Blockchain technology has gained some serious traction over the past year. It’s now moot for discussions to simply focus on blockchain’s basic capability to provide secure record keeping. Many projects have proven that the technology can do just that. Critics are now more concerned about blockchain’s dependability as it gets applied to more varied use cases.
However, this increasing adoption is also revealing issues with the technology. Among those typically highlighted is scalability. Bitcoin and Ethereum, currently the top public blockchains, both experience bottlenecks when transaction volumes increase. Bitcoin’s slow confirmation times have also been part of the reason why it has failed to gain usage for day-to-day payments. Several decentralized applications (dapps) were also forced to move on from Ethereum as a platform after episodes of network congestion due to high usage.
However, while scalability isn’t something to gloss over, crypto stakeholders should actually be more concerned about security. There are already measures that seek to address scalability issues, like the Lightning Network and Ethereum’s Casper fork. Other platforms already promise better scalability as well. Security threats, however, are growing more rampant with each passing day. Given the risks cyberattacks pose to the crypto space, delayed transactions could actually be viewed as more of an annoyance compared to the impact of stolen tokens.
Here are three key security threats that crypto services have to look out for and how these can be mitigated.
1 – Web Application Breach
Blockchain, by itself, has proven to be quite secure. However, the services and dapps that use it are often the weak links in the system. There have already been plenty of reported security breaches that targeted dapps, exchanges, and initial coin offerings (ICOs). Security provider Incapsula recently reported an increase in malicious traffic aimed at crypto sites over the past year. The amount of value that flows through these services makes them prime marks for cybercriminals.
The hack on CoinDash’s ICO last year shows that attackers need not pull off very complicated attacks to steal tokens. In this case, the attacker breached the ICO website and simply replaced the contribution address. What was then worth $7 million in Ether tokens was sent to the fraudulent address instead.
To prevent such things from occurring, crypto services should secure all parts of their infrastructure, especially public-facing channels such as websites and applications. The use of a web application firewall (WAF) helps beef up a website or application’s resilience against breaches. WAFs are designed to block the methods cybercriminals use to breach websites, including cross-site scripting, SQL injections, bot attacks, and illegal resource access.
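A complementary check for the CoinDash-style address swap described above is to compare every address the public page serves against a value pinned out of band. The sketch below is an added example, not code from the article or from any project it names; the addresses, the HTML snippets and the function names are constructed for illustration.

```python
import re

# Pinned contribution address, distributed out of band (constructed sample value).
PINNED_ADDRESSES = {"0x" + "ab12" * 10}

# "0x" + exactly 40 hex digits; the lookarounds skip longer hex strings
# such as 64-digit transaction hashes.
ADDRESS_RE = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")

def find_addresses(html):
    """Return every Ethereum-style address in the raw page, lower-cased."""
    return {m.group(0).lower() for m in ADDRESS_RE.finditer(html)}

def check_page(html, pinned=PINNED_ADDRESSES):
    """Compare served addresses with the pinned set (case-insensitive)."""
    pinned = {a.lower() for a in pinned}
    found = find_addresses(html)
    unexpected = sorted(found - pinned)   # address nobody approved
    missing = sorted(pinned - found)      # approved address no longer shown
    return {"ok": not unexpected and not missing,
            "unexpected": unexpected, "missing": missing}

# Constructed sample pages: the legitimate one (address shown in upper case)
# and one where the contribution address has been replaced.
CLEAN_HTML = "<p>Send ETH to <code>0x%s</code></p>" % ("AB12" * 10)
TAMPERED_HTML = "<p>Send ETH to <code>0x%s</code></p>" % ("cd34" * 10)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_HTML), ("tampered", TAMPERED_HTML)):
        print(name, check_page(page))
```

Run from a host other than the web server itself, so that a compromise of the site cannot also silence the check.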
2 – DDoS Attacks
Another way attackers seek to compromise crypto services is through distributed denial-of-service (DDoS) attacks. These attacks overwhelm a network using large volumes of traffic. Attackers use botnets – networks of compromised computers and devices – to consume a target network’s bandwidth. DDoS attacks typically render a site or service inaccessible to users. They can also mask other attacks such as data breaches or malware implantation.
Security firm Kaspersky notes that DDoS attacks now cost small to medium businesses (SMBs) an average of $120,000 per attack. For larger enterprises, the cost rises to $2 million. It may be tough to quantify the cost to crypto services for now, but uptime is critical to their operations. Given the high volatility of the crypto market, any downtime for a crypto exchange can cost traders and the exchange itself hundreds of thousands if not millions of dollars in potential transactions.
Blockchain startup Gladius.io has recently finished its ICO successfully, raising more than 20,000 Ether to create a decentralized platform for DDoS mitigation using people’s bandwidth. The startup is poised to screen out known malicious traffic, preventing botnets from consuming the service’s resources, and to guarantee uptime by funnelling people’s bandwidth into nodes and pools and then sending it to websites under DDoS and hacking attacks.
The company is also developing a CDN to help load websites faster by serving and caching content on users’ machines, using their bandwidth and computing power. The alpha is set to hit the market next month.
3 – Vulnerability Exploits
Some attacks seek to exploit vulnerabilities caused by developers themselves. Errors in code or faulty deployment can leave applications and services exposed. The DAO hack in 2016, for instance, was caused by a programming mistake in its smart contract. The attacker was able to take $50 million worth of Ether. The attack also forced Ethereum to create a hard fork to restore the platform’s integrity.
Another famous exploit is the Coincheck breach. The attack currently ranks as the largest cryptocurrency heist in history, with the perpetrators getting away with over $500 million worth of NEM tokens. Coincheck reportedly had lapses such as using a hot online single-signature wallet to facilitate NEM transactions. Secure practice recommends using a cold offline multi-signature wallet that requires several private keys to authorize transactions.
Developers should always abide by recommended security practices. This includes performing comprehensive security audits before going live with any of their services and updates. They can also engage external services like Hosho and HackerOne to perform code reviews since developers and testers may often be blind to their own tendencies and mistakes.
Many crypto stakeholders are preoccupied with concerns such as scalability. However, the reality is that cyber attacks pose a greater threat to the space. Cybercriminals are particularly keen on targeting crypto activities given the significant values that flow through the ecosystem. Unlike with traditional financial transactions where stop orders can be issued, cryptocurrency transactions are designed to be irreversible. This makes attackers all the more brazen knowing that, if successful, they can easily get away.
Falling victim to attacks can be catastrophic to any organization or venture. As such, ventures must prioritize security in their agenda. Ventures should create comprehensive security strategies that follow the best development practices and implement industry-grade security measures.