Blockchains and Security

Blockchain is a digital ledger that records transactions across many computers. It is a distributed database, meaning there are many copies of it and new information can be added only if all participants in the network agree.

Blockchain technology is a powerful tool for improving security and reliability; however, it is not without its risks and dangers.

EXPLOITS

The most prominent risk in blockchain technology is the vulnerability to exploits. These are threats to the blockchain that arise because of bugs or violations of assumptions in the system’s design. There are two types of exploits: those that exploit bugs (e.g., denial-of-service attacks) and those that take advantage of flaws in the system’s design (e.g., reentrancy). For example, an attacker can use a denial-of-service attack to make a node go offline by sending it an overwhelming number of messages or queries that it cannot handle.

REENTRANCY

A reentrancy exploit happens when an attacker sends two different transactions in quick succession, each making changes on the attacker's behalf without waiting for the other to finish executing. If a blockchain's transactions are not atomic, the second transaction can carry out its changes before the first one returns a response. This is called reentrancy, and it is considered a major problem for blockchains such as Ethereum because of their reliance on smart contracts.

Other types of security concerns

Security in blockchains is a key concern for many investors and companies who are looking at ways to use blockchain technology in their business model. In addition to the risks stated above, there are various other risks that need to be addressed, such as human errors, phishing attacks, and code vulnerabilities (especially on chains that support smart contracts).

CODE VULNERABILITIES

Code vulnerabilities are a direct consequence of smart contracts, a form of code supported by many blockchains. Smart contracts are computer protocols that execute the terms of a contract. The best way to think about them is as a self-operating computer program that runs automatically when certain conditions are met.

The vulnerabilities in smart contracts are caused by poor coding and bugs in the code. They carry a lot of risk because they are difficult to change once they have been deployed. Bugs can be exploited by hackers, who can use them to steal money or data from the blockchain, e.g., by reaching functions of the code that should not have been executable.

In the blockchain world, smart contracts are used to automate some of the processes that are usually done manually, but as always, automation increases the level of risk.

One of the most typical vulnerabilities is the reentrancy risk described above, which affects smart contracts in a very common way due to their method-based structure with self-assessed access control.

PHISHING ATTACKS

Phishing, on the other hand, is when someone steals your credentials for a service (such as the login for your bank or social media account) by impersonating a person you know, via email, text message, phone call, etc. Private keys are used to sign transactions on a blockchain, which means that if someone were able to steal your private key, they would have access to your funds and to all the functions of the smart contracts you deployed.

Phishing scams are, in general, the most common type of cyberattack. Malicious actors use social engineering to gain access to your private key in order to take control of your account.

It usually follows a pattern of four steps:

  1. Fraudsters will create a fake website that looks identical to the legitimate one;
  2. They will send spam emails or messages on social media sites like Facebook, Twitter, etc.;
  3. They will then trick you into entering your private key or mnemonic phrase on their site;
  4. And finally, they will steal the information they need from you and use it to act on your behalf.

Phishing is not a new phenomenon but it has become more sophisticated with the advent of social media and other online tools. It can be difficult for people to recognize phishing attempts because they are made to look like legitimate messages from trusted sources.

Human Errors

Last but not least, there are many types of human errors that can lead to security breaches in blockchain networks. The most common type of human error is social engineering, an attack that uses deception to gain access to private information or data. Human error is a big risk in blockchain security because of the technology's complexity. Social engineering can be mitigated by ensuring people are well trained in what to do and what not to do when interacting with blockchain technology. Social engineering attacks can occur when humans are given organizational information they are not supposed to have access to, like passwords or keys (as stated before). We just talked about the most common type of social engineering attack – phishing – but as stated before it doesn’t stop there; other attack vectors include:

  • spoofing, which is when someone pretends to be someone else through email or phone, usually with matching geographical location;
  • vishing, which is when hackers call a victim on the phone and persuade them to give information for something that doesn’t exist.

Malicious actors: scams and rug pulls

The crypto world is full of scam projects. It is important to be able to spot them before investing in a project.

  • A scam is an intentional deception or fraud, typically involving the use of false or misleading information designed to take advantage of others.
  • A rug pull is a tactic used by market manipulators who convince investors to buy tokens, often by issuing positive statements about the project’s prospects, with the sole intention of pulling (that is, removing) all the value injected by users and stealing it.

The crypto market is not a safe place, and there are many people who want to take advantage of others' lack of knowledge and experience. Scam projects are often launched by developers with the intention of stealing from investors. They promise unrealistic returns in order to attract more attention to their project, but in most cases they fail miserably or simply disappear without a trace. Some other ways scammers try to take advantage of inexperienced investors are:

  • Promising guaranteed profits that cannot be achieved in reality
  • Selling tokens at a discounted rate
  • Creating fake ICOs
  • Promising free tokens in return for major assets

Scams are a major problem in the crypto space. With so many projects launching and tokens being distributed, it is becoming more and more difficult for the average user to distinguish between a scam and a legitimate project.

To defend yourself from those risks, you should only invest in tokens with liquidity lock-ups. This prevents the token from being sold on the market before its release date, which reduces the chance of a scam or rug pull happening. With locked liquidity, nobody is able to pull the invested value from the project. It is also very important to be aware of the circulating supply of the token you are invested in and of how that supply is distributed (tokenomics).

Having actors with unlocked high percentages of the total supply is a concrete risk.