The Risks of Injection Attacks on the Blockchain

While an adequately configured blockchain network will inherently be resistant to some kinds of threats, many other risks exist, potentially exposing data or opening a backdoor into an organization for a more disastrous cyber-attack in the future. The fact is blockchain technology is still maturing, and while enterprises continue to explore, develop, and adopt this development framework into their ecosystems. And due to the potential amplification of these risks through the decentralized network, researching and managing all the potential code vulnerabilities, security misconfigurations, and other blockchain threats could be a massive economic and personnel investment for any organization.  

Injection Attacks via the Blockchain

Injection attacks are one of the most significant risks to any network-connected system. These attacks use malicious data to attack software systems and can be launched against the client-side of an application, but also against the server-side the database, and the smart contracts. Once executed, they can substantially impact the newly minted victim, exposing any locally available information. Attacks like these are successful through various strategies, from malicious links to corrupted websites, all shared with unsuspecting users. Due to the attack vector's simplicity, an injection attack is complicated to detect by both the user and legacy security products.  

Injection attacks against blockchain systems on both public and private networks, like Ethereum and Hyperledger, have impacted hundreds of millions of dollars in transactions, wallets, and investments over the past few years. From the likes of Ethereum Short Addresses to the cross-site scripting impact on EtherDelta all the way to the delegatecall injection vulnerability that stole over $31M from a wallet, these attacks on the blockchain can devalue cryptocurrency, shut down exchanges, damage trust in the technology, and send developers into a frenzy as they attempt to implement best practices to avoid leaving their users, their data, and their investments, at risk. Below are just a few examples of injection attacks on the blockchain with their related CVE.

• TransferFrom overflow - CVE-2018-11411
• Integer Overflow - CVE-2018-11687
• Easy Trading Token (ETT) Integer Overflow - CVE-2018-13113
• transferFlaw - CVE-2018–10468
• Batch overflow - CVE-2018-10299

These injection style attacks occur when untrusted data is sent to a receiver as part of a transaction. An attacker sends malicious data with the intent to trick the receiver into executing unintended commands or accessing incorrect data.  

Unfortunately, an injection attack is not limited to a specific type of data; almost any data source can be used as an injection vector, including transaction inputs, reading from storage, and cross-system calls, including Enterprise Oracles. This attack method can impact enterprises in varying manners, including the corruption or loss of data, disclosure to unauthorized parties, and even denial of services.

While many code injection risks into the blockchain are known, the existing security toolsets and services, including 24/7 managed SO
s, are often incapable of detecting or preventing them from putting an organization’s data at risk. The most common toolsets in-place today are only able to validate that the execution of a transaction was accurate. This is a major limitation however, due to the nature of injection attacks using existing logic in the contract, the execution would still be deemed accurate with the malicious attack.  

The standard approach to mitigating many of these injection attack risks is to understand and follow traditional best practices during development, but manually keeping up with all the threat vectors has proven challenging as blockchain technology continues to grow and evolve.  

Many longstanding security solutions have begun adopting blockchain security features into their ecosystem, but they lack the necessary oversight and capability to provide the required information to detect, prevent, and remediate these risks in the blockchain. Further complicating security, many enterprises simply rely on heavily manual processes to identify and qualify blockchain application code using various repositories and databases.  This approach does not measurably reduce security risk and it slows down development and mass deployment of blockchain technology  

Ultimately, the blockchain industry has lacked the cohesive best-practices on the security tools that exist, leaving enterprises to foot the bill of manual security research. But as blockchain technology continues its evolution and adoption into enterprise workflows, so must security solutions focusing on this advancing tech. This simultaneous advancement encourages enterprises to adopt the same security mentality they apply to their regular corporate assets to this emerging technology.

Engaging with and integrating blockchain security teams into the fabric of development and security operations is the first step many organizations can take to adopting proper security knowledge and protections to combat the rising risks of injection attacks and other dangers to the blockchain. These teams and their comprehensive tools can help establish a strong security perimeter around your blockchain applications, provide detection and prevention against risks, and assist organizations in ensuring compliance with the various global markets.  

About Valid Network  

Valid Network’s blockchain security platform provides complete life cycle security for enterprise blockchains from initial development to active deployment and management. Based in Be'er Sheva, Israel, the company’s solutions enable enterprises to innovate with blockchain faster, providing complete visibility and control over their distributed applications and smart contract governance, compliance, and security posture through advanced platform capabilities.

‍

Secure the block with Valid Network.

Learn more: https://valid.network

Follow us: LinkedIn | Twitter | Blog

‍