What Recent Supply Chain Attacks On IOTA and Monero Can Teach Us About Blockchain Security

Today’s post is authored by Stefan Beyer, CEO @ Cryptonics, Blockchain Consultant and Smart Contract Auditor. If you are interested in learning about blockchain technology, we recommend checking out the recently created Cryptonics Academy. Please enjoy.


A False Sense of Security

Blockchains are protected by complex mathematical protocols and by decentralization. Cryptographic primitives, such as digital signatures and hashing, are used to verify transaction authenticity and the integrity of the data stored on the blockchain. It is only through these primitives that the concept of digital ownership can be secured. Decentralization makes it incredibly hard for an attacker to gain sufficient control over a blockchain to alter transaction history or apply censorship.

This means that blockchains are quite secure at the protocol level. Although there are confirmed incidents of protocol-level breaches, such as 51% attacks, these are relatively rare and confined to smaller blockchains. Nevertheless, digital assets represented on blockchains are stolen on an alarmingly regular basis, even from large established networks.

In a recent article, we identified smart contracts as a significant risk vector. In this article, we look at two recent high-profile attacks in order to highlight hidden dangers in the security of support systems that allow attackers to sidestep the sophisticated cryptographic defense mechanisms blockchain protocols provide. This type of attack is typically called a supply chain attack, as it focuses on less secure parts of a project’s supply chain.


The 5 Most Common Smart Contract Vulnerabilities

Today’s post is authored by Stefan Beyer, CEO @ Cryptonics, Blockchain Consultant and Smart Contract Auditor. Please enjoy.


Smart contracts are hard to get right. Their three main properties, the ability to hold value, transparency, and immutability, are essential for them to work. However, these properties also turn smart contracts into a security risk and a high-interest target for cybercriminals. Even without deliberate attacks, there are plenty of examples of funds getting stuck and companies losing money due to smart contract bugs and vulnerabilities.

Over the last two years, we have audited the smart contracts of more than 40 projects here at Cryptonics. The contracts audited include different types of asset tokenization, insurance policies, decentralized finance platforms, investment funds, and even computer games. We have observed certain trends in the types of vulnerabilities that we usually encounter, and some issues seem more common than others. In this article, we will describe the five most common issues we detect in our daily auditing activities.


Security of blockchain-based smart contracts II – Known Vulnerabilities and Pitfalls

In the previous part of this series on blockchain security we looked at the risks associated with deploying autonomously executing smart contracts on a public blockchain. We also introduced some high-profile examples of attacks on smart contracts that have caused the loss of large sums of money and changed the way we look at business interactions on the blockchain.

In this episode we will review some known issues and vulnerabilities.

Private Key Leakage

Using unsafe private keys is really a case of user error, rather than a vulnerability. However, we mention this nevertheless, as it happens surprisingly often, and certain players have specialized in stealing funds from unsafe addresses.

What usually happens is that development addresses (such as those used by testing tools like Ganache/TestRPC) are used in production. These are addresses generated from publicly known private keys. Some users have even unknowingly imported these keys into wallet software, by using the original seed words used in private key generation.

Attackers are monitoring these addresses, and any amount transferred to such an address on the main Ethereum network tends to disappear immediately (within 2 blocks).

Security of blockchain-based smart contracts I

Recently, blockchain technology has been advocated as a game changer for many industries. Distributed ledger technology that has emerged out of Bitcoin has promising applications beyond digital currencies.

One of the most promising use cases of blockchain technology is the development of smart contracts.

Smart contracts are self-executing contracts, in which the terms are specified in code. Essentially, this means encoding legal contracts in computer code, which executes them automatically.

Whilst the concept has been around for a while, at least since Nick Szabo wrote it up in 1996, it was not until the advent of the Turing-complete Ethereum blockchain that smart contract use became common.

Contracts on the Ethereum blockchain exist at contract addresses and can be invoked by transaction calls.

Executing contracts written in code and stored on an immutable public blockchain creates certain risks and issues, which we will discuss in a general way in this post. In an upcoming second part, we will look at more specific examples of smart contract security vulnerabilities.