How White Hat hackers can help ‘fix’ crypto
One of the crypto asset markets’ most pressing issues is the lack of secure infrastructure. Until this issue is adequately addressed, it will be difficult for cryptographic assets to reach the same status as established financial securities among investors.
This article covers some recent crypto security breaches as well as some steps the sector should consider to remedy the situation.
Serious security breaches
In early January 2019, the top-20 cryptocurrency project Ethereum Classic (ETC) fell victim to a 51 percent attack. A malicious actor was able to gain access to the majority of the hashrate on the ETC network and undertake double spends through several cryptocurrency exchanges, leading to estimated losses of over $1 million.
The attack was surprising because, while we have known that the risk of a 51 percent attack is real, it was thought to only be of concern to smaller altcoin networks. Ethereum Classic, in contrast, is a leading cryptocurrency with a market capitalization of almost $500 million. The successful attack therefore was a catalyst for a rethink of the fundamental security of even the largest crypto networks.
Also in January, New Zealand-headquartered cryptocurrency trading platform Cryptopia revealed that it had suffered a major security breach. The exchange did not specify the amounts lost in the event. While there has been much speculation regarding the veracity of the claims of a hack as well as allusions to an exit scam, there is still the need to consider the inadequate code infrastructure that allowed the losses to happen. Cryptopia remains shut down for maintenance at the time of writing.
Both these events have taken place in the first few weeks of this year, leaving investors and the wider crypto community scratching their collective heads as to how such major breaches can still be happening in 2019, fully five years on from the now infamous Mt Gox hack that got cryptocurrency theft on everybody’s radar.
Why is this happening?
These recent events bring many questions to mind. The most pressing of these is the question of failings in system architecture. It is obvious that there are insecurities in the code architecture of many crypto systems and projects as well as other adjacent systems that support the ecosystem.
Considering the sheer size of the codebases that developers must work on, it is understandable that there may be errors. Additionally, much of this work is done under immense time pressure, which may also contribute to important security factors being overlooked.
Lastly, when developers spend a great deal of time poring over code, they are likely to miss some of the errors they make. When working on high-level tasks, we, as humans, tend to make simple mistakes. This is called the generalization effect. In simple documents, it requires a proofreader to correct our spelling mistakes. However, when writing code, these seemingly simple errors can mean the difference between failure and success, with the former bringing with it major financial repercussions.
Your blockchain needs you – the role of ‘White Hat’ hackers
With these factors in mind, it seems obvious that the crypto asset sector can benefit from a sort of review system. It is plausible that some of the security loopholes that have rocked the industry lately could have been prevented with the inclusion or addition of a fresh set of eyes.
In the technology sector at large, this concept has taken shape in the form of bug bounties. It is hardly a new concept, as it has been in existence since the late nineties. The concept is simple: corporations invite developers to look over their code to find any vulnerabilities. In exchange for their time and labor, if the ‘bounty hunters’ are able to find errors, they are financially rewarded. Payments are usually tiered in accordance with the threat level.
Many major companies in the technology sector have embraced this concept as an essential way of securing their technology. For instance, Google paid out almost $3 million in 2017 to bounty hunters who helped to rid its code of major vulnerabilities. If they are so effective in the larger technology sector, then it is clear that bug bounties can also be useful in the crypto sector.
Bug bounties in crypto
A number of parties in the crypto sector have borrowed a leaf from the greater technology space. Ethereum, for example, regularly holds bug bounties. The third largest blockchain network continues to stay secure due to its dedication to finding and fixing any vulnerabilities. For instance, it postponed its scheduled Constantinople update due to newly discovered bugs.
Another player in the cryptocurrency sector that holds bug bounties is Dash. White hat hackers were able to reveal serious security vulnerabilities in the version of the Copay wallet that could support Dash coins. Kraken and Coinexchange also have similar programs.
Decred also recently announced its bug bounty program. The altcoin is inviting developers with any interest as well as the relevant knowledge to sign up for the program. Calculation of rewards is based on the OWASP risk rating methodology, with payments from $300 for low impact finds up to $25,000 for critical errors.
If we are to extrapolate the success that bounty programs have had in the greater technology sector, then it is clear that the concept should gain steam if the cryptocurrency sector is seriously looking to transcend, or at least lessen, its security issues.
Considering the large amounts of money held in these networks, developers must consider all the tools available to them, and bug bounties have proven to be effective.