The matter is still under investigation by police, but social media reports estimate that anywhere from $3 million to $16 million worth of cryptocurrency was stolen during the attack. The exchange itself has been out of action since the “security breach” after initially being put into maintenance mode when the rogue transactions were initially discovered.
Cryptopia had a reported 1.4 million users, and a cult following amongst traders of small-cap altcoins, however, unusually the rest of the cryptocurrency market wasn’t negatively affected by the news. Bitcoin’s price, for example, stayed within the same $200 trading range before and after the breach was announced.
Previous exchange hacks have seen prices plunge across the board – in 2018, even mere rumours of a breach at Binance were cited by some industry observers as the reason behind downward price moves. The lack of a reaction to the Cryptopia news could be put down to the relatively small user-base of the exchange, or simply because prices are so low that ‘bad news’ is not necessarily enough of a catalyst for major sell-offs right now.
However, there is a third, more worrying possibility; that the wider cryptocurrency community has become so desensitised to major security breaches that it is sleepwalking into potential disaster.
Over $1 billion in cryptocurrency stolen in 2018
2018 was an annus horribilis for cryptocurrency security, with all manner of the ‘wrong kind’ of records being broken.
An anti money-laundering Report by Ciphertrace stated that $927 million had been stolen from cryptocurrency exchanges in the first three quarters of 2018 alone. The full tally for 2018 is believed to be well over $1billion.
A large part of that $1bn stolen would have been attributed to the Coincheck hack in January 2018, which saw a record $530m in NEM tokens taken from the Tokyo-based exchange’s wallets. A value, which broke the record for reported losses previously set by Mt. Gox in 2014 ($460m at the time).
Some of the other largest single losses were reported by South Korean exchange Bithumb ($30m), ‘decentralised’ exchange Bancor ($23.5 million) and a 51% attack on the Bitcoin Gold blockchain that netted crooks around $18 million.
Overall, the amount stolen from exchanges in 2018 equates to around $3m every single day.
Even blockchains themselves have been exploited in on an increasingly regular basis in recent times, with Ethereum Classic recently joining the list of cryptocurrencies that have been 51% attacked. The January assault on one of cryptocurrency’s most high profile coins saw 219,500 ETC stolen before exchanges and mining pools stepped in to stifle the attack.
Hacks threaten cryptocurrency adoption, and existence.
Mass adoption of cryptocurrency simply will not happen, if people aren’t confident the infrastructure is in place to keep their funds secure.
In a 2018 survey conducted by US law firm Foley, 71% of respondents felt that hacks and security breaches posed a strong or very strong “risk to the viability and growth of the cryptocurrency industry”.
In another study conducted by Clovr, 27% of survey respondents said they “worry about the cryptocurrency service getting hacked” when sending crypto to family abroad. Or, more alarmingly, suggested that was reason enough to stop them doing so at all.
A lack of adoption caused by prevailing distrust in the security of the technology is arguably the single greatest threat to the existence of cryptocurrency going forward.
Simply put, it’s unlikely that large-scale mainstream investment will pour into crypto markets before, security-wise at least, the industry gets its house in order.
How do cryptocurrency exchanges get hacked?
Firstly, centralised exchanges are an easy target. Hackers know exchanges can hold billions of dollars at any one time and can dedicate themselves to finding vulnerabilities using state-of-the-art attack methods. Conversely, exchanges may not always allocate resources to build equally sophisticated defences.
Exchanges also have a double vulnerability in that hackers can steal funds directly, by breaking into exchange wallets, or indirectly through stealing user data which they can then use to impersonate account holders.
21CRYPTOS spoke to Developer and Sysadmin Mattias Geniar to get the lowdown on just some of the ways hackers are able to exploit vulnerabilities in an exchange’s security and make off with millions of dollars;
“Every hack so far has been due to an exploit of the exchange’s web application somehow. All exchanges offer withdrawals through user accounts, but the validation processes that check whether or not users are authorised to withdraw funds aren’t always 100% safe”. He said.
