Once Hailed As Unhackable, Blockchains Are Now Getting Hacked

schwit1 shares a report from MIT Technology Review: Early last month, the security team at Coinbase noticed something strange going on in Ethereum Classic, one of the cryptocurrencies people can buy and sell using Coinbase's popular exchange platform. Its blockchain, the history of all its transactions, was under attack. An attacker had somehow gained control of more than half of the network's computing power and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once -- known as "double spends." The attacker was spotted pulling this off to the tune of $1.1 million. Coinbase claims that no currency was actually stolen from any of its accounts. But a second popular exchange, Gate.io, has admitted it wasn't so lucky, losing around $200,000 to the attacker (who, strangely, returned half of it days later).

Just a year ago, this nightmare scenario was mostly theoretical. But the so-called 51% attack against Ethereum Classic was just the latest in a series of recent attacks on blockchains that have heightened the stakes for the nascent industry. [...] In short, while blockchain technology has been long touted for its security, under certain conditions it can be quite vulnerable. Sometimes shoddy execution can be blamed, or unintentional software bugs. Other times it's more of a gray area -- the complicated result of interactions between the code, the economics of the blockchain, and human greed. That's been known in theory since the technology's beginning. Now that so many blockchains are out in the world, we are learning what it actually means -- often the hard way.

Fake news

[jwymanm]

First off, 51% is an attack not a hack. Second, exchanges have ways to adjust minimum transaction confirmations to almost eliminate any threat from such attacks. A lot of wallets for PoS and other coins have added algorithms and checkpoints to practically eliminate most of the 51% attack vectors also. It's still an ongoing threat but if the coin still matters the ecosystem responds and shuts most attacks down pretty swiftly and with minimal to no loss.

Re: Fake news

[Anonymous Coward]

It depends how you define "hack." These days the meaning is pretty liberal but even by the standard "doing something that was not intended to be allowed by design" then yes a 51% is indeed a hack.

Robbing a bank with a crew could also technically be a "hack."

I'm only adding this because you make it seem like this is normal and should just be dealt with as "meh whatever" when I don't think that's the best approach.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Khyber]

" giving Hillary the position she rightfully would have won"

You fucking moron. She never once rightfully held ANYTHING.

"Hacks: The Inside Story of the Break-ins and Breakdowns that Put Donald Trump in the White House" is the book written by Donna Brazile that details it all.

Get your head out of your fucking ass.

Re:

[chill]

Which threshold was that? Gold is virtually unchanged over both a 1-year (-0.16%) and 5-year (+0.14%) period, according to the charts on Kitco.

Re:

[Shaitan]

"even by the standard "doing something that was not intended to be allowed by design" then yes a 51% is indeed a hack"

Not really, it was a known and accepted design trade-off. At least for Bitcoin and since it was known from essentially the beginning with regard to Bitcoin presumably anyone copying pieces of its tech understand that as well. The best defense against the 51% attack is a large and diverse mining base. Bitcoin has it... these others... not as much.

Re:

[Lanthanide]

81% of bitcoin mining is controlled by Chinese companies.

This flap over Huawei in 5G networks is due to the suspicion that the Chinese government can exert control over them whenever they please.

But that same rationale, the Chinese government can exert control over 81% of bitcoin mining hashrate whenever it chooses.

It just hasn't yet.

Re:

[codebonobo]

Bitmain hash rate has gone considerably in china due to pressure from outside ASIC manufactures. They no longer have the most efficient ASICs as several companies have better ASICs. Samsung is now making some of the best chips for other companies. The PBoC also is putting pressure of Chinese Hydro dam operators to no longer give away free excess hydro energy to the ASIC farms located in china(a big reason why so much mining was being done there) thus we are seeing mining farms migrate to other areas like Ca

Re: Fake news

[Anonymous Coward]

So, our amazing decentralized and unregulated currency of the future needs to be centralized in exchanges that agree on a common operating model. Hmmmmmmm, have we invented banking?

Re:

[Anonymous Coward]

its banking, but with blackjack, and hookers.

Re:

[codebonobo]

Bitcoin is highly regulated, the distinction is that it is more fungible than digital fiat for regulatory arbitrage. Thus regulation happens at the on ramps and off ramps , and you can ignore regulation elsewhere.

Re:

[Anonymous Coward]

Ethereum Classic is ETC, that one toy that people thought could stand up somehow against this sort of thing. Frankly, I'm surprised this sort of scenario didn't happen like a month after ETC decided to fork off of the main Ethereum chain.

