Blockchain Vulnerability

Gal Mordechai

Blockchain is an exciting and innovative area, and unlike other nascent technologies, blockchain comes with substantive progress in its brief history, with greater exposure to wider audiences. However, there are also bad actors who are attracted to the ecosystem who try and identify potential Vulnerabilities and exploit these in a way that will allow them to generate a financial gain.

As a result, in 2020, crypto-asset holders experienced losses estimated at the amount of $10B USD due to malicious activities, constituting ~0.34% of all transactions made in the crypto ecosphere. The majority of the causes of losses were due to several types of malicious activities including scams, stolen funds, coding exploitation, and more.  

In this blog post, I will try to define the three most common and significant potential types of risk any crypto-asset holder should be aware of prior to entering this thrilling technology space. To focus the discussion on concrete examples I will refer to smart contract-based platforms and utilize a portrayal of DeFi's ecosystem’s stack created by the St. Louis Fed. The creative nature of bad actors brings them to try and identify vulnerabilities in each one of these layers and therefore I will try to refer to the key layer that is vulnerable for each type of risk.

Technological risk

As a technical asset, crypto assets are built on the blockchain platform. As such, the main types of risk are technological. Past events show that crypto-assets can fail or unintentionally operate erroneously due to software failures such as the asset’s balances, logic, transactions execution, and consensus mechanisms. Such failures can derive from a number of reasons.

First, token holders should be aware of Smart Contract risk. This kind of risk is related to the code of the crypto asset that usually occurs in the Settlement, Asset, or Protocol layers. Unwanted deficiencies in the code can result in behavior different than was initially intended by the creators of the smart contract. Furthermore, such flaws allow attackers to identify additional vulnerabilities that can and will inevitably become exploited. Due to the technical nature and the fact that blockchain technology is still in its infancy, testing frameworks and coding practices related to the space are still relatively new and thus crypto assets are highly susceptible to coding imperfections.  

Moreover, as blockchain use cases and crypto assets are evolving into more complex, novel models the potential for code flaws and scenarios that weren't taken into account increase as those requirements need to be translated into the code. On top of this, the open-source nature of the technology makes the code available to token holders and developers to find ways to make it more robust but in the same way also to attackers to find exploitable flaws.  

Another risk from the technological category is that of the transaction risk of the assets that exist within the Settlement layer of the network. All crypto assets are built on consensus-based platforms, and transaction risks are related to issues with the settlement level of the network the crypto asset has been built upon. Issues with attacks on the base network of a crypto asset will affect the tokens value, usability, and applications that are built on top of the network it utilizes.  

Miners also play a key role in the settlement layer of the crypto assets. Therefore, they can act maliciously as well creating an additional risk sub-type, called Miner risk. Miners' manipulation may be related to the ordering and execution of the network's transactions. By doing so, miners can prefer certain transactions instead of other higher fee transactions. This preference within certain contexts can have significant implications that may result in a form of market manipulation that can have key implications for the assets.  

Lastly, as more applications are built on smart contacts, the role of oracles and their integrity becomes more important for many of the token-based applications and platforms. This creates a new sub-type of risk called Oracle risk which usually exists in the protocol and application layers. Oracle-based systems can be heavily attacked through the manipulation of the values provided by Oracles to the on-chain contracts. Some of these oracles are centrally sourced and therefore can be seen as a key vulnerability, especially if these inputs are important for the logic of the smart contract.  

Operational risk

A core benefit of decentralized platforms is the lack of a single point of failure. However, the flipside of this is that in cases where there are known issues, the ability to respond and update the network with a quick fix may take significant time and involve several stakeholders in the network. This issue only intensifies regarding regular network upgrades and code maintenance efforts which may leave networks vulnerable to attacks for longer. Within this context, which usually occurs in the settlement and protocol layers of the stack, a popular phenomenon in the space is network forks that on the one hand provides a democratic solution for conceptual disputes and disagreements and can allow for different opinions to coexist- however, on the other hand, can be confusing for token holders. This is sometimes even driven by malicious actors) and can be devastating to tokens' financial value which is defined by its supply and demand in the market.  

Although blockchain networks are pseudonymous by nature, a key indicator for the future success of a token network or an application is its Governance, which occurs in the settlement and protocol layers of the stack. Initially this is represented by the founding team of the network. Beyond the quality of the code created by the team and the initial “rules” and processes of the network, this team usually has significant power over the ongoing network operations and processes. As a result, these individuals may have disproportionate power upon the network (for example control over the token supply in the network through a Multisig process that can have tremendous impact on the token value and attractiveness).  