“Bitgrail, for instance, had an exploit that allowed user A to withdraw coins from user B through simply modifying a few request parameters”.
It is also true that exchanges can sometimes be victims of their own success – and subsequent complacency.
“Over time, exchanges have become very complex web applications that far surpass the simple ‘trade, deposit & withdraw coins’ feature-set. Every feature that gets added is a piece of code that requires maintenance & can have possible security issues”. Geniar explained.
Yet, the answer surely does not lie in restricting the development of progressive exchanges. Instead Geniar recommends fighting fire with fire.
“Exchanges need a security bounty program. If you find a security vulnerability, you should be incentivized to report it instead of abusing it. The challenge with crypto is that any bounty program needs serious funding if attackers are to be persuaded to responsibly disclose a vulnerability rather than exploiting it for millions of Dollars in profit”.
There are of course ways in which exchanges can improve their own security without relying on third parties to identify threats. In fact, simple house-keeping could be the difference between $530m of tokens staying in an exchange’s wallet rather than that of a hacker.
“Cold and Hot wallets need better separation” Geniar explained. “It’s unbelievable how someone can exploit a vulnerability and somehow manage to withdraw millions worth of coins all at once. That means there’s a link between the web-exchange and their wallets. There should only ever be a small fraction of the coins available for direct withdrawal, the rest – as cumbersome as it may sound – should be approved by the company or a support personnel to avoid massive losses”.
Coincheck, for example, made the fatal mistake of storing all of their NEM tokens in a single hot wallet without using the NEM multisig contract security recommended by developers. The results, as we now know, were catastrophic.
Are hacks blockchain’s responsibility?
If exchanges can’t be trusted to be 100% hack proof, then what about blockchains themselves?
Some have the ability to lock accounts and funds remotely through smart contracts. There is also the option to deploy multisig wallets, whereby more than one person would be required to sign a transaction on to the blockchain – making it harder for bad actors to make fraudulent transactions.
However as Geniar points out, the more complex a smart contract becomes, the more chance there is that vulnerabilities will be found: “A well implemented smart contract can offer more security to the end-users. They can be designed for theft protection by creating multi-sig wallets, but that also makes them more complicated and more prone to errors and abuse. The DAO attack for example, showed that even non-complex additional smart contract features can form an attack vector for anyone scanning for vulnerable smart contracts”. The DAO attack, which resulted in Ethereum forking to restore funds stolen in the hack, also provided an interesting case study as to what would happen if blockchain communities took matters into their own hands and simply re-wrote the history books to reverse serious attacks.
While the majority of the Ethereum community voted for the hard fork that created the Ethereum we know today, the continuing existence of the original chain, in the form of Ethereum Classic almost three years later shows that re-writing history is not for everyone.
Indeed, the idea poses a valid existential argument for blockchain itself. If the greatest gift blockchain has to offer is decentralisation and protection against the self-interest of centralised systems, then allowing communities to over-write any transactions they don’t like is arguably a betrayal of that offering. How much decentralisation should be sacrificed for greater security is a debate that will rumble on for as long as decentralised systems are being successfully attacked.
Be your own bank
One point that unites almost the entire cryptocurrency community is that the safest way to protect your investment, is to keep coins in a private wallet and manage them as if you were your own bank.
Renowned crypto enthusiast Trace Mayer’s ‘Proof of Keys’ event hit the headlines in January, as investors were reminded “Not your keys; Not your bitcoin” and encouraged to withdraw coins from exchanges and into their own wallets.
The Proof of Keys event was not intended as an attack on exchanges and third parties in general, more a “readiness drill” for crypto holders should they one day have to save themselves from malpractice. Little did they know on January 3rd, that the next major exchange hack was only around the corner.
