Let's Talk

What Is Code Exploitation?

Rob Behnke

Blockchains are high-value targets for cybercriminals.  These systems are designed to store and process cryptocurrency and valuable information.  As demonstrated by numerous incidents, hacking a blockchain can net a significant financial gain for an attacker.

Blockchains can be “hacked” in a variety of different ways.  Some blockchain attacks take advantage of poor protection of private keys, either by the owner of a blockchain account or a cryptocurrency exchange.  Others target vulnerabilities in the blockchain protocol, like a 51% attack that takes advantage of the fact that Proof of Work consensus is based upon majority vote.

In some cases, cyberattackers take advantage of vulnerabilities within blockchain protocols or their implementations.  These code exploitation attacks leverage design or programming errors to break the blockchain system.

Inside Blockchain Code Vulnerabilities

Exploitable vulnerabilities in blockchain code can be classified in a few different ways.  One is based on the “type” of vulnerability that exists.  The other is where the issue is located in the blockchain stack.

Design vs. Implementation Vulnerabilities

Blockchain is commonly (and incorrectly) called “unhackable” because many of its security assumptions are based on cryptographic algorithms believed to be secure against modern systems.  

However, blockchain systems can “go wrong” in a couple of different ways:

  • Design vulnerabilities arise when blockchain architects fail to consider the impacts of the features built into their technologies.  A classic example of this is an attack against the Verge cryptocurrency.  By combining three intentional features of the cryptocurrency, an attacker was able to perform a 51% attack with roughly 10% of the blockchain’s hashpower.  This issue wasn’t made possible by any programming errors but by the design of the protocol itself.
  • Implementation errors can also undermine the security of a blockchain system.  The Bitcoin protocol is widely considered to be secure, but it has been hacked before.  This was possible because an attacker took advantage of programming errors like an integer overflow vulnerability.  While the design was secure, the implementation made the code vulnerable.

Exploiting the Blockchain Ecosystem

The blockchain is a complex, multi-layered ecosystem.  This means that design and implementation errors can exist at multiple different levels:

  • Blockchain Clients: The blockchain is implemented as software running on each node of the blockchain network.  If this software has design or programming errors, then an attacker can exploit them to attack the blockchain.  The Verge and Bitcoin hacks targeted this client code.
  • Smart Contracts: Smart contracts are programs that run on top of the blockchain.  Most of the recent DeFi hacks took advantage of vulnerabilities in smart contracts implementing DeFi functionality.
  • External Systems: Some organizations - like cryptocurrency exchanges - have external systems linked to the blockchain via smart contracts or APIs.  Exploitation of vulnerabilities within these external systems could allow an attacker to attack an account on the blockchain or the blockchain system as a whole.

Securing the Blockchain

Attacks against blockchain systems are increasingly taking advantage of design or implementation protocols in blockchain-related software.  As the functionality built into and on the blockchain becomes more sophisticated and complex, the opportunities for exploitation increase.

Minimizing the threat of code exploitation requires a comprehensive security audit before releasing new code.  This should include all levels of the blockchain ecosystem and consider both potential design and implementation issues.

LET’S CONNECT

We’re looking for passionate, blockchain-loving, offensive security engineers and white hat hackers to join the team.

For secure communications, use [email protected]

Contact Us

crossmenuchevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram