Blockchain Security Issues – The Harsh Truth

Last updated May 15, 2020

In the beginning, blockchain came to solve some major trust issues created by centralization. Although decentralization is now possible, the events of recent years have brought more and more blockchain security issues to the surface.

And no matter how enthusiastic the crypto community is about the distributed ledger technologies, these issues must be acknowledged. In the end, that’s how technology improves. And the more these issues are outlined, the faster the smart people will come up with solutions.

So, whether you are a technical person or not, in this article you will find it easy to understand what makes Blockchain secure, how it can be hacked, and what needs further development.

How is Blockchain secure?

Blockchain is considered secure because it’s decentralized, has no single point of failure, and its data is immutable.

As we know, Blockchain is a continuously growing list of records organized in blocks, all linked and secured using cryptography. The system is maintained by multiple participants within a network, who are responsible for securing the data. The fact that the participants are complete strangers to one another but share the same information makes the blockchain decentralized.

The immutability is achieved through the dependency established between the data recorded in blocks. All records contained in the blockchain are secured by a cryptographic key. That key is generated as a formula that expresses everything contained in previous records, including previous keys. The longer a blockchain gets, the more information a key will contain. 

So, even if an ill-intended individual manages to go back to a record and alter it, the changes he makes won’t be recognized by the chain.

How so? Well, the moment you change a past record everything that follows will change as well. Because the blockchain isn’t all stored in a single place, the databases will stick to the information most nodes recognize. 
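The dependency between records described above can be shown with a small hash chain. This is an added example, not code from the original article: it assumes the per-record "key" is a SHA-256 hash over the record and the previous hash, uses constructed records, and lets a simple majority vote over node copies stand in for network consensus.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # placeholder "previous hash" for the first block
# Constructed sample records, not real transactions.
RECORDS = ["alice->bob:5", "bob->carol:2", "carol->dave:1", "dave->erin:1"]


def block_hash(index, record, prev_hash):
    """Hash a block's contents together with the previous block's hash."""
    payload = json.dumps([index, record, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """Return a list of blocks, each linked to its predecessor by hash."""
    chain, prev = [], GENESIS
    for i, record in enumerate(records):
        digest = block_hash(i, record, prev)
        chain.append({"index": i, "record": record, "prev": prev, "hash": digest})
        prev = digest
    return chain


def first_invalid_block(chain):
    """Index of the first block whose link or hash does not verify, else None."""
    prev = GENESIS
    for block in chain:
        expected = block_hash(block["index"], block["record"], prev)
        if block["prev"] != prev or block["hash"] != expected:
            return block["index"]
        prev = block["hash"]
    return None


def rehash_from(chain, start):
    """Recompute every hash from `start` on, which an edit to a past record forces."""
    prev = chain[start - 1]["hash"] if start else GENESIS
    for block in chain[start:]:
        block["prev"] = prev
        block["hash"] = block_hash(block["index"], block["record"], prev)
        prev = block["hash"]
    return chain


def majority_tip(copies):
    """Latest-block hash that most node copies agree on."""
    return Counter(c[-1]["hash"] for c in copies).most_common(1)[0][0]
```

Editing one record makes verification fail at that block; rehashing everything after it produces a chain that is internally consistent but ends in a different hash from the one the other copies hold.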

So, if altering some data from the middle of the blockchain is that hard, why not try modifying something in the latest block, like spending the same cryptocurrency twice (i.e., double-spending)?

Once a transaction happens, it is recorded into the blockchain history. If someone tries to trick the system into spending the same amount again for a different purpose, it will result in a fork. However, the miners add blocks on the longest chain. Since creating a new block requires solving an increasingly complicated formula, a hacker who wants to outgrow the main chain will have to go against the whole network at once. Because of the amount of resources needed, the task will not be worth it.

You can find more details about the mechanism of the network in our article about how blockchain works.

Can Blockchain be hacked?

The answer is no, but yes.

Although blockchain is more secure than most of the centralized alternatives, people have found vulnerabilities that can be exploited.

While consensus mechanisms like Proof of Work, Proof of Stake, and Delegated Proof of Stake make attacks impractical, they don’t make them impossible. 

While smaller networks have fallen victim to malicious attacks, big cryptocurrencies like Bitcoin and Ethereum have proved resistant to direct attacks over time.

Although smart contract issues are a reality, what users should watch out for is not direct attacks on the network but the endpoints.

The most vulnerable endpoints for Blockchain are the places where the users interact with different services related to their assets. That includes:

  • Wallets;
  • Exchanges;
  • Personal email;
  • Social media;
  • Websites;
  • Various apps and dApps.

What are the main Blockchain security threats?

51% attacks

The most well-known attack related to the blockchain is the 51% attack. This happens when an individual or a group manages to get 51% of the hashing power on a network and imposes his version of the truth.

In fault-tolerant systems like Bitcoin, when the network is presented with two different versions of the truth in the form of two distinct chains, the network will choose the longest one. The longest chain will hold the most difficulty.

A miner that has 51% of the hashing power is able to mine faster than the rest of the miners. This miner would theoretically be able to mine his own blocks without announcing them to the rest of the network.

The malicious miner can exchange 100 BTC to USD and include the transaction in the public blockchain, but not in the private blockchain he mines. After the transaction is completed, he can retain the funds by simply announcing the private chain to the network. And because it holds the most difficulty, the network will accept it.

This way, the miner gets the USD he exchanged and keeps his Bitcoins as well.

Sybil attacks

A Sybil attack is an attack in which a person tries to take over a network by creating multiple accounts or nodes. With enough nodes, a hacker can choose to refuse, receive, or transmit transactions from other persons.

In large scale Sybil attacks, an attacker can even get hold of the majority of the hashing power from the network and perform a 51% attack. 

Dusting attacks

A Dusting attack is a method to analyze blockchain transactions and find out users’ identities.

Because Bitcoin is open and decentralized, anyone can join the network and set up a wallet without providing personal information. The wallet will provide its user with an address that will work like a pseudonym.

All Bitcoin transactions are recorded to the Blockchain and will be associated with the provided addresses and will be open for anyone to see.

An attacker can attempt to break through a blockchain’s privacy by simply sending dust transactions to users’ wallets. In this case, dust is represented by very small amounts of a cryptocurrency that won’t even be noticed.

So, after sending these small amounts to multiple addresses, the attacker can perform a combined analysis to see which addresses belong to what wallets, then try to find out to whom those wallets belong.

The end goal of a dust attack is to eventually expose the identity of cryptocurrency users, and in the worst-case scenario, to blackmail them.
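A wallet-side mitigation, as an added example that is not from the original article: set suspected dust aside and never spend it, so it cannot tie your addresses together. It assumes the combined analysis relies on addresses that fund the same transaction being attributed to one owner; the threshold, address labels and wallet contents are constructed.

```python
DUST_LIMIT_SATS = 1000  # assumed wallet policy threshold, not a protocol constant

# Constructed wallet contents: (txid placeholder, address label, value in satoshis)
UTXOS = [
    ("tx-a", "addr-savings", 2_500_000),
    ("tx-b", "addr-salary", 800_000),
    ("tx-c", "addr-savings", 546),    # unsolicited dust
    ("tx-d", "addr-donations", 600),  # unsolicited dust
    ("tx-e", "addr-donations", 150_000),
]


def split_dust(utxos, limit=DUST_LIMIT_SATS):
    """Separate spendable outputs from suspected dust (value below limit)."""
    spendable = [u for u in utxos if u[2] >= limit]
    dust = [u for u in utxos if u[2] < limit]
    return spendable, dust


def select_inputs(utxos, target, limit=DUST_LIMIT_SATS):
    """Largest-first coin selection that never spends suspected dust."""
    spendable, _ = split_dust(utxos, limit)
    chosen, total = [], 0
    for utxo in sorted(spendable, key=lambda u: u[2], reverse=True):
        if total >= target:
            break
        chosen.append(utxo)
        total += utxo[2]
    if total < target:
        # Refuse rather than silently topping up with dust outputs.
        raise ValueError("insufficient non-dust funds")
    return chosen


def addresses_linked_by(inputs):
    """Addresses an observer can tie together because they fund one transaction."""
    return {addr for _, addr, _ in inputs}
```

Paying 2,000,000 satoshis this way exposes only `addr-savings`, whereas a transaction that sweeps every output, dust included, would link all three addresses.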

Phishing attacks

Another attack that targets especially the end-users of a cryptocurrency is the Phishing attack.

Phishing is a method to gather personal information through links, apps, websites, and emails.

For Bitcoin, an attacker can try to imitate wallets, exchanges, and official websites and wait for BTC users to access their fake platforms. Through these platforms, he can gather public and private keys, credentials, and other types of personal information that can be used to steal cryptocurrency funds.

Major incidents

Bitcoin Gold 51% attack

In May 2018 the Bitcoin Gold blockchain suffered a 51% attack that caused a loss of more than $18 million. The malicious miner targeted several exchanges to extract his money. He waited for his transactions to be confirmed, then removed blocks in order to double-spend his funds.

Also, in January 2020 the situation repeated itself. The network suffered another set of 51% attacks and roughly 29 blocks were removed in two deep blockchain reorganizations. More than 7,000 BTG ($70,000) were double-spent.

Although the BTG initiator wanted to create a truly decentralized network by employing the Equihash algorithm (Equihash 144, 5, or “Zhash”), which can be mined with a GPU, they only became an easier target for ill-intended parties. 

Ethereum Classic Coinbase

In January 2019 the US-based cryptocurrency exchange and wallet service Coinbase detected a 51 percent attack within Ethereum Classic, then stopped all ETC transactions.

Coinbase identified 15 reorganizations, of which 12 contained double spends. The loss for ETC was estimated at 219,500 ETC (~$1.1M).

Following Coinbase, other exchanges like Coincheck and BitFlyer halted ETC transactions.

Phishing through Google Chrome wallet extensions

In April 2020 Harry Denley, director of security at wallet provider MyCrypto, identified 49 fake wallet extensions pretending to be well-known crypto wallets in the Chrome Web Store.

The fake extensions were leaking personal information inputted by users to the hacker in order to drain their balances. 

Among the brands impersonated by the fake extensions were Ledger, Trezor, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.

Key Takeaways

  • Blockchain is considered secure because it’s decentralized, has no single point of failure, and its data is immutable.
  • Although blockchain is more secure than most of the centralized alternatives, people have found vulnerabilities that can be exploited.
  • The Blockchain security threats are the 51% attack, the Sybil Attack, the Dusting attack, and the Phishing attack.