Rob Behnke
February 25th, 2021
A commonly stated misconception about blockchain technology is that it is unhackable. This statement shows up frequently in the media, commonly paired with a discussion of the latest blockchain hack.
Blockchain technology is designed with a number of different safeguards to help eliminate the need for trust within the network and to protect the distributed ledger against attackers. However, blockchain is certainly not unhackable, as demonstrated by the number of blockchain hacks reported to date.
When talking about blockchain and its hackability, a good starting point is defining what is considered part of the blockchain. Blockchain technology is a large ecosystem, and many different types of systems can be connected to the blockchain.
At its core, blockchain technology refers to a system like Bitcoin. A blockchain network maintains a digital ledger recording some type of data. In Bitcoin’s case, this is primarily financial data, but the same structure can be used to hold any type of data.
Smart contract platforms take advantage of this by using the blockchain to store executable code. A smart contract platform includes software that implements both the basic blockchain protocol (which creates blocks full of code) and a virtual machine that maintains state and updates this state based on the code stored in the ledger.
While blockchain started as systems like Bitcoin, smart contract platforms and the code that they run are clearly part of “the blockchain”. Where the definition gets fuzzy is when external systems are integrated with the blockchain.
For example, a cryptocurrency exchange is clearly part of the blockchain space, but it is just an institution and a website involved with making transactions on the blockchain. Most blockchain hacks are actually hacks of cryptocurrency exchanges and have nothing to do with the security of the blockchain itself.
The blockchain protocol has a number of different incentives and safeguards designed to protect it against bad actors. However, no system is perfect. A blockchain protocol can be hacked or exploited in a number of different ways.
One of the most common causes of blockchain hacks is vulnerable implementations of blockchain protocols. A blockchain protocol may be very secure in theory, but it is only useful if it is implemented in code. Errors in implementing this code can make a theoretically secure protocol vulnerable to attack.
For example, the Bitcoin protocol is theoretically very secure. However, an implementation error in the Bitcoin software (an integer overflow vulnerability) created a flaw that was exploited in 2010 to create 184 billion Bitcoin out of thin air.
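The class of bug behind that incident can be shown in a few lines of C, with an output-sum check that wraps placed beside one that range-checks every amount. This is an added example, not code from the Bitcoin software or from this article; the function names, the sample amounts and the 21-million-coin range constant are assumptions made for the sketch.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Assumed for this sketch: amounts are signed 64-bit counts of the smallest
   unit, and the supply cap is 21 million coins of 10^8 units each. */
#define COIN      INT64_C(100000000)
#define MAX_MONEY (INT64_C(21000000) * COIN)

/* Weak form: sums outputs with wrapping 64-bit arithmetic and only compares
   the total with the input value. The sum is done in uint64_t so the wrap is
   well defined in C; converting back models a signed accumulator. */
bool outputs_ok_weak(const int64_t *out, size_t n, int64_t in_value)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc += (uint64_t)out[i];
    return (int64_t)acc <= in_value;
}

/* Hardened form: every output and every running total must stay inside
   [0, MAX_MONEY], so the accumulator can never get near INT64_MAX. */
bool outputs_ok_checked(const int64_t *out, size_t n, int64_t in_value)
{
    int64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (out[i] < 0 || out[i] > MAX_MONEY)
            return false;
        total += out[i];        /* at most 2 * MAX_MONEY here: cannot overflow */
        if (total > MAX_MONEY)
            return false;
    }
    return total <= in_value;
}

/* Constructed sample: two outputs just under INT64_MAX; their sum wraps negative. */
static const int64_t SAMPLE_OUT[2] = { INT64_MAX - 1000, INT64_MAX - 1000 };
static const int64_t SAMPLE_IN = 50000000;   /* 0.5 coin of input value */

int main(void)
{
    bool weak = outputs_ok_weak(SAMPLE_OUT, 2, SAMPLE_IN);     /* accepted */
    bool safe = outputs_ok_checked(SAMPLE_OUT, 2, SAMPLE_IN);  /* rejected */
    return (weak && !safe) ? 0 : 1;
}
```

The weak check accepts the constructed transaction because the wrapped total is negative and therefore "less than" the input value; the range-checked version rejects it at the first output.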
The blockchain is designed to take advantage of the greed of the nodes in the blockchain network. It includes incentives that make behaving properly the most profitable choice. However, these incentives do not always work out.
For example, take the block rewards used in blockchain consensus. The more mining power that a node has in a Proof of Work (PoW) blockchain, the more money it can make through block rewards. However, the network also doesn’t want any node to accumulate too much mining power because it breaks the blockchain (a 51% attack). Driving nodes to accumulate power is only useful up to a certain point.
The basic blockchain protocol described in the Bitcoin whitepaper is largely secure. When the biggest theoretical security issue that you have is that a system based on a majority vote breaks when the bad guys have a majority (i.e. a 51% attack), then the system is pretty well designed from a security perspective.
Many of the security issues that blockchains face occur when developers try to add additional features and functionality on top of the blockchain protocol. For example, the Verge cryptocurrency suffered an attack in 2018 in which the attacker was able to perform a 51% attack with only about 10% of the blockchain’s hash power by exploiting a combination of features within the system.
Blockchain is a relatively new technology. Smart contracts are even younger, and some applications of smart contracts – such as Decentralized Finance (DeFi) – are still in their infancy.
The youth of these technologies means that developers and security experts have not had the opportunity to fully research them and work all of the bugs out. As a result, many smart contracts are created with known vulnerabilities, and new vulnerabilities are occasionally discovered.
Blockchain technology is like any other software. It can have vulnerabilities – whether design flaws or implementation errors – that can be exploited by an attacker. The complexity and newness of blockchain ecosystems mean that these vulnerabilities can be difficult to detect and remediate.
Blockchain is definitely not unhackable. When planning and developing a blockchain-based system, it is vital to follow secure development best practices, such as performing a security audit before release.
To find out how to safeguard your blockchain solution from hacks, get in touch with our cybersecurity experts at Halborn at halborn@protonmail.com.