Common Blockchain Security Flaws
Cybersecurity Trends
Blockchain has ushered in a new era of transparency, cryptography, and decentralization. However, there is still a long way to go to overcome glaring security challenges.
In a previous post, we reviewed the top five blockchain security breaches of 2022, which collectively caused over a billion dollars' worth of damage. And while cybersecurity gaps are clearly not unique to blockchain (governments, tech giants, and public infrastructure all remain incredibly vulnerable), the new technology does present a fresh set of challenges for security professionals.
In this article, we'll discuss some of the most common security flaws that Silent Breach routinely discovers in smart contracts and review some helpful steps developers can take to stay secure.
1. Frontrunning
Frontrunning occurs when malicious actors detect unconfirmed (or pending) blockchain transactions and then 'hijack' the trade by simply paying a higher fee. Since transactions are always visible in the memory pool before miners include them in the upcoming block, hackers have ample opportunity to review any unconfirmed activity and cherry-pick the transactions they'd like to 'frontrun'. Frontrunning is easy to automate and has become a very common issue among DeFi applications. Since frontrunning can currently only be mitigated by redesigning or refactoring the way that transactions are processed, it's critical to be familiar with common frontrunning techniques while initially developing your platform.
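One way to "redesign the way that transactions are processed" so that a pending transaction reveals nothing worth frontrunning is a commit-reveal scheme: the user first broadcasts only a hash of the order plus a random nonce, and discloses the order itself in a later block. The model below is an added example written for this article; it is not Silent Breach code nor any particular protocol's implementation, and the class name, method names and the "alice" walk-through are constructed for illustration.

```python
import hashlib
import os

# Constructed model of a commit-reveal order flow (added example, not the
# article's or any protocol's code). A mempool observer sees only the hash
# in phase 1; the order is disclosed in phase 2, after the commit is final.


def make_commitment(order: str, nonce: bytes) -> str:
    """Hash the order together with a random nonce; only this hash is broadcast."""
    return hashlib.sha256(order.encode() + nonce).hexdigest()


class CommitRevealBook:
    """Two-phase order book: commit in one block, reveal in a later block."""

    def __init__(self) -> None:
        self.commits: dict[str, tuple[str, int]] = {}  # sender -> (commitment, block)
        self.filled: list[tuple[str, str]] = []        # (sender, order) in fill order

    def commit(self, sender: str, commitment: str, block: int) -> None:
        # Phase 1: record the opaque commitment and the block it landed in.
        self.commits[sender] = (commitment, block)

    def reveal(self, sender: str, order: str, nonce: bytes, block: int) -> str:
        # Phase 2: accept the order only if it matches an earlier commitment.
        if sender not in self.commits:
            raise ValueError("no commitment on record for sender")
        commitment, commit_block = self.commits[sender]
        if block <= commit_block:
            raise ValueError("reveal must land in a later block than the commit")
        if make_commitment(order, nonce) != commitment:
            raise ValueError("revealed order does not match commitment")
        del self.commits[sender]  # one reveal per commitment
        self.filled.append((sender, order))
        return order


def demo() -> list[tuple[str, str]]:
    """Constructed walk-through: alice commits at block 100 and reveals at block 101."""
    book = CommitRevealBook()
    order = "BUY 10 TOKEN @ 1.50"
    nonce = os.urandom(32)
    book.commit("alice", make_commitment(order, nonce), block=100)
    book.reveal("alice", order, nonce, block=101)
    return book.filled


if __name__ == "__main__":
    print(demo())
```

The two checks in `reveal` carry the security argument: the block-ordering check stops a reveal from being bundled into the same block as its commit, and the hash check stops a user from changing their mind about the order after seeing what others committed.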
2. Logic Flaws
Logical flaws within NFT smart contracts have led to widespread unintentional losses when users misunderstood the terms and conditions of their purchase. A properly audited smart contract will protect users from external threats as well as prevent most non-malicious exploitations. Since smart contracts execute automatically once the preset conditions are met, it's particularly important to account for all logical possibilities, and ensure that users are aware of and in agreement with all relevant contract terms and conditions.
3. Integer Errors
It's common for financial applications to represent value using whole integers. To account for fractional values (like a quarter of a dollar), they treat a fixed number of trailing digits as decimal places (e.g. 0.25 dollars). Currently, many tokens support up to 18 decimal places. One problem this presents is integer overflow, which occurs when a value exceeds the type's maximum and the counter wraps around to the beginning. Similarly, if a value drops below the minimum (say, when subtracting 4 from 3), the result wraps around to a very large number. Fortunately, integer overflow is a well-known issue and is widely prevented using secure math libraries. A more prevalent (and therefore more concerning) issue occurs when faulty calculation logic is employed. For example, when computing 25% of 10, many applications will simply divide by 100 and then multiply by 25. However, if the division takes place first, integer division rounds 10/100 down to 0, resulting in a complete loss of value.
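The three failure modes above (wrap-around on overflow and underflow, and division-before-multiplication) are easy to reproduce with plain integers. The block below is an added example, not code from the article; it models a 256-bit unsigned integer in Python, contrasts wrapping arithmetic with the checked arithmetic a secure math library provides, shows the 25%-of-10 calculation both ways, and includes a fixed-point parser for 18-decimal token amounts. Function names and the constant values are assumptions made for the example.

```python
UINT256_MAX = 2**256 - 1  # range of a 256-bit unsigned integer
MODULUS = UINT256_MAX + 1


def unchecked_add(a: int, b: int) -> int:
    """Wrapping addition: models arithmetic without a secure math library."""
    return (a + b) % MODULUS


def unchecked_sub(a: int, b: int) -> int:
    """Wrapping subtraction: 3 - 4 wraps to the largest representable value."""
    return (a - b) % MODULUS


def checked_add(a: int, b: int) -> int:
    """Secure-math style addition: refuse rather than wrap."""
    if a + b > UINT256_MAX:
        raise OverflowError("uint256 overflow")
    return a + b


def checked_sub(a: int, b: int) -> int:
    """Secure-math style subtraction: refuse rather than wrap."""
    if b > a:
        raise OverflowError("uint256 underflow")
    return a - b


def percent_of_divide_first(amount: int, pct: int) -> int:
    """Faulty order of operations: integer division first truncates small amounts to 0."""
    return amount // 100 * pct


def percent_of_multiply_first(amount: int, pct: int) -> int:
    """Correct order: multiply, then divide, so rounding happens only in the last step."""
    return amount * pct // 100


TOKEN_DECIMALS = 18  # many tokens carry 18 decimal places


def to_base_units(text: str, decimals: int = TOKEN_DECIMALS) -> int:
    """Parse a human amount such as '0.25' into fixed-point base units (no floats)."""
    whole, _, frac = text.partition(".")
    if len(frac) > decimals:
        raise ValueError(f"more than {decimals} decimal places")
    frac = frac.ljust(decimals, "0")
    return int(whole or "0") * 10**decimals + int(frac or "0")


def from_base_units(units: int, decimals: int = TOKEN_DECIMALS) -> str:
    """Render base units back as a decimal string, trimming trailing zeros."""
    whole, frac = divmod(units, 10**decimals)
    return f"{whole}.{frac:0{decimals}d}".rstrip("0").rstrip(".")


if __name__ == "__main__":
    print(unchecked_sub(3, 4) == UINT256_MAX)            # underflow wraps
    print(percent_of_divide_first(10, 25))               # 0: value lost
    print(percent_of_multiply_first(10, 25))             # 2
    print(from_base_units(to_base_units("0.25")))        # 0.25
```

Note that `percent_of_multiply_first` still rounds down, but only by a fraction of one base unit; with 18 decimals that loss is negligible, whereas dividing first can discard the entire amount.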
4. Block Gas Limits
To ensure that blocks don't grow too large, blockchains such as Ethereum enforce strict gas limits. What this means is that if a transaction consumes too much 'gas' it will simply not be executed, thereby preventing any issues down the line. Since many projects conduct unit testing in a development environment where datasets are far smaller than the production environment, they often bump into gas limits once they've gone live. To avoid this, make sure that your testing environment is sufficiently realistic and, if necessary, limit gas usage by redesigning the way that data is stored and accessed.
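The usual way a gas limit bites is an unbounded loop over a dataset that was small in development and large in production. The block below is an added example, not code from the article: it models a gas meter with a constructed block budget and per-write cost, shows a "sweep all holders" loop that fits a 100-row test set but not a 10,000-row production set, and then the redesigned version that processes a bounded batch per transaction and resumes from a cursor. All numbers and names here are assumptions chosen for the model.

```python
class OutOfGas(Exception):
    """Raised when a transaction would exceed the block gas limit."""


class GasMeter:
    """Constructed gas meter: one fresh meter per transaction."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.used = 0

    def charge(self, amount: int) -> None:
        self.used += amount
        if self.used > self.limit:
            raise OutOfGas(f"needed more than {self.limit} gas")


BLOCK_GAS_LIMIT = 30_000_000  # constructed budget for the model
COST_PER_WRITE = 5_000        # constructed cost of updating one holder's balance


def distribute_all(holders, payout, balances, meter):
    """Unbounded loop: cost grows with the dataset, so it works in dev and fails live."""
    for h in holders:
        meter.charge(COST_PER_WRITE)
        balances[h] = balances.get(h, 0) + payout


def distribute_batch(holders, payout, balances, cursor, batch_size, meter):
    """Bounded loop: handle at most batch_size holders and return the new cursor."""
    end = min(cursor + batch_size, len(holders))
    for h in holders[cursor:end]:
        meter.charge(COST_PER_WRITE)
        balances[h] = balances.get(h, 0) + payout
    return end


def fits_in_one_transaction(n_holders: int, limit: int = BLOCK_GAS_LIMIT) -> bool:
    """True if a single-transaction sweep of n_holders stays under the limit."""
    holders = [f"holder{i}" for i in range(n_holders)]
    try:
        distribute_all(holders, 1, {}, GasMeter(limit))
    except OutOfGas:
        return False
    return True


def run_batched(n_holders: int, payout: int, batch_size: int, limit: int = BLOCK_GAS_LIMIT):
    """Drive the batched version across as many transactions as it takes."""
    holders = [f"holder{i}" for i in range(n_holders)]
    balances, cursor, txs = {}, 0, 0
    while cursor < len(holders):
        cursor = distribute_batch(holders, payout, balances, cursor, batch_size, GasMeter(limit))
        txs += 1
    return txs, balances


if __name__ == "__main__":
    print(fits_in_one_transaction(100))      # True: dev-sized dataset
    print(fits_in_one_transaction(10_000))   # False: production-sized dataset
    print(run_batched(10_000, 1, 1_000)[0])  # 10 transactions
```

The test-environment lesson in the text maps directly onto `fits_in_one_transaction`: running it only against the 100-row dataset would never expose the failure. The batch size is the knob a developer tunes against the real limit.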
5. Missing Parameters
This last category includes basic parameter checks and authorizations that are often overlooked. For example, the catastrophic Cashio breach was due to an oversight in which the currency of deposits was not being correctly verified, allowing hackers to deposit unlimited junk currency in exchange for ETH. Other common examples include missing access controls and user authentication. To prevent these, a checklist of all parameters, preconditions, and operations that need to be met should be carefully designed and maintained.
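A concrete form of the checklist idea is to make every precondition an explicit, named check that a deposit or admin operation must pass. The block below is an added example, not code from the article and not a reconstruction of the Cashio contract: it models a collateral vault whose unchecked deposit path credits any token (the class of oversight the text describes), beside a hardened path that verifies the token identity, the amount, and the caller's authorization. The class, token names and callers are constructed for illustration.

```python
class Unauthorized(Exception):
    """Caller is not allowed to perform this operation."""


class InvalidParameter(Exception):
    """A parameter failed one of the operation's preconditions."""


def require(condition: bool, error: Exception) -> None:
    """Explicit precondition check; each item on the checklist calls this once."""
    if not condition:
        raise error


class CollateralVault:
    """Constructed model: credits a stable unit to depositors of the accepted collateral."""

    def __init__(self, owner: str, accepted_token: str) -> None:
        self.owner = owner
        self.accepted_token = accepted_token
        self.credits: dict[str, int] = {}

    def deposit_unchecked(self, caller: str, token: str, amount: int) -> int:
        # Class of oversight described in the text: the token is accepted as a
        # parameter but never compared against the collateral the vault expects.
        self.credits[caller] = self.credits.get(caller, 0) + amount
        return self.credits[caller]

    def deposit(self, caller: str, token: str, amount: int) -> int:
        # Checklist for deposit: 1) token identity, 2) positive amount.
        require(token == self.accepted_token, InvalidParameter(f"token {token!r} not accepted"))
        require(amount > 0, InvalidParameter("amount must be positive"))
        self.credits[caller] = self.credits.get(caller, 0) + amount
        return self.credits[caller]

    def set_accepted_token(self, caller: str, token: str) -> None:
        # Checklist for admin operations: caller authorization comes first.
        require(caller == self.owner, Unauthorized(f"{caller!r} is not the owner"))
        require(bool(token), InvalidParameter("token must be non-empty"))
        self.accepted_token = token


def demo() -> tuple[int, int]:
    """Constructed scenario: the same junk deposit against both paths."""
    vault = CollateralVault(owner="admin", accepted_token="GOOD")
    unchecked = vault.deposit_unchecked("mallory", "JUNK", 1_000_000)
    try:
        vault.deposit("mallory", "JUNK", 1_000_000)
        checked = -1
    except InvalidParameter:
        checked = 0
    return unchecked, checked


if __name__ == "__main__":
    print(demo())  # (1000000, 0)
```

Keeping each precondition as its own `require` line makes the checklist auditable: a reviewer can compare the list of checks in the code against the list of parameters the design document says must be verified, and a missing line stands out.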
Recommendations:
Smart Contract Audit
Smart contract flaws have been responsible for billions of dollars of losses. If a more rigorous approach is not taken, the casualties will only continue to mount. Nation-state actors like the Lazarus Group have proven themselves to be skilled operators in the DeFi environment and target everyone from startups to enterprise blockchain projects.
A properly audited smart contract will protect users from external threats as well as prevent most non-malicious exploitations. In addition, a smart contract audit may allow the code to work more efficiently thereby allowing a project to demonstrate higher performance at a lower cost.
Penetration Testing
Instead of waiting for a malicious actor to identify security gaps, blockchain organizations should hire a white hat security team to pen test their project prior to launch. This will proactively identify weak spots in the software by testing your systems against a simulated cyberattack in a safe and controlled environment.
Bug Bounty
Similar to penetration testing, bug bounty programs have been widely accepted as an effective and cost-efficient way to quickly track down security flaws in deployed software. Decentralized technology developers understand better than anyone else the power that comes with community. Leveraging their network to constantly and aggressively pursue security excellence will go a long way toward safeguarding their users and ensuring long-term success.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.