Blockchain’s main selling point is its security. More specifically, its immutability and reputation as unhackable. The distributed public ledger, with its consensus algorithm and decentralised Byzantine Fault Tolerance, offers transparency and ultimate protection. Or does it?
The other side of the blockchain ecosystem consists of reports of hacks, scams, bad projects and criminal attacks. But how much of this has to do with the technology being compromised and how much of it is human experience of the technology?
It is important, in getting to the bottom of this question, to understand the levels of security offered by blockchains. That also calls for differentiating between public and private chains, as well as different algorithms that add to the security.
Furthermore, when we are deciphering the level of ‘un-hackability’ of a blockchain, it makes sense to examine where there have been hacks or vulnerabilities, and look to those points of entry as areas of concern when it comes to the supposed pure security afforded by this technology.
There have been some high profile vulnerabilities in the code of blockchains such as Bitcoin and Zcash in recent times. Then there is the 51% attack, which has become more and more prevalent with proof-of-work algorithms such as Ethereum Classic, which actually suffered such an attack.
Nothing is Unhackable
There is a constant battle in the digital realm between the builders of different systems and the hackers that are trying to compromise them. In essence, nothing is unhackable; this is the viewpoint of professor Harald Vranken in the Computer Science faculty of the Open Universiteit Nederland.
“A general truth is that any system can be hacked - 100% security is unfeasible,” Vranken told BDJ. “The only difference is that some systems can be hacked more easily than others.”
“A general truth is that any system can be hacked - 100% security is unfeasible”
Vranken states that blockchains are then hackable, and it has more to do with the nature of them and the security measures that are ingrained in them. For example, a permissionless system with the proof-of-work algorithm such as the Bitcoin blockchain has not been hacked and has sufficient security, but that does not necessitate that it cannot be hacked.
“Hence, also blockchain systems are hackable for sure,” Vraken adds. “Blockchain systems can be divided roughly into public, permissionless systems and private, permissioned systems. Bitcoin is the prime example of a public blockchain, where everyone can read and write to. This requires strict security measures to prevent tampering and fraud. As far as we know, the proof-of-work algorithm provides sufficient security in practice to secure the blockchain and to prevent double spending, as long as no single party controls more than 50% of the nodes that do the validation.”
The proof-of-work algorithm is currently a good system that has not been directly compromised, but, as Vranken hints at, there are instances where the blockchain can be compromised such as the 51% attack, as well as vulnerabilities in the code.
Security is Paramount
Other blockchain algorithms, notably the proof-of-stake, are a little different and depending on their makeup, have more vulnerabilities that could be exploited by hackers. Ethereum is a blockchain that is looking to transition from the proof-of-work algorithm to proof-of-stake in order to increase transaction speeds, but while still ensuring ultimate security.
Vitalik Buterin, the co-founder of Ethereum, recently took a swipe at other proof-of-stake blockchains stating that they have sacrificed security for speed, as well as decentralisation.
“There are a lot of horrible misconceptions because the purpose of a consensus algorithm is not to make a blockchain fast. The purpose of a consensus algorithm is to keep a blockchain safe,” Buterin said .
“The reason why things like proof-of-work can process relatively few transactions is because, with the way it works, it becomes unsafe if computers spend maybe more than 10% mining and verifying blocks.
“The purpose of a consensus algorithm is not to make a blockchain fast. The purpose of a consensus algorithm is to keep a blockchain safe”
“A lot of the time, when a blockchain project claims: ‘we can do 3,500 TPS (transactions per second) because we have a different algorithm’, what we really mean is we are a centralised pile of trash that only works because we have seven nodes running the entire thing.”
Ethereum is looking to make the changes to its algorithm through its Casper upgrade, which has implemented a process by which it can punish all malicious elements.
How Casper Works
The validators stake a portion of their Ethers as stake. After that, they will start validating the blocks. Meaning, when they discover a block which they think can be added to the chain, they will validate it by placing a bet on it. If the block gets appended, then the validators will get a reward proportionate to their bets. However, if a validator acts in a malicious manner and tries to do a ‘nothing at stake’, they will immediately be reprimanded, and all of their stake will be slashed.
It is clear that Casper is designed to work in a trustless system and be more Byzantine Fault Tolerant in order to preserve a high level of security that, currently, should not be breached.
Points of Entry
With all this being said, even on the oldest blockchain, Bitcoin, there have been scares where the blockchain was in danger of being compromised. Most recently, the CVE-2018-17144 vulnerability was brought to light. This was essentially a bug in the code that had gone unnoticed for years that could have been exploited to create double-spends.
“Possible weaknesses, however, may be present in the software implementations,” Vranken adds. “CVE-2018-17144 is an example of this. Even more, the software implementing wallets is an attractive target for hackers, since that is the place where users store and manage their currencies. If a hacker can get access to your computer system and manages to find the keys and data related to your currencies on your disk, your currencies are stolen.
