Cryptocurrencies have been with us for more than a decade, and during this period there have been countless and increasing attacks, most of them for theft purposes, but others with malicious intent for various reasons.
In general, the information about the attack is not usually very revealing, although the date, the number stolen and the method used can be known, the attackers often remain hidden.
Security in Blockchain
The basic security of the blockchains is ‘Hashing’, a cryptographic process that generates an output of a fixed length, from an input of a variable length. This is achieved through the use of mathematical formulas called hash functions, which are implemented as hashing algorithms. Hash functions are deterministic, which means that as long as the input is not modified, the hashing algorithm will always produce the same output.
Almost all cryptocurrency protocols rely on cryptographic hashing to condense groups of transactions into blocks, and then link each block together, ultimately creating the blockchain.
Blockchains use different types of hash algorithms, such as MD5, SHA-1, and SHA-256. Bitcoin and Cardano use the SHA-256 algorithm, which has an output size of 256 bits.
While hashing and encryption are two different processes, they both convert readable data to unreadable text. The difference is that the encryption must be reversible in order to get back the hidden values, however, we cannot rehash a value, it is an irreversible, one-way mathematical operation.
To understand the concept of blockchain security, we need to know its related attributes. Briefly, they are:
- Integrity of transactions: every time a transaction is made between two nodes in the block chain, its content must remain secure.
- Tamper resistance: Nobody should be able to change data within an active transaction, or on the historical data already stored in the blocks.
- Consistency: The blockchain registry must be updated at the same time on all nodes.
- Access to the network and data: access of users to the data that is in the chain of blocks, at any time.
- Confidentiality of transactions: carry out point-to-point transactions without third parties acting as intermediaries, maintaining the confidentiality of transactions.
- User anonymity: users do not know each other, nor do they have to reveal their real identity, in order to participate in the network.
- Attack resistance: The security system should be designed to protect ledger content and transactions from malicious attacks, such as Distributed Denial of Service (DDoS) attacks, double-spend attacks, and consensus attacks (51% attack).
Types of Attacks
The most common types of attacks on the blockchain are:
The 51% attack is a direct attack on the consensus of a blockchain. A group of malicious nodes, which is capable of controlling more than 50% of the network’s hash rate, will be able to gain control to confirm and reverse completed transactions, causing the double spend problem. Double spending means that the same cryptocurrency can be spent more than once.
It is an attack that is executed by creating multiple identities of accounts or nodes. If enough fake identities are created to participate in network validation (nodes), attackers may be able to overcome the consensus of honest nodes, and so, on a large scale, it would be a 51% attack.
Similar to Sybil Attack, but with the difference that it targets a single node. It consists of isolating a node from the network, and then attacking with false information and disconnecting it from the valid data network.
Occurs when someone pretends to be an entity or company with a good reputation, with the intention of stealing the keys of a wallet, and asks for the introduction of personal data. Normally, they lure the user by telling them to change their password for the platform they operate on, or that there is an error, and that they need to re-enter the access credentials.
It consists of introducing malware into the system to obtain all the important data of the victim and encrypt them. Once encrypted, the victim does not have access to them, and that is when a ransom is demanded through a message or pop-up.
It is the direct hack to the wallets of the exchange itself, where it keeps its funds, as happened with Mt Gox in 2014, where 850,000 BTC were stolen.
A DeFi attack consists of accessing the blocked funds through some type of vulnerability in the protocol. Normally, they are done through flash loans or by manipulating oracles.
A Rug Pull consists of creating a worthless token, and listing it on a decentralized exchange (DEX), where it begins trading in a liquidity pool. The scammer convinces different investors to provide liquidity with cryptocurrencies, swapping with the promoted token, and raising its price. At a certain point, the scammers take away all the money invested in the pool (the value tokens), leaving the investors with a worthless token.
It is software that is installed on the victim’s device, to capture access credentials from the platforms where the victim operates, copying them and sending them to the hacker. Malware is typically installed remotely, but can be physically installed if the attacker has access to the device.
Cryptocurrency-based crime reached a new all-time high in 2021, and is still on the rise.
Illicit addresses received $14 billion over the year, up from $7.8 billion in 2020.
Adoption plays a major role in the interests of criminals. The total volume of transactions grew to USD 15.8 trillion in 2021, 567% more than the totals of 2020.
In the following graph we see the increase in hacks and stolen values, marking an all-time high in the year 2021.
The rise of DeFi leads to new opportunities in crypto crime. Two categories stand out for their growth, scams, and to a lesser extent, stolen funds. DeFi is a big part of the story for both of them.
