Blockchain digitizes and distributes records across a network. With blockchain, transaction verification no longer relies on a single centralized institution. Having no single point of failure -- or corruption -- is not just an inherent security benefit of a decentralized structural paradigm, but also a fundamental philosophical and business driver.
Blockchain technology is composed of several built-in security features, such as cryptography, software-mediated contracts and identity controls. The technology offers significant levels of data protection and integrity by enabling a distributed way to verify access, authenticate transaction records and maintain privacy.
Despite these security enhancements, however, the blockchain market has been rife with security issues.
Where there is money, there are hackers, and blockchain networks are attracting more of both. Decentralized finance-related breaches constituted 76% of all major hacks in 2021, with over $1 billion lost in the third quarter alone, according to Atlas VPN. The third quarter of 2021 also had 20% more blockchain-based hacking incidents than in all of 2020, according to research by SlowMist.
Blockchain-based attacks come from outside actors, as well as insiders. Many of these hacks used common tactics, such as phishing, social engineering, attacking data in transit or targeting coding mistakes.
Here are five factors that have created issues for the blockchain security landscape.
1. New blockchain exploit tactics
New technologies come with new tools and methods for exploitation, and blockchain is no exception. A new class of cyber threats is emerging, involving tactics unique to blockchain networks. These include the following:
- 51% attacks are when the majority of a network conspires against a minority of participants, as seen in several incidents involving platforms such as Ethereum Classic, Verge Currency and ZenCash (now Horizen).
- Cryptojacking is when computers are hijacked for their computational power to mine cryptocurrencies. It is an example of backdoor and on-ramp exploits: attacks similar to supply chain attacks, but ones that take advantage of the distributed nature of blockchain.
- Flash loan attacks are when smart contracts designed to support flash loans are attacked to siphon assets elsewhere. These attacks exploit uncollateralized loans by manipulating smart contract inputs, as seen in the $24 million attack on xToken.
- Rug pulls are when insiders -- such as crypto developers, criminal groups and paid influencers -- create hype about a project only to abandon it and run off with investors' funds. Such pump-and-dump schemes have resulted in billions of dollars of losses across over 1,300 scams in 2021 alone.
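The 51% attack in the list above is really a question of how much of the network's hashing power an attacker holds and how many confirmations a recipient waits for before treating a payment as final. The following added example (not part of the original article) implements the catch-up probability from section 11 of the Bitcoin white paper: given an attacker share q of the hash rate and a transaction buried under z blocks, it returns the probability that the attacker can still build a longer competing chain, and derives the confirmation depth needed to keep that risk below a chosen threshold. The threshold value and the q values in the usage table are constructed for illustration.

```python
"""Attacker catch-up probability for proof-of-work chains (Nakamoto, 2008,
section 11). Used by recipients and exchanges to choose a confirmation depth."""
import math


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-rate share q overtakes the honest
    chain after a transaction has z confirmations.

    p = 1 - q is the honest share. While honest miners produced z blocks, the
    attacker's progress is Poisson with mean z * q / p; for each possible
    attacker lead k, the attacker must still close a gap of z - k blocks, which
    succeeds with probability (q / p) ** (z - k).
    """
    if not 0.0 < q < 1.0:
        raise ValueError("q must be strictly between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")
    if q >= 0.5:
        return 1.0  # a majority attacker always catches up eventually
    p = 1.0 - q
    lam = z * (q / p)
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float) -> int:
    """Smallest confirmation depth z such that the attacker's catch-up
    probability falls below max_risk. Raises for q >= 0.5, where no finite
    depth helps (the 51% case)."""
    if q >= 0.5:
        raise ValueError("attacker controls a majority: no depth is safe")
    z = 0
    while catch_up_probability(q, z) >= max_risk:
        z += 1
    return z


if __name__ == "__main__":
    # Constructed table: how depth requirements grow with the attacker's share.
    risk = 0.001
    for q in (0.10, 0.20, 0.30, 0.40):
        print(f"q={q:.2f}: {confirmations_needed(q, risk)} confirmations "
              f"keep risk below {risk:.1%}")
```

The table makes the operational point behind the 51% bullet: at a 10% attacker share six confirmations are comfortable, at 30% the same risk level needs two dozen blocks, and at 40% it needs close to a hundred. Above 50% the function refuses to answer, because no confirmation policy can defend against a majority; that is what separates a 51% attack from an ordinary reorganization risk. The model assumes the attacker only tries to reverse one payment and ignores block time variance and network latency, so production policies typically add margin.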
The proverbial cat-and-mouse game of cyber threats versus mitigation is also playing out across other technological advancements: AI, edge computing, IoT and quantum computing represent new tools for both security enhancement and malicious attacks.
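The flash loan bullet above describes attacks that work by "manipulating smart contract inputs"; the most common such input is a price read straight from a liquidity pool's reserves, which one large trade can move within a single block. The following added example, written for this article and not taken from any protocol's code, models a constant-product pool and compares two ways a lending contract might value collateral: the raw spot price versus a time-weighted average sampled once per block before any trades execute. The pool sizes, trade size, loan-to-value ratio and equal block spacing are constructed assumptions; the `TwapOracle` class is a simplification of the cumulative-price idea used by real automated market makers, not a copy of it.

```python
"""Why collateral should not be valued from a pool's spot reserves.
Toy constant-product (x*y=k) market and a block-sampled TWAP oracle."""
from collections import deque


class ConstantProductPool:
    """Fee-less x*y=k automated market maker. Its reserves are the
    'smart contract input' a naive price oracle reads."""

    def __init__(self, reserve_x: float, reserve_y: float):
        self.x = reserve_x
        self.y = reserve_y

    def spot_price(self) -> float:
        """Marginal price of 1 X quoted in Y, straight from current reserves."""
        return self.y / self.x

    def buy_x_with_y(self, dy: float) -> float:
        """Deposit dy units of Y and receive X; reserves stay on the k curve."""
        k = self.x * self.y
        new_y = self.y + dy
        dx_out = self.x - k / new_y
        self.x, self.y = self.x - dx_out, new_y
        return dx_out


class TwapOracle:
    """Samples the spot price once at the start of each block, before any
    trade in that block runs, and averages the last `window` samples.
    Assumption for this example: blocks are equally spaced in time."""

    def __init__(self, window: int):
        self.samples: deque = deque(maxlen=window)

    def start_block(self, pool: ConstantProductPool) -> None:
        self.samples.append(pool.spot_price())

    def price(self) -> float:
        return sum(self.samples) / len(self.samples)


def borrow_limit(collateral_x: float, price: float, ltv: float) -> float:
    """Maximum Y a lender releases against collateral_x units of X."""
    return collateral_x * price * ltv


def compare_oracles(window: int = 10, trade_y: float = 180_000.0,
                    collateral_x: float = 1_000.0, ltv: float = 0.5):
    """Return (spot_limit, twap_limit) seen in the block where one large
    trade lands. Constructed scenario: pool starts at 10,000 X / 20,000 Y,
    so 1 X = 2 Y, and the price has been flat for `window` blocks."""
    pool = ConstantProductPool(10_000.0, 20_000.0)
    oracle = TwapOracle(window)
    for _ in range(window):       # quiet history at price 2.0
        oracle.start_block(pool)
    oracle.start_block(pool)      # new block: sample taken before any trade
    pool.buy_x_with_y(trade_y)    # one large trade inside this same block
    spot_limit = borrow_limit(collateral_x, pool.spot_price(), ltv)
    twap_limit = borrow_limit(collateral_x, oracle.price(), ltv)
    return spot_limit, twap_limit


if __name__ == "__main__":
    spot, twap = compare_oracles()
    print(f"spot-priced limit: {spot:,.0f} Y   twap-priced limit: {twap:,.0f} Y")
```

With these constructed numbers the spot-priced limit is a hundred times the TWAP-priced one for the same collateral, which is the gap a flash loan attacker lives in: the capital to move the pool is borrowed and repaid in the same transaction, so only the within-block price matters to them. A block-sampled average cannot be moved by anything that happens inside the current block, which is the design lesson; it is still not a complete defense on its own, since a sustained skew across several blocks does move the average, so lending protocols typically combine a TWAP with an independent oracle and sanity bounds.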
2. The human risk factor
Recent blockchain attacks haven't focused so much on the technology, but on basic human vulnerabilities. For example, stolen cryptographic keys -- the private keys used to sign transactions -- were the likely cause of crypto exchange Bitfinex's $73 million breach in 2016.
Endpoint vulnerabilities -- at the device, app, wallet or third-party vendor level -- are also entry points for malicious actors. Employees and vendor personnel are targets, too. The Bithumb crypto exchange, for example, was hacked using an employee's computer in 2017. Erroneous data input and developer incompetence, even with no malicious intent, are other risks to be aware of.
3. Not all blockchains are equal
Often overlooked in market discourse is the wide variation in blockchain architectures, especially in how different structures and components introduce security tradeoffs. Private versus public blockchains, for example, differ in whether only known entities or also unknown entities can join the network and participate in verification.
Different network configurations employ different components, which carry different security risks. These configurations raise several questions: How is consensus achieved? How is identity verified? How are sidechains and/or data in transit managed? What incentivizes miners?
As components, algorithms and uses for blockchain continue to evolve, so too will attack tactics and threat mitigation techniques.
4. Lack of regulation
While many blockchain advocates worry regulation will delay innovation, regulations and standards can indeed benefit both security and innovation. The current market suffers from high fragmentation, where different companies, consortia and products operate using different rules and protocols. This means developers can't learn from the mistakes and vulnerabilities of others -- never mind the risks that come with poor integration between them.
Just because centralized brokers can be corrupt doesn't mean decentralized record-keeping is immune to corruption. Smart contracts are not a replacement for compliance -- they aren't legally binding. From money laundering to counterfeiting, privacy to scams, an unclear regulatory environment slows adoption and enables cybercriminals to thrive.
5. Cybersecurity talent crisis
The current cybersecurity landscape suffers from a major skills shortage. This challenge is more severe in the blockchain security space because even fewer cybersecurity professionals have blockchain expertise or grasp novel security risks of the emerging Web3 decentralized economy.
A look back and forward
2021 has breathed new life into the blockchain market through applications such as nonfungible tokens, record-breaking investment and market capitalization. However, market excitement and activity attract more than headlines and passionate adopters. The five factors above reveal both the growing scope of existing cybersecurity challenges and the novel risks decentralized structures can enable.
The next-generation Web3 opportunity is not just about empowering people through distributed governance -- technical, social and economic -- but about better securing the entire ecosystem in the process.