Table of ContentsCyber-Attack Strategies in the Blockchain Era – A Framework for Categorizing the Emerging Threats to the Crypto EconomyMarket attacksPump-and-dumpExit scamRug-pullInvestment scamFront runningEconomic attacksPhishingSpear phishingExtortionRansomwareChurningCelebrity-based scamsConsensus attacksFinney attackRace attackVector7651% majority attackNothing-at-stakeWeak subjectivityLiveness denialCensorshipPrecomputation attackSelfish miningBribery attacksLong-range PoS attacksSimplePosterior CorruptionStake BleedingNetwork-level attacksRouting attacksSybil attacksDDoS (Distributed Denial of Service)Eclipse attacksTransaction MalleabilityTimejackingWallet attacksSeizure of Private Keys (Hot Wallets)Cold wallet hacksFake WalletsSIM-SwapSecurity phrase handlingDictionary attacksVulnerable signaturesSmart contract attacksReentranceFlash loan exploitTransaction Order DependenceTimestamp DependenceBlockhash usageArithmetic ExploitShort Address AttackDelegateCallDefault visibilities Cyber-Attack Strategies in the Blockchain Era – A Framework for Categorizing the Emerging Threats to the Crypto Economy Market attacks Rely on the mass-manipulation of investors through asymmetric information Pump-and-dump Parties conspire to artificially inflate (pump) the price of an asset using various manipulation tactics (spoofing, wash selling, layering), in advance of selling (dumping) their stake. The reverse technique can be used to acquire an asset below fair value in a short-selling strategy. Exit scam A project such as an ICO or DAO raises substantial capital from investors, before unexpectedly terminating all operations. Rather than returning the capital to investors, the founders disappear with all the funds. Rug-pull A common DeFi exit scam, whereby creators of a token pair it with a legitimate coin (BTC,...Read More

Security Threats to Blockchain Networks – The utopian view of the blockchain as an unhackable alternative to the status quo is a pipedream. Many traditional cyberattacks are effective in a blockchain-based setting, and even cryptographically-secured processes are prone to errors and exploits. Understanding the potential attack vectors is a prerequisite to building a stable blockchain-based alternative to today’s centralized networks. Introduction to Blockchain Security Threats The capacity for blockchain to alter the modern-day economy and society is immense. This potential goes well beyond the creation of cryptocurrencies and trustless payment systems. While still early in their evolution, blockchain networks have been shown to enable new means of exchanging value (tokenization), making agreements (smart contracts), and constructing corporate entities (DAOs). This is just the beginning of what is likely to be an epoch-defining trajectory. As the underlying technology of ‘Web3’ (the next iteration of the internet), much rides upon the blockchain’s ability to overcome the obstacles in its path. Not least of which is are the security threats of malicious actors – hackers, criminals, and government agencies – to divert its power to their own ends. In this article, we examine the potential blockchain security threats from as wide a variety...Read More

Smart Contract Risk and How to Mitigate It: A Deep-dive The strengths of smart contracts are also the source of its weaknesses, and will always present opportunities for hackers to exploit. So far, the pace of innovation in counter-measures is struggling to keep pace with innovation in the methods of attack. It’s reasonable to assume that as the Web3 environment stabilizes, an equilibrium will be achieved. However, the threat cannot be eliminated, and vigilance will always be a necessity. Introduction In her seminal book on Web3 fundamentals, The Token Economy, Shermin Voshmgir defines a smart contract as ‘a self-enforcing agreement, formalized as software.’ She also offers the more intuitive example of a snack vending machine, which executes an agreement if and only if a condition is fulfilled (coin deposited → snack delivered). Smart contracts are the building blocks of dApps (decentralized applications) and DAOs (on-chain self-governing corporate structures). They can therefore be seen as one of the “primitives” for creating a viable on-chain economy for financiers, musicians, and one day – presumably – the consumer public at large. The advantages of smart contracts versus traditional enforcement mechanisms are obvious. Computer code is cheaper and faster than bureaucratic processes involving (often...Read More

Network Attacks: A Deep-dive Network attacks are a class of exploits that focus on the isolation and manipulation of individual nodes or groups of nodes. While blockchain networks are theoretically robust against such attempts, both hackers and academics have found loopholes that can be used not only to defraud and damage individuals, but also scale up to take down entire exchanges. While easily overlooked, the list of network attacks is likely to grow in the years ahead, and is worth preparing for. Introduction A blockchain network is powered by the exchange of information between nodes. These are the individual ‘worker ants’ whose collective strength makes the system function, and whose distributed nature makes the network secure. According to the logic, it is hard to corrupt a network of nodes, because you have to corrupt each one individually. To take a political analogy, a blockchain is similar to Switzerland, as opposed to a traditional centralized network, which is more like a banana republic. In order to influence the public policy of the latter, you would need to bribe a dictator and a perhaps a handful of officials. Switzerland, on the other hand, is so decentralized that a well-traveled, well-educated citizen may...Read More

Consensus Attacks: A Deep-dive Where centralized systems operate on the basis of centralized permission, blockchain protocols proceed on the basis of decentralized consensus. While this is more secure in theory, the system is not flawless. All blockchains are susceptible to consensus attacks, thanks to the ability to simulate, force, or circumvent majority consent for a nefarious aim. Solutions can be found for some of these consensus attacks, but ultimately, the only solution to the consensus problem may be scale. Introduction The democratic nature of blockchain technology relies on the fact that it is permissionless. This refers to the fact that anyone can take part in the process of sending, receiving, and confirming transactions. However, in order for transactions to take place, users still require the ‘permission’ of the decentralized network to ensure that the transactions are recorded properly and are valid. This is the Consensus process, and is foundational to the security of a blockchain, owing to the absence of a centralized entity or police force. Since, therefore, everything in a blockchain happens by consensus, consensus attacks represents the most fundamental form of attack on a blockchain network. It theoretically allows a single user or group to re-write the history...Read More

Wallet Attacks: A Deep-dive Wallets are a logical target for cyber-attacks, along with the emerging institutions that hold custody of them on users’ behalf. While secured with technically unbreakable code, hackers have found numerous ways to execute wallet attacks and gain illicit access to user wallets, whether by deception, theft, or ingenuity. In responding to this wallet attacks threat, the crypto-industry must consider whether to opt for traditional KYC-based measures or to seek crypto-native solutions to this perennial issue. If the industry fails to agree, it could lead to a two-tier system of ‘pure’ crypto institutions and players that embrace centralized and a certain necessary degree of bureaucracy. Introduction The amount of cryptocurrency lost to scams went up by a factor of 10 from 2020 to 2021. As the crypto market has boomed, so has the value contained in crypto wallets and the interest of would-be scammers in finding ways around their security. Compared with a physical wallet, the crypto wallet is a far more attractive target for thieves as it is capable of holding millions of dollars worth of tokens, and is accessible from anywhere in the world. Furthermore, if you know the public address of an individual, it...Read More