Category Archives: Blockchain

Bitcoin exchanges must remain vigilant to low value coins

Heard that a vulnerability found on cryptocurrency (FuturXE (FXE)). The problem is that smart contact designer make a programming logic mistake. Department of Homeland Security confirm the bug this week. (CVE-2018–12025) – https://nvd.nist.gov/vuln/detail/CVE-2018-12025

The vulnerabilities and cyber attack looks never stop so far. Do you still remember virtual currency exchange Coincheck lost $400 million in NEM cryptocurrency in Jan 2018?

The hack only involved NEM, because the security breach was caused by the lack of strong security measures of Coincheck with regards to their implementation of NEM, lacking the use of mutlisignature support or a cold wallet.

It looks that criminal group will be intereted of low market value cryptocurrency. For instance, CVE-2018-10468 hacker exploits useless token combine with vulnerability steal the token. Coincheck lost $400 million in NEM but the market price of each coin is in lower value.

FutureXE market price equal to zero buy still avaiable to buy on the market. I think this type of coins will be lure criminal group interest. The fact is that this type of coins willl be exploits for money laundering. Since the coin has vulnerability occured, criminal group can hiring hacker to steal the coin and waiting for bitcoin exchanges reimburse the fund to achieve the money laundering objective.

— End —

Hyperledger Iroha v1.0 beta-2 version to remediate CVE-2018-3756 (May 2018)

The earlier generation of blockchain technology empower encryption power let the world know his capability. As times goes by people found the design weakness of blockchain technology is the performance of synchoization of the peer nodes. Such design weakness cause double spending vulnerability. The next generation of technology so called HYPERLEDGER. It enhance the design weakness of blockchain. As a result cryptocurrency especially Ethereum relies on Hyperledger Fabric in demand. A blockchain project developed by several Japanese firms including by startup Soramitsu and IT giant Hitachu has been accepted into the Hyperledger blockchain initiative. A fix has been released by Hyperledger IROHA project two weeks ago. Hyperledger Iroha v1.0 beta-2 version is avaliable for download. The reason is that a critical vulnerabilities discovered during the security audit.

On 2017, Cambodia central bank taps Hyperledger Iroha for blockchain settlement. Perhaps they update to beta 2 already.

Should you have interest to know the detail, please refer below:

Cambodia central bank taps Hyperledger Iroha for blockchain settlement – https://www.cryptoninjas.net/2017/04/20/cambodia-central-bank-taps-hyperledger-iroha-blockchain-settlement/

Beta 2 (download): https://github.com/hyperledger/iroha/releases/tag/v1.0.0_beta-2

See whether Bitcoin signatures do not comply with RFC 6979

Have you heard a song by Dinah Washington ? The song title is what a difference a day made? In crypto currency world, bitcoin is the big brother. However technology world still concerns Bitcore signatures is able to comply with RFC 6979 specification?

Bitcoin owner must protect the private key. The conceptal idea is that generating random number k in elliptic curve is crucial and in any transactions signature in Bitcoin, random number k is required to compute a point k*G. If this k is chosen not randomly, it instantly leaks the private key.

Do you think attached diagram can provide the resolution to you in this regard?

What A Diff’rence A Day Makes Lyrics: What a difference a day made? Twenty-four little hours. Brought the sun and the flowers.Where there used to be rain……..

Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA):

https://tools.ietf.org/html/rfc6979

Bitcoin Bunker

We watch the movie, tycoon decide to keep the money in Switzerland. Whatever special of reasons. Swiss made or location provides a secure and best environment to the world. Besides, swiss army knife a symbol of permanent and reliable tool to solider. Just heard from Bloomberg headline news that the Wealthy Are Hoarding $10 Billion of Bitcoin in Bunkers. Zapo similar as a bunker, just operate for 4 years, it has more “deposits” than 98 percent of the roughly 5,670 banks in the U.S. I am interested what is the perfect way to protect your bitcoin. See whether it is a paper wallet instead of electronic. For more details, please refer below url for reference.

The Wealthy Are Hoarding $10 Billion of Bitcoin in Bunkers

https://www.bloomberg.com/news/articles/2018-05-09/bunkers-for-the-wealthy-are-said-to-hoard-10-billion-of-bitcoin

The design weakness of Ethereum

The design weakness of Ethereum

 

The design weakness of Ethereum

 

Preface:

Any idea from you in regards to cryptocurrencies security features at this moment?  From technical point of view, blockchain technology is able to protect the data in the block. Thus hacker is hard to modify the data. It looks a prefect system. As far as we know, crypto currencies platform not secure as expected. But what is the actual problem ?

