Authors: Steven Robertson, Tessa Rowland
One of blockchain’s most alluring features is its inherent security due to the cryptographic, distributed ledger technology through which blockchains are formed. While a blockchain is resistant to cyber-attacks, it is not impervious to corruption and hacking, and has been successfully attacked despite its cryptographic advantage. With the market cap of Bitcoin at $150 billion at the time of writing, hackers are motivated to discover and try to exploit any weakness in platforms supporting cryptocurrencies.
Below, we discuss three of the more notorious breaches that resulted in cryptocurrency theft.
The DAO (2016)
The DAO (Decentralized Autonomous Organization) was an autonomous venture capital fund that existed as a smart contract on Ethereum. It was set up to invest in other cryptocurrency-related businesses and was crowdfunded in May 2016, through a token sale that raised the equivalent of US$120 million in digital currency.
Unlike a traditional fund in which a relatively small group of investment managers would typically select investments, investors in The DAO held weighted votes depending on how much cryptocurrency (specifically, ether) they contributed. In June 2016, an attacker successfully exploited a vulnerability in The DAO’s smart contract code that allowed a recursive call, meaning the attacker was able to repeatedly siphon from the DAO what eventually amounted to 3.6 million ether, equivalent at the time to US$60 million, as the accounts being hacked couldn’t properly rebalance following the initial withdrawal. Fortunately, substantially all of the siphoned ether was recovered through the implementation of a hard fork in the Ethereum blockchain, but the incident proved to be the undoing of the DAO, as its tokens had been de-listed from cryptocurrency exchanges by the end of 2016.
The attack on the DAO shows that smart contracts are only as strong and effective as the code upon which they are based.
Mt. Gox (2014)
Mt. Gox was a Tokyo-based Bitcoin exchange company launched in 2010 that eventually became the world’s leading bitcoin exchange. It filed for bankruptcy in 2014 as a result of the disappearance of 750,000 bitcoins it was holding on behalf of customers and 100,000 of its own bitcoins – at the time worth about US$473 million. Many at the time thought that this might spell the end of Bitcoin’s popularity.
The disappearance of the coins from the Mt. Gox exchange was blamed on a software bug and internal mismanagement, but the specific reasons for the disappearance have never been made public. According to the company, transaction malleability within the Bitcoin code was largely to blame. In a statement released on February 7, 2017 before all withdrawals were halted, the company said, “[a] bug in the Bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of Bitcoins to a Bitcoin wallet did not occur when in fact it did occur. Since transaction appears as if it has not proceeded correctly, the Bitcoins may be resent. Mt. Gox is working with the Bitcoin core development team and others to mitigate the situation.”
While there are conflicting reports on how big a role “transaction malleability” played in the Mt. Gox hacking scandal, the theft culminated in Mt. Gox going completely offline on February 24, 2014. At last report, customers were still waiting to recoup their missing bitcoins.
In January of this year, hackers stole upward of US$530 million of the XEM token from Coincheck, a Japanese exchange and wallet service, affecting 260,000 customers. This is the single largest cryptocurrency theft to date.
Coincheck had historically adopted different security measures for different cryptocurrencies, sometimes linked to the relative value of the currencies, with more popular or valuable tokens and coins subject to stricter security. Because of XEM’s low value, Coincheck maintained lower security protocols for XEM. This made XEM more accessible to hackers than a cryptocurrency such as Bitcoin, which was afforded stricter security. First, there was a lack of multi-signature authentication for XEM transactions. Second, Coincheck stored XEM in a hot wallet as opposed to a cold wallet, which meant that a customer’s XEM assets were connected to external networks and not stored offline, leaving them more vulnerable to hacking.
A hot wallet connected to the internet is similar to an individual walking down the street carrying wads of paper money as opposed to having the funds deposited in a bank or stored in a safety deposit box. Cold wallets are USB drives or other external hard drives that house wallets, and the physical media are usually stored securely in a vault or safety deposit box.
In 2017, the Japan Financial Services Authority started regulating and licensing cryptocurrency exchanges in Japan. Since Coincheck was founded in 2014, it had not yet sought out a licence for regulation. This devastating security breach has led Coincheck’s president to confirm the exchange will be registering with the Financial Services Agency and will be revising its security practices.
These incidents demonstrate that, despite the supposed immutability and security of the blockchain, an investment in cryptocurrency is not only subject to volatility risks, but also to the risk of theft by ingenious and enterprising criminals.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.