H for Hacking: Can blockchain be hacked?
For a long time the cryptocurrency world has claimed the ‘unhackability’ of blockchain. While the cryptographic features of blockchain technology provide advanced security, it would be very bold to claim a blockchain cannot be hacked.
Let’s settle this once and for all – what can and cannot be hacked in blockchain.
Contrary to the claims, cryptocurrencies can be and have been hacked more often than one would think.
Some of the most legendary hacks took place in the early years of the technology. For instance, Mt. Gox was hacked not once, but twice: first in 2011 for 2,609 BTC, then again in 2014 for more than 750,000 BTC. There is also the Decentralised Autonomous Organisation (DAO) hack, where an attacker exploited a smart contract error and managed to drain more than 3.6 million ether from the project. However, there is no need to go back that far. In 2019, Binance, one of the most famous trading platforms, lost $40 million USD due to a hot wallet vulnerability, followed by Upbit in November losing $49 million USD. According to their explanation, an “abnormal transaction” resulted in a 342,000 ether loss in a few minutes.
The cryptocurrency world has developed tunnel vision when it comes to security. Instead of viewing security as a whole, it tends to disregard the surrounding vulnerabilities and focus only on the secure aspects of the technology.
What makes blockchain secure
The claims that blockchain can be used to reduce the attack surface in applications are not unfounded. This is due to the combined use of asymmetric encryption or public-key infrastructure, digital signatures and hashing.
Public-key infrastructure means that we can encode information in a way that is mathematically infeasible to break: doing so would take attackers too much time and computational power. This is much stronger protection than most of our current user name and password combinations.
Hashing ensures that the information in the database cannot be changed piece by piece. As all the blocks are cryptographically connected, changing one element would change the whole chain. This means that one cannot just go in and re-route a past transaction without alerting the whole network to the change.
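The tamper-evidence described above, as an added example (not code from the original article or from Qadre's framework): a minimal hash-linked ledger in Python where editing a past transaction breaks verification at that block, and rehashing the rest still fails against the head hash other nodes hold. All function names and the sample ledger are assumptions made up for illustration; consensus and signatures are left out.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for "no previous block"

def block_hash(index, prev_hash, transactions):
    """SHA-256 over a canonical JSON encoding of the block contents."""
    body = {"index": index, "prev_hash": prev_hash, "transactions": transactions}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def build_chain(batches):
    """Link every batch of transactions to the hash of the block before it."""
    chain, prev = [], GENESIS
    for i, txs in enumerate(batches):
        digest = block_hash(i, prev, txs)
        chain.append({"index": i, "prev_hash": prev, "transactions": txs, "hash": digest})
        prev = digest
    return chain

def first_broken_block(chain):
    """Index of the first block whose link or contents fail to verify, else None."""
    prev = GENESIS
    for block in chain:
        expected = block_hash(block["index"], prev, block["transactions"])
        if block["prev_hash"] != prev or block["hash"] != expected:
            return block["index"]
        prev = block["hash"]
    return None

def rehash_from(chain, start):
    """Recompute every hash from `start` on: the work a history edit forces."""
    prev = chain[start - 1]["hash"] if start else GENESIS
    for block in chain[start:]:
        block["prev_hash"] = prev
        block["hash"] = prev = block_hash(block["index"], prev, block["transactions"])

def agrees_with_network(chain, trusted_head):
    """A copy is accepted only if it verifies AND ends in the head hash peers hold."""
    return first_broken_block(chain) is None and chain[-1]["hash"] == trusted_head

# Constructed sample ledger (names and amounts are made up).
SAMPLE = [[{"from": "alice", "to": "bob", "amount": 5}],
          [{"from": "bob", "to": "carol", "amount": 2}],
          [{"from": "carol", "to": "dave", "amount": 1}]]
```

Replacing a transaction in block 1 makes `first_broken_block` return 1; after `rehash_from(chain, 1)` the copy verifies internally again, but `agrees_with_network` still rejects it because its final hash no longer matches the head the other nodes hold.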
Security is an end-to-end process
However, security is not just dependent on one single element. Security needs to be viewed as a whole from code to the user.
There are three aspects to consider at each junction:
- Cost – the time and effort a hacker would need to invest to get into the system and how costly it is to protect it
- Benefits – the benefit an attacker can gain from breaking into the system
- Usability – how easy it is for the end-user to navigate the system with the appropriate security features in place
Finding the right balance means that we protect each point of the system according to its potential risk, while keeping usability in mind. This is what cryptocurrencies have been inherently bad at doing.
The cryptographic infrastructure built into the blockchain network provides much better security than most systems today. However, if we go one step further, we see that security also depends on the surrounding systems. Attackers realize that breaking the private key or hash structure itself is nearly impossible, so instead they focus their attacks on the auxiliary systems or on the user. For example, attackers aim to obtain a user’s private key not by guessing it, but by breaking into wherever it is stored. The current options for storage, whether online, on external hard drives, or on paper, are often hard to use and dangerous.
This is how so many cryptocurrency hacks could occur: by turning a blind eye to the ecosystem where blockchain is used. The supporting systems were poorly built, or required the user to jump through multiple hoops to have any security.
How can we ensure complete security?
Security is not just a single piece of the network puzzle, nor a bolt-on feature. It is a perspective we need to maintain from the first line of code to beyond the 10,000th user.
We need to examine each step of our processes through the three aspects of security and create safety from scratch.
First, as each network is different in terms of participants, information and communication requirements, we view security as unique to each network. At Qadre, we have designed our blockchain framework to be modular and easy to integrate with other systems – which means we can design the appropriate security for the specific use case.
Secondly, we cannot rely on security as a feature purely delivered by code. While we can consider something technically unbreakable now, innovative attackers can soon figure out a different way into the system. We need to continuously monitor threats and add our human capabilities to what the technology can deliver.
Last but not least, security often depends on implementation. While technology might work perfectly in theory, the real world often brings unforeseen challenges. Develop, deliver and adjust the technology to actual needs.
Can blockchain be hacked? Yes, anything can be.
However, blockchain technology can provide a much better layer of security than what we rely on today. If you would like to climb deeper into the bits and bolts of blockchain security, get in touch.