Been a while in the series innit?
In the last issue, we discussed consensus algorithms and how they secure the Blockchain. In this issue, we will go over the possible attacks in the Blockchain ecosystem and how they can be mitigated. Let's get started, shall we?
First off, it should be noted that a good number of web3/Blockchain attacks that have happened in recent times are not due to the Blockchain itself, but rather the protocols (applications) built on top of the Blockchain.
Just like every system built with technology, the Blockchain could be open to attacks from hackers, a famous one being the infamous DAO (Decentralized Autonomous Organization) hack that happened on the Ethereum network around 2016 due to a bug in the DAO protocol's code; over $10 million dollar worth of Ethereum was stolen in this attack.
The aforementioned attack is regarded as a Reentrancy attack. An attack where a malicious smart contract makes a call to an external contract (e.g. to withdraw funds for a user), the funds are withdrawn and before the external contract updates its balances, the malicious contract makes another call to withdraw the user's balance (that has not been updated from the previous withdrawal), this goes on until the external contract is drained by the malicious contract. This attack can be prevented by following the CEI (Checks-Effects-Interactions) pattern or by using reentrancy guards.
Another attack is the 51% attack, this attack is feasible in Blockchain networks with a few nodes. In this attack, malicious actor has a majority of the nodes (>=51%) on the Blockchain, therefore he is technically in control, he can reverse transactions, perform double spending and can even fork a new chain since the Blockchain follows the majority rule. However, this is not feasible in networks with a huge number of nodes like Ethereum and Bitcoin due to the financial and computational overhead costs to carry out this attack. The 51% attack is a specific type of Sybil attack - an attack where a person creates multiple fake identities to gain control of the network.
Another classic Blockchain attack is the Replay attack, where a previous transaction is maliciously resent to the network, this can lead to issues like double spending. However, this has been mitigated by adding a nonce (a number that can be used only once) to transactions, trying to resend a transaction with the same nonce is not possible as the Blockchain nodes will see that the number has been used in a prior transaction. A Chain ID has also been added to prevent replay attacks across different chains.
Lastly, in the scope of this article, there are inflation and front running attacks, these attacks are common in DeFi protocols. It involves a user jumping ahead of a pending transaction (for example, a token swap) and executing their own trade/swap at a more favourable price which would affect the pending transaction and cause it to be executed at a higher price, meaning both users execute the same transaction but one pays more. This can be prevented by using slippage tolerance, this would cause the transaction to revert/fail if the trade would be unfavourable.
In conclusion, while the Blockchain is somewhat very secure and tamper-proof, users should take caution when interacting with Blockchain protocols. DO NOT share your private keys/secret recovery phrases and only sign transactions you trust.
Till the next issue, stay frosty.
Top comments (1)
This is a great read
Clear, practical, and straight to the point. I especially like how you emphasize that most exploits come from protocol design, not the blockchain itself. The DAO and reentrancy explanation is crisp, and the mitigations are actually useful.
Security education like this is underrated. Keep the series going