The blockchain is a trusted decentralized digital ledger. Bitcoin is known as the first generation blockchain and it's designed with hash uniqueness, cryptographic security, authentication, decentralized design etc to ensure its safety. It is very safe overall with preventing threats, such as the 51% power attack. Most of the security issues we hear about bitcoin are caused by the user losing the private keys or centralized exchanges being hacked.
Ethereum blockchain, also known as the representative of the second generation blockchain, is an open-sourced public blockchain with smart contract functions.
A peer-to-peer contract is handled by its decentralized virtual machine, powered by its dedicated cryptocurrency Ethereum/ETH. The majority of its security is heavily dependent on the programmer’s coding habits or reliance on limited programming tools. The mainstream blockchains such as Ethereum and EOS that support smart contract functions are primarily faced with security issues caused by smart contract vulnerabilities.
As the saying goes, whatever that has a great positive impact also has it's negative impact and blockchain cannot be left out. Blockchain has securities issues that need to be addressed before deploying it to any smart contract.
BLOCKCHAIN SECURITY PROBLEMS AND POSSIBLE SOLUTIONS
If one appears, certain cryptographic algorithms come under threat, some of which are used in current blockchain solutions.
Solution: in the case of such a problem arising, the functions computing the vulnerable encryption algorithms should be modified.
Blockchain security problem could result from hacker taking over 51% of the blockchain network. The core of the attack lies in the fact that a certain attacker has a capacity equal to 51% of the overall mining capacity of the network. In such instances the attacker can create their own blockchain with their own modifications, overtaking the main chain and taking its place. This allows the attacker, for example, to confirm only their own blocks and not those of others, and means that the attacker is able to acquire 100% of the new Bitcoins and block any transactions at their discretion.
Solution: There are mining algorithms which are designed to withstand the most popular mining equipment. So far as this equipment exerts the heaviest load with respect to the problem of 51%, these algorithms act as a defence mechanism.
In mining, there is a Proof-of-Stake principle in place of the standard Proof-of-Work principle. The idea is that the probability of a block being generated depends not on the capacity of the generation, but on the number of coins the miner already holds. In effect, to generate blocks in an amount of 51% and upwards, the miner must be in possession of 51% of the coins, meaning that among the network participants it is the hacker who in fact incurs the greatest losses.
In this way, commercial attacks are completely eliminated and hack with a view to sabotaging become difficult and expensive. Nonetheless, the technology is highly controversial and carries other risks with it, such as the monopolisation of the process of carrying out transactions of funds by one major coin holder.
Blockchain security problem could result from Distributed Denial Of Service(DDOS) attack which is done by sending large volumes of junk data to the transaction processing node in order to complicate its operation.
Solution: For example, version 0.7.0 of the Bitcoin Satoshi client blocks all suspicious nodes and transactions, prevents duplications of transactions, monitors the presence of DoS attacks, identifies intruders in the system, fixes errors, etc.
The problem of smart contracts lies in their immutability. If a vulnerability is discovered in a smart contract it cannot be fixed – the execution of the existing contract must be halted and a new contract with the vulnerabilities repaired added to the blockchain.
Solution: Rolling back transactions to the moment when a vulnerability or fork was discovered. For example, there was a situation with Ether where a vulnerability was discovered in the smart contract known as The DAO, and a
decision was made to roll back these transactions. Those who were against the decision created their own fork, Ethereum Classic.
By using a feature of the Solidity language, provided that mistakes were made in the writing of a contract, attackers can find a way to steal funds using another smart contract. Because of this vulnerability, the DAO contract led to the theft of $150 million. A detailed analysis of the vulnerability can be found here:
Solution: Check the contract code for possible vulnerabilities of this type.
Nonetheless, Blockchain has only one major vulnerability to speak of. The information on it is open - anyone can view it if they know how to work with blockchain. The most popular solution to this problem is to encrypt the data before uploading it.
Understanding how blockchain works
Notwithstanding, with all these few problems of blockchain security, blockchain has revolutionalized the way we do business; making it easier and more secure to transact without a third-party intermediary. Blockchain solves the issue of securing transactions within a settlement network. A settlement network in blockchain can be, for example, Bitcoin or Ethereum blockchain, where native cryptocurrency (Bitcoin or Ether) functions as the fungible settlement instrument. The blockchain works in a way that all transactions made by the settlement network users are picked up by nodes.
