“How secure is it?”
This is the first question that crosses our minds when we hear of new technology, and blockchain technology is no different, as blockchain security issues are a matter of grave concern now.
Though blockchain arrived on the scene as a promising technology and even earned the unofficial moniker of an “impenetrable technology” that could never be hacked, things went south for this revolutionary technology in an equally short time. Just last year, cybercriminals stole $3.8 billion from crypto investors, proving blockchain is as vulnerable to exploitation as other technologies.
It doesn’t mean that this technology should be discarded; instead, people should become more aware of blockchain security vulnerabilities that currently exist and how to counter them.
So, this blog highlights the most prevalent blockchain security issues and how to prevent them. The information offered will help you safeguard your investment if you venture into blockchain technology.
Five Most Prominent Blockchain Security Issues and How to Mitigate Them Effectively
Let us take a look at the most common blockchain security issues along with the steps you can take to mitigate them.
Routing attacks are cyber attacks directed at an internet service provider to reduce their operational capacity or prevent users from accessing systems like blockchain.
To understand how routing attacks can target blockchain systems, we first need to know how blockchain technology works.
Here is a short scenario that will explain the entire process of blockchain technology and how a routing attack can disrupt it. I will take Bitcoin as an example.
Bitcoin works on a peer-to-peer network in which nodes use consensus mechanisms to agree on a blockchain as a shared record for all the transactions that have taken place so far or are yet to take place.
Special nodes called wallets are responsible for starting transactions and passing them through the network using a gossip protocol, whereas miners verify the most recent transactions, group them into a block, and add it to the blockchain.
To complete the above process, miners solve a periodic puzzle.
Each time a miner creates a block, it broadcasts the block to all the nodes in the network and gets freshly mined bitcoins in return.
Aside from the most recent transactions, the block also contains a proof of work. It is a solution to the puzzle that each node can independently verify before transmitting the block further.
As miners work in parallel, several of them may find a block almost simultaneously. These blocks create forks in the blockchain, which are different versions of the blockchain. These conflicts are eventually resolved as subsequent blocks are attached to each chain, and one becomes longer.
The network automatically discards the shorter chains, eliminating the corresponding blocks while miners can claim their revenues.
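The block, proof-of-work and fork-resolution steps described above can be traced in a few lines of Python. This is an added example, not code from Bitcoin or from the original post; the block layout, the 12-bit difficulty and the miner names are assumptions chosen so it runs instantly, and chain length stands in for accumulated work because the difficulty is fixed.

```python
import hashlib

DIFFICULTY_BITS = 12  # constructed, tiny target so the demo mines in milliseconds


def block_hash(prev, txs, miner, nonce):
    return hashlib.sha256(f"{prev}|{txs}|{miner}|{nonce}".encode()).hexdigest()


def meets_target(digest):
    """Proof of work: the hash must start with DIFFICULTY_BITS zero bits."""
    return int(digest, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(prev, txs, miner):
    """Search nonces until the block hash solves the puzzle."""
    nonce = 0
    while not meets_target(block_hash(prev, txs, miner, nonce)):
        nonce += 1
    return {"prev": prev, "txs": txs, "miner": miner, "nonce": nonce,
            "hash": block_hash(prev, txs, miner, nonce)}


def verify_chain(chain):
    """What every node re-checks before relaying: linkage and proof of work."""
    prev = "0" * 64
    for b in chain:
        digest = block_hash(b["prev"], b["txs"], b["miner"], b["nonce"])
        if b["prev"] != prev or digest != b["hash"] or not meets_target(digest):
            return False
        prev = b["hash"]
    return True


def resolve_fork(chain_a, chain_b):
    """Keep the longer valid chain; also return miners whose blocks are discarded."""
    valid = [c for c in (chain_a, chain_b) if verify_chain(c)]
    winner = max(valid, key=len)
    kept = {b["hash"] for b in winner}
    discarded = [b["miner"] for c in (chain_a, chain_b)
                 for b in c if b["hash"] not in kept]
    return winner, discarded


def demo():
    genesis = mine("0" * 64, "coinbase", "genesis")
    a1 = mine(genesis["hash"], "tx1,tx2", "alice")  # two miners find a block
    b1 = mine(genesis["hash"], "tx1,tx3", "bob")    # at the same height: a fork
    b2 = mine(b1["hash"], "tx2,tx4", "carol")       # bob's branch grows first
    return resolve_fork([genesis, a1], [genesis, b1, b2])
```

Calling `demo()` returns the three-block chain and `["alice"]`, the miner whose block (and reward) is dropped when the shorter branch is discarded.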
Now, if a routing attack takes place on this blockchain system, here is what will happen.
Hackers will disrupt the Bitcoin network’s ability to reach a consensus through the routing attack.
To divert and cut the connections between the various components, cybercriminals will perform an interception attack: they take over the IP prefixes of every component and selectively drop the connections crossing between components while leaving the internal connections within each component untouched.
If you look at the above image (b), it shows that the hacker has seized control over all prefixes on Bitcoin nodes in the gray zone and has complete control over the traffic toward these nodes as shown by the red lines. They would drop the connections between the clients within and outside the gray zone, thus creating a partition.
Such attacks are disastrous as they can act as a denial of service attack, where users can neither increase the number of transactions nor verify the ownership of their funds.
Also, this attack can lead to high revenue loss for miners: once the network reconnects, the shortest chains will get discarded, permanently depriving the miners of their rewards.
A real incident of this kind happened when a hacker redirected traffic from 19 internet providers to steal bitcoins.
Now, let's address the most crucial question.
How to Effectively Mitigate Routing Attack for Blockchain Security?
SABRE can protect bitcoins from partition attacks. It is an overlay network that receives, verifies, and transmits the blocks through special Bitcoin clients.
Besides regular connections, Bitcoin clients can connect to one or more relays of the SABRE network.
If a routing attack occurs, SABRE relays stay connected to other Bitcoin clients, allowing block transmission among the disconnected components.
Looking again at the above image (b), while the users in the gray zone are isolated from the rest of the network, the block mined by node n is transmitted via the relay nodes, shown in orange, to the whole network.
SABRE maintains transmissions by strategically choosing where to host relay nodes. A routing attack does not target those places which are not hosting any Bitcoin clients. So, SABRE relies on these places to maintain connectivity and transmit blocks on behalf of Bitcoin clients, even during an ongoing routing attack.
Remember, bitcoin clients only need one unhindered connection to a SABRE relay to remain protected.
In the above image, ASB, ASC, and ASD are selected by the SABRE network to host the relay nodes. All three are directly connected and have no Bitcoin clients.
So, during a routing attack, all the Bitcoin clients will maintain at least one connection to this relay network.
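To make the partition and the relay path concrete, here is a small connectivity model, added as an illustration and not taken from SABRE or the original post. The topology, client names and relay names are constructed, and the model assumes, as the text states, that relay connections are not diverted during the attack.

```python
from collections import deque

# Constructed topology (not measured data): clients a1-a3 sit in the hijacked
# gray zone, b1-b3 in the rest of the network.
GRAY_ZONE = {"a1", "a2", "a3"}
CLIENT_LINKS = [("a1", "a2"), ("a2", "a3"),   # inside the gray zone
                ("b1", "b2"), ("b2", "b3"),   # outside it
                ("a1", "b1"), ("a3", "b2")]   # links crossing the boundary
# Assumed relay names; each side keeps one client-to-relay connection.
RELAY_LINKS = [("a2", "relayB"), ("b3", "relayC"), ("relayB", "relayC")]


def after_attack(links, isolated):
    """Drop links crossing the partition; connections inside a component stay."""
    return [(u, v) for u, v in links if (u in isolated) == (v in isolated)]


def reachable(origin, links):
    """Breadth-first search: every node a block relayed from `origin` reaches."""
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    seen, queue = {origin}, deque([origin])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def clients_receiving_block(origin, use_relays):
    """Clients that see a block mined at `origin` while the attack is running."""
    links = after_attack(CLIENT_LINKS, GRAY_ZONE)
    if use_relays:
        # Assumption from the text: relay connections are not diverted.
        links += RELAY_LINKS
    return {n for n in reachable(origin, links) if not n.startswith("relay")}
```

Without relays a block mined at `a1` stays inside the gray zone; with them it reaches all six clients, even though only `a2` and `b3` hold a relay connection.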
A 51% attack is an attack on cryptocurrency blockchain by a group of miners who have wrested control over more than 50% of the blockchain network's mining hash rate. By owning 51% of the nodes in the network, these miners now have the power to modify the blockchain as per their liking.
These miners will now have the authority to stop new transactions from getting confirmations, allowing them to halt payments between all users. They can also reverse transactions that were completed before they were in control, which will allow them to double spend a cryptocurrency.
Note: Double spending allows a person to give themselves back any cryptocurrency they had previously spent and use it again.
In January 2019, the Ethereum Classic Blockchain (ETC) fell victim to a 51% attack. The attackers gained majority control and performed a double spending attack. They also reversed the transactions that had already been confirmed, allowing them to spend ETC coins multiple times.
There is no guarantee that routing attacks can be prevented. But you can always be better prepared to keep the damage under control. Here is what you can do.
Six Ways To Effectively Mitigate 51% Attack for Blockchain Security
There are several measures you can take to prevent 51% attacks on your blockchain system. For example:
- Choose a reliable consensus mechanism that provides resistance against 51% attacks. Proof of work (POW) and Proof of Stake (POS) are two popular consensus algorithms used in blockchain networks. Here is a short explanation of how these two work.
Note: In proof of work, miners compete to solve computationally intensive puzzles to validate transactions and create new blocks. The network’s security relies on the fact that a majority of computational power is honest and not controlled by a single entity.
Note: In proof of stake, validators create blocks based on the amount of cryptocurrency they hold and are willing to stake it as collateral. A mechanism like this reduces the incentive for attackers to accumulate a majority stake because doing so would require a significant investment.
- Decentralization is the key! Ensure that your blockchain network is spread across multiple nodes and geographical regions. This will prevent a single entity from gaining control over the majority of computational power. Even if one node gets compromised, the rest of the network will continue to function in the blockchain.
- To discourage malicious behavior, provide appropriate economic incentives to miners or validators. Reward them for their honest participation. This will encourage them to act in the best interest of your blockchain’s security.
Note: You can offer block rewards, transaction fees, or create incentives like bonus rewards or reputation based systems. Take for example Tezos, a proof of stake blockchain where bakers are rewarded with block rewards and endorsement rewards for validating transactions and creating new blocks.
- Use real-time network monitoring tools to detect any abnormal behavior. Monitoring software can detect changes in the distribution of mining power and notify network participants in case there is a 51% attack. Early detection will allow you to take necessary actions to mitigate the attack before it's too late.
  - Hashrate distribution analysis can track mining power distribution.
  - Network health monitoring can monitor node performance and connectivity.
  - Peer-to-peer network analysis can detect abnormal communication patterns.
  - Block validation checks can ensure validity of mined blocks.
- Introduce checkpoints. They are predetermined block heights that serve as reference points for the network. An attacker with a majority hash rate would need to recompute all subsequent blocks, making the attack more challenging and resource intensive.
- Build a strong governance structure that involves active participation from network participants. This includes developers, miners, validators, and community members who can propose and vote on important decisions. A transparent governance structure will maintain network integrity and address potential vulnerabilities.
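The hashrate distribution analysis mentioned in the monitoring bullet can be approximated from block data alone. The sketch below is an added example, not a tool named by the original post; the pool names, block heights, window size and thresholds are assumptions, and a production monitor would use a much larger window.

```python
from collections import Counter, deque

# Constructed sample: (height, pool that mined the block). Pool names are made up.
SAMPLE_BLOCKS = [(100 + i, pool)
                 for i, pool in enumerate("ABCDABCDAB" + "XXAXXXBXXX")]


def hashrate_alerts(blocks, window=10, warn=0.40, critical=0.51):
    """Estimate each pool's hash-rate share from the last `window` blocks and
    report every time a pool moves into the warn or critical band."""
    recent, counts = deque(), Counter()
    level, alerts = {}, []
    for height, pool in blocks:
        recent.append(pool)
        counts[pool] += 1
        if len(recent) > window:
            counts[recent.popleft()] -= 1
        if len(recent) < window:
            continue                      # too few blocks for an estimate
        for name, mined in counts.items():
            share = mined / window
            band = ("critical" if share >= critical
                    else "warn" if share >= warn else None)
            if band != level.get(name):   # alert on transitions only
                level[name] = band
                if band:
                    alerts.append((height, name, band, share))
    return alerts
```

On the sample data, pool X crosses the warning band at height 114 and the critical band at height 117, which is the early signal the bullet describes.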
The measures I shared here will significantly reduce the risk of a 51% attack. Still, you should always stay alert! Continuously assess and improve your security measures to mitigate potential threats.
A Sybil attack occurs when a hacker uses a single node to create and operate many fake identities within a peer-to-peer network. These counterfeit identities bolster their influence by overwhelming all the honest network nodes, thus allowing the hacker to gain the majority of stake in the network while undermining the primary authority of the system.
Once the hackers have claimed the majority stake in the network, they can modify the blockchain network however they like. These cybercriminals can block network transmissions, preventing other users from accessing the blockchain network.
Sybil attacks are prerequisites to 51% attacks. As I explained in the previous section, this attack occurs when false nodes take up 51% or more of the network. Sybil nodes overwhelm the honest nodes within the network, allowing the hackers to gain control over the system through the 51% attack.
Since Sybil nodes are compromised, they also pose a serious privacy risk as nodes handle the flow of information within the network.
So, hackers can use a Sybil node to obtain information like a user’s IP address from other nodes in the network and create more fake nodes in the process.
The Ethereum DAO hack that took place in 2016 was a Sybil attack. The hackers created multiple fraudulent identities to steal the DAO funds.
The DAO allowed token holders to vote on proposals regarding the allocation of funds. Every token represented a voting right, and voting power was proportional to the number of tokens held.
The hackers exploited this mechanism by creating numerous Sybil accounts and using them to accumulate many tokens, allowing them to steal the DAO funds. It was a $60 million hack.
So, how can we prevent a Sybil attack? There is one possible way.
The Best Way to Mitigate Sybil Attack Effectively for Blockchain Security
I suggest verifying the participant’s identities within the blockchain network to prevent Sybil attacks.
Sybil attacks can be prevented through identity validation, as it will reveal the true identity of hostile entities. Verification happens when a central authority verifies the identity of the individuals in the network. They can even perform reverse lookups to determine the IP address of all the participants within the network.
You can validate the identities directly or indirectly. Here is a short explanation of what these two are:
Direct verification happens when a system sends a query to the central authority to check the identities of remote participants.
Indirect verification happens when the system relies on previously accepted identities that other networks have vouched for in terms of authenticity.
For identity validation, you can use information like phone numbers, credit cards, and IP addresses.
But there is also one downside to it.
Although identity validation can provide accountability, it will come at the cost of anonymity, which is essential for peer-to-peer networks.
Selfish Mining Attacks
A selfish mining attack occurs when a miner intentionally withholds their successfully validated blocks from being broadcast to the rest of the mining pool network.
They secretly move forward and continue to mine the next block, thus demonstrating additional proof of work compared to other miners in the mining pool. This allows them to claim more block rewards, including financial ones.
These miners will keep their private chain under wraps and reveal it only when there is an opportunity to get better rewards from the mining pool.
The Japanese cryptocurrency Monacoin was hit by a selfish mining attack in 2018, which caused $90,000 in damages.
Two Ways To Mitigate Selfish Mining Attacks for Blockchain Security
- Randomly assign miners to the blockchain whenever a fork occurs. A fork happens whenever there is a change to the blockchain’s protocol or rules.
- Set threshold limits for mining pools on the blockchain. Such a threshold is also called a share target; it allows miners to submit a share, which is a hash, to the pool approximately every five seconds. This will keep all miners at a similar level where no one will have any advantage over others.
Scammers often scam people into giving up their private keys or personal information. They would then proceed to steal people’s cryptocurrency funds. This type of cryptocurrency scam is called a phishing attack.
The scammers send an email or message to the victim that appears to come from a cryptocurrency exchange or wallet and contains a link to a fake website that looks almost legitimate. Once the user clicks on the link and enters their login information, the scammer gains access to their account.
MyEtherWallet users were targeted with phishing attacks in January 2019. It is an online wallet used for storing and managing Ethereum (ETH) and other ERC-20 tokens. The scammers sent phishing emails to the users asking for their private keys.
Another scam happened with LocalBitcoins, which is a peer-to-peer Bitcoin trading website. The scammers cleverly directed users to a phishing website from LocalBitcoins' official forums and stole their login credentials. Before any action could be taken, many users reported that they were robbed of their wallets. The exact figures of stolen funds are believed to be more than $28,000. LocalBitcoins were forced to disable their services temporarily.
Awareness is essential if you want to avoid falling prey to phishing attacks.
Ten Tips to Protect Yourself From Crypto Phishing Attacks by Scammers
- Avoid clicking on downloads or links from sources that feel suspicious. If a source has misspellings, excessive pop-ups, or asks for personal information, then it's best to steer clear of it.
- Always keep your operating system and software up to date. It is essential for security as updates often come with patches for known vulnerabilities, which can safeguard you from potential cyberattacks.
- Use strong passwords. They should be 12 to 14 characters long with a combination of lowercase and uppercase letters, numbers, and special characters.
- Activate two-factor authentication, which is an identity and access management security method. To access your account, 2FA requires two forms of identification. Password is the first factor; the second is usually a security code.
- This is a no-brainer, but avoid giving out personal information like your wallet address or wallet keys to strangers or even someone you know, as it's better to be safe than sorry.
- Ensure that whatever cryptocurrency exchange and wallet you use is from a reputable source. Check user reviews, ratings, and feedback from reliable sources. See if the platform has a strong track record, has transparent operations, follows regulatory compliance, and provides foolproof security measures like two-factor authentication.
- If a website looks suspicious, stay away from it. Look for red flags such as poor design or outdated layout, grammatical errors or misspellings, and excessive ads or pop-ups. Check for a secure HTTPS connection and a valid SSL certificate.
- Be careful when you download browser extensions. Check their source and ensure it's trustworthy. Install them from official sources like the Chrome Web Store or Firefox Add-ons. Check their ratings, reviews, and developer information. Also review your browser extensions' permissions and update them frequently.
- If you are using public wifi, use a VPN before connecting to the internet. Public Wifi networks lack encryption, and are prone to man-in-the-middle attacks. Hackers often set up fake Wifi networks that act as legitimate ones, which tricks users into connecting to them. This way cybercriminals can gain access to your personal data.
- Again, this is basic, but be careful of emails that contain attachments or links, especially if they come from suspicious sources. Examine their content and tone. Suspicious emails often have grammatical errors, poor formatting, or a persistent tone. They often contain requests for personal or financial information. Check if the sender’s email address matches the official email domain of the organization they claim to represent.
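The last tip, checking the sender's address against the official domain, can be automated in a mail filter or a support tool. The following is an added example, not part of the original post; the domain `wallet.example` is a placeholder, and the helper names and the two-typo threshold are assumptions.

```python
from email.utils import parseaddr

# Placeholder allowlist for a fictional wallet provider (constructed value).
OFFICIAL_DOMAINS = {"wallet.example"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1,          # deletion
                                       row[j - 1] + 1,      # insertion
                                       prev + (ca != cb))   # substitution
    return row[-1]


def classify_sender(from_header, official=OFFICIAL_DOMAINS, max_typos=2):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    for good in official:
        # Exact match or a genuine subdomain of the official domain.
        if domain == good or domain.endswith("." + good):
            return "official"
    for good in official:
        # Official name reused as a leading label, or a near-miss spelling.
        if domain.startswith(good + ".") or edit_distance(domain, good) <= max_typos:
            return "lookalike"
    return "unrelated"
```

A matching From domain only means something when the message also passes the receiving server's SPF, DKIM and DMARC checks, since the header itself can be forged.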
There is no doubt that blockchain technology offers many benefits. But it is also essential to be aware of the numerous security risks associated with this technology. Highlighting them along with their mitigation was the purpose of this blog. However, no solution is entirely foolproof.
Before going public with your blockchain, implement robust security protocols and perform regular, timely audits. You can even hire blockchain security companies for these tasks, as prevention is better than cure.
Cyber attacks will become more sophisticated as blockchain technology grows more prominent in the future. So, keep yourself well informed about the emerging threats that will arise occasionally.
What Are the Types of Blockchain?
There are three types of blockchains:
In private blockchains, only specific users have access to them. A person would require an invitation to join a private blockchain where they get accepted only if their identity is authenticated and verified. The network operators carry forth the entire process by following a clearly defined set of protocols.
A public blockchain allows anyone to join and participate in its core activities. These blockchains are self governed and decentralized in nature. All you need is an internet connection to join the network.
Consortium blockchains are a group of private blockchains each owned by different institutions that have teamed up together to share information and improve their existing workflows, transparency, and accountability.
What Are the Privacy Issues With Blockchain?
Any sensitive information that the blockchain stores, for example healthcare records, financial transactions, identity verification, genetic and biometric data, or criminal records, can be seen by all the participants in the network. So, this is a significant privacy concern in the blockchain.