In more complex decentralized governance structures, regardless of whether these were created at launch or through a transition from a centralized governance structure to a decentralized one, such decisions can be exploited through a centralized holding of governance tokens or by providing financial incentives for voters that occur externally to the network. It is critical to consider the power of centralized exchanges within this context as they are acting as the custodians of multiple tokens that also have voting rights associated to them and as a result may hold unproportionable power.

Lastly, blockchain platforms and the smart contracts within them are logic-driven entities that impact the state of the network. As such accidental transactions or actions that are executed accidentally due to a flawed code may have significant irreversible implications regardless of the opinions of the individual token holders or network creators. Some networks have gone to great lengths to minimize this risk with several innovative arbitration services and processes. Unfortunately, however, these mechanisms are still limited in scope and those limitations might exclude some of the edge cases that exist in these new dynamics and as a result impact negatively on token holders.  

Legal and Compliance risk

Operating in today’s crypto assets environment and using today’s investigator tools put regulators at a significant disadvantage and encourages bad actors to act in fraudulent ways and evade their legal obligations. As a result, investors can find network creators who are obfuscating their network’s activity or masking critical regulatory information from network transactions to reduce the creator’s regulatory risks in a way that impacts the network token holders' regulatory risk and as a result, has a clear impact on the network attractiveness to law-abiding investors.  

The pseudonymous nature of most crypto assets is extremely attractive for malicious actors, who are using it as a fertile ground to commit multiple types of illegal activities. Interestingly enough, although blockchain is an append-only decentralized ledger that will expose the information about their crimes to everyone and store these action records forever malicious actors are still self-selecting into using it for illegal activities. As a result, nowadays there are multiple cases of scams, embezzlements, and attempts to manipulate these markets to create unfair advantages for certain actors.

Under legal risk, we can also include Financial crime risk, a type of risk that refers to the risk of breaching any Anti-Money Laundering (AML) restrictions that are applied to any financial institution in the traditional financial world. As already mentioned above, the pseudonymous nature of these ecosystems makes it harder to identify the identity of the network token holders and as a result, makes it harder to enforce these financial regulations upon token holders despite some creative methods employed by the regulator. This reality makes it harder to block unlawful transactions and seize illegal assets as occurs frequently in the traditional financial world. This complexity is magnified further in privacy-preserving tokens and requires a higher level of creativity and tools from regulators.    

There are multiple other risk types related to the relationship between digital assets and their algorithmic nature which can impact their attractiveness to potential investors. Phenomena such as flash crashes in which an asset’s price suddenly drops due to extreme volatility in the market that cannot be mitigated through a centralized trusted player, and or smart contracts logic chains that connect with multiple digital asset components (i.e. smart contracts) can make or break assets attractiveness very quickly.  

In subsequent blog posts, I will break down each of these risk types into tangible examples and mention different attempts employed by various networks to try and mitigate these risks in a way that will make them safer and more trustworthy for token holders. Then, I will explain how we at Valid Network try to inform our community about such risks and equip them with the right tools to identify these risks and make knowledgeable decisions.  

It’s time to Deriskify Crypto!

Uncover risks & opportunities in crypto to maximize your gains.

Valid Data’s real-time and predictive insights are used by Cryptocurrency traders and exchanges, as well as investors and hedge funds, to make better investment and trading decisions, to protect the value of their digital assets, and to capitalize on market opportunities that only Valid Network’s technology can uncover.

Try Valid Data

Other Blogs

Introducing Ethereplay by Valid Network

We are excited to announce Ethereplay by Valid Network, a free community tool to support examining, analyzing, optimizing and securing of smart contract code on Ethereum.

Onboarding blockchain tech? Don’t miss these important facts

Key issues that enterprises must carefully consider and deal with when onboarding blockchain technology

What are CBDC and are Digital Currencies Safe?

Cryptocurrency and DeFi trading platforms have long signified a coming change in the way currency is handled around the world.

Integer Overflow in Ethereum

Many involved in blockchain do not have a full comprehension of the impact of software flaws and how they can enable vulnerability.

Subscribe to our newsletter and get the latest updates every day

Get crypto analysis, insights and updates right to your inbox! Sign up here so you don't miss a single newsletter.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.