Geniar also believes exchanges have a responsibility to educate customers on the storage options available to them: “Users need better education”. He said. “’Don’t keep your coins on an exchange’ is very easy to say, but not an easy process to carry out. Exchanges could better promote the withdrawal of coins, in order to place more of the liability and responsibility in the hands of the end-user rather than encouraging them to keep coins on the exchange for trading purposes. One could argue though that an exchange is better at keeping coins safe than the average user”.
An alternative view on cryptocurrency hacks
The idea that users may be just as vulnerable to losses, even when they keep coins in their own wallets, was also put forward by Binance CEO Changpeng “CZ” Zhao:
“Store coins yourself. You fight hackers yourself, and guard from losing wallet yourself. Computer breaks, USBs gets lost. Store on an exchange. Only use the most reputable, proven secure, exchanges. Or move to DEX, disrupt ourselves”. He tweeted, in the immediate aftermath of the Cryptopia attack.
While CZ’s comments were met with a flurry of criticism on social media, his suggestion is given credence by the efforts of his own exchange to protect users through a ‘SAFU fund’. After “unusual activity” from a number of API users prompted Binance to temporarily shut down trading last July, the company announced the creation of a “secure asset fund for users” (SAFU) whereby 10% of all trading fees would be retained in order to cover losses in extreme situations.
Even still, advising investors to keep funds on exchanges, reputable or otherwise, rather than managing their own security is problematic. Firstly not all exchanges have a ‘SAFU’ fund. At the time of writing, investors with funds stuck in Cryptopia, for example, still have no idea whether they will ever be able to reclaim their coins.
Secondly, users leaving funds on centralised exchanges are beholden to the fate of that exchange. Were a government entity to shut an exchange down, for example, it is unlikely a ‘SAFU’ fund would prevent users losing their assets.
Decentralised exchanges protect against cryptocurrency hacks
Those concerned by the security of centralised exchanges do have an alternative in the form of decentralised exchanges (DEXs).
Decentralized exchanges are facilitated by a third-party operator but crucially this only extends to facilitating decentralized trading directly on a blockchain (such as Ethereum or NEO) itself.
Trades are peer to peer, with the two parties trading between themselves. At no point do user funds come under the control of the exchange. Because of this, there are usually no KYC/AML requirements or log-in mechanism, so there is also no user identity to steal.
However, if people are leaving coins on exchanges because they find dealing with their own wallet and keys unwieldy, or overly complicated, then DEXs likely won’t be the answer. Most current DEXs require more than a 101 level of understanding to operate and just aren’t quite as user friendly as the likes of Binance, yet.
There is also always the possibility that an exchange could appear to be decentralised, but vulnerabilities ‘beneath the hood’ still come back to bite users.
Last July ‘decentralised exchange’ provider Bancor lost customer funds after a hacker exploited a vulnerability in a wallet that was used to upgrade smart contracts within the system. The fact that user funds could be stolen in the first place, and indeed that Bancor was able to freeze its own BNT tokens in the aftermath, is an indicator that perhaps the exchange wasn’t as decentralised as it made out.
Communication is the key in stopping crypto hackers
Blockchain technology and the whole infrastructure around cryptocurrency trading and utilisation is developing at a rapid rate. But it’s still incredibly early. There was a time, not so long ago, where using the internet meant everyone else in the house had to get off the telephone. Then of course, there was the agonising wait for a dial-up connection to kick in. All of that could take longer than it would to order an Uber from a smartphone now.
Security solutions will improve across the board. Decentralised exchanges and wallets will become more user-friendly and easier to manage. It will just take time.
Until then, winning the battle against the hackers will most likely come down to how well the cryptocurrency space as a whole is able to educate both existing users and newcomers so that they have the tools, and the knowledge to truly be their own bank.
By Carl Guaratnam, CEO of Red Quokka Crypto.
(This article is taken from the April’s 21CRYPTOS Magazine – read the full 100 page monthly magazine HERE).