Let’s remind ourselves that the cryptocurrency financial system is still under development and is far from ideal. Many of the advantages of DeFi turn into disadvantages that scammers are always happy to exploit. Recently, there has been more and more news along the lines of 'platform hacked in a flash-loan attack', either without explanation or with purely technical explanations. In this article, we will try to clarify this type of attack and other ways a blockchain can be hacked.
Although the topic of flash loans is still developing, a number of large-scale attacks have already been carried out. Because flash loans have no limits on amounts and require no collateral, millions of dollars in ETH can be borrowed to make a significant profit.
To better understand the process, let's consider the very phenomenon of a flash loan, the principles of its operation, and its usage.
A flash loan is a tool by which DeFi users can borrow a large amount of funds in digital assets without collateral for a period of time. A loan without collateral means that borrowers do not have to provide proof of income and other liabilities.
Such a risk-free loan works somewhat like this: the lender lends you as much money as you like, but only for one particular transaction. By the end of this transaction, you must return to the lender as much as you have borrowed.
If you are unable to do so, the transaction will be automatically canceled! In other words, the loan is atomic: if you cannot repay it, everything is rolled back, as if there had been no loan.
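The atomic behaviour described above can be modelled in a few lines. This is an added illustration, not code from any lending protocol; the ledger, the account names and the two borrower strategies are constructed for the example.

```python
class Revert(Exception):
    """Raised when the whole transaction must be rolled back."""

class Ledger:
    """Constructed toy ledger: account name -> token balance."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot send {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(ledger, lender, borrower, amount, use_funds):
    """Lend `amount` for one transaction only.

    Returns True if the loan was repaid and the state changes stand,
    False if the transaction reverted and every balance was restored.
    """
    snapshot = dict(ledger.balances)      # state before the transaction
    owed = ledger.balances[lender]        # lender must end up whole
    try:
        ledger.transfer(lender, borrower, amount)
        use_funds(ledger)                 # borrower's own logic runs here
        if ledger.balances[lender] < owed:
            raise Revert("loan not repaid")
        return True
    except Revert:
        ledger.balances = snapshot        # atomic rollback of everything
        return False

def repaying(ledger):
    # Earns 5 from a counterparty, then returns the full principal.
    ledger.transfer("market", "borrower", 5)
    ledger.transfer("borrower", "lender", 1000)

def defaulting(ledger):
    # Moves part of the loan elsewhere and never repays.
    ledger.transfer("borrower", "elsewhere", 400)

def run(strategy):
    ledger = Ledger({"lender": 1000, "borrower": 0, "market": 50})
    ok = flash_loan(ledger, "lender", "borrower", 1000, strategy)
    return ok, ledger.balances

if __name__ == "__main__":
    print(run(repaying))
    print(run(defaulting))
```

In the defaulting case even the intermediate transfer to "elsewhere" disappears, which is why the lender can offer the loan without collateral.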
The most common method of using flash loans for profit is arbitrage. This is a process that exploits the difference in asset prices between two different markets.
Another method of making a profit is a "wash trade". This type of trading involves buying and selling an asset to increase trading volume. In traditional markets, such a procedure is prohibited.
Flash loan attacks can be successful if an attacker can manipulate the market to a certain extent. These attacks are carried out by arbitraging pumps and dumps and/or manipulating oracles. They are cheap to execute since attackers do not take on monetary obligations.
Typically, these attacks are complex, multi-step processes executed by highly experienced DeFi users. In many cases, they involve depleting liquidity pools that ordinary users have invested in, causing many people to incur significant losses.
Next, let's look at several more common attacks on the blockchain.
This is the most commonly known threat to the blockchain network. The name of the attack is an analogy with a controlling stake in the business sphere. The problem lies in the Proof-of-Work protocol, which is used by projects such as Bitcoin, Litecoin, Monero, and others. Its essence is that several miners with significant hashrate can get a "controlling stake" in the network, that is, they will have more than half of all the network’s hashrate.
Such conditions allow a hacker to carry out a double-spending attack, in which he can spend a larger amount than he has in his wallet. As a result, the blockchain is seized, and all the participants' funds are transferred to the ownership of hackers. In large networks, the chance of such an attack is several times lower due to the large number of participants and expensive equipment.
Hal Finney was the first recipient of a bitcoin transaction, and he was the first to talk about launching bitcoin. He was also the first to suggest the possibility of a double-spending attack on the network. For this reason, the attack was named the Finney Hack, or Finney Attack, in his honor.
The Finney Hack is a type of double-spending attack, which can happen when a person accepts an unconfirmed transaction online. Finney explained that a miner could generate a block in which he would include a transaction from address A to another address B, where both addresses belong to him. He then makes another payment in the same currency by sending from address A to address C (which belongs to another user).
If that user accepts the transaction without confirmations from the network, the scammer can release the block in which his original transaction is included. This invalidates the transaction made with the trader, allowing the attacker to double-spend.
This is another type of double spending. Inexperienced and hasty traders may hand over the goods even if the transfer failed, since there was a transaction attempt. Some sellers use "express payments" without the necessary confirmation for small amounts. In the wallet of the receiving party, such a transaction will be shown as "in processing," and the addressee will see it as "not confirmed."
A fraudster can exploit such a transfer: he sends one transaction to the seller's node and another to his own address on the network, broadcasting only the second one to the blockchain. The second transaction will be considered valid during the check, and the first transfer will be invalid.
To prevent such an attack, it is recommended not to accept incoming connections to the node and to wait for several transfer confirmations (3 confirmations for amounts from $1000 to $10,000, 6 for amounts from $10,000 to $ million, and up to 60 confirmations for even larger transactions).
An eclipse attack is a special type of cyber attack in which a hacker forms an artificial environment around one node to control its actions. The attacker redirects outgoing and incoming data from the target node to his own nodes, separating the deceived user from the real network.
Isolating the target node allows the attacker to confirm illegal transactions on its behalf and to cut it off from messages from neighboring nodes. The hacker does not need to hack the entire network; the attack is limited to a small set of nodes. To block the node, a botnet or a phantom network is used to fill the node with IP addresses for synchronization on the next connection.
The consequences of an eclipse attack are usually double-spending attacks, which have already been mentioned above, as well as wasted mining power, when a hacked user spends electricity and time solving problems for artificial blocks that do not exist in the real blockchain network.
Cryptographic Vulnerability Attacks
Cybersecurity experts unanimously say that the most vulnerable place in any system is a person, and scammers use this fact. Another consequence of the human factor is errors in the code; having discovered them, an attacker can break the entire network.
As an example, on Ethereum, a fraudster discovered a security loophole in the source code and took possession of about $50 million in coins, which amounted to about 30% of the total coin volume at the time. Because of the incident, the community split into two groups. The first, led by the creator of Ether, was outraged by the theft and proposed a hard fork to return the coins to their legal holders. Their opponents were convinced that the real owner of the coins was now the hacker ("The code is the law"). As a result, the community came to an agreement to create a soft fork.
Social Engineering Crypto: Phishing
These techniques rely on human vulnerabilities, not the technical prowess of a potential hacker. They are used to gain (unauthorized) access to sensitive data, cryptocurrency wallets or accounts, or to induce victims to download malware onto computers and networks to cause further damage. Such techniques include phishing, baiting, quid pro quo attacks, pretexting, and tailgating.
Phishing is one of the most popular of them. It is used to steal private keys, card numbers, bank accounts and other confidential data. The simplest version of cryptocurrency phishing is good old spam emails purporting to come from one web service or another. In this case, the emails are sent on behalf of cryptocurrency wallet sites or exchanges.
Such fake messages look noticeably more detailed and neatly written than phishing messages on average. For example, this may be a security alert that says that someone recently tried to log into your account from such-and-such a browser, and asks you to follow the link to check if everything is in order. The user may have enabled such notifications on the wallet website himself, and so will not notice anything unexpected, let alone wrong.
As you can see, the crypto market is full of danger. In this article, we described only a few types of potential fraud. Creators are constantly working to improve security protocols. But while the system is not ideal, it is worth remembering the possible risks and not taking the bait.