I guess now the question is: Will ETC reverse the double spends? (Or would that be kind of ironic because that's their very philosophy: to not undo the damage that was done when this happened to the main chain?)

Maybe ETC will just stay as some kind of broken chain.

I know on

Re:

[MrL0G1C]

"GPUs are on firesale to the point where it's going to hurt Nvidia's stock price."

Well I hope so, My GTX970 cost £230, now a 2070 costs double that and the 2080ti's are stupidly expensive, I'd like to see the prices come back down to sane levels. The memory cartel is in part to blame.

Re:

[LordKronos]

So I suppose if you lost $10k or more in the hack, you be happy to say "oh that's alright...at least they shut it down pretty swiftly and with minimal to no loss", right?

1.1 million isn't what I'd call minimal

[rsilvergun]

I suppose it depends on how evenly distributed it was, but still.

Also, a chain is only as strong as it's weakest link. Maybe I'm misunderstanding but it sounds like you're counting on the exchanges for security. Given how quickly they spin up that seems like a recipe for disaster.

It's as if someone had massive capacity

[WillAffleckUW]

If I didn't know better, it would be as if someone had massive computing and decryption capacity to break codes and decided that North Korea and Russia were not going to keep getting the money they've been getting.

Either that or someone got bored.

Re:

[Shikaku]

Bored. Depending on the currency the cost to 51% attack is cheap sometimes but these costs are for only an hour. https://www.crypto51.app/ [crypto51.app] there would be a lot of effort for someone to have free reign over a small market cap and most of those transactions would be rejected by the legit miners.

NSA has been looking at cryptocurrency use

[AHuxley]

https://theintercept.com/2018/... [theintercept.com] (March 21 2018)
Recall OAKSTAR and MONKEYROCKET.
Thats internet use with search, password details and MAC. With bait software.

Chinese lottery backdoor found?

[Misagon]

Who in their right mind have not suspected that one cryptocurrency network or other had not been designed for Chinese Lottery attacks against hashing functions in the first place?
Of course, there would need to be a backdoor somewhere, of some fashion. And of course some attacker would find it sooner or later.

Surprise!

[Dallas May]

When you put billions in wealth out in the open for the world to see, and then encourage and reward every evil doer in the world to use it for their evil things, the evil doers will figure out ways to do evil.

long known

[gravewax]

Mostly theoretical lol, no it fucking wasn't. It was a well known vulnerability that hadn't been extensively exploited yet. that is not "theoretical", their was no doubt about the vulnerability or that it has been used many times.

Corruption, not theft, is the problem.

[mveloso]

There is no protection against a 51% attack that wipes the entire ledger.

People focus on the supposed "incorruptibility" aspect of blockchain, but with 51% of the network you can erase it completely. That's the real problem, that an actor could theoretically wipe the whole chain out, start-to-finish.

Re:

[codebonobo]

There is no protection against a 51% attack that wipes the entire ledger.

Technically there is. You can set checkpoints to avoid massive reorgs, and with chains like Bitcoin there becomes insurmountable limitations for the amount of energy you would need to spend in a race condition to reorg the chain with a sufficient depth. Thus there are limitations in physics one must also consider as well. The problem with checkpoints is this introduces other attack vectors and makes the chain much more centralized so they no longer exist in Bitcoin, but are found in altcoins with much less

Bitcoin is sound money / Scarcity is relevant

[slashways]

This is the reason we have Bitcoin; Bitcoin is sound money, and the software running Bitcoin is designed to run for decades. And we have the word: Cryptocurrencies, Bitcoin is alone, others are just scams for most of them, or useless for the remaining. Bitcoin defined scarcity; the others are just a way for some software developers to print money. A 51% attack is just a reminder that you can't secure any software junk.

Well designed coins will prevail.

[Andreas Falley]

The problem with many of these coins that get hacked is that they were designed with a rushed software developer's mindset, not a true and methodical engineering one. There was a huge rush to market after bitcoin took off, and only after bitcoin took off did its flaws begin to manifest themselves. Cryptocoin networks should not be like some typical software companies code, where if there's a bug, you just patch or fix it. Sadly many coin were developed that way, and the flaws kept permeating through these

Re:

[Pinky's Brain]

These attacks are simply a result of market cap falling too low and hashing power being cheaply available.

Dying people are dying!