Rug pulls are common in DeFi for two reasons, one because of the marketing that easily attracts investors, even more so those looking for quick profits, and another because it is very easy, for those with the technical skills, to create new tokens and make to be listed on decentralized exchanges, even without a code audit.
Significant growth has also been seen in the use of DeFi protocols with illicit funds, a scattered practice in 2020, but more prevalent in 2021.
2020 saw the highest number of ransomware attacks, using extortion payments with cryptocurrencies.
The ransom paid by ransomware victims has different destinations chosen by the attackers. The following graphic shows them. In recent years, shipments to centralized exchanges have increased.
Interoperability is also under attack. As this functionality is developed to benefit industry adoption, it attracts crypto-criminals. Chain bridges allow assets to move between different blockchain protocols, and it is precisely on these protocols that the attack is concentrated.
Harmony, Sky Mavis, and Wormhole all saw blockchain exploits in excess of $100 million this year.
Are Regulations the Solution to the Problem?
If you ask me for a quick answer, I would say no. Regulations are not “the solution”, instead, education would have a better impact in solving this scourge. But I must deepen my idea.
Although the rules may discourage the actions of criminals to some extent, imposing legal sanctions before the regulations, the main basic problem is that the technology presents a complication for the victim and an opportunity for the attacker. Most people do not deeply understand the technology and how to have greater blockchain security, while attackers do. While anonymity on networks is a necessary feature to protect the privacy of honest users, it provides a greater incentive for criminals who also benefit from not being identified.
Most of the regulations, which are presented by regulators, aim to identify all the actors of the crypto ecosystem. And the first consequence is the loss of privacy, with the consequent risk to security itself.
The KYC (Know Your Customer) norm, which forces money and finance operators to collect the data of their clients, has brought headaches to more than one user, when they hack the database of the exchanges, and thus the criminals seize key information for the threat, extortion and theft of customer funds.
The KYC rule is a clear form of personal protection for customers. I leave at the end an article I wrote a while ago (1).
Education is the key, as they say, an educated society will not be easily deceived.
Another best practice for blockchain security are external audits, developed by companies that are dedicated to IT security, and bug bounty programs, where organizations and software developers, who are independently dedicated to finding bugs to report, are rewarded financially, especially those related to security exploits and vulnerabilities.
In a hearing at the US House Subcommittee on Commodity Exchanges, Energy and Credit on June 23, Cardano founder Charles Hoskinson gave his thoughts on the future of crypto regulation.
The purpose of the hearing was to discuss the effectiveness of current regulations, with a view to implementing a future framework. He focused on bridging the gap in regulatory oversight of the digital asset market.
The lack of understanding of the crypto industry by regulators is a sore point that does not favor growth. In recent times, this has been seen to manifest itself in numerous examples of heavy-handed enforcement action by US regulators.
Representing the industry, however, Hoskinson presented the developers’ position and explained how a public-private partnership would be in the best interest of all concerned.
He said input for crypto regulation should come from within the industry itself, and be handled by programmers and software developers.
Hoskinson suggested that the industry could create a “self-certification system” that could automatically monitor compliance until an anomaly is encountered, at which point a financial authority would review it.
To support this, he compared the self-regulation of the traditional banking system. “It’s not the SEC or the CFTC that’s looking to do KYC-AML, it’s the banks,” he said, adding “It’s a public-private partnership. What you have to do is set those limits, and then what we can do as innovators is to write programs that help to achieve it”.
As an expert witness, Hoskinson noted that “innovation makes specifics difficult” with respect to regulation.
Therefore, regulation should focus on principles, rather than formulating particular rules for individual events. Cardano’s founder gave as examples of principles deciding what risks to protect against, what rights users should have, and how to use the tools for the “greatest possible good”.
On the subject of regulating cryptocurrencies as commodities or securities, Hoskinson said the issue is more complex than resolving a binary argument.
“When you look at cryptocurrencies in general, I’ve always viewed them as financial stem cells. They’re more fundamental than a particular category, like a currency or a commodity.”
To that end, what trumps a binary argument is a holistic approach, taking into account public policy considerations, based on what regulators want to achieve, such as sanctions enforcement, consumer protection and/or market stability.
Hoskinson said: “So I don’t think it would be wise to say, is it a security, a commodity? Or fall into this temptation of, who’s the more permissive regulator, or what is the regulatory arbitrage? Rather just take a step back and say, what things do we want to guard against?”
(1)article: KYC, to Mass Surveillance Instrument