Slashdot Mirror

← Back to Stories (view on slashdot.org)

Once Hailed As Unhackable, Blockchains Are Now Getting Hacked (technologyreview.com)

Posted by BeauHD on from the expect-the-unexpected dept.

schwit1 shares a report from MIT Technology Review: Early last month, the security team at Coinbase noticed something strange going on in Ethereum Classic, one of the cryptocurrencies people can buy and sell using Coinbase's popular exchange platform. Its blockchain, the history of all its transactions, was under attack. An attacker had somehow gained control of more than half of the network's computing power and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once -- known as "double spends." The attacker was spotted pulling this off to the tune of $1.1 million. Coinbase claims that no currency was actually stolen from any of its accounts. But a second popular exchange, Gate.io, has admitted it wasn't so lucky, losing around $200,000 to the attacker (who, strangely, returned half of it days later).

Just a year ago, this nightmare scenario was mostly theoretical. But the so-called 51% attack against Ethereum Classic was just the latest in a series of recent attacks on blockchains that have heightened the stakes for the nascent industry. [...] In short, while blockchain technology has been long touted for its security, under certain conditions it can be quite vulnerable. Sometimes shoddy execution can be blamed, or unintentional software bugs. Other times it's more of a gray area -- the complicated result of interactions between the code, the economics of the blockchain, and human greed. That's been known in theory since the technology's beginning. Now that so many blockchains are out in the world, we are learning what it actually means -- often the hard way.

44 of 90 comments (clear)

  1. Fake news by jwymanm · · Score: 5, Interesting

    First off, 51% is an attack not a hack. Second, exchanges have ways to adjust minimum transaction confirmations to almost eliminate any threat from such attacks. A lot of wallets for PoS and other coins have added algorithms and checkpoints to practically eliminate most of the 51% attack vectors also. It's still an ongoing threat but if the coin still matters the ecosystem responds and shuts most attacks down pretty swiftly and with minimal to no loss.

    1. Re: Fake news by Anonymous Coward · · Score: 2, Informative

      It depends how you define "hack." These days the meaning is pretty liberal but even by the standard "doing something that was not intended to be allowed by design" then yes a 51% is indeed a hack.

      Robbing a bank with a crew could also technically be a "hack."

      I'm only adding this because you make it seem like this is normal and should just be dealt with as "meh whatever" when I don't think that's the best approach.

    2. Re: Fake news by Anonymous Coward · · Score: 4, Insightful

      So, our amazing decentralized and unregulated currency of the future needs to be centralized in exchanges that agree on a common operating model. Hmmmmmmm, have we invented banking?

    3. Re:Fake news by Anonymous Coward · · Score: 1

      Ethereum Classic is ETC, that one toy that people thought could stand up somehow against this sort of thing. Frankly, I'm surprised this sort of scenario didn't happen like a month after ETC decided to fork off of the main Ethereum chain.

      I guess now the question is: Will ETC reverse the double spends? (Or would that be kind of ironic because that's their very philosophy: to not undo the damage that was done when this happened to the main chain?)

      Maybe ETC will just stay as some kind of broken chain.

      I know one thing's for sure, if I owned ETC, I'd be dumping it for one of the larger, more stable cryptos. I'd also question why I'd had ever joined a smaller chain, knowing that 51% attacks like this can/will happen again in the future to small chains.

    4. Re: Fake news by Anonymous Coward · · Score: 2, Funny

      its banking, but with blackjack, and hookers.

    5. Re: Fake news by chill · · Score: 2

      Which threshold was that? Gold is virtually unchanged over both a 1-year (-0.16%) and 5-year (+0.14%) period, according to the charts on Kitco.

      --
      Learning HOW to think is more important than learning WHAT to think.
    6. Re:Fake news by LordKronos · · Score: 1

      So I suppose if you lost $10k or more in the hack, you be happy to say "oh that's alright...at least they shut it down pretty swiftly and with minimal to no loss", right?

    7. Re: Fake news by Shaitan · · Score: 1

      "even by the standard "doing something that was not intended to be allowed by design" then yes a 51% is indeed a hack"

      Not really, it was a known and accepted design trade-off. At least for Bitcoin and since it was known from essentially the beginning with regard to Bitcoin presumably anyone copying pieces of its tech understand that as well. The best defense against the 51% attack is a large and diverse mining base. Bitcoin has it... these others... not as much.

    8. Re: Fake news by Lanthanide · · Score: 1

      81% of bitcoin mining is controlled by Chinese companies.

      This flap over Huawei in 5G networks is due to the suspicion that the Chinese government can exert control over them whenever they please.

      But that same rationale, the Chinese government can exert control over 81% of bitcoin mining hashrate whenever it chooses.

      It just hasn't yet.

