There have been more and more security hacks on blockchain, which claimed unhackable in marketing slogans and headlines just a year ago.
These news are shocking rather than surprising to us since blockchain are always attractive to thieves with its unique vulnerabilities.
Just last month, Coinbase lost its control of more than half of its network’s computing capacity, which allows the hacker to spend the same cryptocurrency again by rewriting the history transactions. Coinbase actually didn’t lose any and was luckier than Gate.io, who was hacked approximately $200,000 later.
Within 2 years, reports from analytics firm Chainalysis showed that with just two active cybercrime groups, $1 billion may have been stolen from exchanges. This contributes to the total number $2 billion stolen from all public reports, which makes the definition “unhackable” not realistic anymore.
To understand all these imperfections may help us with the future of blockchain technologies and digital assets.
How to hack a blockchain?
Theoretical, it’s way too expensive and difficult to hack a complex blockchain system. However, the more complex a blockchain is, the easier to make mistake in setting up the system, which leads to manipulative flaws for attackers to take control of the blockchain.
These happen on exchanges instead of blockchain directly. For example, Zcash secretly fixed a “subtle cryptographic flaw” – a part of its complicated protocol by chance, which allows attackers to create endless fake Zcash. Moreover, one of the developers of Bitcoin’s main client also secretly fix a hole in system which allows users to have more than the system allowance.
The 51% attack
By controlling more than 50% of network’s mining hashrate, the attackers would be able to manipulate the system for double-spend coins. The cost for this attempt is considerably expensive for popular crypto, but quickly decrease for the other 1,500 ones out there.
For the first half of 2018, attackers aimed to small traded coins and successfully stole totally $20 million from Verge, Monacoin, and Bitcoin Gold and. The attack $1 million worth on Ethereum Classic was the first to hit a top-20 currency.
According to David Vorick, co-founder of the blockchain-based file storage platform Sia, these kinds of attacks appear to happen more frequently and more seriously. Double-spends will finally make exchanges more restrictive on selecting cryptocurrency to support.
Smart contracts issues
Those weaknesses of blockchain security have reached a whole new level: smart contracts issues. Since transactions on blockchain can’t be reversed as simple as those on the traditional software, applying a smart contract requires no mistake made on the software. An example for this bug is $60 million worth of cryptocurrency of Decentralized Autonomous Organization (DAO) lost because of a unpredictable flaw in the smart contract.
On one hand, there are fixes and upgrades for smart contracts or a way to stop a detected hack. On the other hands, it would be too late if the users have already lost their money. However, rewriting blockchain history to the point before the attack, which means creating a new blockchain, moving everyone that agree to use the new one can actually help claim back the money effectively.
Smart contracts with bugs holding thousands or millions of dollars are attractive to thieves as much as banks or governments. Once a bug exists with visible source code on blockchain, hackers surely find it.
Are we able to fight back hackers?
There are companies offering different services to address the vulnerabilities of blockchain. Artificial intelligent is being used, for example in An.Chain to not only moderate transactions and identify suspicious activities but also detect smart contracts’ vulnerabilities. Other companies offer audit to imply a smart contract’ code in practice and its results. These have supported contract creators in excluding many bugs although it might cost money and time.
Additionally, Coinbase has rewarded many people reported bugs as a way to add small contracts. These “bug bounties” can encourage people in finding bugs for the creators. After all, that open complex system depends on people behaviours, and people always know how to manipulate it.
To sum up, we usually learn things in a hard way, and blockchain security is the same. The growth of blockchain means the growth of everything related, even scam or hack. Sometimes, it’s about unforeseen software bugs. Sometimes, the complex behaviours and interaction of humans enhance their greed in exploiting the system.