Refer to above diagram, it explicitly show the design weakness of Ethereum design. Since both smart contract and ethereum wallet has critical vulnerabilities occurred. Since a design weakness occurred in the end point (Ethereum wallet). In additional of the smart contract has vulnerability occurred. And therefore it provides a gut feeling to people crypto currency not indeed safe.

Known Attack

Integer Overflow and Underflow

Definition of integer overflow – If a balance reaches the maximum uint value (2^256) it will circle back to zero. Since the uint variable changes state, If any user can call functions which update the uint value, it’s more vulnerable to attack.

We understand that web3.js is a collection of libraries which allow you to interact with a local or remote Ethereum node, using a HTTP or IPC connection. Java application encounter  vulnerabilities caused end user encounter cyber attack is not a news. Above informative diagram shown the integer overflow vulnerability of Ethereum case study involves java applet on the client side. As a front end application, Java application may not aware that he is the accomplice with the cryptocurrency cyber security incident.

Definition of integer underflow –  If a uint is made to be less than zero, it will cause an underflow and get set to its maximum value.  C-like underflow might affect Solidity storage. It can arbitrarily allow malicious changes to constant variables. Below is the example of uint overflow and underflow.

Remark: What is the largest value you can represent using a 256-bit unsigned integer?

The 256-bit unsigned int (uint) data type can hold integer values in the range of 0 to 11579208923731619542357098500868790785326998466564 0564039457584007913129639935

contract C {
    // (2**256 - 1) + 1 = 0
    function overflow() returns (uint256 _overflow) {
        uint256 max = 2**256 - 1;
        return max + 1;
    }

    // 0 - 1 = 2**256 - 1
    function underflow() returns (uint256 _underflow) {
        uint256 min = 0;
        return min - 1;
    }
}

A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found.

In June 2016, users exploited a vulnerability in the DAO code to enable them to siphon off one third of The DAO’s funds to a subsidiary account. On 20 July 2016 01:20:40 PM +UTC at Block 1920000, the Ethereum community decided to hard-fork the Ethereum blockchain to restore virtually all funds to the original contract.

All dependent multi-sig wallets that were deployed after 20th July. No funds can be moved out of the multi-sig wallets afterwards. For more details, please see below:

contract Wallet {
    function () payable {
    Deposit(...)
    }
}

CVE-2018-10666

CVE-2018-10666 – The vulnerability allows attackers to acquire contract ownership because the setOwner function is declared as public. A new owner can subsequently modify variables (see below diagram for reference).

Status update on 22nd May 2018

CVE-2018-11239 – An integer overflow in the _transfer function of a smart contract implementation for Hexagon (HXG), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets by providing a _to argument in conjunction with a large _value argument, as exploited in the wild in May 2018, aka the “burnOverflow” issue.

CVE-2018-10944 – The request_dividend function of a smart contract implementation for ROC (aka Rasputin Online Coin), an Ethereum ERC20 token, allows attackers to steal all of the contract’s Ether.

Observation:

In regards to the cyber security incident happened in past, the Ethereum system looks did not shown they are capable to protect himself.
Their functionaility may have improvement comparing with traditional bitcoin technology (see below):

Hyperledge Ethereum Bitcoin
Association Linux Foundation Ethereum Developers Bitcoin Developers
Currency N/A Ether BTC
Mining Reward N/A Yes Yes
Network Design goal – Private Design goal – Public Public only
Privacy Private Open Open
Smart Contracts Multiple-programming language C++,Rust and Go i. Bitcoin Core, is written primarily in C++
ii. Lightweight clients like MultiBit and Bitcoin Wallet written in Java

Next step : How to Protecting Yourself and Your Funds

1. One of the safest & easiest ways to store your ETH is use a hardware wallets.

2. Activate 2FA (duh) on any exchanges or online wallet you use.

3. Move your ether off exchanges, into a hardware wallet or paper wallet.

How to view your account balance, look up transaction and explore smart contracts?

Etherchain is an Explorer for the Ethereum blockchain. It allows you to view your account balance, look up transactions and explore smart contracts.

Browse all Ethereum Transactions – https://www.etherchain.org/txs

In God We Trust.

— End —

 

CVE-2018-10299 – integer overflow jeopardize Ethereum Zone

In the view of cryptocurrency supporter, Ethereum is the best. The cyber incident occured in cryptocurrency world so far shift the security focus to e-wallet (end point). Perhaps the cyrpto platform itself contains design limitation. However the end point design of crypto currency platform looks have more space for improvement.

