
Over 200 Documented Blockchain Attacks, Vulnerabilities and Weaknesses


By Kurt Seifried, Chief Blockchain Officer at Cloud Security Alliance

Blockchain attacks are very hot right now for one simple reason: it’s where the money is.

If you attack and compromise a database, you need to take that data and then sell it to monetize your attack. If you compromise a web server, you need to install some malware to harvest credit card details and then monetize that data by selling it. But if you steal cryptocurrency? That is literally money in the attacker's wallet, right now.

The good news: law enforcement is getting better at tracing these transactions and following the money. The bad news: the blockchain industry is not very mature when it comes to identifying vulnerabilities and weaknesses.

An attack relies on a vulnerability being present for it to exploit. These vulnerabilities live in software (web services, smart contracts, the underlying blockchain system, etc.) and can be any of a number of weakness types, such as logic bugs, reentrancy issues, integer overflows and so on.
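To make one of those weakness classes concrete, here is an added example (not code from the article, from CSA, or from any real contract): a constructed toy token ledger in Go whose batch transfer checks every arithmetic step. The unchecked form of this function, where the total (amount times number of receivers) silently wraps to a tiny number so the sender's balance check passes while each receiver is still credited the full amount, is the well-known batch-transfer integer overflow pattern. The ledger, account names and amounts are all constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// Constructed toy token ledger (not code from any real contract or chain) used
// to show the integer-overflow weakness class and its mitigation: every
// arithmetic step on balances is checked instead of silently wrapping.
type Ledger struct {
	balances map[string]uint64
}

var (
	ErrOverflow     = errors.New("arithmetic overflow")
	ErrInsufficient = errors.New("insufficient balance")
)

// NewLedger builds a ledger from an initial balance map.
func NewLedger(initial map[string]uint64) *Ledger {
	l := &Ledger{balances: make(map[string]uint64, len(initial))}
	for k, v := range initial {
		l.balances[k] = v
	}
	return l
}

// Balance returns the current balance of an account (zero if unknown).
func (l *Ledger) Balance(acct string) uint64 { return l.balances[acct] }

// CheckedAdd returns a+b, or ErrOverflow if the sum does not fit in 64 bits.
func CheckedAdd(a, b uint64) (uint64, error) {
	sum, carry := bits.Add64(a, b, 0)
	if carry != 0 {
		return 0, ErrOverflow
	}
	return sum, nil
}

// CheckedMul returns a*b, or ErrOverflow if the product does not fit in 64 bits.
func CheckedMul(a, b uint64) (uint64, error) {
	hi, lo := bits.Mul64(a, b)
	if hi != 0 {
		return 0, ErrOverflow
	}
	return lo, nil
}

// BatchTransfer sends amount from one account to each receiver. The unchecked
// form of this function (amount*len(receivers) wrapping to a tiny total, so the
// sender check passes while each receiver is credited in full) is the classic
// batch-transfer overflow. Here the total and every credit are checked, and
// no state changes unless all checks pass.
func (l *Ledger) BatchTransfer(from string, receivers []string, amount uint64) error {
	total, err := CheckedMul(amount, uint64(len(receivers)))
	if err != nil {
		return err
	}
	if l.balances[from] < total {
		return ErrInsufficient
	}
	// Work on a copy so that a failing credit leaves the ledger untouched.
	next := make(map[string]uint64, len(l.balances)+len(receivers))
	for k, v := range l.balances {
		next[k] = v
	}
	next[from] -= total // cannot underflow: checked above
	for _, r := range receivers {
		nb, err := CheckedAdd(next[r], amount)
		if err != nil {
			return err
		}
		next[r] = nb
	}
	l.balances = next
	return nil
}

func main() {
	l := NewLedger(map[string]uint64{"alice": 100})
	fmt.Println(l.BatchTransfer("alice", []string{"bob", "carol"}, 40))    // <nil>
	fmt.Println(l.BatchTransfer("alice", []string{"bob", "carol"}, 1<<63)) // arithmetic overflow
	fmt.Println(l.Balance("alice"), l.Balance("bob"), l.Balance("carol"))  // 20 40 40
}
```

The copy-then-commit structure matters as much as the checked arithmetic: a transfer that fails halfway through must not leave some receivers credited, which is the same all-or-nothing property a smart contract gets from reverting the transaction.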

There is no comprehensive list of Blockchain weaknesses

There is no comprehensive public list of such weaknesses. A number of projects are trying to build one. The US Department of Homeland Security sponsors one such effort, the Common Weakness Enumeration (CWE) database (https://cwe.mitre.org/), and there is a Solidity-focused Smart Contract Weakness Classification and Test Cases registry available from the SWC Registry (https://swcregistry.io/).

Why is a public list of such weaknesses important?

Simple. How do you find and fix weaknesses in software if you do not have a name to call them by, let alone the ability to properly describe the weakness and its possible mitigations or solutions? Also, as with most things in life, given the choice between using a public database and building their own data set, most security scanning tools use the CWE database as the baseline for the security flaws they try to detect and offer remediation guidance on.

This means that blockchain and smart contract security scanning tools will (probably) detect common and known issues like integer overflows and memory leaks. But they may not detect blockchain- and smart-contract-specific vulnerabilities as well, since there is no good, comprehensive, public database to use as a source.

CSA has documented over 200 Blockchain weaknesses

The Cloud Security Alliance is, of course, working on this issue. We currently have a rough list of almost 200 weaknesses that apply to blockchains and smart contracts, about half of which are not in any other public database of weaknesses. You can view the full list of weaknesses here →

The goal is to make this list of weaknesses more detailed and comprehensive, and to encourage other public databases (such as CWE or the SWC Registry) to include them, so that ultimately automated tools will support them, making it easier for developers and end users to find, understand and fix vulnerabilities before attackers find and exploit them. If you are interested in joining this project, please reach out to us, specifically the Attack Vectors/terms glossary sub-working group; for more information please see https://csaurl.org/DLT-Security-Framework_sub_groups

Preview of Blockchain Weaknesses

Name of weakness | Description
--- | ---
API Exposure | If an API is improperly exposed, an attacker can attack it directly.
Block Mining Race Attack | A variation on the Finney attack.
Block Mining Timejack Attack | By isolating a node, the time signal it receives can be manipulated, taking the victim out of synchronization with the network.
Block Reordering Attack | Certain cryptographic operations (such as using CBC or ECB incorrectly) allow ciphertext blocks to be re-ordered, and the result will still decrypt without error.
Blockchain Network Lacks Hash Capacity | The Blockchain/DLT network lacks hashing capacity, so an attacker can rent sufficient hashing power to execute a 51% Attack.
Blockchain Peer Flooding Attack | By creating a large number of fake peers in a network (peer-to-peer or otherwise), an attacker can cause real nodes to slow down or become non-responsive as they attempt to connect to the newly announced peers.
Blockchain Peer Flooding Attack, Slowloris variant | By creating a large number of slow peers (real systems that respond very slowly to network requests) in a network, an attacker can cause real nodes to slow down or become non-responsive as they attempt to connect to the newly announced peers. Unlike fake peers that do not exist, these slowloris peers are real but communicate slowly enough to hold sockets and resources open for minutes or hours.
Blockchain Reorganization Attack | Also referred to as an alternative history attack.
Consensus 34% Attack | A 34% attack against a BFT network; a specific instance of the Consensus Majority Attack.
Consensus 51% Attack | A 51% attack against a DLT network; a specific instance of the Consensus Majority Attack.
Consensus Attack | Attacks against the consensus protocol and system in use can take many forms. They are not limited to gaining control of the consensus mechanism; they can also be used, for example, to slow consensus down.
Consensus Delay Attack | Consensus delay attacks can allow malicious miners to gain time in order to execute other attacks.
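The Block Reordering Attack entry above is easy to reproduce and, more importantly, easy to close off. The following added example (not code from the article or from CSA) encrypts two constructed 16-byte records with raw AES-ECB, swaps the two ciphertext blocks the way an on-path attacker who does not know the key would, and shows the swapped ciphertext decrypting cleanly to the records in the opposite order. It then protects the same records with AES-GCM, whose authentication tag covers every block in position, so the same swap is rejected before any plaintext is released. The key, nonce and record contents are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demo key and nonce for a runnable illustration only; a real
// system derives keys properly and never reuses a nonce under the same key.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoNonce = []byte("demo-nonce-1")                     // 12 bytes: GCM standard nonce size
)

// Two constructed 16-byte records, exactly one AES block each.
const (
	block1 = "BLOCK-1:amount10"
	block2 = "BLOCK-2:payeeBob"
)

// ecbEncrypt encrypts each block independently. This is the weak construction:
// no chaining ties a block to its position and no tag protects the whole message.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext must be a whole number of blocks")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		c.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct, nil
}

// ecbDecrypt is the inverse; it accepts any block-aligned input without complaint.
func ecbDecrypt(key, ct []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext must be a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		c.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	return pt, nil
}

// SwapBlocks returns a copy of data with 16-byte blocks i and j exchanged,
// modelling an on-path attacker who reorders ciphertext without knowing the key.
func SwapBlocks(data []byte, i, j int) []byte {
	out := append([]byte(nil), data...)
	bs := aes.BlockSize
	copy(out[i*bs:(i+1)*bs], data[j*bs:(j+1)*bs])
	copy(out[j*bs:(j+1)*bs], data[i*bs:(i+1)*bs])
	return out
}

// EcbReorderSurvives reports whether reordered ECB ciphertext decrypts cleanly
// to the same records in swapped order. It does: nothing binds a block to its position.
func EcbReorderSurvives() (bool, error) {
	ct, err := ecbEncrypt(demoKey, []byte(block1+block2))
	if err != nil {
		return false, err
	}
	pt, err := ecbDecrypt(demoKey, SwapBlocks(ct, 0, 1))
	if err != nil {
		return false, err
	}
	return bytes.Equal(pt, []byte(block2+block1)), nil
}

// GcmReorderDetected reports whether the same reordering is caught when the
// records are protected with AES-GCM: the tag covers every block in order, so
// Open fails and no plaintext is released.
func GcmReorderDetected() (bool, error) {
	c, err := aes.NewCipher(demoKey)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(c)
	if err != nil {
		return false, err
	}
	sealed := aead.Seal(nil, demoNonce, []byte(block1+block2), nil)
	// The first 32 bytes are the two ciphertext blocks; the 16-byte tag follows them.
	_, err = aead.Open(nil, demoNonce, SwapBlocks(sealed, 0, 1), nil)
	return err != nil, nil
}

func main() {
	fmt.Println(EcbReorderSurvives()) // true <nil>
	fmt.Println(GcmReorderDetected()) // true <nil>
}
```

The defender's takeaway is that confidentiality alone says nothing about integrity: a scanner that only flags the ECB mode string will miss the same weakness in unauthenticated CBC, where reordering yields garbage rather than a clean swap but still no error. The check to write into a review or a tool rule is "is every ciphertext authenticated (GCM, ChaCha20-Poly1305, or encrypt-then-MAC) before it is decrypted?"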

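The Block Mining Timejack Attack entry above turns on how a node derives "network time" from its peers. This added example (not code from the article, from CSA, or from any particular client) models the usual defence: take the median of peer-reported clock offsets, clamp it to a fixed maximum, and flag the node when the median is far from the local clock. The constants (70-minute clamp, 2-hour future drift, 30-minute warning threshold) and the peer offsets are constructed assumptions for the demonstration, not any client's actual settings. Eclipsing the node with peers that all claim a 3-hour offset still shifts its view, but only by the clamp, and the disagreement is detectable.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Constructed illustration of a network-adjusted clock and why it must be
// bounded. These constants are assumptions for the demo, not any client's values.
const (
	MaxAdjustment  = 70 * time.Minute // largest shift the peer median may impose
	MaxFutureDrift = 2 * time.Hour    // how far ahead of adjusted time a block may claim to be
	WarnThreshold  = 30 * time.Minute // median offset beyond which peers disagree suspiciously
)

// medianOffset returns the median of peer-reported clock offsets (0 if none).
func medianOffset(offsets []time.Duration) time.Duration {
	if len(offsets) == 0 {
		return 0
	}
	s := append([]time.Duration(nil), offsets...)
	sort.Slice(s, func(i, j int) bool { return s[i] < s[j] })
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// clamp bounds d to the range [-limit, limit].
func clamp(d, limit time.Duration) time.Duration {
	if d > limit {
		return limit
	}
	if d < -limit {
		return -limit
	}
	return d
}

// NetworkAdjustedTime is the local clock shifted by the clamped peer median.
// Isolating a node and surrounding it with peers that all report a large
// offset (the timejack in the table) moves this value, but only by the clamp.
func NetworkAdjustedTime(local time.Time, offsets []time.Duration) time.Time {
	return local.Add(clamp(medianOffset(offsets), MaxAdjustment))
}

// PeersDisagree flags the condition a defender wants logged and alerted on:
// the peer median is far from the local clock, which means either a bad local
// clock or a manipulated peer set. Either way, the node should not trust its
// adjusted time blindly.
func PeersDisagree(offsets []time.Duration) bool {
	m := medianOffset(offsets)
	return m > WarnThreshold || m < -WarnThreshold
}

// AcceptBlockTime applies the future-drift rule against adjusted time.
func AcceptBlockTime(blockTime, adjustedNow time.Time) bool {
	return !blockTime.After(adjustedNow.Add(MaxFutureDrift))
}

// repeat builds n copies of an offset, used to model an attacker's peer set.
func repeat(d time.Duration, n int) []time.Duration {
	out := make([]time.Duration, n)
	for i := range out {
		out[i] = d
	}
	return out
}

func main() {
	local := time.Unix(1700000000, 0).UTC() // constructed local clock
	honest := []time.Duration{-2 * time.Second, time.Second, 0, 3 * time.Second, -time.Second}
	fmt.Println(NetworkAdjustedTime(local, honest).Equal(local)) // true

	// Eclipsed: the same 5 honest peers plus 20 attacker peers all claiming +3h.
	attacked := append(append([]time.Duration(nil), honest...), repeat(3*time.Hour, 20)...)
	adj := NetworkAdjustedTime(local, attacked)
	fmt.Println(adj.Sub(local))                              // 1h10m0s, not 3h0m0s
	fmt.Println(PeersDisagree(attacked))                     // true
	fmt.Println(AcceptBlockTime(local.Add(4*time.Hour), adj)) // false
}
```

Note the residual effect the test below pins down: even with the clamp, the eclipsed node accepts a block timestamped up to 3h10m ahead of its own clock, where an unmanipulated node would stop at 2h. That is why the PeersDisagree signal should feed monitoring rather than be ignored, and why a trustworthy local clock (NTP from sources the node operator controls) is part of the mitigation.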