5 Answers
Bill Faithful, Crypto Writer @ Iwillteachucrypto (2018-present)

If Blockchain is unhackable, why have so many cryptocurrency companies been hacked?

It is like asking, if Democracy is a great system of governance, why are there so many frauds and wars everywhere?

If Democracy was that good, why not put it on autopilot so that we don’t need a president and the legislatures?

That is, just let the people rule themselves at the state level.

So, if Blockchain is unhackable, why have so many cryptocurrency companies been hacked?

It is simple…

Democracy is not bad/unhackable, but why is there so much corruption around the world?

Does it mean Democracy is bad? No…

Again,

It is like someone complaining of holding Cryptocurrency FOR A WHILE NOW while crying out loud on wanting to make more out of it - PROFITS.

The question is, if you continue to hold, when do you plan to sell them?

Why not automate them, as others do, and make profits while awaiting another bull run?

Coming down to Blockchain,

The fact that Blockchain is unhackable does not mean you should leave the door of the blockchain open for thieves to access it…

Blockchain is great but it has a KEY, YOU’VE GOT TO HOLD ON TO YOUR KEY, else, when compromised, no need to talk about UNHACKABILITY…

Or why do we think the crypto whales store their cryptos in a crypto bank?

Nele Maria Palipea, Founder at 8-bit.io

Blockchains are not actually un-hackable.

What makes blockchain more secure than the current database solutions is the millions of users of a blockchain.

How does a blockchain work?

  • Blockchain permanently stores information across a network of these users’ personal computers (nodes). In doing so, it decentralizes the network.
  • In this decentralized network, the computers form a collection of accounts that record every transaction.
  • To keep the records the same across all computers, computers seek to reach consensus with each other (there are many different consensus mechanisms).
  • Based on the consensus mechanism, each computer competes to update the blockchain ledger with a new block, which is rewarded with some sort of financial compensation (this competition motivates a fair governance of the blockchain).
  • Each block has a timestamp and a link to the previous block, forming a chronological chain. This chain is reinforced through cryptography.
  • All this ensures that records are the same across all computers and cannot be altered by others, making blockchain more secure than current database solutions.

But there’s still risk. To hack a decentralised system that is blockchain —

51% attack

The key problem a hacker would need to solve to create a 51% attack is acquiring the majority of the power that supports that specific blockchain. In other words, acquiring 51% of the nodes.

Depending on the consensus mechanism, this power could be computing power, coin supply, number of delegates, master nodes, or some other weight such as free storage space, and so on.

It is then possible to manipulate the blockchain in a multitude of ways, including shutting it down.

So far a perfect solution has not yet been found against a possible 51% attack. Verge experienced such an attack against its network recently. And mining pools for Proof of Work coins have come close and even reached 51% a number of times in the past — Ghash for Bitcoin, FlyPool for ZCash and F2Pool for Litecoin all did this.

But there is more.

Below are reduction-in-network-service and double-spending attacks that are expensive to pull off, but nevertheless remain possible.

Routing Attack

This reduction-in-network-service attack is made possible by a compromised or cooperating Internet Service Provider (ISP). According to research, 3 ISPs route 60% of all transaction traffic for the Bitcoin network.

Luckily a routing attack has so far not been used. But the current routing situation would be a fast and convenient way for governments to switch off cryptocurrencies if they so decide.

Sybil attack

This is a double-spending attack in which a huge number of nodes on a single computer or network are owned by the same party and it manipulates the relaying of valid transactions or floods the network with bad transactions in order to disrupt network activity. Since blockchain transactions have a transaction fee, this kind of transaction flooding would be very expensive to pull off successfully.

Denial of Service Attack

A DDoS attack is an attempt by bad actors to cripple a server by flooding it with high volumes of traffic, crippling its speed or making it unreachable for the duration of the attack.

This reduction-in-network-service attack is fairly common. To give you an idea, in 2007, Estonia was involved in the world's first cyberwar where, for three weeks straight, the country experienced a series of denial-of-service attacks that crippled the country's IT infrastructure. Estonia was, basically, offline to the rest of the world.

While the above attacks threaten the confidence in a cryptocurrency, they result in a minimal loss of funds and are therefore relatively small matters.

In addition to the 51% attack, the worst damage comes from…

Software bugs

As with any computer system, the largest vulnerability is human error. Human error often results in software bugs, which are errors, failures, flaws or faults in a computer program or system.

There are potential software bugs in blockchain code too, just like any other computer program and software out there, and they can be exploited by hackers (even though they can go unnoticed for a long time).

Other easy ways for unintended bugs and backdoors to appear are updates to the code.

  • Perhaps the most visible example of such a hack is the famous Ethereum DAO hack, so bad that it forked a whole new cryptocurrency and haunts the Ethereum project to this day.
  • The latest Bitcoin bug was so bad that developers kept its full details a secret. It was reported that the vulnerability could be used not only to shut down a chunk of the network but also to create new Bitcoin.

Hackers regularly comb through code and updates to find such security vulnerabilities to take advantage of.


Why have so many cryptocurrency companies been hacked, you ask?

The security of cryptocurrency wallets, exchanges, and third-party custodian services remains critically bad.

Companies offering services related to cryptocurrencies, like exchanges and custodian services, employ code too.

The software and programs created with this code are usually not on the blockchain, even though they deal with cryptocurrencies, which means they are centralised services and databases that are even more vulnerable to hackers than a blockchain is.

For example, most hacks of exchanges and custodian services have resulted from services storing customers’ cryptocurrencies in online wallets, better known as “hot wallets” (hacks at Bitfinex, Zaif and many more). Hot wallets enable exchanges to execute trades fast. However, keeping cryptocurrencies in wallets connected to the Internet makes it possible, at one point or another, for hackers to take advantage of vulnerabilities in their systems.

Millions of dollars worth of Bitcoin and other cryptocurrencies have also been stolen over the years not just from exchanges and projects, but the compromised accounts of individuals themselves.

  • Lose that piece of paper with your private key and you just created a door to get hacked.
  • Use your Facebook password for your exchange, without 2-factor authentication enabled, and hackers that bought the Cambridge Analytica data on the dark web can cash out your exchange wallet.

So imagine a bad script in the exchange code that allows double-withdrawal for funds without registering it visibly (BitGrail’s RaiBlock/Nano hack). Or a cryptocurrency exchange database with passwords, cold storage private keys or whatever getting compromised the way that Facebook’s database was.

These services are still centralised middlemen, guarding the gates to cryptocurrencies with the same technology and logic that blockchain and cryptocurrencies evolved to overcome.

That’s why decentralised exchanges on the blockchain are a much-anticipated development, even though they have a long way to go before they are ready for mass adoption, especially for institutional interests.

As long as the service and security infrastructure around blockchain and cryptocurrencies remains dependent on the old world structures, we will continue to have issues.


It’s not only the bad guys hacking stuff though.

There is an army of hackers out there that are the good guys. They work in a field called cybersecurity.

“An ethical hacker is a computer and networking expert who systematically, legitimately and with company's permission, attempts to penetrate a computer system or network to find security vulnerabilities that a malicious hacker could potentially exploit.”

Jasleen Kaur

Luckily, blockchains like Bitcoin and Ethereum are largely a community effort. And reputable cryptocurrency projects and service middlemen, like exchanges, employ an army of these good hackers to ensure the best security possible.

Which means we have a lot of ethical hackers and other key figures watching out for our backs and making sure bugs, hackers, misbehaving nodes and code are taken care of as fast and as best as possible. Most importantly, there are important steps you can take to secure your funds yourself too.

Use the “NOTIFY ME” button on my profile to get regular updates when I answer.

I’m also found on Hacker Noon // Twitter // LinkedIn
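A worked model of the ledger rules and the 51% scenario described in the answer above, added here as an illustration and not code from the answer or any real blockchain client. The block layout, the deterministic "mine in proportion to your share of the power" model and the transaction labels are all constructed for the example.

```python
import hashlib
import json

def block_hash(prev_hash, txs, height):
    payload = json.dumps({"prev": prev_hash, "txs": txs, "h": height}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append_block(chain, txs):
    prev = chain[-1]["hash"] if chain else "0" * 64
    chain.append({"height": len(chain), "prev": prev, "txs": list(txs),
                  "hash": block_hash(prev, txs, len(chain))})
    return chain

def chain_is_valid(chain):
    # Tamper-evidence: editing any block breaks its own hash and every later link.
    for i, blk in enumerate(chain):
        prev = chain[i - 1]["hash"] if i else "0" * 64
        if blk["height"] != i or blk["prev"] != prev or blk["hash"] != block_hash(prev, blk["txs"], i):
            return False
    return True

def confirmations(chain, txid):
    # Blocks from the one containing txid to the tip, inclusive; 0 if absent.
    return next((len(chain) - b["height"] for b in chain if txid in b["txs"]), 0)

def simulate_51(attacker_share, required_confs, rounds=300):
    # Constructed scenario: an exchange credits a deposit after required_confs blocks while
    # the attacker privately mines a fork that spends the same coins to themselves.
    # Deterministic model: each side mines blocks in proportion to its share of the power.
    genesis = append_block([], ["coinbase"])
    honest, attacker = list(genesis), list(genesis)
    append_block(honest, ["deposit->exchange"])
    append_block(attacker, ["deposit->attacker"])  # conflicting spend of the same coins
    h_work = a_work = 0.0
    credited = False
    for r in range(1, rounds + 1):
        h_work, a_work = h_work + 1 - attacker_share, a_work + attacker_share
        while h_work >= 1:
            append_block(honest, []); h_work -= 1
        while a_work >= 1:
            append_block(attacker, []); a_work -= 1
        if confirmations(honest, "deposit->exchange") >= required_confs:
            credited = True  # the exchange has let the customer withdraw against the deposit
        if credited and len(attacker) > len(honest):
            # Nodes follow the longest valid chain, so the attacker's fork replaces the honest one.
            best = max([c for c in (honest, attacker) if chain_is_valid(c)], key=len)
            return {"reorged": True, "round": r,
                    "deposit_gone": confirmations(best, "deposit->exchange") == 0}
    return {"reorged": False, "round": rounds, "deposit_gone": False}
```

Calling simulate_51(0.6, 6) reports a reorganisation in which the credited deposit vanishes from the winning chain, while simulate_51(0.3, 6) never does: the hash links make a single block tamper-evident, but they cannot protect a transaction against a party holding the majority of the power, which is why the answer singles out the 51% attack.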

Kuldeep Kaul, Entrepreneur and Blockchain Evangelist (2013-present)

This is a very good question.

The blockchain, as it is said, can't be hacked because it is immutable by its very design.

What actually happens with centralized exchanges and companies is this - these organisations store their cryptocurrencies in wallets whose private keys are kept centrally at a simple point of storage. In a hack the private keys are stolen giving access to the hacker to transfer the coins out to their own wallets.

That's why it's advisable for customers to keep their cryptocurrencies in secure wallets where they are in control of the private keys.

Rajarshi Maitra, Executive Engineer at LTHE

Imagine you have a sci-fi bank account on Neptune which cannot be hacked (because Dumbledore cast a spell on it). But to access it you need to scan your retina at your nearest ATM. So here I come, kill you, take out your retina and scan it at an ATM to “hack” your unhackable bank account.

This is almost exactly how you hack a “blockchain” company.

Good question. People confuse immutable with unhackable. They are drinking their own kool-aid.