Blockchain technology is becoming widespread day by day and is being used in different industries. We can now even use cryptocurrencies to play games at sites like Ice Casino. Even if you have no technical expertise, you may have heard that blockchains are almost completely safe, providing users with both security and privacy. The problem is that this may not be as accurate as we think: blockchains also have vulnerabilities, and cyber attackers can exploit them as well. In this article, we will talk about the vulnerabilities of blockchains.
Some Attacks Are Simple
Although some vulnerabilities are indeed simple, it is not possible to develop a real defense against them. Distributed denial of service (DDoS) attacks are one of them. This attack is made by sending too many requests to the target server and after a while, the server cannot meet such intense requests and crashes.
Normally, blockchains should not be affected by this attack because decentralization is the basis of this technology. In other words, there is no specific server that cyber attackers can choose as a target. However, this does not apply to exchange sites. Even if there are decentralized exchanges that run entirely on the blockchain, they are few in number. The largest and busiest exchanges (e.g., Coinbase, Binance, etc.) all have traditional servers that are susceptible to DDoS attacks.
In 2017 and 2020, an exchange called “Bitfinex” suffered such an attack. This has also affected users, as most of the transactions on the blockchain are carried out through exchange sites. Unfortunately, there is no real defense against DDoS attacks: attackers can disable any server in the world if they have enough resources.
Some Attacks Are Complex
Attacks that directly exploit vulnerabilities in blockchains are a little more complex. In this regard, the most common attack is to persuade the chosen victim to pay twice. Imagine sending a payment via the Bitcoin blockchain but seeing a message that the payment has failed. Like any normal person, you try again. It would not even occur to you that this message is actually the result of a cyber-attack.
Every transaction performed in blockchains has an ID. Nodes and miners use this ID to confirm a transaction. An attacker can spoof the ID of your payment using different techniques and send it to the nodes for approval a few seconds ago. The node confirms the payment and then rejects yours because it has the same ID (this is the message you see on the screen). The victim repeats the same transaction and is tricked into making double payments.
It looks simple, but an exchange called Mt. Gox was scammed using this method in 2014 and had to go bankrupt. Modern blockchains include features such as “SegWit” to combat this vulnerability, but this problem is still known to affect a large number of blockchains. Moreover, there is a way to disable the SegWit feature: the Sybil attack.
We mentioned that transactions in blockchains are approved by nodes. The peculiarity of blockchains is that they do not use fixed nodes and have no trusted nodes – this is a requirement for them to remain decentralized. However, this also means that it won’t question new nodes. With different techniques, cyber attackers can add devices under their control to the blockchain as nodes and get the right to approve transactions. The rest is simple: they send the victim a message that the transaction could not be processed, forcing him to pay twice.
Botnets, Proof of Stake Algorithms, User Wallets – Oh My
In 2018, researchers at Boston University were able to use a botnet to trick the target node and transfer all transaction confirmation requests to computers under their control. Moreover, they only had to use two computers to do this. Buying a botnet is not a difficult task: you can rent hundreds of “zombie computers” for $0.50 per bot. Such an attack can be used to reject or completely stop all transaction requests passing through that node.
There are also some problems with blockchains that use the “Proof of Stake” algorithm, which is considered more secure against such attacks. Proof of Stake is an algorithm that grants miner or block validation status to users who only hold a certain number of coins. In other words, users who do not have a sizable amount of coins/tokens cannot perform any action other than sending and receiving money. Unfortunately, it is possible to gain control of coin/token balances that fit this description (for example, by hacking the user wallet), and in such a case, the cyber attacker can even change the blockchain history.
Of course, these examples do not mean that blockchains are not unreliable. On the contrary, they are still much safer when compared to traditional banking services. But it is not right to trust them 100% either: even decentralized systems can have security vulnerabilities.