Cryptocurrency is as hack-proof as it gets depending on the coin itself and on the hashing power that supports it. Their decentralized nature ensures that there is no single target to hack, and the blockchain itself ensures that no double-spending going on. Despite this, there have been some attack vectors that were exploited by hackers, allowing them to successfully (or not) game the system. The four hacks described below are some examples of attacks carried out on cryptocurrencies themselves. These show that despite all the advantages and wonders that crypto has brought us, there is still much to learn. We’ve also organized them by the severity of the hack, considering the funds that were actually lost and other factors.
4 – Steemit (Steem)
Three months ago Steemit, the blockchain-based blogging platform, was hacked. The hack was the result of a vulnerability on the Web browser front end and not on the cryptocurrency itself. Around 260 accounts were drained, resulting in the loss $85,000 worth of Steem Dollars and Steem, the cryptocurrency that fuels the platform.
Following the attack, trading of the cryptocurrency was halted on the Bittrex exchange and the hack was reported to police and other cyber crime authorities, including the FBI.
Following a hard-fork, the funds were retrieved and returned to their rightful owners. Since then, Steemit has increased security and no further problems have been identified. In Steemit, hard forks are easier to impliment due to their witnesses consensus mechanism in which only a small number of pre-selected users are required to vote.
3 – Krypton (KR) & Shift (SHF)
During August this year, two Ethereum clones, Shift and Krypton, were hacked using the same novel version of the 51% attack. A 51% attack consists in having more hashpower than the rest of the network’s miners. This allows the attacker to have a certain degree of control over transactions. That’s why it’s so important to have a decentralized network of miners. It is very unlikely that Bitcoin should suffer such an attack due to its high network hashrate.
The first attack was mounted on Shift and it did not result in the loss of funds. The second attack, however, resulted in the loss of 21,465 KR, $3000 at the time. The attacker was able to overpower the network with rented hashpower from NiceHash and used the 4miners mining pool to conduct the attack. He then deposited Krypton on Bittrex, a multi cryptocurrency exchange, sold them for Bitcoin and then rolled back the blockchain to reverse the transaction, thus keeping both the bitcoin and the Krypton coins previously sold.
Despite being a small-scale attack, many believe that the hack may have been a test drive before moving on to bigger Ethereum-based blockchains like Expanse, Ethereum Classic, or even Ethereum itself.
“This attack may be a ‘dry run’ intended as a proof of concept before targeting other Ethereum-based blockchains. Shift, another Ethereum type coin, was also targeted by a similar 51% attack last week. Ethereum based blockchains are being targeted predominantly because they’re easy to fork and manipulate offline while being used in conjunction with DDoS attacks. It is suspected that the attackers may be using these lower cap coins as a ‘testnet’ before targeting Ethereum Classic. This attack may be more difficult to scale up because of ETC’s larger aggregated hashing power.” Krypton developers
2 – Bitcoin (BTC)
On August 15, 2010 (block 74638), Jeff Garzik noticed that someone was able to generate a 184 billion Bitcoin transaction in one single block. This is troubling when you consider that the block reward at the time was 50 Bitcoins and that the total supply of Bitcoin is 21 million. This was possible due to a bug in which the code used for checking transactions before including them in a block didn’t account for the case of outputs so large that they overflowed when summed. The problem was fixed within five hours later and a hard fork took place, rolling the blockchain back and changing the consensus rules that rejected output value overflow transactions, as well as any transaction that paid more than 21 million bitcoins in an output.
This was the only major security flaw found and exploited in Bitcoin and it is a good thing it happened back in 2010, as it would have a devastating impact if the flaw was exploited today. Although no funds were lost during this attack, it can be considered as a significant landmark in the history of Bitcoin.
1 – The DAO (DAO)
During May this year, an Ethereum project called The DAO started its crowd sale stage that lasted for a month. During this time $150 million worth of Ether (12.7m ETH) were invested in the project, making it the highest funded crowdfunding project of all time.
The DAO stands for Decentralized Autonomous Organization, a Smart Contract system that allowed users to put their Ether in a decentralized venture capital fund, in exchange for an amount of DAO tokens that were proportional to the stake invested. Proposals would then be made by contractors and voted on by the DAO token holders. If a proposal reached a 20% quorum, it would them be funded and turned into a project. DAO token holders were entitled to the dividends generated by the project.
Token holders also had the possibility of recovering the invested Ether through the Splitting function, which basically would allow the holder to split from the major DAO to a child DAO in which he holds 100% of the tokens, thus allowing him to send the Ether inside said child DAO back to his Ether wallet.
A hacker discovered a flaw in this complex feature and initiated a split that removed his Ether from The DAO and sent them to a newly created child DAO. The code was programmed to send the ETH, check his balance and conclude if the Ether was send, the hacker took advantage of this and used a “recursive call bug” that allowed him to withdraw Ether into the new child DAO repeatedly before the smart contract had a chance to check the balance.
The hack was quickly noticed and the Ethereum team took action, spamming the network so that no more Ether was drained from the DAO and contacting exchanges to stop ETH and DAO trading. The hacker was able to drain $70 million worth of Ether (3.6m ETH).
The development team proposed two solutions, the first being a soft fork that would censor certain transactions, prohibiting the hacker from ever withdrawing the stolen funds. This solution did not return the stolen Ether to The DAO but it also meant that the hacker could not profit from his crimes. The soft-fork was applied but reversed shortly after due to an attack vector created by the fork itself, thus proving that Ethereum is indeed censorship resistant.
The second solution, the hard-fork which would return the Ether back to The DAO was then voted on and approved by the large majority Ether. The Ether was returned to a special smart contract address with the sole function of giving it back to DAO token holders.
Although the hacker did not manage to keep the Ether stolen, the hard fork caused a split in the Ethereum community and led to a considerable portion of users sticking to the old Ethereum blockchain in which the hard fork didn’t take place. This blockchain in which the hacker was allowed to keep the stolen funds was called Ethereum Classic.