    9. Re: Fake news by codebonobo · · Score: 2

      Bitmain hash rate has gone considerably in china due to pressure from outside ASIC manufactures. They no longer have the most efficient ASICs as several companies have better ASICs. Samsung is now making some of the best chips for other companies. The PBoC also is putting pressure of Chinese Hydro dam operators to no longer give away free excess hydro energy to the ASIC farms located in china(a big reason why so much mining was being done there) thus we are seeing mining farms migrate to other areas like Canada where there is cheep electricity from renewable sources(mainly hydro). Most mining is still done in China but its now down to around 55-60% - https://www.blockchain.com/en/...

    10. Re: Fake news by codebonobo · · Score: 1

      Bitcoin is highly regulated, the distinction is that it is more fungible than digital fiat for regulatory arbitrage. Thus regulation happens at the on ramps and off ramps , and you can ignore regulation elsewhere.

    11. Re:Fake news by MrL0G1C · · Score: 1

      "GPUs are on firesale to the point where it's going to hurt Nvidia's stock price."

      Well I hope so, My GTX970 cost £230, now a 2070 costs double that and the 2080ti's are stupidly expensive, I'd like to see the prices come back down to sane levels. The memory cartel is in part to blame.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  2. It's as if someone had massive capacity by WillAffleckUW · · Score: 1

    If I didn't know better, it would be as if someone had massive computing and decryption capacity to break codes and decided that North Korea and Russia were not going to keep getting the money they've been getting.

    Either that or someone got bored.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:It's as if someone had massive capacity by Shikaku · · Score: 1

      Bored. Depending on the currency the cost to 51% attack is cheap sometimes but these costs are for only an hour. https://www.crypto51.app/ there would be a lot of effort for someone to have free reign over a small market cap and most of those transactions would be rejected by the legit miners.

  3. NSA has been looking at cryptocurrency use by AHuxley · · Score: 1

    https://theintercept.com/2018/... (March 21 2018)
    Recall OAKSTAR and MONKEYROCKET.
    Thats internet use with search, password details and MAC. With bait software.

    --
    Domestic spying is now "Benign Information Gathering"
  4. Chinese lottery backdoor found? by Misagon · · Score: 1

    Who in their right mind have not suspected that one cryptocurrency network or other had not been designed for Chinese Lottery attacks against hashing functions in the first place?
    Of course, there would need to be a backdoor somewhere, of some fashion. And of course some attacker would find it sooner or later.

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
  5. Surprise! by DalM · · Score: 1, Insightful

    When you put billions in wealth out in the open for the world to see, and then encourage and reward every evil doer in the world to use it for their evil things, the evil doers will figure out ways to do evil.

  6. long known by gravewax · · Score: 3

    Mostly theoretical lol, no it fucking wasn't. It was a well known vulnerability that hadn't been extensively exploited yet. that is not "theoretical", their was no doubt about the vulnerability or that it has been used many times.

  7. 1.1 million isn't what I'd call minimal by rsilvergun · · Score: 3, Insightful

    I suppose it depends on how evenly distributed it was, but still.

    Also, a chain is only as strong as it's weakest link. Maybe I'm misunderstanding but it sounds like you're counting on the exchanges for security. Given how quickly they spin up that seems like a recipe for disaster.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  8. Bitcoin is sound money / Scarcity is relevant by slashways · · Score: 1, Interesting

    This is the reason we have Bitcoin; Bitcoin is sound money, and the software running Bitcoin is designed to run for decades. And we have the word: Cryptocurrencies, Bitcoin is alone, others are just scams for most of them, or useless for the remaining. Bitcoin defined scarcity; the others are just a way for some software developers to print money. A 51% attack is just a reminder that you can't secure any software junk.

  9. Well designed coins will prevail. by andreas.falley · · Score: 1

    The problem with many of these coins that get hacked is that they were designed with a rushed software developer's mindset, not a true and methodical engineering one. There was a huge rush to market after bitcoin took off, and only after bitcoin took off did its flaws begin to manifest themselves. Cryptocoin networks should not be like some typical software companies code, where if there's a bug, you just patch or fix it. Sadly many coin were developed that way, and the flaws kept permeating through these coins because lazy coders "borrowed code" from other coins. On the other hand, you have a project like Cardano, where every element was designed from the ground up from peer-reviewed research papers that were submitted to top infosec conferences and vetted by 3 panels of experts in their field just to be accepted. Written in Haskell so that every function could be mapped to lambda calculus and mathematically analyzed in a formal manner, and then all the code is audited by a third party prior to release. Sooner or later all coin projects will have to be designed that way, by adults and not by some eager hackers trying to get rich.

    1. Re:Well designed coins will prevail. by Pinky's+Brain · · Score: 1

      These attacks are simply a result of market cap falling too low and hashing power being cheaply available.

