Blockchain-Concept Credit: Sashkin/Shutterstock.com

 

Blockchain technology is often touted for its great security in preserving transaction records. However, blockchain isn't impenetrable. After all, a line of incorrect coding or a small computer network backing the blockchain could lead to unwanted transactions, meaning companies must assess and be aware of any risks in their blockchain-based software, experts said.

“With anything involving software, anything involving anything online, it's always an IT security risk,” said Phillips Nizer partner and former New York state Department of Financial Services deputy superintendent Patrick Burke. ”So while the blockchain itself is generally pretty impregnably accept for the '51% attacks', the software written around the blockchain is as susceptible as any other software.”

Indeed, news reports have documented a number of hacks of blockchain-backed cryptocurrencies and smart contracts. In January, for instance, hackers breached an adult entertainment company and stole $38,000 worth of cryptocurrency after it exploited an error in its smart contract.

Also in January, attackers rewrote cryptocurrency Ethereum Classic's transaction history and took $1.1 million, according to MIT Technology Review. The attacker was able to pull off the heist by gaining control of more than half of the network's computing power—which is called a 51% attack. To retrieve the currency, developers sought to change the software's rules used to decide if a transaction is valid or not. Most agreed, and Ethereum was created and the original cryptocurrency was renamed Ethereum Classic.

“Attacks similar to Ethereum Classic's are more likely to occur for proof of work blockchains where there is a limited amount of dedicated computing power,” noted Duke University finance professor Campbell Harvey. “For some of these smaller cryptos, you can rent enough cloud computing to disrupt the current transactions.”

“This is an issue for proof of work blockchains that don't have a lot of computing power powering them,” Harvey said. “What we are talking about is an attack of the most recent transactions, we are not talking about someone changing a transaction from last year. … [It's] still enormously difficult to go back and change a transaction from a year ago.”

Also a great deal of computers are needed to stage a 51% attack of a large proof of work blockchain, an expense that may deter some from targeting larger blockchains.

As more blockchains are attacked, blockchain-specific security services are emerging. For example, Japan-based NRI Secure Technologies started a blockchain security monitoring service that also diagnoses and analyses smart contracts.

Still, as some organizations are slowly adopting blockchains, they may fall victim to faulty coding in their blockchain or the software connected to it. But Phillips Nizer's Burke noted that most organizations are using permissioned blockchain where the nodes and miners are within a company's firewall and only the people working for them can be a miner. There are “fewer nodes you would have to control to gain control of it, but you can hopefully keep a closer eye on those people and they are people you trust,” Burke said.

However, he added that companies using blockchain must still ensure their transactions are safe, and regulators should also assess blockchains to figure out how vulnerable they are.

“At DFS, we would look at [a blockchain's] vulnerability to 51% attacks,” Burke said. ”You have to look at the number of miners it would take, what is the criteria for controlling [it], is it proof of work, proof of stake [and ]how small of a group can pull off a 51% attack.”