
Blockchain Security – New Threats. Part 2.

The Blockchain Threat

This is the conclusion of a two-part series. Read part one here.

One of blockchain technology’s claims to fame is that it enables trustless interactions between parties. For the most part, this is a true statement.

Corrupt technology and fallible human actors can cause unwanted outcomes. But for better or worse, the truth of the matter is that we’ll never be able to do away with the need for trust. Humans must remain in the equation in some way or another.

Blockchains simply alter who we need to trust.

For example, when sending money to someone, banks normally function as the trusted intermediary. They take the money you want to send, and then they pass it on to your friend.

Thanks to “trustless” blockchains, folks can send money to a far-off friend without the need for a trustworthy bank.

And despite there being no direct middlemen involved, trust is still involved in the process.

We’re not required to trust a bank in this case, but we are still required to trust. We must place our trust in the developers of blockchains, smart contracts, wallets, and the like.

It isn’t a bank handling our money — it’s thousands (and thousands) of lines of code.

But what if that code contains mistakes, or is compromised in some way?

How Blockchains Can Be Compromised

Blockchains are vulnerable in four main ways:

  • Phishing.
  • Sybil attacks.
  • Routing.
  • 51% attacks.

Phishing: Phishing in the blockchain world is accomplished by targeting wallet key owners. A bad actor may send an official-looking email that prompts the reader to enter their wallet key credentials.

Sybil: In a Sybil attack, one bad actor tries to take over a network by creating multiple nodes on a blockchain network. They then crash the network by flooding it with false network identities.

Routing: Blockchain nodes constantly exchange large volumes of data in real time, and a bad actor positioned on the network path can intercept that traffic before it reaches the ISP. Once the data has been intercepted, the attacker can steal your data and/or money without ever setting off an alarm.

51% Attacks: In order to exert control over a blockchain ledger, a participant must control more than 50% of the network’s mining power. This is theoretically possible if a group of miners band their computing power together to attain more than half of the hash rate on the network. From there, these bad actors could edit the ledger as they see fit.
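As an added illustration of why the 50% line in the 51% attack description matters (this is not code from the original post), the following Python script implements the “attacker catches up” calculation from the Bitcoin whitepaper (section 11). Given an attacker’s share q of total mining power, it computes the probability that a rival chain overtakes the honest chain after a payment has received z confirmations, and derives how many confirmations a defender must wait for to push that probability below a chosen tolerance. The function names and the default tolerance are my own choices.

```python
"""Nakamoto "attacker catches up" model, as used to choose confirmation depth."""
import math


def attack_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the hash rate ever
    catches up from z blocks behind (Bitcoin whitepaper, section 11).

    p is the honest fraction. Once q >= p the attacker is expected to win the
    race eventually, however many confirmations the victim waits for: that is
    the 51% scenario."""
    if not 0 < q < 1:
        raise ValueError("q must be a fraction strictly between 0 and 1")
    p = 1.0 - q
    if q >= p:
        return 1.0
    if z == 0:
        return 1.0  # nothing to catch up with: an unconfirmed payment is trivially reversible
    lam = z * q / p  # expected attacker progress while the honest chain mines z blocks
    total = 0.0
    for k in range(z + 1):
        # Poisson term computed in log space so large z does not overflow a float
        poisson = math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, tolerance: float, max_z: int = 1000):
    """Smallest confirmation count z at which the success probability drops
    below `tolerance`; None when no depth is enough (q >= 0.5) or max_z is
    exceeded. A service accepting deposits would use this to set its policy."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if attack_success_probability(q, z) < tolerance:
            return z
    return None


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.5, 0.6):
        z = confirmations_needed(q, 0.001)
        print(f"attacker share {q:.2f}: confirmations for <0.1% risk = {z}")
```

Running the script shows the asymmetry the post describes: a 10% attacker is held to under a 0.1% success chance after five confirmations, a 30% attacker needs roughly two dozen, and at 50% or more no confirmation depth helps at all, which is why the defence against a 51% attack is economic and structural (hash-rate distribution) rather than a matter of waiting longer.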

Being able to prevent hacks from happening is the best-case scenario.

But clearly, this doesn’t work — more than $1.2 billion has been stolen so far this year… and that’s only money taken from decentralized finance (DeFi) platforms.

Since hackers often move faster than these platforms, it can seem futile to try and keep pace with them.

But keeping pace with the threat is exactly what several blockchain-based cybersecurity firms are doing.

The Cryptos Tackling Blockchain Security

Take CertiK, a blockchain cybersecurity firm that provides a variety of security solutions for the crypto world. CertiK performs audits of crypto projects, aiming to reveal any issues that could be exploited by bad actors. After first letting project developers fix their code, CertiK publishes these reports online to remain transparent in its ratings. And it keeps an updated “Web3 Security Leaderboard” on its website for all to see.

Obviously, not everyone has the time, energy, and expertise to manually dig through code to find potential flaws.

And that’s one reason CertiK exists — to manage the technical side of research for investors and end users.

CertiK also offers on-chain smart contract monitoring via its Skynet platform.

Skynet is powerful. It monitors on-chain activity in real time, which enables teams to not only detect unintended network usage but also monitor growth metrics.

SkyTrace is another of its monitoring tools. It’s like Skynet but is specifically designed to track wallets. SkyTrace detects suspicious activity and fraud, and it can also verify that wallets comply with certain regulations before being interacted with. And this feature is free for public use.

CertiK also offers penetration testing for wallets, exchanges, and decentralized applications (dApps) to help discover bugs and exploits before they’re taken advantage of.

Then there’s Lossless, which got its start when one of its founders was affected by a DeFi hack.

Wanting to take matters of security into their own hands, they worked diligently to find ways to mitigate risk to their own personal assets.

And somewhere along the way, they realized the significant impact their idea could have within the entire DeFi space. Lossless was born – the first and only DeFi hack mitigation tool.

Rather than attempting to prevent hacks from happening, it focuses on stopping malicious actors as quickly as possible once an attack is under way.

When most hacks happen, the affected projects have little recourse. It’s entirely up to the hacker whether any stolen assets are returned. Ideally there is some way to prevent further damage, but this isn’t always the case.

With Lossless, hacking scenarios play out differently.

Here’s how it’s typically used:

  1. A project integrates Lossless’ code into its own, which enables certain functions like token freezing.
  2. When a bad actor attempts to steal funds in some way, finders — who have access to the Lossless SDK to build hack detection tools — can stake LSS tokens to temporarily freeze the affected ones. Other parties can add to this stake if they believe the finder to be correct in their assumption.
  3. Members from the Lossless team, the project team, and other Lossless committee members then meet to determine whether the hack is legitimate.
  4. If there is a hack, the bulk of the money that was frozen is returned to the project. As a reward for preventing a potentially crippling hack, a percentage of the recovered funds goes to the finder and the others who staked alongside them, as well as to the Lossless team. This incentivizes finders to develop cutting-edge threat detection, and it provides funding for the crypto’s team.
  5. If there is no hack, the money is unfrozen, and the finder’s stake is confiscated. This ensures only threats that appear legitimate are reported and the ability to freeze transactions is not abused.
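To make the five steps above concrete, here is an added example (my own toy model, not Lossless’s SDK or contract code) of a token ledger with the stake-to-freeze flow: a finder stakes LSS to freeze a suspect address, others can back the report, and the committee’s verdict either returns the frozen funds to the project (with a cut to the stakers and the team) or unfreezes the funds and forfeits the stake. The reward percentages, the address names, and the rule that the whole pooled stake is forfeited on a false alarm are assumptions for illustration.

```python
"""Toy stake-to-freeze token ledger modelled on the five-step flow above."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    HACK = "hack"        # committee confirms the frozen transfer was an exploit
    NO_HACK = "no_hack"  # committee finds the report unfounded


@dataclass
class FreezeReport:
    finder: str
    stakes: dict = field(default_factory=dict)  # staker -> LSS amount
    resolved: bool = False


class FreezableToken:
    # finder_share / team_share are assumed percentages, not Lossless's real terms
    def __init__(self, balances, lss_balances, finder_share=0.10, team_share=0.05):
        self.balances = dict(balances)   # project-token balances
        self.lss = dict(lss_balances)    # LSS held by finders and co-stakers
        self.reports = {}                # frozen address -> FreezeReport
        self.finder_share, self.team_share = finder_share, team_share
        self.confiscated_lss = 0.0

    def transfer(self, sender, recipient, amount):
        """Step 1: the integrated token refuses transfers from frozen addresses."""
        rep = self.reports.get(sender)
        if rep is not None and not rep.resolved:
            raise PermissionError(f"{sender} is frozen pending committee review")
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def report(self, finder, suspect, stake):
        """Step 2: a finder stakes LSS to temporarily freeze the suspect."""
        if suspect in self.reports and not self.reports[suspect].resolved:
            raise ValueError("already frozen")
        self._take_stake(finder, stake)
        self.reports[suspect] = FreezeReport(finder=finder, stakes={finder: stake})

    def add_stake(self, staker, suspect, stake):
        """Step 2 (continued): others add to the stake if they agree with the finder."""
        rep = self._open_report(suspect)
        self._take_stake(staker, stake)
        rep.stakes[staker] = rep.stakes.get(staker, 0) + stake

    def resolve(self, suspect, verdict, project, team="lossless_team"):
        """Steps 3-5: the committee's verdict settles funds and stakes."""
        rep = self._open_report(suspect)
        rep.resolved = True
        if verdict is Verdict.HACK:
            frozen = self.balances.get(suspect, 0)
            self.balances[suspect] = 0
            reward, team_cut = frozen * self.finder_share, frozen * self.team_share
            total_stake = sum(rep.stakes.values())
            for staker, amt in rep.stakes.items():  # reward split pro rata, stakes returned
                self.balances[staker] = self.balances.get(staker, 0) + reward * amt / total_stake
                self.lss[staker] += amt
            self.balances[team] = self.balances.get(team, 0) + team_cut
            self.balances[project] = self.balances.get(project, 0) + frozen - reward - team_cut
        else:
            # false alarm: funds are unfrozen untouched and the staked LSS is forfeited
            self.confiscated_lss += sum(rep.stakes.values())
        return verdict

    def _take_stake(self, staker, stake):
        if self.lss.get(staker, 0) < stake:
            raise ValueError(f"{staker} lacks LSS to stake")
        self.lss[staker] -= stake

    def _open_report(self, suspect):
        rep = self.reports.get(suspect)
        if rep is None or rep.resolved:
            raise KeyError(f"no open freeze on {suspect}")
        return rep


def demo_hack_scenario():
    """Constructed scenario: 800 tokens drained from the project pool, frozen by a
    finder, backed by a second staker, confirmed as a hack and mostly recovered."""
    token = FreezableToken({"project": 1000}, {"alice": 100, "bob": 100})
    token.transfer("project", "attacker", 800)   # the drain itself
    token.report("alice", "attacker", stake=50)  # finder's detection tool fires
    token.add_stake("bob", "attacker", stake=50)
    try:
        token.transfer("attacker", "exit_wallet", 800)  # blocked while frozen
    except PermissionError:
        pass
    token.resolve("attacker", Verdict.HACK, project="project")
    return token


def demo_false_alarm():
    """Constructed scenario: a legitimate large transfer is reported, the committee
    disagrees, the address is unfrozen and the finder loses the stake."""
    token = FreezableToken({"project": 1000, "carol": 300}, {"alice": 100})
    token.report("alice", "carol", stake=50)
    token.resolve("carol", Verdict.NO_HACK, project="project")
    token.transfer("carol", "dave", 10)  # works again once resolved
    return token
```

In the hack scenario the project ends with 880 of its original 1,000 tokens (200 never left plus 680 recovered), each staker earns 40 tokens and gets their LSS back, and the team receives 40; in the false-alarm scenario the reported address keeps every token and the 50 LSS stake is forfeited, which is the penalty that keeps the freeze power from being abused.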

Freezing assets might sound antithetical to crypto’s decentralized ethos, but many would argue that the financial damage done by stolen funds far outweighs any inconvenience.

And perhaps the committee that determines whether a hack has occurred may someday be replaced with a more decentralized body of individuals. The sky is the limit in the future. But for most projects, some amount of centralization is necessary at the start.

And most likely, unless you’re moving vast amounts of money or completing bizarre transactions, you’ll never be affected by it.

For many with money invested in DeFi protocols, the peace of mind a Lossless integration allows far outweighs any cons.

#vicarius_blog #blockchain

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About vRx
vRx is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
