Introduction

This is my own opinion and it’s based on research, my own experiences, and my talks with some experts on the subject of the blockchain. This is not advice or technical architecture, I just want to shed light on what I believe is a naive world of cryptocurrencies, NFTs, and blockchain projects. I’d like to talk about the possibilities of exploits that already exist and those that are yet to be discovered. Take all of this with a grain of salt since we are still at the early stages of mass adoption and as with any new technology, we can only speculate and make educated guesses but predictions remain our weak point.

Web 2.0 exploit vectors

While the blockchain itself might be more secure by design, what is often forgotten is that these blockchains are accessed with web 2.0 or legacy code applications. This means that the data on the blockchain can contain exploit code which can get executed at the end of the user. This can happen in the intended wallet application and the scary part is that I can send things to a wallet without needing consent persé. This is not a reality yet as far as I know but I fear the day when we will have a blockchain project with its own wallet that allows for exploits to be executed. Whether it be native desktop, web or mobile applications. As long as it’s coded by a human, there might be an exploit and the code can just get pushed into users’ wallets if not properly sanitized.

Another way this could happen is with an NFT that gets minted containing exploit code. This might all be found out fast but it might also stay hidden for long enough to infect a big portion of the userbase. Damn future, you scary.

Existing exploits

51% attacks, Crypto-jacking, Flash loan attacks, and rug pulls, … This is a list of scary potential attacks that can either hit a blockchain directly or can affect the user to involuntary send their crypto to the attacker.

Rug pulls might be known to many of you, but for those of you not so familiar with the subject, it is when a project gets set up, advertisement is done, and investments are being made (sometimes people even put their entire life savings into a project) and when it’s set and done, the creators run away with the money, never to be heard from again. This can be devastating and often leads to crypto’s and NFTs losing all their value, wiping out people’s savings in the process.

Crypto-jacking occurs when an attacker is able to hijack someone’s computer or website and installs a cryptocurrency miner on there which sends all the acquired crypto to the attacker's wallet. We have seen this before in the past with for example XSS attacks against websites that deliver a payload in JS which gets executed on everyone’s computer that visits the website.

Cryptocurrency exchange heists

Cryptocurrency exchanges are places where you can trade cryptocurrencies, often they have their own wallets where you can send crypto to start trading. When you send your cryptocurrency to their wallets, you effectively send your money to them and this means that if an attacker were to get access to their systems, they are very likely to be able to steal all the reserves of the exchange making them insolvent. Don’t get me wrong, not all cryptocurrency exchanges are ticking timebombs in this regard and it’s not always possible to do. Above all this, cryptocurrency exchanges spend massive amounts of money in order to keep themselves and their reserves secure.

The problem is these exchanges are often far bigger and more complex targets which allows for them to be more attractive for hackers to try and break into but also due to their complexity, they have more exposure to the outside world than a cold wallet with API’s, websites and mobile apps, all allowing for integration with their services and increasing the attack surface a malicious actor.

Sudden loss of value

My next point that is hard to protect against is a sudden loss of all value or most value of cryptocurrencies, you might be wondering how this is a threat exactly and in my opinion it comes from the fact that the banking industry is highly regulated with potential bailouts. When a cryptocurrency project goes bust, you are pretty much SOL. The problem also comes from the fact that even the best coins with the most solid fundamentals can be victim to this.

Let’s not forget the sudden crash with the terra/luna ecosystem which wiped out many people’s savings accounts. This stablecoin seemed to have great fundamentals but turned out to not be as bullet proof as we first thought.

Majority vote abuse

In certain DeFi projects, changes to the code get “voted” in by majority vote. Another product offered by DeFi, being “Flash loans” can sometimes spell doom for blockchain projects like this. Attackers will take out a big temporary loan, they will vote beneficial code changes in for themselves due to now having a majority voting right with a huge loan they used to buy the crypto with. They then transfer the liquidity pool to themselves for example and pay back the loan. This can’t even really be considered an exploit in my opinions since it simply uses features of the system.

51% attacks

Cryptocurrencies are sometimes mined, this mining uses computer power and an attack that has been theorised is a 51% attack. This kind of an attack would see the malicious actor gaining over 50% of the total mining power, and depending on the mining power of the attacker, this can have severe consequences such as the attacker being able to block and reverse transactions by bypassing the security measures of the blockchain it is aimed at.

Is it me or does anyone else feel the urge to buy a crapton of graphics cards?