Blockchain: security issues revolving around this technology.


For some time now, blockchain has been described as a virtually invulnerable technology, and industries such as the financial system and healthcare are implementing it because of its security benefits. However, an article published by the MIT Technology Review argues that this may not be so and that, "just as the blockchain has unique security features, it also has unique vulnerabilities". According to the article, this long-standing idea has begun to be tested, especially in recent times and with the rise of new cryptocurrency projects.


In addition to the emergence of new cryptocurrencies, the interest of other industries in adopting blockchain has made the technology more complex, and more complex development increases the margin for error. The article illustrates this with the case of Zcash, a cryptocurrency that uses a complex mathematical process to let users make transactions privately. Zcash publicly revealed that it had to repair a cryptographic flaw in the protocol that, if exploited by an attacker, could have allowed the creation of unlimited fake Zcash.

ESET specialists opined in Trends 2019 that attacks targeting cryptocurrency theft will be talked about this year. In 2018, there were several attacks of different kinds that used malware to obtain cryptocurrencies through illegal mining. Examples include the case of Kodi and its manipulation by cybercriminals to distribute cryptocurrency malware, and the supply chain attack on the exchange gate.io, to name a few. More serious, however, was the 51% attack on Ethereum Classic in the first days of January 2019, in which cybercriminals managed to steal $1 million.

What is the 51% attack? It is a threat that any cryptocurrency is susceptible to, because most are based on blockchains that use proof-of-work protocols to verify transactions. A blockchain protocol is a set of rules that determine how computers connected to a network should verify new transactions and add them to the database.

In the verification process (known as mining), the various nodes in a network consume large amounts of processing power to prove to each other that they are trustworthy enough to add information about a new transaction to the database. In this sense, "a miner who somehow gains control of a majority of a network's mining power can trick other users by sending them payments and then create an alternative version of the blockchain, called a fork, in which the payment never occurred," the Technology Review article explains. Therefore, an attacker who controls the largest percentage of the processing power can make the fork the most authoritative version of the blockchain and proceed to spend the same cryptocurrency again.

Carrying out a 51% attack against the most popular cryptocurrencies can be too costly because of the computational power it requires. As a result, in 2018 cybercriminals carried out attacks of this type against lesser-known cryptocurrencies that require less computational power, managing to steal up to $120 million in total, the article explains. Recently, however, news broke of the first 51% attack affecting one of the top 20 most popular cryptocurrencies: the Ethereum Classic attack. According to predictions, this type of attack will increase in frequency and severity.

Monero and the increased risk of 51% attacks.
Recent research prepared by Binance states that the latest update (hard fork) that Monero introduced to its network, in early March 2019, includes an algorithm against ASIC miners, something the developers have been pursuing for several years now. The Monero network was reportedly being dominated by these miners (they contributed 85% of the network's cumulative hash rate), and this possibility of centralizing the network increases the risk of 51% attacks.

This recent change resulted in a 70% decrease in the network's mining difficulty as a consequence of the exclusion of ASIC miners. However, this also increased the risk of a 51% attack on the cryptocurrency.

Security issues for smart contracts.
Blockchain technology is also used for smart contracts. A smart contract is a computer program that runs on a blockchain network and can be used for the exchange of currencies, property or anything of value. According to the MIT article, another use for smart contracts is to create a voting mechanism through which all investors in a venture capital fund can decide how to distribute the money.

One such fund, a so-called Decentralized Autonomous Organization, was created in 2016 under the name The DAO and uses the Ethereum blockchain system. It was the victim of a cyber attack in which cybercriminals stole more than $60 million in cryptocurrencies by exploiting a flaw in a smart contract managed by this organization.

This attack made it clear that a bug in an active smart contract can have critical consequences: because the contract relies on the blockchain, it cannot be repaired with a patch. Smart contracts can be updated, but they cannot be rewritten, the article explains. For example, new contracts can be created that interact with other contracts, or centralized kill switches can be created in a network to stop the activity once an attack is detected, although by then it may be too late, the article notes.

The only way to recover the money is to go to the point in the blockchain prior to the attack and create a fork for a new blockchain and get the entire network to agree to use that blockchain instead. This is what the Ethereum developers decided to do. And while most of the community agreed to switch to the new blockchain we know today as Ethereum, a small group did not want to and remained on the original blockchain, which was renamed Ethereum Classic.

In conclusion, blockchain technology continues to be a great tool for ensuring security, although cases have been identified in which it proved vulnerable. This does not mean that it has ceased to be secure, but rather that, with the passage of time and the natural development of the technological ecosystem (including the evolution of cybercrime), challenges arise that test any type of technology, blockchain included. We must therefore not lose sight of the fact that the labels attached to a product, such as "blockchain is a technology impossible to breach", are true only until proven otherwise because, as a rule in the world of security states, every technology is vulnerable.


Comments

As a result, although security technologies have improved, hackers are also improving themselves. Nothing stays perfectly safe all the time.

3 years ago