Inventory of mainstream blockchain attack methods (Part 1)


Blockchain is not as secure as we think. While security permeates all blockchain technologies, even the most robust blockchains are subject to attack by modern cybercriminals. Apriorit experts have analyzed attacks against Coincheck, Verge and Bancor exchanges that have significantly damaged the reputation of the blockchain itself.
Blockchains hold up well against traditional cyberattacks, but cybercriminals are coming up with new ways to specifically target blockchain technology. In this paper, we describe the main attack vectors against blockchain technology and look at the most significant blockchain attacks to date.
Cybercriminals have managed to misuse blockchain to perform malicious operations. Ransomware attacks like WannaCry and Petya would not have been as massive if attackers had not received cryptocurrency rewards. Now, it looks like hackers are considering exploiting blockchain security flaws as their main source of income.
In March 2019, white hat hackers discovered 43 vulnerabilities in various blockchain and cryptocurrency platforms in just 30 days. They even found vulnerabilities in famous platforms like Coinbase, EOS, and Tezos.
However, weaknesses are often difficult to detect because they can be hidden in inconspicuous places. For example, the Parity multi-signature wallet was hacked by compromising the library with the withdrawal function in it. The attackers managed to initialize the library itself as a wallet and claim ownership of it. As a result, 573 wallets were affected, $30 million worth of cryptocurrency was stolen, and another $180 million was rescued by the white hat hacking group and later returned to its rightful owners.
By attacking sprawling networks like Bitcoin and Ethereum, cybercriminals are showing they are smart enough to disprove the myth of blockchain security. Let us consider the five most common blockchain attack vectors:

Five Blockchain Attack Vectors

1. Blockchain network attack

A blockchain network includes nodes that create and run transactions and provide other services. For example, the Bitcoin network consists of nodes that send and receive transactions, and miners that add approved transactions to blocks. Cybercriminals look for network vulnerabilities and exploit them with the following types of attacks.

Distributed denial of service

Distributed Denial of Service (DDoS) attacks are difficult to execute on blockchain networks, but they are possible.
When using DDoS to attack a blockchain network, the hacker intends to shut down the server by flooding it with requests that consume all of its processing resources. DDoS attackers aim to disconnect mining pools, e-wallets, cryptocurrency exchanges and other financial services from the network. Blockchains can also be DDoS-ed at their application layer using DDoS botnets.
In 2017, Bitfinex suffered a massive DDoS attack. This was especially inconvenient for the IOTA Foundation, which released their IOTA tokens on the platform a day before Bitfinex notified users of the attack. Three years later, in February 2020, Bitfinex experienced yet another DDoS attack, a day after the OKEx cryptocurrency exchange noticed a similar attack.

Transaction malleability attack

Transaction malleability attacks aim to trick victims into paying twice. In the Bitcoin network, every transaction has a hash, which is the transaction ID. If an attacker manages to change the ID of a transaction, they can try to broadcast the transaction with the changed hash to the network and confirm it before the original transaction. If successful, the sender will consider the initial transaction a failure, and the funds will still be withdrawn from the sender's account. If the sender repeats the transaction, the same amount will be debited twice. Once the two transactions are confirmed by the miners, the hack is successful.
Bitcoin exchange Mt. Gox went bankrupt in 2014 due to a malleability attack. However, Bitcoin appears to have solved this problem by introducing the Segregated Witness (SegWit) process, which separates signature data from Bitcoin transactions with a non-malleable hash commitment to each signature.
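
Added example (not from the original article): a simplified model of why an ID that hashes the signature bytes can change, and how a payment system can check for a confirmed withdrawal by the fields that stay fixed instead of by the recorded ID before sending again. The dictionary layout, the function names and the sample values are constructed for illustration and are not Bitcoin's wire format.

```python
import hashlib
import json

def dsha256(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin uses for transaction IDs."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def legacy_txid(tx: dict) -> str:
    # Legacy-style ID: the hash covers the signature bytes as well.
    return dsha256(json.dumps(tx, sort_keys=True).encode())

def stable_id(tx: dict) -> str:
    # SegWit-style ID: signature (witness) data is left out of the hash.
    core = {k: v for k, v in tx.items() if k != "signature"}
    return dsha256(json.dumps(core, sort_keys=True).encode())

def withdrawal_confirmed(sent: dict, confirmed: list) -> bool:
    """True if a confirmed transaction spends the same inputs to the same
    outputs as the withdrawal that was sent, whatever its ID is."""
    return any(stable_id(sent) == stable_id(tx) for tx in confirmed)

# Constructed sample data. The signature strings are placeholders standing in
# for two different encodings of the same signature.
sent = {"inputs": ["utxo-a:0"], "outputs": [["addr-customer", 50000]],
        "signature": "3044aa"}
mutated = dict(sent, signature="304500aa")   # same payment, different bytes
chain = [mutated]                            # what actually got confirmed

def naive_check() -> bool:
    # Looking up only the recorded ID reports the payment as missing,
    # which is the point where a second payout would be issued.
    return legacy_txid(sent) in {legacy_txid(tx) for tx in chain}

if __name__ == "__main__":
    print("found by recorded ID:", naive_check())
    print("found by stable ID:  ", withdrawal_confirmed(sent, chain))
```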

Timejacking

Timejacking exploits a theoretical vulnerability in Bitcoin's timestamp handling. During a timejacking attack, hackers change a node's network time counter and force the node to accept an alternate blockchain. This is achieved when a malicious user adds multiple fake peers to the network with inaccurate timestamps. However, timejacking attacks can be prevented by limiting the accepted time range or using the node's system time.
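
Added example (not from the original article): a small model of the two mitigations named above, comparing a node that trusts the median peer clock without limit against one that caps the adjustment and otherwise falls back to its system time. The function names, the 70-minute cap, the 2-hour future-block limit and the peer data are assumptions chosen for the example.

```python
from statistics import median

MAX_ADJUST = 70 * 60        # assumed cap on peer-derived clock adjustment (s)
MAX_FUTURE = 2 * 60 * 60    # assumed limit on how far ahead a block may be (s)

def adjusted_time(system_time: int, peer_times: list, cap: int = MAX_ADJUST) -> int:
    """Node time corrected by the median peer offset, but only within `cap`.
    A median outside the cap is ignored and the system clock is used."""
    if not peer_times:
        return system_time
    offset = int(median(t - system_time for t in peer_times))
    return system_time + offset if abs(offset) <= cap else system_time

def unbounded_time(system_time: int, peer_times: list) -> int:
    """The weak variant: trust the peer median without any limit."""
    return system_time + int(median(t - system_time for t in peer_times))

def accept_block(block_time: int, node_time: int) -> bool:
    """Reject blocks stamped too far ahead of what the node believes is now."""
    return block_time <= node_time + MAX_FUTURE

# Constructed scenario: 3 honest peers and 5 fake peers whose clocks
# are reported as 5 hours slow.
NOW = 1_700_000_000
honest = [NOW - 4, NOW + 2, NOW + 7]
fake = [NOW - 5 * 3600] * 5
peers = honest + fake
honest_block = NOW + 30     # timestamp on a block from the real chain

def demo() -> dict:
    """Does each node variant still accept a block from the real chain?"""
    return {
        "unbounded_accepts": accept_block(honest_block, unbounded_time(NOW, peers)),
        "bounded_accepts": accept_block(honest_block, adjusted_time(NOW, peers)),
    }

if __name__ == "__main__":
    print(demo())
```

With the unbounded median the node's clock is dragged five hours back, so it rejects current blocks from the real chain as being from the future; the capped variant ignores the out-of-range median and keeps accepting them.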

Routing Attacks

Routing attacks can affect individual nodes as well as entire networks. The idea of this hack is to tamper with transactions before pushing them to peers. It is nearly impossible for other nodes to detect this tampering because hackers divide the network into partitions that cannot communicate with each other. Routing attacks actually consist of two separate attacks:

  • Partition attack, which divides network nodes into different groups
  • Delay attack, tampering with propagating messages and sending them to the network

Sybil attack

Sybil attacks are arranged by assigning multiple identifiers to the same node. Blockchain networks have no trusted nodes, and each request is sent to multiple nodes.

Figure 1. Sybil attack
During a Sybil attack, hackers take control of multiple nodes in the network. The victim is then surrounded by fake nodes that close all transactions. Finally, victims are open to double-spend attacks. Sybil attacks are difficult to detect and prevent, but the following measures may be effective: increasing the cost of creating new identities, requiring some type of trust to join a network, or determining user power based on reputation.

Eclipse attack

An eclipse attack requires the hacker to control a large number of IP addresses or have a distributed botnet. The attacker then overwrites the addresses in the victim node's "tried" table and waits for the victim node to restart. After restarting, all outbound connections from the victim node will be redirected to attacker-controlled IP addresses. This prevents victims from obtaining the transactions they are interested in. Researchers at Boston University launched an eclipse attack on the Ethereum network and managed to pull it off using just one or two machines.

Long-Range Attacks on Proof-of-Stake Networks

Long-range attacks target networks that use a proof-of-stake (PoS) consensus algorithm, in which users mine or validate block transactions based on the amount of coins they hold.
These attacks can be divided into three categories:

  • Simple - a naive implementation of the proof-of-stake protocol in which nodes do not check block timestamps
  • Posterior corruption - attempting to mint more blocks than the main chain in a given timeframe
  • Stake bleeding - copying transactions from an honestly maintained blockchain to a private blockchain maintained by an attacker

When conducting a long-range attack, the hacker uses a purchased or stolen private key with a sizable token balance that has been used for validation in the past. Hackers can then generate an alternate history of the blockchain and increase rewards based on PoS validation.

2. User wallet attack

In fact, blockchain and cybersecurity go together like salt and pepper until people interact with them. It may sound surprising, but blockchain users pose the greatest security threat. People who understand the use of blockchain in cybersecurity tend to overestimate the security of blockchain and ignore its weaknesses. User wallet credentials are a prime target for cybercriminals.
To obtain wallet credentials, hackers have tried traditional methods such as phishing and dictionary attacks as well as new and sophisticated methods such as finding weaknesses in encryption algorithms. Below is an overview of the most common methods of attacking user wallets.

Phishing

In 2018, there was an attack on IOTA wallets by iotaseed.io (now defunct), a fake online seed generator. Hackers used the service to conduct phishing campaigns and collect logs with secret seeds. As a result, in January 2018, hackers managed to steal over $4 million worth of IOTA from victims' wallets.

Dictionary attack

In these attacks, hackers try to crack the victim's cryptographic hash and salt by trying the hash of common passwords such as password1. By converting plaintext passwords to cryptographic hashes, attackers can find wallet credentials.

Vulnerable signature

Blockchain networks use various encryption algorithms to create user signatures, but they can also be vulnerable. For example, Bitcoin uses the ECDSA cryptographic algorithm to automatically generate unique private keys. However, it appears that ECDSA has insufficient entropy, which can lead to the same random value appearing in multiple signatures. IOTA is also facing cryptographic issues with its old Curl hash function.
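
Added example (not from the original article): an audit a wallet operator can run over its own signatures to detect the condition described above, the same random value showing up in more than one signature, which appears as a repeated r component under one key. The function names, the record layout and the shortened sample signatures are constructed for illustration.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes) -> tuple:
    """Return (r, s) from a DER-encoded ECDSA signature; raise on bad framing.
    Assumes short-form lengths, which holds for 256-bit curves."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    ints, pos = [], 2
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + length]
        if length == 0 or len(body) != length:
            raise ValueError("truncated INTEGER")
        ints.append(int.from_bytes(body, "big"))
        pos += 2 + length
    if pos != len(sig):
        raise ValueError("trailing bytes")
    return ints[0], ints[1]

def find_reused_r(records):
    """records: iterable of (pubkey, txid, der_sig_hex).
    Returns {(pubkey, r): [txid, ...]} for every r that occurs in more than
    one distinct signature under the same key."""
    seen = defaultdict(dict)
    for pubkey, txid, sig_hex in records:
        r, s = parse_der_sig(bytes.fromhex(sig_hex))
        seen[(pubkey, r)][s] = txid      # identical (r, s) pairs collapse
    return {k: sorted(v.values()) for k, v in seen.items() if len(v) > 1}

# Constructed, shortened values for illustration; not real signatures or keys.
SAMPLE = [
    ("key-A", "tx1", "30080202123402020567"),
    ("key-A", "tx2", "300802021234020209ab"),   # same r as tx1, different s
    ("key-A", "tx3", "300802027f0102020102"),
    ("key-B", "tx4", "30080202123402020567"),   # same r, but another key
]

if __name__ == "__main__":
    for (key, r), txids in find_reused_r(SAMPLE).items():
        print(f"{key}: r={r:#x} repeated in {txids}")
```

Any hit means the signing key should be treated as exposed and its funds moved to a key generated with a sound random source.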

Flawed key generation

Exploiting a vulnerability in key generation, a hacker known as Johoe obtained private keys provided by Blockchain.info in December 2014. The attack was possible because of a mistake made during a code update, which resulted in poor randomness of the inputs used to generate public user keys. Although this vulnerability was quickly mitigated, it may still exist in the ECDSA algorithm.

Attacks on Cold Wallets

Hardware wallets or cold wallets can also be hacked. For example, researchers exploited a vulnerability in the Nano S Ledger wallet to launch an Evil Maid attack. Thanks to this hack, the researchers obtained the private key as well as the victim's PIN, recovery seed, and password.
The most recent cold wallet attack occurred in 2019, when the UPbit cryptocurrency exchange was transferring funds to cold wallets. This is a common method of freezing cryptocurrency when you anticipate a cyber attack. Hackers managed to steal 342,000 ETH, apparently because they knew the timing of the transaction.

Attacks on Hot Wallets

Hot wallets are internet-connected applications used to store private encryption keys. While owners of cryptocurrency exchanges claim they keep user data in their wallets off the network, the $500 million attack on Coincheck in 2018 proved that wasn't always the case.
In June 2019, an attack on GateHub resulted in unauthorized access to dozens of native XRP wallets and theft of crypto assets. Singapore-based cryptocurrency exchange Bitrue also suffered a hot wallet attack almost simultaneously due to system vulnerabilities. As a result, hackers managed to steal over $4.5 million worth of XRP and $237,500 in ADA.


Origin blog.csdn.net/weixin_28733483/article/details/132534525