Blockchain security

Blockchain Vulnerabilities: Imperfections of the Perfect System

August 7, 2018 by David Balaban

The whole cryptocurrency and blockchain craze has attracted both fans and critics of the new tech, but the flip side is that it has lured cybercrooks, too. After Bitcoin prices reached the mind-blowing point of $20,000, malicious players got busy looking for weak links in the blockchain. The bad news for regular users is that threat actors have evidently found imperfections in the way cryptocurrencies are stored and transferred.

Blockchain-Related Attacks

If a cryptocurrency exchange gets hacked because it has gaping security holes, such as improper handling of wallet keys, blaming it on Bitcoin and the blockchain is a misconception. It’s like securing the door to your house. If you lock it and lose the keys, and thieves find them and rob your place, it won’t mean that the lock is lousy – it’s the human error to blame. All threats to the blockchain, therefore, come down to people’s negligence, overconfidence or indifference to the fundamentals of crypto-security. To prevent hackers from compromising cryptocurrency assets, it is imperative to know the sources and vectors of their activity at different levels.

Impact at the Network Level

Cybercriminals often use DDoS attacks to disrupt the IT infrastructure of well-protected companies. To pull off an incursion like that, they tend to stick with the following workflow:

First goes a network scan according to a predefined scenario that varies from case to case. The goal is to identify potentially vulnerable nodes. The selected nodes undergo an attack.

For instance, Lightning Network, a second-layer solution providing payment channels for the Bitcoin blockchain, fell victim to a DDoS attack in March 2018. The incursion was orchestrated by an anonymous hacking crew calling themselves BitPico, which leveraged a set of automated tools capable of connecting to hundreds of nodes. Lightning Network developers never actually found any vulnerabilities back then, but the onslaught knocked 200 nodes offline, which was a fifth of the entire network.

Another popular type of attack, known as the Sybil attack, assigns several identifiers to the same node and disrupts the operation of the whole network. This type of attack was previously known as pseudospoofing but gained its new name in 2002 after Microsoft Research expert Brian Zill suggested renaming it after the main character of the book Sybil, a woman suffering from dissociative identity disorder or “multiple personality disorder.” Like Sybil, the Sybil attack hosts multiple identities.

If you delve into the details, peer-to-peer networks like Bitcoin and Ethereum have no trusted nodes: therefore, every request is sent to a number of recipients. Meanwhile, users can have several identifiers from different nodes that can be used to share common resources. These multiple identifiers cause redundancy and allow for verifying the data independent of the network.

However, if you look at this approach from a different angle, it appears that all the available nodes that should represent different recipients of a request are controlled by the same user. If that user turns out to be a rogue player, all the subsequent transactions will close up at alias nodes.

Yet another common type of a network-layer attack is the Eclipse attack, which was discussed in 2015 in a report by a group of researchers from Boston University and the Hebrew University of Jerusalem headed by Ethan Heilman. The Eclipse attack allows malefactors to take control of a node and the associated data. These manipulations in a peer-to-peer network can enable a hacker to obfuscate nodes so that they only interact with contaminated counterparts.

Essentially, this incursion is the initial stage of deploying the so-called “51% attack.” Here is how the Eclipse works. The network contains three large mining nodes: two of them control 30% of the mining power each (60% total), and one controls the remaining 40%. If an attacker owns the latter, he or she can break the 40% down into two miners so that they cannot combine each other’s blocks.

In the aftermath of this, the criminal’s blockchain becomes a chain of the entire consensus block. Henceforth, the perpetrator can manipulate the node so that all the outbound connections are associated with malicious IP addresses. All it takes is inundating the peer-to-peer tables of the node with infected IP addresses, reloading the current connections of all the users – this happens routinely due to software updates and the like – and establishing new connections for the malefactors’ IPs only.

Impact at the User Level

Botnets are the main and the most straightforward tools on the present-day blockchain hackers’ hands. They typically proliferate via droppers – malicious apps camouflaged as pirated copies of licensed software. It’s common knowledge that cryptocurrency mining takes time, hefty computation resources and electric power. In order to save resources, crooks contaminate other people’s computers. In the upshot, regular users bring huge income to cybercriminals and don’t even know about it. For example, a Monero mining botnet called Smominru infected more than half a million servers across the globe in roughly six months, making 8900 XMR (worth about $2 million) for its operators.

