
The challenges of securing the Ethereum blockchain

21 Jun 2018

During the past 18 months, blockchains and cryptocurrencies have emerged from technical obscurity to capture the attention of investors around the world. Some view them as a real alternative to existing currencies while others consider the trend nothing more than an electronic Ponzi scheme.

While Bitcoin has captured the lion’s share of attention, another cryptocurrency and its associated blockchain is also gaining a strong following. The Ether cryptocurrency, based on the Ethereum blockchain, is the world’s second largest and has a total value of more than $US24 billion.

Ether differs from Bitcoin in that its transactions are simple and each user's wallet holds a balance directly. Bitcoin wallets, on the other hand, hold an accumulation of transaction inputs and outputs that together add up to a monetary balance.
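As an added illustration (not code from the article or from any Ethereum project), the following Python toy contrasts the two ledger models just described: an account ledger in which each wallet holds a balance directly, and a UTXO ledger in which a wallet's balance is the sum of the unspent outputs it controls. Names, amounts and transaction ids are constructed; the nonce check in the account ledger models the per-account transaction counter Ethereum uses to reject replayed transfers.

```python
"""Toy comparison of account-based and UTXO-based ledgers (added example).
All addresses, amounts and txids below are constructed sample values."""
from dataclasses import dataclass


class AccountLedger:
    """Ether-style: one balance per address plus a nonce that must match the
    next expected value, so a signed transfer cannot be replayed."""

    def __init__(self):
        self.balances = {}
        self.nonces = {}

    def fund(self, addr, amount):
        self.balances[addr] = self.balances.get(addr, 0) + amount

    def transfer(self, sender, recipient, amount, nonce):
        if nonce != self.nonces.get(sender, 0):
            raise ValueError("bad nonce (replay or out-of-order transfer)")
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        self.nonces[sender] = nonce + 1

    def balance(self, addr):
        return self.balances.get(addr, 0)


@dataclass(frozen=True)
class Output:
    txid: str
    index: int
    owner: str
    value: int


class UtxoLedger:
    """Bitcoin-style: a transaction consumes whole unspent outputs and creates
    new ones; a wallet's balance is only ever derived by summing its outputs."""

    def __init__(self):
        self.unspent = {}  # (txid, index) -> Output
        self.counter = 0

    def _new_txid(self):
        self.counter += 1
        return f"tx{self.counter}"

    def fund(self, owner, value):
        txid = self._new_txid()
        self.unspent[(txid, 0)] = Output(txid, 0, owner, value)
        return txid

    def transfer(self, sender, recipient, amount):
        # Select the sender's outputs until the amount is covered.
        inputs, total = [], 0
        for key, out in sorted(self.unspent.items()):
            if out.owner == sender:
                inputs.append(key)
                total += out.value
                if total >= amount:
                    break
        if total < amount:
            raise ValueError("insufficient funds")
        # Consumed outputs are removed, so they cannot be spent twice.
        for key in inputs:
            del self.unspent[key]
        txid = self._new_txid()
        self.unspent[(txid, 0)] = Output(txid, 0, recipient, amount)
        change = total - amount
        if change:  # change goes back to the sender as a fresh output
            self.unspent[(txid, 1)] = Output(txid, 1, sender, change)
        return txid

    def balance(self, owner):
        return sum(o.value for o in self.unspent.values() if o.owner == owner)


def demo():
    """Same transfer on both ledgers; returns balances and UTXO count."""
    acct = AccountLedger()
    acct.fund("alice", 10)
    acct.transfer("alice", "bob", 4, nonce=0)
    utxo = UtxoLedger()
    utxo.fund("alice", 10)
    utxo.transfer("alice", "bob", 4)
    return (acct.balance("alice"), acct.balance("bob"),
            utxo.balance("alice"), utxo.balance("bob"), len(utxo.unspent))


def replay_rejected():
    """True if re-submitting the same account transfer is refused."""
    acct = AccountLedger()
    acct.fund("alice", 10)
    acct.transfer("alice", "bob", 4, nonce=0)
    try:
        acct.transfer("alice", "bob", 4, nonce=0)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), replay_rejected())
```

Both ledgers end with the same balances, but the UTXO ledger now holds two outputs (bob's 4 and alice's 6 of change) while the account ledger simply holds two numbers; the nonce is what stops the same account transfer from being applied twice.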

The Ethereum blockchain is also different from the one underpinning Bitcoin. It is built on the Ethereum Virtual Machine (EVM), which executes code on each node in the Ethereum network. The nodes' results are compared to ensure they agree before they are added as blocks. The code executed in this process is known as a smart contract.

Smart contracts are what sets Ethereum apart from rival platforms. They can be used to store data, logs or even entire applications. Many organisations are working on finding ways to use the technology to support legal transactions such as property purchases and proof of ownership systems.

The cybersecurity challenge

As Ethereum has gained popularity among technologists and investors, it has also captured increasing attention from cybercriminals. They have been busy finding ways to exploit the platform for financial gain.

During the past two years, cybercriminals have found code flaws, uncovered web application vulnerabilities, and used social engineering to steal more than $US100 million in Ether cryptocurrency.

One of the first attacks against Ethereum happened back in 2016. It involved an Ethereum-based venture capital fund, called the Decentralised Autonomous Organisation (DAO), that had been created to provide funding for new blockchain-based technology projects. Hackers found a flaw in the code used by the DAO that allowed them to fraudulently withdraw Ether from the project. Using this flaw, they managed to steal currency that was, at that time, worth $US70 million.

Another target for criminals has been Ethereum-based Initial Coin Offerings (ICOs). These are used by blockchain start-ups to raise funds for new development projects. People buy tokens with Ether in the hope that the value of the tokens will increase once the project is a success. In 2017, $3.7 billion was raised on the Ethereum network through ICOs.

In July 2017, a business called InsureX was about to conduct an ICO to raise funds. Just before launch, hackers compromised the company’s Twitter account and posted an Ether wallet address, claiming that it was a pre-ICO sale. This tricked some investors into sending more than $US400,000 to the fake account.

Just a few days later, a hacker was able to modify a wallet address on the website of a business called CoinDash which was also having an ICO. The amended address allowed the hacker to harvest investor funds worth $US13.7 million.

Working to secure Ethereum

In the wake of these incidents, attention has been focused on finding ways to reduce cyberattacks on Ethereum and make it more secure for users.

The Ethereum Foundation, the organisation charged with managing the evolution of the platform, has issued a range of bug bounties to encourage people to report any vulnerabilities that they discover. Bounty payments are scaled depending on the severity of the bug uncovered and are paid in either Ether or Bitcoin. Many organisations planning an ICO are taking a similar path by posting their code online ahead of a launch and asking people to check for weaknesses.

If hackers do succeed in stealing a large amount of Ether, the community also has the option of undertaking what’s known as a ‘hard fork’. In essence, this means a new copy of the Ethereum blockchain is created that does not contain the illegal transactions and users are encouraged to use it rather than the initial blockchain.

While a hard fork works, it can be very difficult to achieve as it requires a majority of people to agree to the creation of a new blockchain. Some argue that it also goes against the immutable nature of blockchains which is one of the features that makes them so attractive in the first place.

The bottom line is that it’s vital for developers to check the code within Ethereum smart contracts before releasing them to the world. Thorough testing early will help to prevent significant problems further down the track.
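As an added example of the kind of pre-release check the paragraph above calls for (this is not code from the article, the DAO, or any Ethereum project), the Python below models the withdrawal flaw class publicly documented for the 2016 DAO incident, reentrancy, which the article itself does not name; treating it as the bug behind the DAO theft is this example's assumption. An EVM call to a contract hands control to that contract's code before the call returns, so a withdraw function that sends funds before updating its own bookkeeping can be re-entered. The model shows that vulnerable ordering beside the checks-effects-interactions ordering, and a test double that re-enters the vault the way a pre-release test suite would exercise the withdraw path. Contract names, balances and gas behaviour are constructed; the real EVM bounds recursion by gas, which this toy omits.

```python
"""Model of a re-enterable withdraw versus a hardened one (added example).
Names and amounts are constructed; gas limits are not modelled."""


class Vault:
    """Holds deposits for each account. _send() models an EVM call: the
    recipient's code runs before control returns to the vault."""

    def __init__(self):
        self.balances = {}
        self.total = 0  # ether actually held by the vault

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def _send(self, who, amount):
        self.total -= amount
        if hasattr(who, "receive"):  # contract recipient: its code runs now
            who.receive(self, amount)

    def withdraw_vulnerable(self, who):
        """Interaction before effect: the balance is still intact while the
        recipient's code runs, so a second withdraw sees the full amount."""
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        self._send(who, amount)
        self.balances[who] = 0  # too late: recipient already re-entered

    def withdraw_hardened(self, who):
        """Checks-effects-interactions: zero the balance, then send."""
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        self.balances[who] = 0
        self._send(who, amount)  # a re-entrant call now sees balance 0


class ReenteringRecipient:
    """Test double whose receive hook calls withdraw again while the first
    withdraw is still executing. A pre-release test suite would use a
    contract like this to confirm the withdraw path cannot be re-entered."""

    def __init__(self, method):
        self.method = method
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if vault.total >= amount:
            getattr(vault, self.method)(self)


def run(method):
    """Deposit 90 from an honest account and 10 from the re-entering
    recipient, then withdraw once via `method`.
    Returns (ether left in vault, ether the recipient collected)."""
    vault = Vault()
    vault.deposit("honest", 90)
    recipient = ReenteringRecipient(method)
    vault.deposit(recipient, 10)
    getattr(vault, method)(recipient)
    return vault.total, recipient.received


if __name__ == "__main__":
    print("vulnerable:", run("withdraw_vulnerable"))
    print("hardened:  ", run("withdraw_hardened"))
```

With the vulnerable ordering a single withdrawal drains the whole vault, including the honest depositor's 90; with the hardened ordering the re-entered call finds a zero balance and the recipient gets exactly its own 10. A test that asserts the second outcome, run before deployment, is the concrete form of the "check the code before releasing it" advice above.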

Ethereum clearly has a lot of value and seems set to continue to increase in both its usage rates and the value of the Ether currency it supports. By being aware of security challenges and finding ways to overcome them, developers can ensure the platform is robust and successful in coming years.

Article by WatchGuard Technologies A/NZ regional director Mark Sinclair.
