Internet Security Blog - Hackology
Hacking Blockchain

Hack the unHackable Blockchain

Coinbase noticed something odd happening with Ethereum Classic last month. Ethereum Classic blockchain, the history of all its transactions, was under attack. In other words Ethereum Classic was being hacked.

An attacker had somehow gained control of more than half of the network’s computing power and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once—known as “double spends”. An attack on the Ethereum Classic blockchain may have helped hackers steal around $1.1 million worth of the currency from other users, according to Coinbase

we have identified a total of 15 reorganizations, 12 of which contained double spends, totaling 219,500 ETC approx ~$1.1 Million .

Bitcoin, Ethereum, Ethereum Classic, and similar blockchain networks are vulnerable to an attack in which one “miner” controls more than 50% of the network’s computing capacity
Just a year ago, this particular hack scenario was mostly theoretical. But the so-called 51% attack against Ethereum Classic was just the latest in a series of recent attacks on blockchain, it has put this upcoming industry of potential on a high alert.

Hackers have stolen nearly $2 billion worth of cryptocurrency since the beginning of 2017, mostly from exchanges, and that’s just what has been revealed publicly. Sophisticated cyber-crime organizations are now part of these hacks along with lone attackers stumbling upon a jack pot: analytics firm Chainalysis showed that just two groups, both of which might be still active, may have stolen a combined $1 billion worth of cryptocurrency and mostly from exchanges.

Why Hack Blockchain

Why Not ?
Blockchains are particularly attractive to hackers because fraudulent transactions can’t be reversed as they can be in traditional banking systems. Besides that, we’ve long known that just as blockchains have unique security features, they have unique vulnerabilities. All those who labelled blockchain as “unhackable” were dead wrong. Name of blockchain and cryptocurrency has been greatly exploited aswell , if you head over to my CryptoCurrency Articles , you will see from hidden miners to hacked exchanges , fake coins to fake websites. Everything is available in this new world of blockchain along with credible sources to get some crypto with good guides.

How Blockchain is Hacked

Lets first run a basic class of Blockchain and Cryptocurrency before we go into in-depth examples

Blockchain :  A cryptographic database maintained by a network of computers, each of which stores a copy of the most latest version.
Blockchain Protocol : A set of rules that dictate how the computers in the network, also known as nodes, should verify new transactions and add them to the database (or the blockchain) . The protocol employs cryptography, game theory to create incentives for the nodes to work toward securing the network instead of attacking. The incentive is what miners get in return amounts of the coin they mining. If employed properly this system can make it extremely difficult and expensive to add false transactions but relatively easy to verify valid ones.

As a blockchain gets complex , the programming or the blockchain protocol needs to be properly implemented because chances of mistakes greatly increase. Zcash—a cryptocurrency that uses extremely complicated math to allow private transactions revealed that they had secretly fixed a “cryptographic flaw” accidentally coded right into the protocol. An attacker could have exploited it to make unlimited counterfeit Zcash, luckily no one stumbled upon the flaw.

Ethereum’s developers created a new version of the transaction history that returned $50 million worth of cryptocurrency that had been stolen by a hacker. Not everyone switched, though, and those who kept using the old blockchain make up the Ethereum Classic community
The protocol isn’t the only thing that has to be secure. To trade cryptocurrency on your own, or run a node, you have to run a software known as a client, which can also contain vulnerabilities. In September 2018, developers of Bitcoin’s main client, had to scramble to fix a bug (in secret) that could have let attackers mint more bitcoins than the system is supposed to allow.

Majority of Crypto related hacks we read about are on Exchanges, And many of those hacks could be blamed on poor security practices. In January with the 51% attack against Ethereum Classic, things changed.

The 51% rule

Blockchains based on proof of work as their protocol for verifying transactions are prone to 51% attack. The process, also known as mining, nodes spend vast amounts of computing power to prove themselves trustworthy enough to add information about new transactions to the database. If a miner somehow gains control of a majority of the network’s mining power can defraud other users by sending them payments and then creating an alternative version of the blockchain where the payments never happened. This new version is called a fork. The attacker, who controls most of the mining power, can make the fork the authoritative version of the chain and proceed to spend the same cryptocurrency again on the newly created blockchain. This “decentralized” form of ledger where no one controls anything turns out to be controlled by 1 entity and that is “who ever controls the maximum amount of mining power

51% Attack on Bitcoin : renting enough mining power to attack Bitcoin would currently cost more than $260,000 per hour. But it gets much cheaper quickly as you move down the list of the more than 1,500 cryptocurrencies out there. Slumping coin prices make it even less expensive, since they cause miners to turn off their machines, leaving networks with less protection.

Cost to 51 percent Attack top 5 Cryptocurrency
As you go down 1 hour cost to do a 51% Attack goes less

In mid of 2018, 51% attacks on a series of relatively small and lightly traded coins including Verge, Monacoin and Bitcoin Gold started to appear while stealing an estimated $20 million in total from these attacks. Same attacks happened on Vertcoin and hackers stole around $100,000. Ethereum Classic attack which resulted in more than $1 million, was the first cryptocurrency in the top-20 slot to fall victim to this attack. David Vorick founder of Sia says

51% attacks will continue to grow in frequency and severity, and that exchanges will take the brunt of the damage caused by double-spends. Exchanges will ultimately need to be much more restrictive when selecting which cryptocurrencies to support.

The not-so-Smart Contracts

A smart contract is a computer program that runs on a blockchain network. It can be used to automate the movement of cryptocurrency according to prescribed rules and conditions
51% attacks are not the only inherent weakness with blockchain, Smart contracts are another feature which can be greatly exploited.

Decentralized Autonomous Organization (DAO) a venture capital fund, was set up in 2016 using Ethereum. Shortly thereafter, an attacker stole more than $60 million worth of cryptocurrency by exploiting a smart contract flaw that governed the DAO. The flaw allowed the hacker to keep requesting money from accounts without the blockchain registering that the money had already been withdrawn.

Difference with traditional software and blockchain is that blockchain fixes are not simple to fix, although Windows 10 being a simple software cant get around their “faulty updates”, imagine a decentralized ledger , where once transaction is done can not be undone.

The only way to retrieve lost crypto is to rewrite history— in other words, to go back to the point on the blockchain before the attack happened, create a fork to a new blockchain while applying a fix so the attack can not happen, and have everyone on the network agree to use that one instead. That’s what Ethereum’s developers chose to do. A smaller group stuck with the original chain, which became Ethereum Classic.

In August 2018, AnChain, a security firm – identified five Ethereum addresses behind an extremely advanced attack that exploited a smart contract flaw in a popular gambling game to steal $4 million.

Not So Unhackable Blockchain

Blockchain, after all, is a complex economic system that depends on the unpredictable behavior of humans, and people will always be angling for new ways to exploit it. Recently independent auditing parties have entered the market to help and identify such flaws and attackers, while some companies are even using AI to combat.

Blockchain can be vulnerable under certain conditions and we have seen above, that people were really quick to create those certain conditions to take away the pride with which blockchain claimed “Unhackable”, There is alot to happen in the industry; good and bad, the risk factor involved with bad is really high as a single hacked exchange results in $64 Million stolen. Protocol bugs can be unintentional but still fatal, at times the interaction between code,economics of the blockchain and human lust for quick money creates another dangerous recipe. Now that so many blockchains are out in the world, we are learning what it actually means.

Where do you see Blockchain heading ? Lambo , Moon perhaps ? 

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Get Wise

Subscribe to my newsletter to get latest InfoSec / Hacking News (1 Email/week)
Utopia p2p Ecosystem