By Kurt Seifried, Chief Blockchain Officer at Cloud Security Alliance
Blockchain attacks are very hot right now for one simple reason: it’s where the money is.
If you attack and compromise a database, you need to take that data and then sell it to monetize your attack. If you compromise a web server, you need to install some malware to harvest credit card details, and then monetize that data by selling it. But if you steal cryptocurrency? That’s literally money in the attacker’s wallet now.
The good news: law enforcement is getting better at tracing these transactions and following the money. The bad news: the blockchain industry is not very mature when it comes to identifying vulnerabilities and weaknesses.
Attacks rely on a vulnerability being present so that they can exploit it. These vulnerabilities are implemented in software (web services, smart contracts, the underlying blockchain system, etc.) and can be any number of weaknesses such as logic bugs, reentrancy issues, integer overflows and so on.
There is no comprehensive list of Blockchain weaknesses
And there is no comprehensive public list of weaknesses. There are a number of projects trying to do this: the US Government Department of Homeland Security actually sponsors one such effort, the Common Weakness Enumeration database (https://cwe.mitre.org/), and there is a Solidity-focused Smart Contract Weakness Classification and Test Cases available from the SWC Registry (https://swcregistry.io/).
Why is a public list of such weaknesses important?
Simple. How do you find and fix weaknesses in software if you don’t have a name to call them, let alone the ability to properly describe the weakness and possible mitigations or solutions? Also, like most things in life, given the choice between using a public database and building their own data set, most security scanning tools use the CWE database as the baseline for the security flaws that they try to detect and offer remediation guidance on.
This means that Blockchain and smart contract security scanning tools will (probably) detect common and known issues like integer overflows and memory leaks. But they may not detect Blockchain- and smart-contract-specific vulnerabilities as well, since there is no good, comprehensive, public database to use as a source.
CSA has documented over 200 Blockchain weaknesses
The Cloud Security Alliance is of course working on this issue. We currently have a rough list of almost 200 weaknesses that apply to Blockchain and smart contracts, about half of which are not in any other public database of weaknesses. You can view the full list of weaknesses here →
The goal is to make this list of weaknesses more detailed and comprehensive, and to encourage other public databases (such as CWE or SWC Registry) to include them, so that ultimately automated tools will include support for them, making it easier for developers and end users to find, understand and fix vulnerabilities because attackers find and exploit them. If you are interested in joining this project, please reach out to us, specifically the Attack Vectors/terms glossary sub Working Group. For more information, please see https://csaurl.org/DLT-Security-Framework_sub_groups
Preview of Blockchain Weaknesses
|Name of weakness|Description|
|---|---|
|API Exposure|If an API is improperly exposed an attacker can attack it|
|Block Mining Race Attack|A variation on the Finney attack|
|Block Mining Timejack Attack|By isolating a node the time signal can be manipulated getting the victim out of synchronization|
|Block Reordering Attack|Certain cryptographic operations (such as using CBC or ECB incorrectly) allow blocks to be re-ordered and the results will still decrypt properly|
|Blockchain Network Lacks Hash Capacity|The Blockchain/DLT network lacks hashing capacity, an attacker can rent sufficient hashing power to execute a 51% Attack|
|Blockchain Peer flooding Attack|By creating a large number of fake peers in a network (peer to peer or otherwise) an attacker can cause real nodes to slow down or become non responsive as they attempt to connect to the newly announced peers.|
|Blockchain Peer flooding Attack Slowloris variant|By creating a large number of slow peers (real systems that respond very slowly to network requests) in a network an attacker can cause real nodes to slow down or become non responsive as they attempt to connect to the newly announced peers. Unlike fake peers that do not exist these slowloris peers are real but communicate slowly enough to hold sockets and resources open for minutes or hours.|
|Blockchain reorganization attack|Also referred to as an alternative history attack|
|Consensus 34% Attack|34% Attack against BFT network, a specific instance of Consensus Majority Attack|
|Consensus 51% Attack|51% Attack against DLT network, a specific instance of Consensus Majority Attack|
|Consensus Attack|Attacks against the consensus protocol and system in use can take many forms and are not limited to gaining control of the consensus mechanism but can also be used to slow down consensus for example|
|Consensus Delay Attack|Consensus Delay Attacks can allow malicious miners to gain time in order to execute other attacks|