Decentralized Applications (Dapps)...can be HACKED?
Human history shows us that there is nothing absolute and that everything is absolutely... relative. That's a fact. With the appearance of Bitcoin first, and with it the first blockchain network in the history of mankind, the mindset of developers all over the Internet changed. Many applications were built on top of blockchain services primarily with one idea in mind: SECURITY.
It has been said that blockchain can't be hacked. This assertion has had supporters and detractors through the entire history of blockchain. Many people have argued that applications built on top of blockchain services can indeed be hacked, one way or another, while others have stated the opposite. The basic argument of those who claim that Dapps can't be hacked at all relies on the security properties of the different blockchains out there, while those who claim the opposite point out that no blockchain is entirely secure and that attacks based on social engineering can happen regardless of the security level of a given Dapp... So what is the truth behind the initial statement?
Twitter wouldn’t be hacked if it were backed by Blockchain Technology
Let´s start from what we learned from recent hacking history
In recent days the social microblogging site Twitter suffered one of the strangest, most comical and at the same time most incredible hacking incidents. 130 accounts were targeted: Joe Biden, Jeff Bezos, Apple's official account, Bill Gates, Warren Buffett, Kanye West, Kim Kardashian, Uber, Wiz Khalifa, Floyd Mayweather... and the list goes on and on.
Fig 1. *Twitter hacked account messages look like this one from Mr. Obama (https://www.businessinsider.com)*
The hackers targeted high-profile accounts that had the potential to spread their scam as far as possible. They offered to double any amount of money sent to a given Bitcoin address. To contain the problem Twitter took the unprecedented step of temporarily blocking all verified accounts from tweeting while it worked to secure its services. Those accounts were released after their respective owners had satisfactorily identified themselves and taken back control.
As weird as it may sound, this successful attack had nothing to do with the internal security architecture Twitter has built for its platform: it was an example of social engineering, where the attackers successfully targeted some Twitter employees with access to internal systems and tools, took control of those tools, and then used them to hijack the verified accounts and spread the scam.
This is a clear example showing that not all attacks rely 100% on technical knowledge... they can be carried out by targeting real people, at least to begin the attack, which I consider the most important part of the whole process.
Some news sites like https://cointelegraph.com/ stated that Twitter wouldn't have been hacked if it were backed by blockchain technology... In my opinion this is not completely true, since social engineering techniques, as one example, can be applied no matter what technology powers your application or product. They have nothing to do with the technical side of things and everything to do with the social side of app management.
For many people the answer to the problem of applications being hacked lies in changing the way some applications are built, ditching the centralized paradigm for another one: Decentralization.
Can decentralization help app developers to secure their apps against hackers?
First of all we need to briefly define what Decentralized Apps (Dapps) are. According to Wikipedia, "...a decentralized application is a computer application that runs on a distributed computing system." As simple as that. Going further and expanding this concept, we can think of Dapps as applications running on a P2P network of computers instead of a single computer, so their very existence is not tied to a single point on the Internet, and they are outside the purview and control of a single authority, so they are somehow... secure...
Fig 2. *Decentralized Apps (Dapps) are simply applications running in a distributed way all over the Internet. (https://ricardollarves.com.ve)*
Dapps have many advantages over traditional closed, centralized apps, but the advantage that supporters always wield in their favor is: security against everything. They state that building apps on a public ledger, not tied to a specific point, with governance and control in the hands of many instead of a few, can effectively secure those apps against many security threats. This may be true, but not 100% true, as we will see next.
Digital signatures, transaction validation and decentralization are the key factors different blockchains offer developers as a means to dissuade attackers. Digital signatures protect users, while decentralization and transaction validation secure the blockchain itself. However, if you build an app on top of some blockchain system and that blockchain system can be effectively hacked, then you will have a decentralized app that can be hacked as well.
In the same way, if you build your house with some fragile material, your house will be prone to being affected in a general way by the fragility of the construction material: a single broken brick could take down a whole wall... The same happens with Dapps and blockchains, with Dapps being the house and blockchain systems the bricks. So we can see the history of blockchain hacks as a possible future scenario for threats to Dapp security.
We can look at the process of hacking a Dapp from two points of view: technological and social.
The technological side is the most covered side of hacking techniques. It has been said that blockchain systems can be hacked, technologically speaking, in several ways:
- by using a 51% attack, when one or more attackers gain control over more than half of the mining power;
- by exploiting bugs in the blockchain protocol code: blockchains use modern cryptography, which is founded on complex mathematics and programming, and those complex programs can have bugs that attackers can exploit;
- by exploiting bugs in smart contracts, that is, in programs running on a blockchain network, rather than attacking the network itself;
- by launching Sybil attacks, in which one malicious user controls a large number of nodes and can then swamp the network with fake transactions, or prevent validation of legitimate transactions;
- and finally, and less likely, by staging "Distributed Denial of Service" (DDoS) attacks, which involve sending an exceptionally large volume of traffic to a server... in the case of a blockchain network, this amounts to sending too many spam transactions across the entire network.
And we have several examples that testify to the veracity of this statement. Back in 2018, attackers targeted a few relatively new cryptocurrency networks with a lower number of nodes. Verge, Monacoin, and Bitcoin Gold fell victim to these 51% attacks, as reported by MIT in its Technology Review. The attackers stole an estimated $20 million in total. Later that year, attackers stole around $100,000 using a series of 51% attacks on a currency called Vertcoin. And finally the hit against Ethereum Classic, which netted more than $1 million, was the first against a top-20 currency.
In 2016 came the widely known Ethereum "Decentralized Autonomous Organization" (DAO) hack, which as a result broke the Ethereum blockchain in two: the current Ethereum blockchain and the older blockchain now known as Ethereum Classic. Back in those days of 2016, while the Ethereum network protocol itself was fine, the smart contract running the DAO had a bug. One could keep requesting money from the DAO account while the contract did not yet record that the money had already been withdrawn. Attackers used this bug and made off with $60 million worth of Ether... just a couple of examples illustrating the possibilities of hacking a given blockchain.
Some attacks can be applied outside the relative security of blockchains, like the one that happened to EtherDelta (a decentralized exchange, or DEX) back in 2017, where attackers used a DNS hijack to redirect users to a fake EtherDelta domain hosting an EtherDelta clone; they were able to steal at least 308 ETH and several hundred other tokens, worth hundreds of thousands of dollars. This is a clear example of a Dapp being hacked using a technique that has nothing to do with the attacks applied exclusively to blockchain systems: it was a classic attack on a Dapp which was believed to be unhackable because of its level of decentralization.
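A minimal model of the DAO bug described above, as an added example that is not code from the article or from the DAO contract itself: the same withdraw logic twice, once recording the withdrawal only after the payout (the vulnerable order) and once before it (the hardened "record first, pay later" order). The account names and balances are constructed.

```python
# Added example: why "pay first, record later" lets a receiver drain a vault.
# A receiver whose payout callback calls withdraw() again is paid repeatedly
# while its credit is still on the books. Recording the withdrawal before the
# external call (checks-effects-interactions) closes the hole.

class Account:
    """Ordinary participant: its payout callback just keeps the money."""
    def __init__(self, name):
        self.name = name
        self.wallet = 0            # funds actually received from the vault

    def receive(self, vault, amount):
        self.wallet += amount

class ReentrantAccount(Account):
    """Receiver whose callback re-enters withdraw(), like the DAO attacker's
    fallback function did (constructed for illustration)."""
    def receive(self, vault, amount):
        self.wallet += amount
        vault.withdraw(self)       # our credit is still recorded in the vault

class Vault:
    def __init__(self, record_before_send):
        self.balances = {}         # credit the vault owes each account
        self.pool = 0              # funds the vault actually holds
        self.record_before_send = record_before_send

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.pool:
            return 0               # nothing owed, or vault already empty
        if self.record_before_send:
            self.balances[who] = 0 # hardened: effect recorded before the call
        self.pool -= amount
        who.receive(self, amount)  # external call: receiver's code runs here
        if not self.record_before_send:
            self.balances[who] = 0 # vulnerable: recorded only after re-entry
        return amount

def run_scenario(record_before_send):
    """Returns (attacker's wallet, funds left in the vault) after one withdraw."""
    vault = Vault(record_before_send)
    honest, attacker = Account("honest"), ReentrantAccount("attacker")
    vault.deposit(honest, 90)
    vault.deposit(attacker, 10)    # attacker is owed only 10
    vault.withdraw(attacker)
    return attacker.wallet, vault.pool
```

With the vulnerable order the attacker, owed 10, ends up with all 100 and the vault is empty; with the hardened order the re-entrant call finds a zero balance and the attacker gets exactly the 10 it was owed.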
Fig 3. EtherDelta DEX was hacked using a classic technique, redirecting and faking.
The social side of attacks on Dapps is the least known of all. These techniques are not tied to Dapps; in fact they can be applied no matter how your app is built, centralized or not, and they work well on both. The Twitter hack happened because someone was able to target some company employees and then get their hands on the administration tools... it was, as stated before, an example of social engineering, and this approach had been used before... against a DEX, again. Back in 2018, when Waves officially ended its year-and-a-half-long beta period and launched the full DEX, attackers exploited security flaws in the Waves DEX platform to hijack both the company's main site and the exchange site in order to phish for users' personal wallet information. They breached the websites by submitting fake identification credentials to Waves support, claiming to be the Waves CEO and requesting a password reset.
Dapps usually have a human component you cannot avoid. If your platform has technical support, that's good, but being more organized this way brings central control into the scene, and humans... can be hacked as well, so your Dapp can be hacked the same way Twitter was days ago. Most Dapps out there have a CEO, another human component which is somehow necessary, but which again brings the problem of human control over decentralized apps: a decentralized platform with a CEO is like a democracy with a king.
As you can see, attacking the foundation of a Dapp, its entry point, or the team behind it can all result in a successful break into a decentralized app, no matter how decentralized and secure it is. The human factor is the key to gaining access and breaking those apps... just as happens with regular centralized apps.
Final thoughts... for now
So as you can see, dear reader, neither centralized apps nor decentralized ones are free from hacking techniques. The problem lies in several aspects, from the technical side to the social side of everything on the Internet, where you cannot build and run things without humans being in clear control of what is happening. No matter what percentage of human control you remove from your app, some human presence will still be necessary to keep things working as expected.
From a human mistake in source code to a kind support team granting your users a great experience with your app... all things can be hacked using the right tools and the right knowledge... Dapps are not the exception. They are more secure than centralized apps, that's a fact, but they cannot grant you 100% security against wicked and intelligent minds who make a living by disturbing other people's lives.
If you are an enthusiast of historical photography and amazing discoveries, do not forget to follow me at https://coil.com/u/deyner1984 because I will soon be releasing new and impressive content about it!!!
...and if you value our work and want to support good and amazing content exclusively for you, do not forget to get a Coil subscription... it is a small fee to get great content and learn a lot!!!