Blockchain Security: Received idea or established fact?

If the concept of attack surface is known in the fields of Information Technology (IT) and Operational Technology (OT), the notion of attack surface in the field of blockchain remains a still vague concept for a majority of professionals.

One of the most well-known vulnerabilities is the commonly known 51% attack. The 51% attack is a theoretical threat in the field of blockchain which concerns systems using the so-called proof of work mechanism, such as Bitcoin and other blockchains. This attack occurs when an individual or group acquires more than 50% of the computing power of the blockchain network. With this majority, the attacker can manipulate the transaction register and thus validate or invalidate it. Blockchain security relies on decentralization. By controlling more than half of the computing power, the attacker centralizes control and can make unilateral decisions regarding transactions.

Although this attack has become less common on public blockchains due to their large computing power and the advent of new consensus algorithms like "Proof of Stake "which now dominate the market, this is not the case. private or permissioned blockchains, for which the transaction validation algorithm is more easily vulnerable to localized intrusions. As Benjamin Thomas points out:

In a private blockchain, only the company or servers authorized by a company can contribute to the security of the network decentralization. By definition, these are much easier targets for cyberattackers since there are only a few stations to compromise to recover the majority of the network's computing power.

Note that blockchains are also vulnerable to denial of service (DDoS) attacks. As the blockchain is hosted on a set of decentralized servers, if some or all of the servers are saturated, the overall capacity of the blockchain will be affected, leading to delays or even unavailability. Furthermore, if a participant in the network, whether public or private, wishes to spam transactions to the point of causing their unavailability, they can theoretically achieve this.

Like any program, smart contracts are likely to present classic vulnerabilities linked to the programming stage. A common flaw is reentrancy, a defect caused by poor checking or inappropriate placement of conditions in the code.

In practice, this type of vulnerability manifests itself when a smart contract allows a user to perform a function, such as transferring funds, before confirming whether this action is authorized. If the verification is performed after the function is executed, an attacker can abuse this flaw to repeat the action multiple times, thereby fraudulently exfiltrating funds or resources.

The best illustration of this modus operandi is the Fei Protocol incident in April 2022 which allowed its author to divert nearly 80 million dollars in tokens by exploiting a reentrancy vulnerability.

Another common scenario is smart contract compromises involving an absence or poor management of access controls. "In a program, there are different functions, some designed to be performed exclusively by an administrator. However, sometimes developers fail to implement the necessary restriction, thereby allowing these functions to be used by an unauthorized person.", explains Benjamin Thomas.

Finally and as with any development, the programming languages used in blockchain development can be a significant source of vulnerabilities. This was the case with the Curve Finance application, which suffered from a flaw in the Vyper programming language, allowing cybercriminals to embezzle nearly 73 million dollars. This phenomenon largely explained by the recent nature of these languages which are more conducive to the appearance of zero-day flaws.

Decentralized applications use the same web interface development frameworks (React, Angular, Vue.js) as traditional applications, as Benjamin Thomas points out:

Beyond the back-end infrastructure, the interface is also a point of vulnerability. For example, a cybercriminal can divert website traffic from a decentralized application to redirect it to its own application.

This is notably what happened to the Balancer application, a victim of a DNS hijacking which led to the theft of $238,000 in crypto-currency assets.

Likewise, traditional phishing techniques, such as sending fraudulent emails to obtain user credentials, remain a serious threat. Users could be tricked into entering their information on counterfeit websites or interfaces, leading to the loss of their digital assets.

Regarding data sources, the “Oracle Problem” refers to a vulnerability in smart contracts. Smart contracts, by nature, can only interact with other elements within the blockchain. To retrieve information, they must rely on “oracles”, intermediaries who serve as a bridge between the blockchain and the outside world. In this scenario, the danger arises when these oracles are compromised, providing false or manipulated data to smart contracts.

DeFi protocols lost approximately $403.2 million following 41 oracle manipulation attacks, according to Chainalysis. These attacks can directly target oracles by compromising them so that they send erroneous data or exploiting weaknesses in their design, such as a lack of reliability or updating of data. Once this incorrect information is entered into the blockchain, it remains there permanently, potentially affecting all operations that rely on this data. A situation that calls into question the reliability and security of blockchain applications.

Orange Cyberdefense offers a complete range of services to support blockchain projects, emphasizing security from the design phase, this is called " security by design". This step involves close collaboration with clients from the start of their blockchain projects to integrate security milestones into the project development. In addition to design support, Orange Cyberdefense offers auditing services for smart contracts, Blockchain protocols, and private key management to ensure compliance with security requirements and best practices. An expertise that also covers support for compliance with regulations, such as PSAN.

Orange Cyberdefense can also intervene in forensic analysis and on-chain analysis. The first is to examine the traces of an attack, determining the path taken by the attacker and the vulnerabilities exploited. Through in-depth analysis, Orange Cyberdefense experts can precisely identify the tactics, techniques, and procedures used by the attacker.

As for on-chain analysis, Orange Cyberdefense uses a vast database containing information from numerous digital asset portfolios associated with cybercriminals or potential attackers. A resource that allows experts to trace and track transactions, helping victimized businesses, including their competitors, locate stolen funds in collaboration with authorities.

As a qualified partner, Orange Cyberdefense is one of the only companies that has certifications for supporting blockchain projects with a PASSI qualification (information systems security audit provider) for PSAN compliance. Orange Cyberdefense also has PDIS (security incident detection service provider) and PRIS (security incident response service provider) qualifications.