Slashdot Mirror


Once Hailed As Unhackable, Blockchains Are Now Getting Hacked (technologyreview.com)

schwit1 shares a report from MIT Technology Review: Early last month, the security team at Coinbase noticed something strange going on in Ethereum Classic, one of the cryptocurrencies people can buy and sell using Coinbase's popular exchange platform. Its blockchain, the history of all its transactions, was under attack. An attacker had somehow gained control of more than half of the network's computing power and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once -- known as "double spends." The attacker was spotted pulling this off to the tune of $1.1 million. Coinbase claims that no currency was actually stolen from any of its accounts. But a second popular exchange, Gate.io, has admitted it wasn't so lucky, losing around $200,000 to the attacker (who, strangely, returned half of it days later).

Just a year ago, this nightmare scenario was mostly theoretical. But the so-called 51% attack against Ethereum Classic was just the latest in a series of recent attacks on blockchains that have heightened the stakes for the nascent industry. [...] In short, while blockchain technology has been long touted for its security, under certain conditions it can be quite vulnerable. Sometimes shoddy execution can be blamed, or unintentional software bugs. Other times it's more of a gray area -- the complicated result of interactions between the code, the economics of the blockchain, and human greed. That's been known in theory since the technology's beginning. Now that so many blockchains are out in the world, we are learning what it actually means -- often the hard way.

14 of 90 comments

  1. Fake news by jwymanm · · Score: 5, Interesting

    First off, 51% is an attack not a hack. Second, exchanges have ways to adjust minimum transaction confirmations to almost eliminate any threat from such attacks. A lot of wallets for PoS and other coins have added algorithms and checkpoints to practically eliminate most of the 51% attack vectors also. It's still an ongoing threat but if the coin still matters the ecosystem responds and shuts most attacks down pretty swiftly and with minimal to no loss.
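The confirmation-threshold idea above can be made concrete. Added example, not from the post or from any exchange: Nakamoto's estimate (Bitcoin whitepaper, section 11) of the probability that an attacker holding a fraction q of the hashrate rewrites a transaction buried z blocks deep, and the depth an exchange would need for an assumed risk limit of 0.1%. It also shows why no confirmation depth helps once q reaches 50%.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hashrate share q eventually
    overtakes the honest chain after a transaction has z confirmations
    (Nakamoto's estimate from the Bitcoin whitepaper, section 11)."""
    if z == 0:
        return 1.0                  # unconfirmed: trivially reversible
    p = 1.0 - q
    if q >= p:
        return 1.0                  # majority hashrate: catch-up is certain
    if q <= 0.0:
        return 0.0
    lam = z * (q / p)               # attacker blocks expected while honest chain mined z
    total = 0.0
    for k in range(z + 1):
        # Poisson term evaluated in log space so large z does not overflow
        log_poisson = -lam + k * math.log(lam) - math.lgamma(k + 1)
        total += math.exp(log_poisson) * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float, cap: int = 10_000):
    """Smallest confirmation depth whose success probability is below
    max_risk (an assumed policy value an exchange would choose).  Returns
    None when no depth helps, i.e. the attacker has at least half the hashrate."""
    if q >= 0.5:
        return None
    for z in range(1, cap + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Assumed risk limit of 0.1%; q=0.51 is the majority case from the story
    for q in (0.1, 0.3, 0.45, 0.51):
        print(f"q={q:.2f}: confirmations for <0.1% risk -> {confirmations_needed(q, 0.001)}")
```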

    1. Re: Fake news by Anonymous Coward · · Score: 2, Informative

      It depends how you define "hack." These days the meaning is pretty liberal but even by the standard "doing something that was not intended to be allowed by design" then yes a 51% is indeed a hack.

      Robbing a bank with a crew could also technically be a "hack."

      I'm only adding this because you make it seem like this is normal and should just be dealt with as "meh whatever" when I don't think that's the best approach.

    2. Re: Fake news by Anonymous Coward · · Score: 4, Insightful

      So, our amazing decentralized and unregulated currency of the future needs to be centralized in exchanges that agree on a common operating model. Hmmmmmmm, have we invented banking?

    3. Re: Fake news by Anonymous Coward · · Score: 2, Funny

      It's banking, but with blackjack and hookers.

    4. Re: Fake news by chill · · Score: 2

      Which threshold was that? Gold is virtually unchanged over both a 1-year (-0.16%) and 5-year (+0.14%) period, according to the charts on Kitco.

      --
      Learning HOW to think is more important than learning WHAT to think.

    5. Re: Fake news by codebonobo · · Score: 2

      Bitmain hash rate has gone considerably in China due to pressure from outside ASIC manufacturers. They no longer have the most efficient ASICs, as several companies have better ASICs. Samsung is now making some of the best chips for other companies. The PBoC is also putting pressure on Chinese hydro dam operators to no longer give away free excess hydro energy to the ASIC farms located in China (a big reason why so much mining was being done there), thus we are seeing mining farms migrate to other areas like Canada where there is cheap electricity from renewable sources (mainly hydro). Most mining is still done in China but it's now down to around 55-60% - https://www.blockchain.com/en/...

  2. long known by gravewax · · Score: 3

    Mostly theoretical lol, no it fucking wasn't. It was a well-known vulnerability that hadn't been extensively exploited yet. That is not "theoretical"; there was no doubt about the vulnerability or that it has been used many times.

  3. 1.1 million isn't what I'd call minimal by rsilvergun · · Score: 3, Insightful

    I suppose it depends on how evenly distributed it was, but still.

    Also, a chain is only as strong as its weakest link. Maybe I'm misunderstanding, but it sounds like you're counting on the exchanges for security. Given how quickly they spin up, that seems like a recipe for disaster.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  4. Dying people are dying! by emeitner · · Score: 5, Insightful

    Sensationalistic crap. No one ever claimed blockchains are unhackable by nature of being blockchains. A blockchain's security is proportional to the number and diversity of devices mining and nodes forming the consensus. Dying forks like Ethereum Classic are bound to get hacked. That is just part of the final death throes of a blockchain.
    Move along. Nothing to see here.

    --
    Guru Meditation #6d416769.21610a21

  5. Proof of stake? by bradley13 · · Score: 3, Interesting

    It seems to me that this is yet another reason to get rid of "proof of work" and go to "proof of stake". With proof of stake, you still have a possible 51% attack, but you have no motivation to do so. If some group owns 51% of a currency, and starts stealing, they will tank the value of their own stake.

    --
    Enjoy life! This is not a dress rehearsal.

    1. Re:Proof of stake? by codebonobo · · Score: 2

      Proof of Stake is not new or very interesting, and exists as a form with fiat currency already. Proof of stake has many more attack vectors (nothing-at-stake attacks, long range attacks, short range attacks, stake grinding attacks) than proof of work and ultimately is either less efficient or less secure.

      Further reading -

      https://medium.com/@tuurdemeester/critique-of-buterins-a-proof-of-stake-design-philosophy-49fc9ebb36c6

      https://download.wpsoftware.net/bitcoin/pos.pdf

      https://en.bitcoin.it/wiki/Proof_of_Stake

      http://www.truthcoin.info/blog/pow-cheapest/

      https://medium.com/@hugonguyen/work-is-timeless-stake-is-not-554c4450ce18

      There don't seem to be any foreseeable solutions to making proof of stake secure either, besides obscuring the flaws. Bitcoin is deliberately made inefficient with proof of work, as using provable work that is external to the blockchain is the only means to create real costs where the game theory supports a model in which it is both profitable to secure BTC and extremely costly to attack it.

      With PoW (proof of work) you would need a tremendous amount of effort in order to censor 1-2 blocks, building many ASIC mining farms and then burning the electricity continuously in order to attack bitcoin.

      https://www.youtube.com/watch?v=ncPyMUfNyVM

      https://www.youtube.com/watch?v=KUd8ZGgm6Qo

      With Proof of stake all I need to do is be an early adopter(s), hack/kidnap an early adopter(s), or convince many users to join an interest-bearing bank account by staking their coins with my company (done many times before) to attack the network. Since Proof of work involves outside resources, one can always objectively see and measure the hashrate and sources in real time, and one can cut off such an attack because it involves outside resources.

      There are many different variations of proof of stake, but the simplest way to understand this is by looking at those blockchains as a democratic consensus mechanism where everyone's vote is weighted based upon how many coins or stake they control. Their staked coins then have an opportunity to create a block without proof of work, and a dev controlling 51% of the coins gets to virtually mint ~51% on average of all the blocks. This presents another concern, as the coins typically need to be in "hot wallets" to do so instead of cold storage, leading to a more insecure environment.

      Since most PoS coins have massive premines where only a small number of devs control most of the coins, this also presents another concern, as those devs can be targeted by states, hackers, or attackers, or, as we often see with altcoin devs, they pump and dump a project and then move onto a competing project to repeat this cycle over and over again, thus having an incentive to attack their old project.

      With Proof of work, seizing the coins or stake of any individual or group of people doesn't affect the process of mining or securing the network directly at all. They can only try and spook the market by dumping coins at a discount, while individuals like myself will happily buy up all the discounted coins.

      PoS is being sought because it is a clever marketing ploy to attract environmentalists who are concerned about the electricity used in PoW mining. They may have valid concerns that I also share but they fail to see all the external costs in PoS.

      http://www.truthcoin.info/blog/pos-still-pointless/

      It is akin to not adding up all the inefficiencies in coming to a consensus in a democratic presidential election.

  6. Re:XRP is not vulnerable to this attack by hraponssi · · Score: 2

    You are comparing something centralized (XRP) to decentralized (most other blockchains). Naturally the pros and cons differ.

  7. We know by nospam007 · · Score: 2

    "Coinbase claims that no currency was actually stolen from any of its accounts."

    No data ever gets 'stolen', not movies, not music, not passwords, not cryptocurrencies.
    They just get copied.

  8. the real problem by slashmydots · · Score: 2

    This is why we don't need 600+ different cryptocurrencies. Someone with a fairly small ASIC farm can target a tiny blockchain and >50% it (that's the real name, not 51%) and steal everything.