SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
The challenges of securing the Ethereum blockchain
Thu, 21st Jun 2018
FYI, this story is more than a year old

During the past 18 months, blockchains and cryptocurrencies have emerged from technical obscurity to capture the attention of investors around the world. Some view them as a real alternative to existing currencies while others consider the trend nothing more than an electronic Ponzi scheme.

While Bitcoin has captured the lion's share of attention, another cryptocurrency and its associated blockchain is also gaining a strong following. The Ether cryptocurrency, based on the Ethereum blockchain, is the world's second largest and has a total value of more than $US24 billion.

Ether differs from Bitcoin because it comprises simple transactions and users have wallets that contain a certain balance. Bitcoin wallets, on the other hand, contain an accumulation of inputs and outputs that, in turn, add up to a monetary balance.

The Ethereum blockchain is also different from the one underpinning Bitcoin. It is built on the Ethereum Virtual Machine (EVM) which executes code in each node on the Ethereum network. All results are compared to ensure accuracy before they are added as blocks. The code used in this process is known as a smart contract.

Smart contracts are what sets Ethereum apart from rival platforms. They can be used to store data, logs or even entire applications. Many organisations are working on finding ways to use the technology to support legal transactions such as property purchases and proof of ownership systems.

The cybersecurity challenge

As Ethereum has gained popularity among technologists and investors, it has also captured increasing attention from cybercriminals. They have been busy finding ways to exploit the platform for financial gain.

During the past two years, cybercriminals have found code flaws, uncovered web application vulnerabilities, and used social engineering to steal more than $US100 million in Ether cryptocurrency.

One of the first hack attacks against Ethereum happened back in 2016. It involved an Ethereum-based venture capital fund, called the Decentralised Autonomous Organisation (DAO), that had been created to provide funding for new blockchain-based technology projects. Hackers found a flaw in the code used by DAO that allowed them to fraudulently withdraw Ether from the project. Using this flaw, they managed to steal currency that was, at that time, worth $US70 million.

Another target for criminals has been Ethereum-based Initial Coin Offerings (ICOs). These are used by blockchain start-ups to raise funds for new development projects. People buy tokens with Ether in the hope that the value of the tokens will increase once the project is a success. In 2017, $3.7 billion was raised on the Ethereum network through ICOs.

In July 2017, a business called InsureX was about to conduct an ICO to raise funds. Just before launch, hackers compromised the company's twitter account and posted an Ether wallet address claiming that it was a pre-ICO sale. This tricked some investors into sending more than $US400,000 to the fake account.

Just a few days later, a hacker was able to modify a wallet address on the website of a business called CoinDash which was also having an ICO. The amended address allowed the hacker to harvest investor funds worth $US13.7 million.

Working to secure Ethereum

In the wake of these incidents, attention has been focused on finding ways to reduce cyberattacks on Ethereum and make it more secure for users.

The Ethereum Foundation, the organisation charged with managing the evolution of the platform, has issued a range of bug bounties to encourage people to report any vulnerabilities that they discover. Bounty payments are scaled depending on the severity of the bug uncovered and are paid in either Ether or Bitcoin. Many organisations planning an ICO are taking a similar path by posting their code online ahead of a launch and asking people to check for weaknesses.

If hackers do succeed in stealing a large amount of Ether, the community also has the option of undertaking what's known as a ‘hard fork'. In essence, this means a new copy of the Ethereum blockchain is created that does not contain the illegal transactions and users are encouraged to use it rather than the initial blockchain.

While a hard fork works, it can be very difficult to achieve as it requires a majority of people to agree to the creation of a new blockchain. Some argue that it also goes against the immutable nature of blockchains which is one of the features that makes them so attractive in the first place.

The bottom line is that it's vital for developers to check the code within Ethereum smart contracts before releasing them to the world. Thorough testing early will help to prevent significant problems further down the track.

Ethereum clearly has a lot of value and seems set to continue to increase in both its usage rates and the value of the Ether currency it supports. By being aware of security challenges and finding ways to overcome them, developers can ensure the platform is robust and successful in coming years.