Despite all the hype about the security and accountability of blockchain technology, hacking incidents, theft, and abuse of contracts do happen; here are my notes on them.
- When: August 2010
- Target: Bitcoin system
- Lost: nothing? One hacker created a single block containing a transaction that output 184 billion bitcoins
- Consequence: software patched
- How: exploit a bug
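The August 2010 incident is the one usually called the "value overflow" bug: the sum of a transaction's output values was accumulated in a signed 64-bit integer, so two enormous outputs wrapped to a small negative total and passed the "outputs must not exceed inputs" check. The block below is an added example written for these notes, not Bitcoin's own code; `wrap_int64`, `is_valid_pre_patch`, `is_valid_post_patch` and the sample amounts are all constructed here to model that check before and after the fix.

```python
# Added example (not Bitcoin's own code): a simplified model of the 2010 "value overflow"
# bug class. Amounts are in satoshi; the two constructed outputs below are each just under
# the signed 64-bit maximum, so their sum wraps negative under C-style arithmetic.

MAX_MONEY = 21_000_000 * 100_000_000      # 21 million BTC expressed in satoshi
INT64_MAX = (1 << 63) - 1


def wrap_int64(x):
    """Emulate two's-complement wraparound of a signed 64-bit integer."""
    x &= (1 << 64) - 1
    return x - (1 << 64) if x > INT64_MAX else x


def outputs_sum_wrapping(outputs):
    """Sum output values the way a naive int64 accumulator would (can overflow)."""
    total = 0
    for value in outputs:
        total = wrap_int64(total + value)
    return total


def is_valid_pre_patch(inputs_total, outputs):
    """Pre-patch style check: each output non-negative, wrapped sum must not exceed inputs.
    A pair of huge outputs wraps to a small negative total and slips through."""
    if any(value < 0 for value in outputs):
        return False
    return outputs_sum_wrapping(outputs) <= inputs_total


def in_money_range(value):
    """Range check applied to every output and every running total after the patch."""
    return 0 <= value <= MAX_MONEY


def is_valid_post_patch(inputs_total, outputs):
    """Post-patch style check: every output and every running total must stay within
    [0, MAX_MONEY] before the outputs-vs-inputs comparison is even attempted."""
    total = 0
    for value in outputs:
        if not in_money_range(value):
            return False
        total += value                     # Python ints do not wrap; the range check catches it
        if not in_money_range(total):
            return False
    return total <= inputs_total


# Constructed sample: a 50 BTC input funding two outputs of ~92.2 billion BTC each
# (together roughly the 184 billion BTC mentioned in the notes).
INPUT_TOTAL = 50 * 100_000_000
OVERFLOW_OUTPUTS = [9_223_372_036_854_275_808, 9_223_372_036_854_275_808]
HONEST_OUTPUTS = [40 * 100_000_000, 9 * 100_000_000]   # 49 BTC out, 1 BTC fee

if __name__ == "__main__":
    print("wrapped sum of overflow outputs:", outputs_sum_wrapping(OVERFLOW_OUTPUTS))
    print("pre-patch accepts overflow tx:", is_valid_pre_patch(INPUT_TOTAL, OVERFLOW_OUTPUTS))
    print("post-patch accepts overflow tx:", is_valid_post_patch(INPUT_TOTAL, OVERFLOW_OUTPUTS))
    print("post-patch accepts honest tx:", is_valid_post_patch(INPUT_TOTAL, HONEST_OUTPUTS))
```

The point of the post-patch shape is that the range check runs on every partial sum, not just on the final comparison, so no sequence of individually plausible outputs can produce a total the comparison was never designed to see.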
- When: June 2011 (1st) March 2014 (2nd)
- Target: Mt Gox exchange
- Lost: $473m bitcoin stolen by hacker, $27.4m missing from bank accounts, coin sent to invalid addresses with no keys (burnt)
- Consequence:
  - bankruptcy and CEO Mark Karpelès in jail
  - charges: embezzlement of funds, manipulating the balance of his personal MtGox account
  - chief suspected hacker supposedly identified and arrested in Greece for money laundering
- How:
  - mismanagement, neglect, inexperience
  - "tech geek turned CEO", irresponsible (not in the office while the site was down and two invited experts were working to help), obsessed with distractions (while serious things were happening), etc.
  - poor practice: no version control, test environment only introduced recently, messy code
  - years-long hacking
    - September 2011: hot wallet private keys stolen
    - moreover, the Mt. Gox system was confused (due to the key theft) into incorrectly crediting multiple user accounts
- Lessons
  - person factor: hubris, evasion of serious problems
  - safeguard private keys!!!!! (needs study)
  - 3rd-party review and audit, etc.; learn from the financial industry
    - standalone auditing of transactions, etc.
  - while blockchain technology may be secure and reliable per se, the surrounding systems and humans are not (private key management, exchange with "real gold", etc.)
  - use cold wallet storage to keep funds safe
    - cold wallets are not connected to the internet (inconvenient but safe)
    - hardware wallet (needs to be plugged in, and the private key never leaves that hardware?)
- References:
  - http://blog.wizsec.jp/2017/07/breaking-open-mtgox-1.html
  - https://www.wired.com/2014/03/bitcoin-exchange/
- When: January 2015
- How: a system administrator fell victim to a phishing scam; wallet hacked
Ethereum DAO blockchain rewrite
- When: June 2016
- Target: the DAO, a leaderless organization relying on an open-source smart contract
- How:
  - Sounds like a design flaw in the smart contract implementation: someone "casually pointed out a terrible, terrible attack on wallet contracts" that could arise from the way some developers were implementing smart contracts written in Ethereum's Solidity language
- Consequence: possible Ethereum network hard fork?
- When: Dec 2017
- Target: mining marketplace NiceHash
- Lost: 4700 bitcoin ($63.92M)
- Consequence: clients asked to change passwords
- How:
  - "a highly professional attack with sophisticated social engineering"
- When: Dec 2017
- Target: South Korean "bitcoin exchange"
- Lost: 1/5 customers holdings, or $35M in digital currencies
- Consequence: filed for bankruptcy
- How:
Coinbase Individual Customer Robbery
- Coinbase has "bank-like" security; its own accounts have never been hacked
- Individual customers do get burglarized
- "Sean Everett": phone number switched, Gmail breached (two-step), account breached
- Details:
  - Traditional wallet: users manage their own private keys
    - they are to blame if hacked
    - "equivalent of stuffing cash under the mattress"
  - Coinbase:
    - stores keys on customers' behalf (big responsibility)
- Other attacks and unexpected incidents
  - "flash crash": Ethereum fell to 10c for a brief stretch; courtesy reimbursement to traders
  - denial of service attack; customers threatened to sue after Coinbase initially refused to handle Bitcoin Cash
  - credit card reversals, fraudulent transactions
  - preemptively limiting accounts using analytics: frustrated customers and a backlog of help-desk requests
- Lesson:
  - “One of [Bitcoin’s] reasons for existence is that it’s censorship-resistant,” and therefore the fraud protections traditional bank depositors rely on are mostly unavailable. “Any kind of charge-back and reversibility would be the antithesis of what Bitcoin was created to achieve”