Blockchain Security
Peter Kacherginsky, Blockchain Security Engineer @Coinbase

Blockchain Security Engineer @Coinbase - BlockSec
- Blockchain Threat Intelligence newsletter
- Capture the Coin CTF @Defcon
- Break blockchains and smart contracts
- Secure and monitor blockchain systems

Malware Reverse Engineer @FireEye - FLARE Team
- FLARE VM, FakeNet-NG, Malware Training
- Lots of APT malware reversing

@_iphelix
AGENDA
● Introduction
● BlockSec: What is this field and what makes it unique from other disciplines.
● BlockSec Ecosystem: Explore main components of the blockchain security ecosystem.
● User Security: Discuss trends in user fraud, cryptocurrency malware, continuous evolution of spam attacks.
Blockchain Security
A new security field with the mission of securing and defending the cryptocurrency ecosystem.
Cryptocurrency Ecosystem
● Users
● Assets
○ Nodes
○ Smart Contracts
○ Wallets
● Exchanges
● Cold/Hot Storage
Threats:
● Malware
● Fraud
● Network Attacks
● Phishing Attacks
● Bad Actors
Exchange Security Incidents
PII Theft
● BlockFi: Lost customer PII. Employee SIM ported to access internal portal.
● Coincheck: Lost PII for 200 customers. Domain registrar hacked.
● Unnamed exchange: Lost 6.929 BTC, 23.210 ETH, and others. Lulzsec took credit.
● Cashaa: Exchange lost 336 BTC. Employee personal laptop hacked.
Exchange Security Insights
● Incident causes could have been easily avoided (e.g. BlockFi SIM swapping, Cashaa
unmanaged personal laptop used for work).
● Attackers are getting creative and going after more than just a hotwallet.
○ PII on Sunday, SIM swap on Monday.
Asset Security: Protocol
Blockchain Network Incidents
Network Security Insights
● PoW coins with easily rentable GPU hashpower will continue getting 51% attacked.
● Bitcoin Gold working with miners to secretly deploy checkpoints is a new pattern.
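The "rentable hashpower" point above, as an added example that is not code from the talk or from Coinbase: a small Python model, using the attacker-success formula from section 11 of the Bitcoin whitepaper, of how many confirmations a deposit should wait for when an attacker can rent a share q of the chain's hashrate. The chain names, the q values and the 0.1% risk threshold are constructed assumptions; rental cost and block-time variance are ignored.

```python
"""Confirmation-depth risk for PoW coins whose hashpower can be rented.

Added example (not code from the talk or from Coinbase). It implements the
attacker-success probability from the Bitcoin whitepaper, section 11: an
attacker holding fraction q of total hashrate tries to overtake an honest
chain that is z blocks ahead. A custodian or exchange can use it to pick
the number of confirmations to require before crediting a deposit on a
chain where q can be bought on a rental market. Assumptions: q is supplied
by the operator (constructed values below); rental cost and block-time
variance are ignored.
"""
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hashrate share q catches up with an
    honest chain currently z blocks ahead (Nakamoto's formula).

    At q >= 0.5 the attacker eventually overtakes the honest chain however
    long one waits, which is exactly the 51% attack scenario.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hashrate")
    if z < 0:
        raise ValueError("z must be non-negative")
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * (q / p)          # expected attacker blocks while honest miners find z
    poisson = math.exp(-lam)   # Poisson pmf at k=0, updated incrementally to avoid overflow
    prob = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        # attacker has mined k blocks so far and must still close a gap of z-k
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob


def confirmations_for_risk(q: float, max_risk: float, limit: int = 10_000) -> Optional[int]:
    """Smallest confirmation depth z whose attacker-success probability is below max_risk.

    Returns None when no depth up to `limit` is enough; for q >= 0.5 no depth
    ever is, so the remaining defences are off-chain (checkpoints, delayed
    crediting, deposit caps).
    """
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def deposit_policy(hashrate_shares: dict, max_risk: float = 0.001) -> dict:
    """Map each chain name to the confirmations its deposits should wait for,
    or None when the chain cannot be made safe by waiting."""
    return {chain: confirmations_for_risk(q, max_risk) for chain, q in hashrate_shares.items()}


if __name__ == "__main__":
    # Constructed example: fraction of each chain's hashrate an attacker could
    # plausibly rent. Placeholder chain names, not measured data.
    rentable_share = {"large-chain": 0.10, "mid-chain": 0.30, "small-gpu-chain": 0.55}
    for chain, depth in deposit_policy(rentable_share).items():
        print(f"{chain:16s} confirmations required: {depth}")
```

The useful output is the None for the 0.55 case: once rentable hashpower exceeds half the network, the confirmation count an exchange requires stops being a security control, which is why the checkpoint pattern mentioned above appears on such chains.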
Blockchain Network Incidents
● SteemIt
● Ethereum: Mempool manipulation to cause congestion to win 1000 zero-bid MakerDAO auctions.
Node and Wallet Security Insights
● Node flaws are still rare. Only 4 flaws discovered (1 intentional). Are there enough eyes?
● RavenCoin stealth commit and Trinity supply chain threats will likely happen again.
Smart Contract Incidents
Smart Contract Security Insights
● DeFi vulnerabilities and attacks are on the rise. The year of DeFi hacks.
● Bug bounty hunters and developers are starting to catch bugs early, often resorting to hacking
themselves. (Bancor)
User Security
● Cryptocurrency Malware
● Scams
● Bad Actors
Cryptomining Malware
● DockerHub: Multiple backdoored docker images uploaded to DockerHub with Monero miners.
● Supercomputers (May 11, 2020): Five EU supercomputers hacked using stolen SSH credentials to mine Monero.
● Lucifer (May 29, 2020): Windows-based Monero miner.
Ransomware
● 285 BTC
● 116.4 BTC
● 65 BTC
Malware Insights
Send BTC
● SpaceX Scam (June 4, 2020): $200,000 worth of crypto lost in BTC giveaway scams on Youtube.
● Twitter Hack (July 15, 2020): Attackers hijacked 130 exchange, celebrity, and corporate accounts to advertise a BTC giveaway scam.
MLM
● Wotoken Scam (May 16, 2020): Chinese police busted MLM scam organizers. $1B worth of crypto stolen from 715,000 victims.
Other Scams and Malware
● Backdoored Wallets (July 1, 2020): Trust Wallet fake in Google Play Store.
● MakerDAO Phish (January 14, 2020): Website mimicking SAI to DAI conversion. Harry’s epic hack to get users’ funds back.
● Deep Fake (May 24, 2020): Deep-fake video of Justin Sun and fake passport used in Skype video calls to scam investors.
Bad Actors
● Individuals
● Insiders
● Groups
● APTs (Lazarus)
● Fin/Ransomware (CryptoCore)
Scam Insights
● Asset Security
○ Low hashrate/GPU mineable PoW coins are getting 51% attacked.
○ First example of a PoS attack.
○ We are not finding nearly enough node/wallet vulnerabilities.
○ Nasty backdoors and supply chain attacks against nodes and wallets.
○ DeFi vulnerabilities and attacks are on the rise.
● User Security
○ Miners, ransomware, fake software, oh my!
○ Scammers are sticking to giveaway and MLM schemes, but getting creative.
03 Building the Industry
● Community
● Guidelines and Tools: SWC Registry, CCSS
Guidelines and Tools
● Missing “OWASP Top Ten”-style guidelines, testing methodology, and tools for:
○ Stand-alone blockchains
○ Node configuration and operation
○ Hot/Cold storage
○ Key management
○ Protocol design
○ Wallet design
○ Blockchain forensics
○ User security
See also the “Attacking and Defending Blockchain Nodes” talk.
Community
● Conferences
● Competitions (Chain Heist)
● Knowledge Sharing
● Media
Community Insights
● Still a very small but growing community with unique competitions, gatherings, and
chat rooms.
● BlockSec will become a career option as a need for the specialized skill-set grows:
○ Smart Contract Security Testers
○ Blockchain Security Engineers
○ Cryptocurrency Forensic Analysts
A call to arms
● Do you enjoy learning about different chains, consensus mechanisms, and
smart contracts?
● Are you a security professional or a bug bounty hunter bored of finding yet
another XSS or SQLi vuln?
● Are you an investigator trying to make sense of what fraudsters are doing?
● Are you a developer looking for an exciting new project to help secure the
open financial system?
@_iphelix
blockthreat.net