  10. Dying people are dying! by emeitner · · Score: 5, Insightful

    Sensationalistic crap. No one ever claimed blockchains are unhackable by nature of being blockchains. A blockchain’s security is proportional to the number an diversity of devices mining and nodes forming the consensus. Dying forks like Ethereum Classic are bound to get hacked. That is just part of the final death throes of a blockchain.
    Move along. Nothing to see here.

    --
    Guru Meditation #6d416769.21610a21
  11. Etherium Classic? by Chris+Mattern · · Score: 1

    It's probably better than New Etherium, anyways.

    1. Re:Etherium Classic? by hawk · · Score: 1

      I'm holding out for Etherium 98 . . .

  12. Corruption, not theft, is the problem. by mveloso · · Score: 1

    There is no protection against a 51% attack that wipes the entire ledger.

    People focus on the supposed "incorruptibility" aspect of blockchain, but with 51% of the network you can erase it completely. That's the real problem, that an actor could theoretically wipe the whole chain out, start-to-finish.

    1. Re:Corruption, not theft, is the problem. by codebonobo · · Score: 1

      There is no protection against a 51% attack that wipes the entire ledger.

      Technically there is. You can set checkpoints to avoid massive reorgs, and with chains like Bitcoin there becomes insurmountable limitations for the amount of energy you would need to spend in a race condition to reorg the chain with a sufficient depth. Thus there are limitations in physics one must also consider as well. The problem with checkpoints is this introduces other attack vectors and makes the chain much more centralized so they no longer exist in Bitcoin, but are found in altcoins with much less security

      That's the real problem, that an actor could theoretically wipe the whole chain out, start-to-finish.

      What you need to clarify is the fact that the old ledger or chain will still exist and users would simply need to hard fork to ignore the attack after it occurs removing the attack or any theft.

  13. Big hash power can be directed at small coins by qubezz · · Score: 1

    The problem here is the diversity of "me too" get rich quick coins which have much less proof-of-work power protecting their block chain. If I've got generic compute power that is 5% of Bitcoin's hash rate, I can point it at any of these other scamcoins and be 95%. There can be only one secure cryptocurrency, unless the other late-comers uses a vastly different and completely computationally incompatible proof-of-work scheme.

  14. Re:Fox faggots say "fake news" to hide from realit by jpaine619 · · Score: 1

    Trump hasn't solved any bubble problems. He's stuck in his bubble headed off to prison...

    What reality do you live in where Pence won't pardon him?

  15. XRP is not vulnerable to this attack by Lanthanide · · Score: 1

    Yet another advantage of XRP is that it doesn't use mining to secure it's ledger, so this sort of attack is not possible.

    To attack XRP would require 81% of all validators to collude. Since there is no direct monetary incentive to run a validating node, and clients can choose which nodes they can trust, if anyone were to pull off an 81% attack against XRP it would suggest the coin was no longer useful for any serious purpose whatsoever.

    1. Re:XRP is not vulnerable to this attack by hraponssi · · Score: 2

      You are comparing something centralized (XRP) to decentralized (most other blockchains). Naturally the pros and cons differ.

    2. Re:XRP is not vulnerable to this attack by DontBeAMoran · · Score: 1

      I wonder how different it is for other coins which use something like Proof-of-stake, like Reddcoin. I know you can run a staking wallet on something as small as a Raspberry Pi, so basically anyone can help strengthen the network.

      --
      #DeleteFacebook
    3. Re:XRP is not vulnerable to this attack by Lanthanide · · Score: 1

      Except XRP is not centralised in any meaningful way.

  16. Re:Fox faggots say "fake news" to hide from realit by jpaine619 · · Score: 1

    That would be constitutionally correct, although if you think Pelosi would resign you need to share whatever you're smoking.....

  17. Proof of stake? by bradley13 · · Score: 3, Interesting

    It seems to me that this is yet another reason to get rid of "proof of work" and go to "proof of stake". With proof of stake, you still have a possible 51% attack, but you have no motivation to do so. If some group owns 51% of a currency, and starts stealing, they will tank the value of their own stake.

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Proof of stake? by 140Mandak262Jamuna · · Score: 1
      It is not 50% of the total value of the currency. It is the 50% of the computing power that verifies correctness. Once you have 51% of the votes to verify it, you own ALL the value in that currency.

      Everyone knew about 50% verification vote issue. Once state actors get into the game private people stand no chance against this. That is why when it was very comical to read about crypto currency reigning supreme over state issued fiat currencies.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:Proof of stake? by codebonobo · · Score: 2

      Proof of Stake is not new or very interesting, and exists as a form with fiat currency already.Proof of stake has many more attack vectors(nothing at stake attacks, long range attacks, short range attacks , stake grinding attacks) than proof of work and ultimately is either less efficient or less secure.