In case of a public blockchain, anyone can host a blockchain node or become a miner. These miners approve transactions in a cryptographic manner by using a consensus algorithm, which is applicable to that particular blockchain protocol.
In the case of Bitcoin or Ethereum, the network is secured by a Proof-of-Work consensus algorithm, which means that these miners (nodes) confirm transactions (mining) by using their computer's CPU power and therefore are rewarded with cryptocurrency for confirming these transactions, which are packed into a block. Alternative consensus mechanisms would be Proof-of-Stake, where the miners would stake cryptocurrency as a stake for verifying transactions.
The idea of the blockchain is that each node that is online, verifies these transactions and has the same copy of the transaction ledger. Imagine the verification process like this: 10 people gather into a meeting room and sign the same contract with the exact same content. If one of the 10 people later says something contrary to what was agreed to, there are 9 other nodes, who can prove otherwise. The only way to make a change is if 6 people come with alternative content- then the majority's opinion would be counted. This is called the 51% attack.
Since nodes are located in various places and hosted by vast amounts of different people who do not know each other, instead of one centralized entity, the public blockchain is called decentralized and thus adds more security by design. However, in reality, the miners are pooling and becoming more centralized. For example, currently, the top three miners mine over 70% of the blocks in Ethereum. As a result, what was created as a decentralized system became centralized. So now, two mining pools can agree to create a 51% attack. Smart Contracts security:
Blockchain technology enables users to create codes and deploy those codes on to the blockchain as one would deploy a code in a similar way on a server. Such codes are called Smart Contracts due to the reason that these Smart Contracts can execute transactions in a decentralized manner. For example, I could deploy a smart contract, and once this smart contract receives 1 Ether, that Ether can be redirected to my friend's address.
The interesting part is that once the code is deployed it cannot be changed. In other words, a hacker cannot penetrate a single database and change the data because this piece of code is replicated with all the nodes and requires changing the code with over 51% of the miners.
The issue with Smart Contracts is that since the code is only deployed once, it limits the ability for developers to fix bugs. With smart contracts, once deployed, the code cannot be changed, even if bugs are found. The only solution to mitigate such bugs or security issues is to carefully audit the smart contract code and think about what kinds of functions are required to be on a smart contract.
Looking at the bigger picture, it's hard to say whether developers can actually ever write bug-free code. Only time will tell.
Question is, what step one an exchange or trading company should take once hacked or attempted to hack?
Let's take the case of Conrail that was hacked a few months ago, they solved the problem quickly by transferring all cryptocurrencies to cold wallets. The thing is, this shouldn’t be the knee-jerk reaction, it should be the default position in the first place. We need safe and secure cryptocurrency storage; cold wallets that store data offline is the answer.
You don't have to wait until you are attacked before you take drastic measures to safeguard your money. It's is advised to take precautionary measures to ensure you identify possible bugs and patch it before hackers identify that for you.
One solution a lot of people are putting into play is bug bounties. If someone finds a bug or a security hole, that person has a better incentive and less risk to go to the creators of the technology and provide them with the bug so it can be patched safely before someone exploits it. The other side you have is: decentralized technologies are only secure long as they're decentralized.
One comment from Kyle Lu, CEO of Dapp regarding blockchain security issues. "The EOS smart contract security issues are the most popular topics in the field so we took EOS as an example to further explain the problem."
When we talk about blockchain security, we talk about the security of the blockchain itself and security of its application, mostly smart contracts.
The common attacks of EOS smart contracts include:
1. Find the rules of random number generation in the smart contract.
2. Replay attack. To add a hook, switch in the transfer method to lock in the reveal process. Every time when there is an obvious large profit being detected, it will repeatedly send a larger amount and turn on the switch, thus ensuring a large return every time.
3. Forging the EOS token. If the contract code does not detect whether the received EOS token is generated by Eosio.token, it trades the fake EOS token for the real EOS token.
Due to incompletion and irregularities in contract design, there are many other problems that can be raised such as Numeric overflow. Most of the security issues on ETH/EOS are caused by non-standard contract development.
Developing smart contracts requires new engineering thinking, and here are a few development tips:
1. Keep the contract function simple and ensure that the contracts and functions are modular.
2. Use contracts and tools that are already widely used.
3. Stop the contract immediately when there is an error to the smart contract.
4. Set limitations in the frequency and amount of transactions to the admin account.
If you find this article helpful, tells us what you think in the comment below.