybercriminals are gradually moving from exchanges, where they steal cryptocurrencies, to other platforms where they carry out ransomware attacks. In a ransomware attack, the hackers seize valuable data such as financial statements, contracts and agreements, employee data and even patients’ files, and then hold the owners of that data to ransom.

It is therefore necessary to know the risks associated with blockchains and smart contracts, the vulnerabilities that hackers relish, and how to fix them. Below, I share three factors that I feel you should know about, which constitute risks to blockchains and smart contracts, and how to address them.

1. Deployment of Untested Code

Bearing in mind that blockchains are not solely dedicated to cryptocurrencies, developers are constantly experimenting on them by building smart contracts, decentralized apps (DApps) and more.

The implication is that many of these developers deploy large amounts of UNTESTED code to the live blockchain. Think about this: financial firms, health organizations, energy companies and even governments are now adopting blockchain and smart contracts, so you can imagine how much untested code sits within the blockchain ecosystem. A perfect example of what deploying untested code can lead to is the DAO attack.

The Decentralized Autonomous Organization (DAO) was a publicly crowdfunded venture capital fund hosted on the blockchain, executing its rules as smart contracts for specific organizations.

Recall how the DAO built by Ethereum’s team in 2016 raised $150 million but became the first ever to be hacked? Many members of the Ethereum community had expressed concerns that the DAO code was vulnerable to attack. Little attention was paid to a “recursive bug” (what we would now call a reentrancy vulnerability), which a hacker spotted and pounced on.

The DAO code allowed both a split and a transfer of tokens between accounts. However, it did not update account balances until after the transfer had gone out, so the same tokens could be transferred more than once. These were big risks that were overlooked.

The hacker used the split function to create a “child DAO” account and quickly made multiple transfer requests from the original, carting away about $55 million worth of Ether. This led to the DAO being devalued.

Two solutions that would have fixed this include:

  • Smart contract auditing, and
  • Thorough code testing and review before deployment.

Future projects should consider both measures before deploying their code to the live blockchain. Fortunately, HCISS offers both services (visit hciss.org to reach out).

2. Public and Private Key-Associated Risks

Permit me to keep this real and simple.

The right combination of public and private keys is what grants access to data on the blockchain. Hackers know that trying to guess keys is futile, so they focus on stealing them instead. They may do this by attacking the entire system, personal computers or mobile devices.

Hackers can prey on public or private keys when they are stored on these devices without being properly encrypted.

We can keep our keys safe from breaches by running anti-malware scans regularly, storing keys where they cannot be read by unauthorized parties, and finally, protecting our keys as if our lives depended on them.

3. Untested Scalability

While decentralized ledgers have been designed with inherent scalability, little attention has been paid to what happens at full scale.

The blockchain usually grows by one block when a significant number of changes are made. While no security breach has been reported in relation to the expansion of the blockchain, Business Insider reported in 2016 that the Financial Stability Oversight Council (FSOC), a US government body, was somewhat sceptical.

Why?

They were concerned that if the blockchain stretched into unknown territory, responses might be limited due to inadequate experience in testing DLTs at full scale.

They also feared that 51% attacks may become rampant as mining firms become dominant in countries with relatively cheap gas fees.

A broad range of blockchain security analytics and predictive models, operating on a combination of quantum analytics, machine learning and artificial intelligence, can help.

Even though blockchain technology has proven itself to be far more secure than centralized systems, it isn’t completely free from vulnerabilities.

Mitigating cyberattacks on blockchains and smart contracts requires a good understanding of these vulnerabilities, as well as deploying useful security analytics to offer protection.

Need to consult or partner with us? Visit our website — hciss.org

Written by Lucy Adegbe for Health Blockchain Security Services (HCISS) LCC

HCISS is a Blockchain Cybersecurity Analytics Services company based in the United States, with specialization in Smart Contracts security, Security Auditing, Research, and Risk Assessment Management Services.

Written by Lucy Adegbe

Content/Technical Writer (I write contents on blockchain, technology, & personal finance)