[emeitner]

Sensationalistic crap. No one ever claimed blockchains are unhackable by nature of being blockchains. A blockchain’s security is proportional to the number an diversity of devices mining and nodes forming the consensus. Dying forks like Ethereum Classic are bound to get hacked. That is just part of the final death throes of a blockchain.
Move along. Nothing to see here.

Etherium Classic?

[Chris Mattern]

It's probably better than New Etherium, anyways.

Re:

[hawk]

I'm holding out for Etherium 98 . . .

Big hash power can be directed at small coins

[qubezz]

The problem here is the diversity of "me too" get rich quick coins which have much less proof-of-work power protecting their block chain. If I've got generic compute power that is 5% of Bitcoin's hash rate, I can point it at any of these other scamcoins and be 95%. There can be only one secure cryptocurrency, unless the other late-comers uses a vastly different and completely computationally incompatible proof-of-work scheme.

XRP is not vulnerable to this attack

[Lanthanide]

Yet another advantage of XRP is that it doesn't use mining to secure it's ledger, so this sort of attack is not possible.

To attack XRP would require 81% of all validators to collude. Since there is no direct monetary incentive to run a validating node, and clients can choose which nodes they can trust, if anyone were to pull off an 81% attack against XRP it would suggest the coin was no longer useful for any serious purpose whatsoever.

Re:

[hraponssi]

You are comparing something centralized (XRP) to decentralized (most other blockchains). Naturally the pros and cons differ.

Re:

[DontBeAMoran]

I wonder how different it is for other coins which use something like Proof-of-stake, like Reddcoin. I know you can run a staking wallet on something as small as a Raspberry Pi, so basically anyone can help strengthen the network.

Re:

[Lanthanide]

Except XRP is not centralised in any meaningful way.

Proof of stake?

[bradley13]

It seems to me that this is yet another reason to get rid of "proof of work" and go to "proof of stake". With proof of stake, you still have a possible 51% attack, but you have no motivation to do so. If some group owns 51% of a currency, and starts stealing, they will tank the value of their own stake.

Re:

[140Mandak262Jamuna]

It is not 50% of the total value of the currency. It is the 50% of the computing power that verifies correctness. Once you have 51% of the votes to verify it, you own ALL the value in that currency.

Everyone knew about 50% verification vote issue. Once state actors get into the game private people stand no chance against this. That is why when it was very comical to read about crypto currency reigning supreme over state issued fiat currencies.

Re:

[codebonobo]

Proof of Stake is not new or very interesting, and exists as a form with fiat currency already.Proof of stake has many more attack vectors(nothing at stake attacks, long range attacks, short range attacks , stake grinding attacks) than proof of work and ultimately is either less efficient or less secure.

Further reading -

https://medium.com/@tuurdemeester/critique-of-buterins-a-proof-of-stake-design-philosophy-49fc9ebb36c6

https://download.wpsoftware.net/bitcoin/pos.pdf

https://en.bitcoin.it/wiki/Proof_of_Stake

What if the founders cash out

[rsilvergun]

wouldn't that make the scenario you're describing profitable to them? Or if somebody just does what Bain capital and other leveraged buyout firms do and buys up 51% of the stock to again cash out?

no hack but attacks maybe more likely

[hraponssi]

So no hack, but the fundamentals still hold. These types of attacks have been going over the years so nothing much new.

Of course, there have been many years to develop ASIC's and FPGA algorithms for many coin algos. And since miners started dumping their GPU's, maybe cheaper to get a big, more generic hash power. Especially these smaller coins can then be vulnerable, and there can only be so many reasonable hash variants or resources for constant changes.

PoS is an interesting alternative but many still valu

We know

[nospam007]

"Coinbase claims that no currency was actually stolen from any of its accounts."

No data gets ever 'stolen', not movies, not music, not passwords not cryptocurrencies.
They just get copied.

What a man can make, a man can break

[Sqreater]

And that applies also to quantum cryptography due to its vulnerable nodes at least.

the real problem

[slashmydots]

This is why we don't need 600+ different cryptocurrencies. Someone with a fairly small ASIC farm can target a tiny blockchain and >50% it (that's the real name, not 51%) and steal everything.

Correct link to MIT Technology review article

[cocoabean]

The original link is to "Explainer: What is a blockchain?" from April 2018.

Correct link:
Once hailed as unhackable, blockchains are now getting hacked [technologyreview.com]