Over the past few years, a handful of high profile cryptocurrency hacks have deeply shaken the cryptocurrency world. The intention of this article is not to scare anyone away from cryptocurrencies but to explain why these attacks happened. Understanding past vulnerabilities enables the blockchain and crypto community to grow stronger and more resilient to future attacks.
MT.GOX & Bitcoin
The first example is one of the most well-known attacks in history. In 2013, Japan-based MT.Gox was the biggest bitcoin exchange in the world, handling around 70% of all Bitcoin transactions. The exchange had a troubled history before the attack, including a smaller breach in 2011.
[QUOTE]There were some red flags prior to the attack (Source: Blockgeeks):
~ There was no use of Version Control Software (VCS), which would keep track of all changes made in the code base and allow rolling back to any previous versions if needed.
~ There was no testing policy, meaning that untested code was deployed to transfer crypto assets worth millions.[/QUOTE]
This brings us to the hack that cost the exchange roughly US$473 million. On February 7, 2014, the company halted all Bitcoin withdrawals to investigate why transactions were being delayed. It concluded that it had been the target of a transaction malleability attack. Transaction malleability means that a third party can alter a transaction after it has been signed but before it is confirmed, without invalidating the signature: the signed content (which coins are spent, and to whom) cannot be changed, but the encoding of the signature itself can, and because the transaction ID is a hash over the whole transaction, the ID changes. Once the altered version is confirmed, the original ID will never appear on the chain, and the confirmed transaction cannot be undone, since the blockchain is immutable. MT.Gox's software tracked withdrawals by transaction ID, so a malleated withdrawal looked like one that had never confirmed even though the coins had in fact been sent, and the exchange's systems would issue it again. MT.Gox attributed the loss of roughly US$473 million worth of Bitcoin to this flaw.
The timing of the attack was unfortunate: Bitcoin was just beginning to gain mainstream exposure, and many feared the attack would set back confidence in the system by four to five years. The price fell sharply but recovered quickly. MT.Gox filed for bankruptcy shortly afterwards.
DAO & Ethereum
The second case is The DAO and the Ethereum hard fork that followed it. The DAO was a complex smart contract intended to act as a decentralized venture capital fund that would finance Dapps built on Ethereum. Anyone who wanted a say in which Dapps got funded bought DAO tokens with Ether. Proposals that received a stamp of approval from The DAO's curators were put to a vote of the token holders, and a proposal that reached 20% approval received its funding.
Within 28 days of launch, The DAO had accumulated over US$150 million worth of Ether, roughly 14% of all Ether in existence at the time. Anyone who wanted to leave The DAO exchanged their DAO tokens back for Ether, which was then locked for 28 days before it could be withdrawn to a personal wallet.
On June 17th, 2016, an attacker exploited a flaw in this exit path and siphoned off about a third of The DAO's funds, roughly 3.6 million Ether, worth about US$50 million at the time.
When a participant asked to exit The DAO, the contract did two things in order:
1. It exchanged the participant's DAO tokens for Ether and sent that Ether out, and
2. It then updated the ledger, zeroing the participant's token balance.
The attacker's contract abused the gap between the two steps. Sending Ether to a contract hands control to that contract's fallback code, and the attacker's fallback code immediately called the exit function again. Because step 2 had not yet run, the ledger still showed the original token balance, so The DAO paid out again for tokens it had already paid for. The attacker repeated this recursively, draining far more Ether than the tokens were worth. This pattern is now known as a reentrancy bug.
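As an added example (not The DAO's actual contract code, and written in Python rather than Solidity so it can be run without a blockchain), the following models the two-step exit above. The vulnerable version pays out before updating the ledger and is drained by a recipient whose callback re-enters; the fixed version applies the checks-effects-interactions ordering and zeroes the balance before sending. The participants, amounts and the recursion limit are constructed.

```python
class VulnerableDAO:
    """Exit handled in the order the article describes: pay out first, update the ledger second."""

    def __init__(self):
        self.balances = {}   # DAO tokens per participant
        self.ether = 0       # Ether held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.ether:
            return
        # Step 1: send the Ether. In the EVM the transfer runs the recipient's fallback
        # code before control returns here.
        self.ether -= amount
        who.receive(self, amount)
        # Step 2: the ledger is updated only after the call returns, so a re-entrant
        # call made during step 1 still saw the full balance.
        self.balances[who] = 0


class FixedDAO(VulnerableDAO):
    """Checks-effects-interactions: zero the balance before any external call."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.ether:
            return
        self.balances[who] = 0
        self.ether -= amount
        who.receive(self, amount)


class Honest:
    """Ordinary participant whose fallback just accepts the payment."""

    def __init__(self):
        self.received = 0

    def receive(self, dao, amount):
        self.received += amount


class Attacker:
    """Its fallback re-enters withdraw() while the first withdrawal is still in step 1."""

    def __init__(self, max_depth=64):
        self.received = 0
        self.depth = 0
        self.max_depth = max_depth  # stands in for the gas and call-depth limits of a real EVM

    def receive(self, dao, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            dao.withdraw(self)


def run(dao_cls, honest_funds=9, attacker_funds=1):
    """Constructed scenario. Returns (Ether the attacker ends up with, Ether left in the contract)."""
    dao = dao_cls()
    honest, attacker = Honest(), Attacker()
    dao.deposit(honest, honest_funds)
    dao.deposit(attacker, attacker_funds)
    dao.withdraw(attacker)
    return attacker.received, dao.ether
```

With the vulnerable ordering the attacker, holding tokens worth 1 Ether, walks away with all 10 Ether in the contract; with the fixed ordering the re-entrant call finds a zero balance and the attacker gets exactly 1.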
The community eventually decided that a hard fork was the best remedy: the chain was rolled back to a state before the hack, affected participants had their funds returned, and the contract's flaw was fixed. Many people disagreed with rewriting history to solve the problem and stayed on the original chain. The split produced today's Ethereum (the forked chain that reversed the attack) and Ethereum Classic (the original chain on which the DAO hack remains).
Bitfinex & Bitcoin
The third case is the second largest bitcoin exchange theft after MT.Gox: in 2016, Hong Kong based exchange Bitfinex lost 120,000 BTC, worth about US$72 million at the time.
Bitfinex had partnered with BitGo to give users multi-signature wallets as a security improvement. A multi-signature wallet requires a set number of the keys linked to it to sign any transaction, so instead of a single sign-off there would be at least two independent checks. Unfortunately, the way this was deployed is what opened the door to the attackers.
Once the attackers had compromised the Bitfinex servers, they could obtain both the Bitfinex controlled signature and the BitGo controlled signature on every withdrawal, so each one looked like a legitimate, fully authorized transaction. The theory is therefore that these wallets were not multi-signature in any meaningful sense: there was a single point of failure, and it was Bitfinex's servers.
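As an added example (not code from the article, Bitfinex or BitGo, and not a description of BitGo's actual service), the following Python models the difference between a second key that signs whatever the first party's servers request and a second key whose owner applies its own policy from its own records. The requests, amounts and daily limit are constructed.

```python
# Constructed model of a 2-of-2 exchange + co-signer wallet. The co-signer's key is never
# exposed; the question is whether its owner exercises independent judgement.

ATTACK_REQUESTS = [{"amount": 10_000, "api_key_valid": True}] * 12  # constructed: 120,000 BTC in 12 calls
LEGIT_REQUESTS = [{"amount": 500, "api_key_valid": True}]           # constructed: one ordinary withdrawal


def rubber_stamp_cosigner(request, state):
    """Signs anything that arrives with the exchange's valid API credentials. An attacker who
    controls the exchange's servers has those credentials, so this adds no real check."""
    return request["api_key_valid"]


def independent_cosigner(request, state):
    """Applies its own policy before signing: here a daily limit tracked in the co-signer's
    own ledger, which the exchange's servers cannot tamper with."""
    if not request["api_key_valid"]:
        return False
    if state["sent_today"] + request["amount"] > state["daily_limit"]:
        return False
    state["sent_today"] += request["amount"]
    return True


def process_withdrawals(requests, cosigner, state, required=2):
    """Returns the total amount that gathered the required number of signatures."""
    approved = 0
    for request in requests:
        signatures = set()
        if request["api_key_valid"]:        # the exchange's key signs whatever its servers request
            signatures.add("exchange-key")
        if cosigner(request, state):
            signatures.add("cosigner-key")
        if len(signatures) >= required:
            approved += request["amount"]
    return approved


def fresh_state(daily_limit=2_000):
    return {"daily_limit": daily_limit, "sent_today": 0}
```

Counting keys is what the wallet script checks; counting parties that can independently refuse is what the security goal requires. With a rubber-stamp co-signer the attacker's twelve requests all gather two signatures; with an independent policy none of them do, while an ordinary withdrawal still goes through.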
As with the previous hacks, Bitcoin's price fell, dropping nearly 20% to a low of about $480, before recovering and reaching new all-time highs the following year (2017). In response to the attack, Bitfinex issued a BFX token to its users as an IOU for their losses; by April 2017 it had bought back all of the tokens and settled the debt.
Closing Thoughts
These infamous attacks were not only large in scale but also had a lasting impact on the community, most visibly in the split into Ethereum and Ethereum Classic. None of them broke the underlying blockchain protocol: the Bitcoin and Ethereum chains themselves were not compromised. The failures were in what was built on top of them, an exchange's transaction bookkeeping, a smart contract's ordering of payout and ledger update, and a multi-signature deployment with a single point of control. These attacks also show that the cryptocurrency community can recover from such setbacks and come out stronger.