If you install the MetaMask browser plugin, you can manage your accounts in your browser. The keys are stored only on your browser, so you are the only one who has access to your account and the private key. But when the web browser encounter vulnerability. It may jeopardize your private key. So security urge the crypto currency owner make use of hardware token instead of software.

We understand that web3.js is a collection of libraries which allow you to interact with a local or remote Ethereum node, using a HTTP or IPC connection. Java application encounter  vulnerabilities caused end user encounter cyber attack is not a news. Above informative diagram shown the integer overflow vulnerability of Ethereum case study involves java applet on the client side. As a front end application, Java application may not aware that he is the accomplice with the cryptocurrency cyber security incident.

Return to reality. Below headline news shown the vulnerabilities occurred in Ethereum (see below for reference). I am wishing that above details can provides hints to you for reference.  Let’s us awaken the design weakness of Ethereum cypto currency platform.

Critical EOS Smart Contract Vulnerability Discovered By Auditing Firm

https://bitcoinexchangeguide.com/critical-eos-smart-contract-vulnerability-discovered-by-auditing-firm/

 

Ethereum – CVE-2018-10468

As far as I remember, the goal of bitcoin technology aim to replace the traditional payment. In additional, the slogan of bitcoin is that it can provides a more secure way to send the money and it is hard to counterfeit.  We heard cyber security incidents happened in bitcoin industry frequently last year.  Ethereum , a most relieable and popular crypto currency in the bitcoin industy.  A vulnerability found in Ethereum that it give a way to hacker do the re-engineering. Hacker is able to transform the transfer function ( transferFrom()). Detail shown as below:

The transferFrom function of a smart contract implementation for Useless Ethereum Token (UET), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims’ balances into their account) because certain computations involving _value are incorrect, as exploited in the wild starting in December 2017, aka the “transferFlaw” issue.

For more details, please refer below url for reference.

https://peckshield.com/2018/04/28/transferFlaw/

Hackers jailbreak MyEtherWallet Infrastructure (Apr 2018)

ISPs tend to restrict what an end customer can advertise. However, any ISP do not filter customer advertisements.
A possible factor let’s hacker compromise the customer router thus advertise errant information into the global routing table.

An attackers stolen at least $13,000 in Ethereum within two hours.

Security expert speculate that it is a DNS attack. But many attack method can be used. For example: BGP hijacking. The scenario displayed on above diagram.

Headline news shown as below:

https://www.theverge.com/2018/4/24/17275982/myetherwallet-hack-bgp-dns-hijacking-stolen-ethereum

 

 

 

 

 

 

Verge Is Forced to Fork After Suffering a 51% Attack

Blockchain technology contains advanced security features fundamentally. However the heist occurs in such secure platform are in frequent. The questions of a retrospective and why was hacked? It proof that the problem not given by blockchain technology design flaw. Most likely the root causes are given by end point (client side), operation management (show the privilesge credential in the system event log). Rumors happened yesterday, verge user feared the attacker might use his dominant network position to siphon funds from their accounts. Verge technical team announce that it is a hash attack and it only some blocks were affected during a 3 hour period, not 13 hours. But what do you think? Do you think there is a zero day happens in e-wallet? Headline News can be found in following url.

https://news.bitcoin.com/verge-is-forced-to-fork-after-suffering-a-51-attack/

Hyperledger technology without compromise

It has different fraud found in banking industry in past. The most annoying import and export bills department is the letter of Credit application.  A regulation gap in between cross-border countries. There are fraudulent cases found in banking industry in past. The most annoying topic is the import and export bills department is the letter of Credit application. A regulation gap in between cross-border countries. If is easy to let banking staff not aware fall in trap created by crook. As a result it encountered financial lost.

Whereby the International Chamber of Commerce agree to compliance the Uniform Customs & Practice for Documentary Credits (UCP 600) rule. As times go by many people ask whether the UCP 600 will be revised?

The technologies market practice so far. I heard that Letter of Credit has been replaced by hyperledger. I have seen Microsoft Azure Cloud services is going to target hyperledger, Ethereum types hyperledger platform market. Should you have interest of this technology transformation. Please refer below diagram for reference. By the way, hyperledger services now available on Azure Cloud. For more details, please refer below url for reference.

https://azure.microsoft.com/en-us/blog/announcing-support-for-additional-blockchain-protocols-on-azure/