Last month, the security team at Coinbase, a digital currency exchange headquartered in San Francisco, California, realized that Ethereum Classic, a cryptocurrency that can be bought and sold on its exchange platform, had been attacked. Hackers who accessed Coinbase's network rewrote portions of the platform's transaction history, enabling users to spend the same cryptocurrency more than once.
Coinbase claims that no money was stolen from its accounts in the hack, but the scare is only the latest incident in a string of cybercrime attacks on cryptocurrencies and their exchange platforms.
According to MIT's Technology Review, hackers have stolen an estimated $2 billion in cryptocurrencies since 2017. According to the report, the hacks are carried out not only by individuals but also by cybercrime organizations.
Cryptocurrency theft is becoming increasingly common, as fraudulent blockchain transactions cannot be reversed and are typically the result of unique vulnerabilities within the code.
A blockchain is a "time-stamped series of immutable record of data that is managed by cluster of computers not owned by a single entity," Blockgeeks.com states, adding, "each of these blocks of data are secured and bound to each other using cryptographic principles."
A blockchain protocol, on the other hand, is a set of guidelines outlining how computers within networks verify new transactions, which are then added to the database.
The more complicated a blockchain system, however, the more likely it is that errors can occur. In February, a company in charge of Zcash, a cryptocurrency which uses cryptography to provide enhanced privacy for users, revealed that it patched a "subtle cryptographic flaw," which could have been easily exploited. But protocols are not the only aspect of the software that can be exploited. To trade cryptocurrency, a software client is also required that accesses services made available by a cryptocurrency server, another piece of code susceptible to vulnerabilities.
The most common attacks are on cryptocurrency exchanges, the websites where users buy, trade, sell and hold cryptocurrencies. One such attack is referred to as a '51% attack,' in which a group of miners gains control of more than 50 percent of the network's computing power.
Mining is the process of adding new transaction records to a cryptocurrency's blockchain, the ledger of its past transactions. In a 51% attack, hackers can prevent new transactions from being verified and reverse transactions that were already completed.
According to website Crypto51, however, it would require enormous amounts of mining power — costing over $260,000 per hour — to attempt this sort of attack on popular blockchains. But a similar attack becomes less expensive with less popular cryptocurrencies.
In 2018, attackers conducted 51% attacks on less-popular cryptocurrencies such as Verge, Monacoin and Bitcoin Gold, stealing an estimated $20 million worth of cryptocurrency. A similar attack on Ethereum Classic resulted in a $1 million loss, according to Technologyreview.com.
David Vorick, cofounder of the blockchain-based file storage platform Sia, told MIT Technology Review that he expects 51% attacks to increase in frequency and severity.
"Exchanges will ultimately need to be much more restrictive when selecting which cryptocurrencies to support," noted Vorick.
In addition to 51% attacks, bugs in smart contracts (the automation code for cryptocurrency transactions that runs on blockchain networks) are a noted blockchain security weak point. Technology Review gave the example of a smart contract used to "create a voting mechanism by which all the investors in a venture capital fund can collectively decide how to allocate the money."
In 2016, a fund to do exactly that, called the Decentralized Autonomous Organization (DAO), was set up using Ethereum. A flaw in the smart contract, however, allowed an attacker to keep requesting money from accounts without the system recording how much money was being withdrawn, resulting in the theft of over $60 million worth of cryptocurrency.
While developers can end these attacks by building 'centralized kill networks' to stop all activity when a hack is detected, the effort to catch up with those exploiting code vulnerabilities has been slow.
Startups like AnChain.ai aim to quash these types of attacks by using artificial intelligence to detect suspicious activity and to scan smart-contract code for vulnerabilities.
Companies like Tsankov's ChainSecurity are developing auditing services using 'formal verification,' a computer science technique that mathematically tests whether a contract's code will do what it is intended to do.
These auditing tools, while promising to be effective against currently known vulnerabilities, are known to be both expensive and time-consuming.