The Double-Edged Sword of Blockchain Innovation
In an era characterized by unprecedented digital innovation, one frontier stands out as both a beacon of potential and a minefield of risk: the blockchain industry. Renowned for its capacity to drive transformative change across sectors, blockchain technology is now ubiquitous, powering cryptocurrencies and underpinning a host of revolutionary applications. However, along with its promise, it brings with it a range of threats that are continually evolving in complexity and sophistication. Blockchain network attacks, fake stake attacks, and forced API attacks represent just the tip of the iceberg. These, among others, have emerged as substantial challenges threatening to undermine the industry’s credibility and its future growth trajectory. This article explores these common threats, providing a comprehensive analysis aimed at arming industry stakeholders with the knowledge they need to navigate this intriguing yet daunting digital frontier.
The Dark Side of Blockchain: Common Threats and Countermeasures
While the inherent security of blockchain technology makes it resistant to data modification, it is far from immune to a variety of cyber threats. The technology’s decentralized nature, often seen as a strength, can also create vulnerabilities. Anonymous transactions and the lack of centralized authority make the blockchain an attractive target for malicious actors. Moreover, as the adoption of blockchain technology and digital assets accelerates, it simultaneously opens a larger surface for potential threats. The year 2022 marked an unprecedented peak in crypto-related attacks, with losses amounting to $3.8 billion, a figure that was primarily driven by vulnerabilities exploited within decentralized finance (DeFi) protocols. Helping companies and users understand these threats, and how to best mitigate them, is crucial for the industry to keep growing and innovating in a secure environment. By charting out the landscape of these risks, we hope to equip industry participants with the insights needed to navigate this dynamic digital frontier safely.
Blockchain Network Attacks
Attacks on blockchain networks, including those known as 51% attacks, constitute a significant threat in the blockchain realm. A 51% attack materializes when a group of miners commands over half of a network’s mining hash rate, or computational power. These malefactors can then manipulate the network by selectively excluding or altering transaction orders. This manipulation can lead to ‘double spending’, a scenario where the same coins are fraudulently spent more than once. Mitigating a 51% attack necessitates a well-distributed, decentralized network, the promotion of miner diversity, and the integration of consensus algorithms that are resilient to such attacks.
Despite their potential impact, 51% attacks are unlikely to affect well-established blockchain networks because of their prohibitive cost. Consequently, these attacks are primarily a concern for emerging blockchain projects. For instance, as of June 7, 2023, the three dominant Bitcoin mining pools collectively accounted for 66.87% of the network’s hash rate. To match this computational power, an attacker would incur fixed costs of approximately $7.9 billion. Similarly, conducting a 51% attack on Ethereum’s (ETH) network would cost a staggering $18 billion, as an attacker would need to possess over half of the 19.3 million ETH currently staked in the network, equating to more than 9.8 million ETH.
Fake Stake Attacks
These attacks are specific to Proof of Stake (PoS) blockchains. Attackers holding a very small stake create an alternative version of the blockchain in which they hold a much larger stake. This fraudulent chain can then be presented as legitimate to other nodes due to a flaw in the PoS validation process of the targeted blockchain. After attacking the nodes with the intent to hinder or crash them, the threat actor disrupts the competition for block rewards and transaction fees and may gain a disproportionate chance of receiving these rewards.
Steps to mitigate an organization’s risk with blockchains susceptible to this type of attack are to develop a process for analyzing blockchain-related projects within its third-party risk management process and to perform due diligence on the selected proof-of-stake blockchain to determine its susceptibility. In general, larger blockchain networks with higher staking requirements and higher nonce (unknown value to be calculated) difficulty levels are less susceptible to this type of attack.
Sandwich Attacks
A sandwich attack is a prevalent type of front-running attack commonly seen on DeFi platforms that employ automated market makers (AMMs). In this scenario, a malevolent actor identifies a pending transaction from a user and rapidly places a transaction (the first ‘slice’ of the sandwich) with a higher gas price (price to transmit and process transactions) to ensure it is processed ahead of the user’s transaction. Following this, the attacker swiftly executes another transaction (the second ‘slice’) right after the user’s transaction, capitalizing on the induced price change.
In 2022 alone, there were over 480,000 sandwich attacks, resulting in losses exceeding $190 million. Notably, these attacks tend to surge during periods of high DeFi activity, thereby exacerbating the vulnerability of the system.
To counteract the risk of sandwich attacks, organizations can resort to using DeFi platforms that provide options for slippage control. Slippage, in this context, refers to the difference between the expected price of a trade and the price at which the trade is executed. By keeping the allowed slippage to a minimum, the likelihood of a successful sandwich attack can be significantly diminished. This mitigation strategy plays a crucial role in securing the integrity of transactions and safeguarding the funds of users on DeFi platforms.
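To make the slippage-control point concrete, the following is an added example (not code from the article): a simplified constant-product AMM model in which the user's swap carries a minimum-output floor derived from the price quoted at submission time, so that a swap whose price was moved by a transaction landing ahead of it is rejected rather than filled at the worse price. Pool sizes, the 0.3% fee and all trade sizes are constructed sample values.

```python
# Added example: constant-product AMM with a minimum-output (slippage) check.
# Pool reserves, fee and trade sizes below are constructed, not real market data.
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (x * y = k) with an assumed 0.3% swap fee."""
    reserve_in: float    # token the trader sells
    reserve_out: float   # token the trader buys
    fee: float = 0.003

    def quote(self, amount_in: float) -> float:
        """Output the pool would pay for amount_in, without changing state."""
        net_in = amount_in * (1 - self.fee)
        return self.reserve_out * net_in / (self.reserve_in + net_in)

    def swap(self, amount_in: float, min_amount_out: float) -> float:
        """Execute a swap; refuse it if the output falls below the caller's floor."""
        out = self.quote(amount_in)
        if out < min_amount_out:
            raise ValueError(f"slippage exceeded: {out:.4f} < {min_amount_out:.4f}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out


def protected_swap(pool: Pool, amount_in: float, quoted_out: float,
                   max_slippage: float) -> float:
    """Swap with a floor of (1 - max_slippage) times the quote the user saw."""
    return pool.swap(amount_in, quoted_out * (1 - max_slippage))


def sandwich_outcome(user_in: float, front_in: float, max_slippage: float):
    """Return (accepted, user_output) when a trade of front_in lands first.

    front_in = 0 models the undisturbed case; a large front_in models the
    price shift that a sandwich relies on. The floor set by max_slippage
    decides whether the user's swap still executes.
    """
    pool = Pool(reserve_in=1_000_000.0, reserve_out=1_000_000.0)
    quoted = pool.quote(user_in)     # price the user saw when submitting
    pool.swap(front_in, 0.0)         # earlier transaction moves the price
    try:
        return True, protected_swap(pool, user_in, quoted, max_slippage)
    except ValueError:
        return False, None
```

With a 0.5% slippage limit the shifted price causes the user's swap to revert, whereas a loose 10% limit lets it fill about 9% below the quoted output.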
Rugpulls
A “rug pull” is a term frequently encountered in the realm of DeFi. It describes a scenario where developers of a digital asset project abruptly abandon their venture and take the investors’ funds with them. This event usually coincides with a steep drop in the project’s token price—hence the term “rug pull”, evoking an image of the rug being yanked out from beneath unsuspecting investors.
Preventive controls can considerably lessen the probability of such an event. Exchanges can implement safeguard measures, such as mechanisms to prevent the pool originator from draining the pool or surveillance systems to enforce a certain equity threshold to secure tokens in the pool. This could notably diminish the risk of rug pulls.
Moreover, organizations should instate processes to conduct thorough due diligence on project developers and creators before deciding to acquire or accept their tokens. A critical component of this due diligence involves identity verification. Given that developers behind fraudulent crypto projects often seek to preserve their anonymity, merely ensuring that a project openly lists its team members can significantly help to mitigate this risk.
The following common attack scenarios are not specific to the blockchain industry; however, these attacks are being leveraged to steal cryptocurrencies and digital assets.
Sim-Swapping Attacks
One common attack method seen in recent years is “sim-swapping.” Cybercriminals breach digital asset exchange accounts by first obtaining a user’s email and exchange password, often through the reuse of the same password from previous data breaches, and then acquiring the two-factor authentication (2FA) code. Many users rely on SMS-based 2FA, which sends the code directly to a phone number via text. However, this method is vulnerable as cybercriminals impersonate the phone number’s owner to port the number over to another phone they control.
The primary way to mitigate this “sim-swapping” risk is to use device-agnostic 2FA applications such as Google Authenticator, Authy, or physical 2FA keys like YubiKey. Even if the email and password to the exchange account have been breached, the only easy way for the cybercriminal to obtain the 2FA code is to physically obtain the device that generates the code. This makes device-agnostic 2FA significantly more protective against cybercriminals than SMS-based 2FA, which can be “sim-swapped”.
Forced API Trade Attacks
Trading firms must also be aware of “forced API trade attacks.” In these scenarios, a cybercriminal gains access to an API key that can only trade funds, not withdraw them to external, non-whitelisted addresses. The attacker can then force a trade of a highly liquid digital asset like BTC or ETH for a very low liquidity, newer digital asset. This results in the trading firm “selling” their highly liquid digital assets for significantly less than their worth.
Mitigation strategies for this type of attack include using IP-whitelisted API keys, ensuring secure practices around API key management and rotation, and restricting the trading firm’s velocity limits on highly illiquid digital asset markets. API key secrets should also only be stored in secure containers, and never exposed on public GitHub pages or other collaborative code repositories.
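As an added example (not code from the article), the gate below shows how the listed controls can be enforced together at an order-entry boundary: the key must carry a trade-only scope, the request must come from an allowlisted network, and a per-market notional budget is far tighter for illiquid markets than for BTC or ETH. Key names, CIDRs, market symbols, the liquidity tiering and the limits are all constructed assumptions; window expiry of the counters is left to a scheduler that is not shown.

```python
# Added example: order-entry policy gate combining IP allowlisting, key scope
# and per-market velocity limits. All identifiers and limits are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    scopes: frozenset        # e.g. {"trade"}; a trading bot key never gets "withdraw"
    allowed_cidrs: tuple     # source networks this key may be used from


@dataclass(frozen=True)
class Order:
    key_id: str
    source_ip: str
    market: str              # e.g. "BTC-USD"
    notional_usd: float      # order size in USD terms


# Assumed tiers: large, liquid markets get a big budget per window; anything
# else is treated as illiquid and capped far lower to blunt forced trades.
LIQUID_BASES = {"BTC", "ETH"}
VELOCITY_LIMIT_USD = {"liquid": 5_000_000.0, "illiquid": 25_000.0}


def market_tier(market: str) -> str:
    return "liquid" if market.split("-")[0] in LIQUID_BASES else "illiquid"


class OrderGate:
    def __init__(self, keys):
        self.keys = {k.key_id: k for k in keys}
        self.spent = {}      # (key_id, market) -> notional accepted this window

    def check(self, order: Order) -> str:
        """Return 'ok' if the order passes every control, else the refusal reason."""
        key = self.keys.get(order.key_id)
        if key is None:
            return "unknown key"
        if "trade" not in key.scopes:
            return "key lacks trade scope"
        src = ip_address(order.source_ip)
        if not any(src in ip_network(cidr) for cidr in key.allowed_cidrs):
            return "source ip not allowlisted"
        tier = market_tier(order.market)
        bucket = (order.key_id, order.market)
        used = self.spent.get(bucket, 0.0)
        if used + order.notional_usd > VELOCITY_LIMIT_USD[tier]:
            return f"velocity limit exceeded for {tier} market"
        self.spent[bucket] = used + order.notional_usd
        return "ok"
```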
Securing the Future: Sustaining Innovation through Risk Mitigation in the Blockchain Industry
Mitigating risks in the blockchain and digital asset industry is not a one-off task, but rather an ongoing pursuit demanding continuous learning, vigilance, and resilience. As this dynamic field evolves, so too must our understanding of its threats and our strategies to combat them. While the cutting-edge qualities that make blockchain technology and digital assets revolutionary also render them attractive targets for cybercriminals, a robust understanding of the risk landscape, combined with comprehensive security measures, can significantly mitigate these risks. It is through this careful navigation of the digital frontier that we can ensure the blockchain and digital asset industry’s sustained growth and innovation. The future of this vibrant ecosystem relies on our collective commitment to securing its infrastructure, protecting its participants, and fostering a culture of security-first thinking.
This article was written by Hamilton Thomas, Nick Juffer, and Bassel Elbetanony