      Further reading -

      https://medium.com/@tuurdemeester/critique-of-buterins-a-proof-of-stake-design-philosophy-49fc9ebb36c6

      https://download.wpsoftware.net/bitcoin/pos.pdf

      https://en.bitcoin.it/wiki/Proof_of_Stake

      http://www.truthcoin.info/blog/pow-cheapest/

      https://medium.com/@hugonguyen/work-is-timeless-stake-is-not-554c4450ce18

      There doesn't seem to be any foreseeable solutions to making proof of stake secure either besides obscuring the flaws. Bitcoin is deliberately made inefficient with proof of work as using provable work that is external to the blockchain is the only means to create real costs where the game theory supports a model where it is both profitable to secure BTC and extremely costly to attack it.

      With PoW (proof of work) you would need to be a tremendous amount of effort in order to censor 1-2 blocks with building many asic mining farms, and than burning the electricity continuously in order to attack bitcoin.

      https://www.youtube.com/watch?v=ncPyMUfNyVM

      https://www.youtube.com/watch?v=KUd8ZGgm6Qo

      With Proof of stake all I need to do is be an early adopter(s) , hack/kidnap an early adopter(s) , or convince many users to join a interest bearing bank account by staking their coins with my company(done many times before) to attack the network. Since Proof of work involves outside resources one can always objectively see and measure the hashrate and sources in realtime and one can cutoff such an attack because it involves outside resources.

      There are many different variations of proof of stake but the simplest way to understand this is by looking at those blockchain's as a democratic consensus mechanism where everyone's vote is weighted based upon how many coins or stake they control. Their staked coins than have an opportunity to create a block without proof of work and a dev controlling 51% of the coins gets to virtually mint ~51% on average of all the blocks . This presents another concern as the coins typically need to be in "hot wallets" to do so instead of cold storage leading to a more insecure environment.

      Since most PoS coins have massive premines where only a small number of devs control most of the coins this also presents another concern as those devs can be targeted by states , hackers, or attackers or as we often see with altcoin devs they pump and dump a project and than move onto a competing project to repeat this cycle over and over again thus have an incentive to attack their old project.

      With Proof of work , seizing the coins or stake of any individual or group of people doesn't effect the process of mining or securing the network directly at all . They can only try and spook the market by dumping coins at a discount while individuals like myself will happily buy up all the discounted coins.

      PoS is being sought because it is a clever marketing ploy to attract environmentalists who are concerned about the electricity used in PoW mining. They may have valid concerns that I also share but they fail to see all the external costs in PoS.

      http://www.truthcoin.info/blog/pos-still-pointless/

      It is akin to not adding up all the inefficiencies in coming to a consensus in a democratic presidential election.

  18. no hack but attacks maybe more likely by hraponssi · · Score: 1

    So no hack, but the fundamentals still hold. These types of attacks have been going over the years so nothing much new.

    Of course, there have been many years to develop ASIC's and FPGA algorithms for many coin algos. And since miners started dumping their GPU's, maybe cheaper to get a big, more generic hash power. Especially these smaller coins can then be vulnerable, and there can only be so many reasonable hash variants or resources for constant changes.

    PoS is an interesting alternative but many still value their privacy and for that I guess it is not so good at this time.

  19. We know by nospam007 · · Score: 2

    "Coinbase claims that no currency was actually stolen from any of its accounts."

    No data gets ever 'stolen', not movies, not music, not passwords not cryptocurrencies.
    They just get copied.

  20. What a man can make, a man can break by Sqreater · · Score: 1

    And that applies also to quantum cryptography due to its vulnerable nodes at least.

    --
    E Proelio Veritas.
  21. Re:Fox faggots say "fake news" to hide from realit by Khyber · · Score: 1, Insightful

    " giving Hillary the position she rightfully would have won"

    You fucking moron. She never once rightfully held ANYTHING.

    "Hacks: The Inside Story of the Break-ins and Breakdowns that Put Donald Trump in the White House" is the book written by Donna Brazile that details it all.

    Get your head out of your fucking ass.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  22. the real problem by slashmydots · · Score: 2

    This is why we don't need 600+ different cryptocurrencies. Someone with a fairly small ASIC farm can target a tiny blockchain and >50% it (that's the real name, not 51%) and steal everything.

  23. What if the founders cash out by rsilvergun · · Score: 1

    wouldn't that make the scenario you're describing profitable to them? Or if somebody just does what Bain capital and other leveraged buyout firms do and buys up 51% of the stock to again cash out?

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  24. Correct link to MIT Technology review article by cocoabean · · Score: 1
    The original link is to "Explainer: What is a blockchain?" from April 2018.

    Correct link:
    Once hailed as unhackable, blockchains are now getting hacked