
The State of Blockchain Security
Peter Kacherginsky, Blockchain Security Engineer @Coinbase

Peter Kacherginsky
Blockchain Security Engineer @Coinbase - BlockSec
- Blockchain Threat Intelligence newsletter
- Capture the Coin CTF @Defcon
- Break blockchains and smart contracts
- Secure and monitor blockchain systems

Malware Reverse Engineer @FireEye - FLARE Team
- FLARE VM, FakeNet-NG, Malware Training
- Lots of APT malware reversing

Penetration Tester @Federal Reserve System - NIRT
- Password Analysis and Cracking Kit (PACK)
- Breaking Finance 1.0

@_iphelix
AGENDA

Introduction
BlockSec
What is this field and what makes it unique from other disciplines.
BlockSec Ecosystem
Explore main components of the blockchain security ecosystem.

The State of BlockSec
Exchange Security
Learn about security incidents in 2020, gain insights.
Asset Security
Explore trends in blockchain and smart contract attacks, discuss key weak points.
User Security
Discuss trends in user fraud, cryptocurrency malware, continuous evolution of spam attacks.

Building the Industry
Guidelines and Tools
OWASP Top 10 style guidelines and tools to empower users, developers, and exchanges.
Community
Build a community around the industry to help us all grow and build faster. Blocksec as a career.
Blockchain Security
A new security field with the mission of securing and defending the cryptocurrency ecosystem.

Cryptocurrency Ecosystem (diagram)
Components: Users, Assets, Nodes, Smart Contracts, Wallets, Exchanges, Cold/Hot Storage
Threats: Malware, Fraud, Network Attacks, Phishing Attacks, Bad Actors
Exchange Security
Incidents

PII Theft
BLOCKFI: Lost customer PII. Employee SIM ported to access internal portal.
COINCHECK: Lost PII for 200 customers. Domain registrar hacked.

Stolen Funds
ALTSBIT: Lost 6.929 BTC, 23.210 ETH, and others. Lulzsec took credit.
CASHAA: Exchange lost 336 BTC. Employee personal laptop hacked.
Exchange Security Insights

● Are exchanges getting more secure?
○ Decrease in the number of incidents since last year (4 vs. 11 in 2019)
○ Decrease in the monetary damage ($4M vs. $175M in 2019)
○ Most incidents reported within 24 hours.

● Incident causes could have been easily avoided (e.g. BlockFi SIM swapping, Cashaa unmanaged personal laptop used for work).

● Attackers are getting creative and going after more than just a hot wallet.
○ PII on Sunday, SIM swap on Monday.
Asset Security: Protocol
Blockchain Network Incidents

Bitcoin Gold, January 23-24, 2020
Two 51% attacks with 29 block reorg. 7167 BTG double spent.

Bitcoin Gold, July 10, 2020
Attempted 51% attack with a massive 1300 block reorg. Notified by NiceHash miner. Issued secret node with a checkpoint.

Ethereum Classic, August 1, 2020
51% attack resulting in a massive 3500 block reorg. Attacker spent $200k on NiceHash to double spend an exchange.
Network Security Insights

● PoW coins with easily rentable GPU hashpower will continue getting 51% attacked.

● Bitcoin Gold working with miners to secretly deploy checkpoints is a new pattern.
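The deep reorgs above (29, 1300 and 3500 blocks) hurt exchanges that credited deposits after a fixed number of confirmations and then saw those blocks disconnected. The following is an added example, not code from the talk or from any of the projects it names: a small monitor, written for this page, that compares a node's previously known best chain with a new one, measures the reorg depth, lists credited deposits that no longer exist on the new chain, and applies the checkpoint rule Bitcoin Gold used (a chain missing the pinned hash at a checkpointed height is rejected). Block hashes, heights, the deposit transaction and the confirmation policy are all constructed for the example.

```python
"""Chain reorganization monitor (added example, not from the talk).

Defender's view of a 51% attack: an exchange that credits deposits after N
confirmations must notice when its chain is replaced and which credited
deposits vanished. All block and transaction data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Block:
    height: int
    hash: str
    parent: str
    txids: tuple = ()


@dataclass
class ReorgReport:
    depth: int                  # blocks disconnected from the old best chain
    fork_height: int            # last height shared by both chains
    orphaned_txids: list = field(default_factory=list)
    at_risk_deposits: list = field(default_factory=list)


def fork_point(old_chain, new_chain):
    """Height of the last block both chains agree on (-1 if they share none)."""
    common = -1
    for old, new in zip(old_chain, new_chain):
        if old.hash != new.hash:
            break
        common = old.height
    return common


def analyze_reorg(old_chain, new_chain, credited):
    """Compare the known best chain with the new one.

    credited: mapping txid -> height at which a deposit was credited.
    A deposit is 'at risk' when it was credited but its txid is absent from
    the new chain, the usual outcome of a double-spend reorg."""
    fh = fork_point(old_chain, new_chain)
    depth = old_chain[-1].height - fh
    new_txids = {t for b in new_chain for t in b.txids}
    orphaned = [t for b in old_chain if b.height > fh for t in b.txids]
    at_risk = sorted(t for t in credited if t in orphaned and t not in new_txids)
    return ReorgReport(depth, fh, orphaned, at_risk)


def reorg_exceeds_policy(report, confirmations):
    """True when the reorg is at least as deep as the confirmation policy,
    i.e. deposits credited under that policy may have been reversed."""
    return report.depth >= confirmations


def violates_checkpoint(chain, checkpoints):
    """Checkpoint rule: reject a chain that has reached a checkpointed height
    but carries a different block hash there. checkpoints: {height: hash}."""
    by_height = {b.height: b.hash for b in chain}
    return any(h in by_height and by_height[h] != expected
               for h, expected in checkpoints.items())


def build_chain(prefix, start_height, parent_hash, n, txs_at=None):
    """Construct a linear chain of n blocks; txs_at maps height -> txids."""
    txs_at = txs_at or {}
    chain, parent = [], parent_hash
    for i in range(n):
        h = start_height + i
        blk = Block(h, f"{prefix}{h}", parent, tuple(txs_at.get(h, ())))
        chain.append(blk)
        parent = blk.hash
    return chain


# Constructed scenario: honest chain of 10 blocks with a deposit in block 8,
# credited after 2 confirmations; a competing chain shares blocks 0-6 and
# replaces blocks 7-9 with 5 new blocks, so it becomes the longest chain.
HONEST = build_chain("h", 0, "genesis", 10, txs_at={8: ["deposit-tx-1"]})
ATTACK = HONEST[:7] + build_chain("a", 7, HONEST[6].hash, 5)
CREDITED = {"deposit-tx-1": 8}
CONFIRMATIONS = 2
CHECKPOINTS = {8: "h8"}   # hypothetical checkpoint pinned by the node operator


if __name__ == "__main__":
    r = analyze_reorg(HONEST, ATTACK, CREDITED)
    print(f"depth={r.depth} fork_height={r.fork_height} at_risk={r.at_risk_deposits} "
          f"exceeds_policy={reorg_exceeds_policy(r, CONFIRMATIONS)} "
          f"checkpoint_violated={violates_checkpoint(ATTACK, CHECKPOINTS)}")
```

The useful operational output is the comparison of `depth` against the confirmation policy: a 2-confirmation policy on a chain where 1300-block reorgs happen is no protection at all, and the monitor makes the gap visible per deposit rather than per incident.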
Blockchain Network Incidents

SteemIt
Tron and a number of exchanges colluded to vote in a controlling set of validators. First of a kind DPoS attack.

Ethereum
Mempool manipulation to cause congestion to win 1000 zero-bid MakerDAO auctions.
Network Security Insights

● SteemIt attack opens up a new era of PoS and governance attacks.

● Attackers are getting more creative (e.g. mempool manipulation).
Asset Security: Software
Node Vulnerabilities

SOLANA, March 9, 2020
Solana testnet node failed to validate transaction signatures. 500M SOL were stolen.

Tendermint, May 31, 2020
Tendermint DoS vulnerability when parsing invalid blocks. Results in a network halt.

FileCoin, June 7, 2020
Inflation bug discovered and exploited on testnet. 9B FIL minted.
Wallet Vulnerabilities

Monero Wallet, March 3, 2020
Monero wallet was incorrectly parsing specially crafted coinbase transactions. May result in invalid deposits displayed.

Lightning Network, June 17, 2020
Vulnerability disclosed which could lead to channel partner losing BTC.

Argent Wallet, June 19, 2020
Wallet takeover vulnerability was patched after responsibly disclosed by OpenZeppelin.
Backdoors

Trinity Wallet, February 12, 2020
Wallet backdoored through a 3rd party dependency to steal funds.

RavenCoin, July 4, 2020
Inflation bug emergency patch. Bug was maliciously introduced. 300M RVN minted and sold on exchanges.
Node and Wallet Security Insights

● Node flaws are still rare. Only 4 flaws discovered (1 intentional). Are there enough eyes?

● RavenCoin stealth commit and Trinity supply chain threats will likely happen again.
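The Trinity case above is a third-party dependency changing underneath a wallet build. One control a wallet or node project can apply is to pin the hash of every vendored dependency file at review time and refuse to ship a build whose tree differs. The block below is an added example written for this page, not Trinity's or any project's tooling: it hashes a directory tree, compares it against a pinned SHA-256 manifest, and reports modified, missing and unexpected files. The dependency tree, its file contents and the simulated tampering are constructed inside the example.

```python
"""Dependency integrity check (added example, not from the talk).

Pins every vendored file to a SHA-256 manifest so a modified, missing, or
unexpected file is reported before a build ships. All files are constructed.
"""
import hashlib
import os
import tempfile


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = sha256_bytes(fh.read())
    return result


def verify_manifest(actual, pinned):
    """Compare observed hashes with the pinned manifest.

    Returns path lists under 'modified', 'missing' and 'unexpected'. A file
    that is present with a different hash is 'modified'; a pinned file that
    is gone is 'missing'; a file the manifest never listed is 'unexpected'
    (a newly added file in a dependency deserves the same review as a change)."""
    modified = sorted(p for p in pinned if p in actual and actual[p] != pinned[p])
    missing = sorted(p for p in pinned if p not in actual)
    unexpected = sorted(p for p in actual if p not in pinned)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def is_intact(report):
    """True only when every pinned file is present and unchanged and no
    unlisted file appeared."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo():
    """Build a constructed dependency tree, pin it, then tamper with one file.
    Returns the (clean, tampered) verification reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        files = {   # constructed stand-in for a vendored JavaScript dependency
            "lib/index.js": b"module.exports = require('./wallet');\n",
            "lib/wallet.js": b"function sign(tx, key) { /* ... */ }\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        pinned = hash_tree(root)                 # manifest captured at review time
        clean = verify_manifest(hash_tree(root), pinned)
        # Simulated tampering: a later "update" appends code to wallet.js.
        with open(os.path.join(root, "lib/wallet.js"), "ab") as fh:
            fh.write(b"// appended by a dependency update\n")
        tampered = verify_manifest(hash_tree(root), pinned)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", is_intact(clean), "tampered:", tampered)
```

The manifest has to be produced from a reviewed copy of the dependency and stored with the project, not regenerated from whatever the package manager fetched at build time; otherwise the check only confirms that the tree matches itself.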
Smart Contract Incidents

bZx, Feb 15, 2020
EtherRoll, April 25, 2020
tBTC, May 19, 2020
Hegic, May 21, 2020
Bancor, June 18, 2020
DeFi Saver, June 19, 2020
Atomic Loans, June 21, 2020
Balancer, June 28, 2020
VETH, June 30, 2020
Opyn, August 4, 2020

Smart Contract Incidents

bZx, Feb 15, 2020
Margin trading bug exploited resulting in ~$1M worth of ETH theft. Flash loans used to amplify the attack.

Balancer, June 28, 2020
$500k worth of tokens drained from multi-token pools. Bug with deflationary tokens exploited using flash loans. Dismissed a bug bounty report.

Bancor, June 18, 2020
Developers attacked their own coin to secure funds. Arbitrage bots claimed some bounty for themselves.
Smart Contract Security Insights

● DeFi vulnerabilities and attacks are on the rise. The year of DeFi hacks.

● Bug bounties and developers are starting to catch bugs early. Often resorting to hacking themselves (Bancor).

● Complex code will have bugs (bZx).

● Complex interactions between DeFi components introduce new bugs (Balancer).
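The Balancer bullet above is about a component interaction: a pool that credits a depositor with the amount it asked to transfer, combined with a deflationary token that burns part of every transfer, so the pool's bookkeeping drifts away from what it really holds. The block below is an added illustration written for this page, not Balancer's contracts or any real token: a toy burn-on-transfer token, a pool that trusts the requested amount (the defective pattern), and a pool that credits only the balance change it actually observed (the hardened pattern). All names, balances and the burn rate are constructed.

```python
"""Deflationary-token accounting mismatch (added example, not from the talk).

Shows why a pool must credit what it received, not what was requested,
when the token it holds burns a share of every transfer. Everything here
is a constructed toy model; no real contract is reproduced.
"""


class DeflationaryToken:
    """Toy token that burns burn_bps basis points of every transfer."""

    def __init__(self, burn_bps, balances):
        self.burn_bps = burn_bps
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        burned = amount * self.burn_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + (amount - burned)
        return amount - burned


class NaivePool:
    """Defective pattern: records the requested amount as the amount received."""

    def __init__(self, token, name="pool"):
        self.token, self.name = token, name
        self.recorded = 0      # the pool's internal view of its token reserve

    def deposit(self, user, amount):
        self.token.transfer(user, self.name, amount)
        self.recorded += amount    # BUG: ignores tokens burned in transit

    def drift(self):
        """Bookkeeping minus real reserve; positive means the pool believes it
        holds more than it does, and later withdrawals are priced on that."""
        return self.recorded - self.token.balance_of(self.name)


class CheckedPool(NaivePool):
    """Hardened pattern: measure the balance before and after the transfer
    and credit only what actually arrived."""

    def deposit(self, user, amount):
        before = self.token.balance_of(self.name)
        self.token.transfer(user, self.name, amount)
        received = self.token.balance_of(self.name) - before
        self.recorded += received


def run_scenario(pool_cls, burn_bps=100, deposits=(1_000, 1_000, 1_000)):
    """Run a sequence of deposits from a constructed user and return
    (recorded reserve, actual reserve, drift)."""
    token = DeflationaryToken(burn_bps, {"alice": 10_000})
    pool = pool_cls(token)
    for amt in deposits:
        pool.deposit("alice", amt)
    return pool.recorded, token.balance_of(pool.name), pool.drift()


if __name__ == "__main__":
    print("naive  :", run_scenario(NaivePool))     # drift grows with every deposit
    print("checked:", run_scenario(CheckedPool))   # drift stays at zero
```

The same before/after measurement is the standard defence for any token whose transfer can deliver less than requested, which is why audits of multi-token pools ask specifically how the pool learns the received amount.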


User Security

● Cryptocurrency Malware
● Scams
● Bad Actors
Cryptomining Malware

Supercomputers, May 11, 2020
Five EU supercomputers hacked using stolen SSH credentials to mine Monero.

DockerHub
Multiple backdoored docker images uploaded to DockerHub with Monero miners.

Lucipher, May 29, 2020
Windows-based Monero miner.

Ransomware
285 BTC
116.4 BTC
65 BTC
Malware Insights

● Monero miners will hack anything that can mine. Toasters?

● Ransomware appears to be on a decline but definitely here to stay.


Crypto Giveaway

SpaceX Scam, June 4, 2020
$200,000 worth of crypto lost in BTC giveaway scams on Youtube.

Twitter Hack, July 15, 2020
Attackers hijacked 130 exchange, celebrity, and corporate accounts to advertise a BTC giveaway scam.

MLM

Wotoken Scam, May 16, 2020
Chinese police busted MLM scam organizers. $1B worth of crypto stolen from 715,000 victims.

Other Scams and Malware

Backdoored Wallets, July 1, 2020
Trust Wallet fake in Google Play Store.

MakerDAO Phish, January 14, 2020
Website mimicking SAI to DAI conversion. Harry's epic hack to get users' funds back.

Deep Fake, May 24, 2020
Deep-Fake video of Justin Sun and fake passport used in Skype video calls to scam investors.
Bad Actors (diagram)
Individuals, Insiders, APTs, Fin/Ransomware Groups
Named groups: Lazarus, CryptoCore
Scam Insights

● Users are taking things into their own hands:
○ Woz suing Youtube
○ Terpin suing AT&T
○ Harry Denley's reverse hack

● MLM schemes are incredibly profitable ($1B Wotoken, $4B PlusToken).

● Exchanges pro-actively blocking bad addresses.

● Scammers are getting creative (Web3 phishing sites).


The State of Blockchain Security
● Exchange Security
○ The number of hacks and financial damage decreasing.
○ Existing incidents could have been easily prevented.
○ Attackers are going after more than just coins.

● Asset Security
○ Low hashrate/GPU mineable PoW coins are getting 51% attacked.
○ First example of a PoS attack.
○ We are not finding nearly enough node/wallet vulnerabilities.
○ Nasty backdoors and supply chain attacks against nodes and wallets.
○ DeFi vulnerabilities and attacks are on the rise.

● User Security
○ Miners, ransomware, fake software, oh my!
○ Scammers are sticking to giveaway and MLM schemes, but getting creative.
Building the Industry

● Guidelines and Tools

● Community

● How you can contribute


Guidelines and Tools

SCSVS
DASP TOP 10
SWC Registry
CCSS

● Smart Contract security testing has great tooling, methodology

● Missing "OWASP Top Ten"-style guidelines, testing methodology, and tools for:
○ Stand-alone blockchains
○ Node configuration and operation
○ Hot/Cold storage
○ Key management
○ Protocol design
○ Wallet design
○ Blockchain forensics
○ User security
(Related: Attacking and Defending Blockchain Nodes talk)
Community
Conferences, Competitions, Chain Heist, Knowledge Sharing, Media

Community Insights

● Still a very small but growing community with unique competitions, gatherings, and chat rooms.

● BlockSec will become a career option as a need for the specialized skill-set grows:
○ Smart Contract Security Testers
○ Blockchain Security Engineers
○ Cryptocurrency Forensic Analysts
A call to arms
● Do you enjoy learning about different chains, consensus mechanisms, and
smart contracts?

● Are you a security professional or a bug bounty hunter bored of finding yet
another XSS or SQLi vuln?

● Are you an investigator trying to make sense of what fraudsters are doing?

● Are you a developer looking for an exciting new project to help secure the
open financial system?

Good! Join BlockSec


Thank you!
Does anyone have any questions?

@_iphelix

blockthreat.net
