• As reported on September 5, 2012, Bitfloor, the fourth largest exchange dealing in US dollars, announced that hackers had compromised Bitfloor's server, accessed an unencrypted backup of the wallet keys and transferred away 24,000 BTC [64].
• On April 3, 2013, hackers broke into Instawallet and stole 35,000 BTC, causing Instawallet to suspend operation indefinitely [65].
• On August 11, 2013, the Bitcoin Foundation announced that hackers had exploited a bug in an old pseudo-random number generator, which enabled them to solve for the private key and steal balances from users' wallets [66].
• On both October 23 and October 26, 2013, an Australian Bitcoin bank was hacked, and all 4,100 BTC held by the wallet service, stored on a US server, were stolen by hackers [67].
• Due to the multi-signature vulnerability in the Parity Wallet, a hacker stole 30M from at least three Ethereum accounts by compromising their addresses on July 19, 2017 [68]. Unfortunately, the newly deployed version of the Parity Wallet library contract had an undiscovered improper-initialization bug at that time, which caused another incident on November 6, 2017, in which the funds in the affected multi-sig wallets were frozen [69].
4) Attacks and Bugs with Smart Contracts
One real instance of an attack on a smart contract is the DAO (Decentralized Autonomous Organization), a contract built on Ethereum as a crowd-based venture capital fund: a hacker exploited a weakness in its code and stole more than $50 million worth of cryptocurrency, as reported on June 17, 2016 [70]. The hacker made use of sloppy smart contract coding to drain the funds held by the contract [71].
On June 19, 2016, Vitalik Buterin listed categories of bugs in Ethereum contracts, including variable/function naming mix-ups, public data that should not have been public, reentrancy (A calling B calling A), sends failing due to the 2300 gas limit, arrays/loops and gas limits, and subtle game-theoretic weaknesses [72].
In January 2017, a bug was discovered in the contract code of Ether.Camp's Hacker Gold (HKG), which read "=+" instead of "+=" [73]. In October 2017, SmartBillions ran a $500K hack challenge, and two hackers took away 400 ETH (US$120,000) before SmartBillions stopped the hackathon [74]. In January 2018, a hacker discovered an integer overflow bug in the smart contract used by Proof of Weak Hands (PoWH) coin and stole 888 ETH [75]. In October 2018, an attacker launched a reentrancy attack targeted at the smart contracts of Spankchain and drained 165.38 ETH [76].
5) Network Attacks
In August 2014, a research team in the Dell SecureWorks Counter Threat Unit discovered that a BGP hijacker had redirected the connections of cryptocurrency miners to a hijacker-controlled mining pool and obtained an estimated $83,000 of the miners' profit over more than four months [77]. In September 2016, a DDoS (Distributed DoS) attack on the Ethereum network was discovered in which the EXTCODESIZE opcode was called about 50,000 times per block by the attack transactions, greatly slowing down the network [78].
6) Endpoint Attacks
Malware is one form of endpoint attack. According to a report, malware infected more than one million computers, which the attackers used to mine 26+ million cryptocurrency tokens [79]. Cryptojacking is another endpoint attack, in which cryptocurrency is mined in the user's web browser while the user visits a website. Attackers hacked and injected cryptomining scripts into Pirate Bay [80] and CBS's Showtime [81] in 2017 and into Indian government web pages [82] in 2018, gaining the mining reward by using the visitors' computers for mining. Attackers also injected cryptojacking code into third-party software (e.g., Google Tag Manager [83] and WordPress [84] in 2017, and Drupal [85] in 2018) and into advertisements (e.g., YouTube ads [86] in 2018). Cryptojacking was also carried out through 200,000 MikroTik routers infected by malware [87] in 2018, and through the compromised WiFi of a Starbucks café [88] in Buenos Aires in 2017, which made the infected computers mine cryptocurrencies.
7) Attacks with IOTA
In January 2019, a hacker launched a phishing attack that collected users' private keys for six months and then stole users' mIOTA worth $3.94 million [89]. At the same time, there was a DDoS attack on the IOTA network, so that the IOTA developers were too busy to discover the hacker's theft activity [89]. In February 2020, to stop an attacker from stealing funds, the IOTA Foundation had to turn off the coordinator node, which was responsible for confirming all transactions, for more than 12 days. The hackers had broken IOTA's own designed hash function and could forge transactions [90].
Expanding from Hydra [91] and KEVM [92], we summarize attacks, attack years, categories based on Table VII, exploit values and root causes in Table VII. The total amount of exploit values at current BTC and ETH prices is more than $40 billion. Thus, hackers have been, and will continue to be, incentivized to attack Blockchain systems for the huge gains.
VI. SECURITY MEASURES FOR BLOCKCHAIN
A. Security Analysis