“If a hacker can get access to your computer system and manages to find the keys and data related to your currencies on your disk, your currencies are stolen”
“For private blockchains, security measures are of a different nature. These blockchains are operated by private partners, and securing the blockchain is similar to securing other applications and environments operated by them.”
It is fairly obvious that a hack that occurs at the exchange and wallet level does not really have anything to do with the blockchain itself being compromised. Rather, it is related to poor implementation of software and code in managing the tokens produced from the chain.
However, it is relevant to note that the same coding errors can be loaded onto the blockchain code, such as in the case of the CVE-2018-17144 vulnerability, and thus allow it to be hacked.
The Zcash blockchain is another that recently reported a similar vulnerability. In March of last year, an engineer for the Zerocoin Electric Coin Company identified an error in a seminal cryptography paper that served as a foundation for a host of virtual coins, including Zcash’s.
The flawed paper described the mathematical underpinnings of certain ‘zero-knowledge’ proofs. Ultimately, an attacker could have exploited the vulnerability to mint an infinite amount of counterfeit Zcash.
Joseph Bonneau, an assistant professor at New York University, explains how bugs in (any) code are common and, of course, will always pose risks in terms of creating vulnerabilities.
“This is, of course, a falsehood,” Bonneau said when posed the question if blockchains are totally un-hackable. “I think as this incident [the CVE-2018-17144 vulnerability] shows there is a big risk of bugs in the code that most blockchain nodes run.
“I don't think it makes sense to point to developers. All software has bugs in its life cycle. The fact that the protocol is not very forgiving of software bugs - right now - is the fundamental problem.”
The 51% problem
One of the more well known ‘hacks’ for blockchains is the 51% attack. The 51% hack refers to an attack on a proof-of-work blockchain by a group of miners controlling more than 50% of the network's mining hash rate, or computing power.
The attackers would be able to prevent new transactions from gaining confirmations, allowing them to halt payments between some or all users. They would also be able to reverse transactions that were completed while they were in control of the network, meaning they could double-spend coins.
These attacks have been seen before on smaller less established permissionless blockchains, but recently, Ethereum Classic was compromised in this way.
“Governance is still missing for decentralised blockchains, which is a dilemma since these systems were invented for not having to rely on third parties”
“I can only speculate about the motives of the actors involved in this attack,” adds Vranken. “A quick win might be possible, and of course a substantial amount of money is involved, but it also might be an attack targeting the general trust in blockchains.
“What it does show is that at the end, when you as a customer are the victim of an attack, you lose your money and it will be very hard to get it back. This is a big difference with the classic financial system operated by banks, where you as a customer have some guarantees that you will get your money back in case of some major incident.
“Governance is still missing for decentralised blockchains, which is a dilemma since these systems were invented for not having to rely on third parties. In theory, this is fantastic, but in the daily practice of the real world there are limitations - as is the case with any technology.”
Remains Hypothetically Safe
Answering the question or whether blockchain can or cannot be hacked is complicated as there are certain definitions of both blockchain, and hacking, that need to be established. Differentiating between permissioned and permissionless blockchain affects the answer to this question, as does defining hacking.
There are instances where exchanges and wallets are hacked, and easily so, but this is removed from the blockchain. Then there are the bugs in the code and the vulnerabilities that these bring. But, on a hypothetical level, the technology as it stands today is beyond the reach of hackers, but that may not last forever.
While blockchain is being built explicitly with security in mind, traditional banks and their online services are seriously vulnerable to hacking. A report from Positive Technologies found that the number-one threat is an attack on the web application user and that a quite ridiculous 87% of the banking web applications tested were susceptible to these attacks. Of course, if the hacker gains access to a banking web application, money can be stolen with relative ease. Similarly, government apps are also leaky, targets on account of being made by an altogether unsavvy group.
In the most common instance, the victim will receive an email, for instance, posing as being from a trusted entity like their bank, which will infect the device with malware. Banks simply don’t have robust enough security on their web applications to deal with that level of access to user information. The main vulnerabilities in banking networks, according to the report, come from outdated software, sensitive data stored in cleartext, dictionary passwords and the use of insecure data transfer protocols. And so, while blockchain’s security credentials may not yet be infallible, perhaps a system built on a foundation of providing security will be far safer than the currently preferred alternative.
Illustrations by Kseniya Forbender
To contact the editor responsible for this story:
Margarita Khartanovich at [email protected]
- How Blockchain Can Reshape Charitable Donations
- Blockchain’s Scaling Crises: Can Sidechains Be A Potential Solution?
- Hacking Blockchain: Is it Really Secure?
- Regional Strengths Are Shaping AI’s Evolution in Asia
- Credit Card vs. Bitcoin: How Do You Pay for Your Coffee?
- Do You Trust AI? This Is What You Must Understand to Do So