Impact at the Mining Level

The most common mining-level threat dubbed the “51% attack” gained notoriety in April 2018, when criminals were able to take control of Verge, a privacy-centric cryptocurrency platform. The compromise took place due to a coding bug. On May 22, crooks hit Verge again, affecting all the pools and all the miners. This caused all valid transactions to be rejected. These manipulations allowed the black hats to steal 35 million XVG tokens worth $1.75 million in just a few hours.

One more example of impact at the mining level is what’s called double-spending. It boils down to successfully spending the same funds twice. Bitcoin is tamper-proof in this regard owing to the verification of every transaction via the Proof-of-Work (PoW) consensus mechanism, where a payment is added to the blockchain only after it has been verified three times. However, the system suffered a malfunction in 2013 as the Bitcoin Core client v0.7 installed by a lot of users stopped updating block entries. Version 0.8, which had been released a month before, continued to operate normally. The problem was that the block number 225,430 was verified by Bitcoin 0.8 clients but rejected by Bitcoin 0.7 ones. This fork made the miner double-spend coins worth $10,000.

Another technique known as “selfish mining” is shaping up to be an issue of the future. This is a Bitcoin mining tactic where users team up to increase their income. This activity may centralize the network and undermine the original concept of a decentralized system.

China is the world’s central hub for combining mining resources, being a country where two-thirds of the global Bitcoin volume comes into existence. If “selfish mining” continues to thrive, then all players on the blockchain market will find themselves thrown back to a centralized economy, only in a modified electronic format.

Attacks That Aren’t Isolated to Blockchain

There are vectors of compromise applicable to all network-related technologies. Most of them are far from being intricate schemes for stealing money. However, the authors of blockchain-based projects often underestimate the most prosaic attack methods and fall victim to cybercriminals.

Phishing is one of the most common types of online fraud. It emerged in the 1990s and still remains on crooks’ list of favorites. According to the findings of Group-IB, phishing accounted for more than 50% of all losses incurred by blockchain projects in 2017. The classic attack workflow involves spam: users receive emails pretending to be from reputable companies, where they are instructed to confirm or update their personal information. Users follow the embedded links and unknowingly submit their account credentials to rogue login pages.

However, perpetrators went beyond simply imitating the look and feel of user accounts and started forging the websites of blockchain projects. As a result of a phishing campaign conducted in April 2018, hackers stole $150 million worth of Ether from the users of MyEtherWallet service. Their modus operandi was as follows:

  • Register a domain name similar to the genuine website
  • Replicate the site content and replace the wallet address with a rogue one
  • Use ads on the Internet to promote the copycat site
  • Intercept and reroute all users of the authentic wallet to their own site.

Avoiding phishing attacks is a no-brainer. Users should simply make sure all the characters in the domain name are correct, and that they visit the site from a browser bookmark or grab the link from a previously saved text document every time they go to the site.

Defacing is one more type of fraud where hackers compromise the websites of blockchain projects and replace the addresses for fundraising with links to their own wallets. The Israeli startup CoinDash fell victim to a defacing attack in July 2017; this caused it to lose about 40,000 Ether, worth over $7 million at the time, during the first three minutes of its ICO (Initial Coin Offering).

The websites of blockchain projects are often hacked because of weak passwords. In order to thwart this attack scenario, it is recommended to use strong, hard-to-guess passwords and enable two-factor authentication.

The social engineering attack vector is another widespread hoax aimed at manipulating users into handing over their sensitive information. Similarly to phishing, this one involves scammers impersonating representatives of a company who try to dupe users into disclosing their account credentials.

These are a few of the current concerns associated with blockchains and cryptocurrency. While this model continues to promise exciting possibilities for the future, a little caution and awareness of the possible risks will go a long way towards protecting you and your assets.


The Sybil Attack, John R. Doceur

Eclipse Attacks on Bitcoin’s Peer-to-Peer Network, Hebrew University/MSR Israel

A giant botnet is forcing Windows servers to mine cryptocurrency, ZDNet

11/12 March 2013 Chain Fork Information, Bitcoin

A successful DOUBLE SPEND US$10000 against OKPAY this morning., Bitcoin Forum

Think I got scammed/phished/hacked, /r/MyEtherWallet

$7 Million Lost in CoinDash ICO Hack, CoinDesk

Posted: August 7, 2018
Articles Author
David Balaban
View Profile

Notice: Undefined index: visitor_id12882 in /www/resourcesinfosecinstitute_601/public/wp-content/plugins/infosec-user-info/infosec-user-info.php on line 117