Holes in Blockchain Security

Early last month the security team at Coinbase noticed something strange going on in Ethereum Classic, which is one of the cryptocurrencies people can buy and sell using Coinbase’s popular exchange platform. Its blockchain, the history of all its transactions, was under attack.

An attacker had somehow gained control of more than half of the network’s computing power and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once—known as “double spends.” The attacker was spotted pulling this off to the tune of $1.1 million. Coinbase claims that no currency was actually stolen from any of its accounts. But a second popular exchange, Gate.io, has admitted it wasn’t so lucky, losing around $200,000 to the attacker (who, strangely, returned half of it days later).

In total, hackers have stolen nearly $2 billion worth of cryptocurrency since the beginning of 2017, mostly from exchanges, and that’s just what has been revealed publicly. These are not just opportunistic lone attackers, either. Sophisticated cybercrime organizations are now doing it too: analytics firm Chainalysis recently said that just two groups, both of which are apparently still active, may have stolen a combined $1 billion from exchanges.

We shouldn’t be surprised. Blockchains are particularly attractive to thieves because fraudulent transactions can’t be reversed as they often can be in the traditional financial system. Besides that, we’ve long known that just as blockchains have unique security features, they have unique vulnerabilities. Marketing slogans and headlines that called the technology “unhackable” were dead wrong.

Both blockchain implementation weaknesses and algorithm shortfalls are being exploited. While implementation flaws are being actively addressed, intrinsic flaws, which were theorized from the beginning, are harder to mitigate. These are showing up because of the plethora of blockchains (over 1500) now operating and under attack. While it can be incredibly expensive to successfully exploit a large blockchain like Bitcoin, on a smaller blockchain a smaller number of mining nodes is enough to modify or fork the blockchain, as in a 51% attack. If you must use cryptocurrency, use large implementations like Bitcoin.

h/t technologyreview.com