Cryptocurrencies are getting more and more popular nowadays. Price increases of more than fifty percent in a day, something that does not happen on other markets, are not uncommon in the world of virtual currencies. Bitcoin, the most popular cryptocurrency, multiplied its value about 15 times throughout 2017, whereas other currencies, Ethereum for example, reached a 10’000% increase in the last year. It seems like buying some cryptocoins is a perfect way to invest spare funds. However, buying and holding cryptocurrencies creates its own security risks, which this blog article will discuss at a high level. As this is not an economic blog, the consequences of the burst of the speculative bubble will not be considered.
We split the threats into four categories:
- Cryptocurrency exchange threats
- Wallet security
- Smart Contract flaws
- Cryptocurrency implementation vulnerabilities
Cryptocurrency exchange threats
The threats of investing in cryptocurrencies emerge at the very beginning, when you purchase your first coins. A popular way of acquiring cryptocoins involves transferring fiat (non-cryptocurrency money, like Swiss francs or dollars) to a cryptoexchange trading platform in exchange for some amount of a cryptocurrency. Even if you trust that the cryptoexchange will give you what you bought, the platform may simply get hacked. This has happened several times so far and most likely will happen again. The first remarkable hack of a cryptoexchange took place in 2014 when Mt. Gox, at that time the largest exchange, lost $460 million and collapsed into bankruptcy. The root cause of the problems at Mt. Gox was negligent management. Since 2014 many other cryptoexchanges and crypto-related platforms have experienced security problems. In December 2017, NiceHash became a victim of a sophisticated social engineering attack and lost $64 million in Bitcoin.
Wallet security
After you have managed to get your coins, you may want to withdraw them from hackable online platforms and keep them yourself. But what does it mean to keep a cryptocoin?
Cryptocoins themselves are not stored in small files by their owners. Instead, having a cryptocurrency means having the private key corresponding to an address (the public key) that has some amount of the cryptocurrency assigned to it. The assignment of cryptocoins to addresses is cryptographically secured. If someone wants to transfer coins from an address, he has to prove that he knows the corresponding private key; thus only the owner of the coins is able to spend them. Storing the private key(s) in clear text, be it in a file or printed on a piece of paper, will allow anyone who has access to it to spend your money. Therefore, it is recommended to encrypt the private key with a strong passphrase. This is usually done with a so-called software-wallet. Alternatively, you can use a hardware-wallet, which generates a private key itself; the key can never leave the device. This way, an attacker has to be in physical possession of the hardware-wallet and also has to know its password (2-factor authentication). However, care must be taken not to lose the keys, as this would be equivalent to losing the cryptocoins. This happened to a Bitcoin investor in the UK. In 2013 he threw a hard drive containing 7’500 bitcoins into the trash. The coins were worth about $9 million at that time and are currently worth around $100 million, and the drive is still lying somewhere in a landfill site.
Smart Contract Flaws
The idea of having private keys behind every cryptocurrency address is somewhat basic and boring. Why not put a computer program behind an address? This is exactly what Ethereum does. In addition to standard privately owned addresses, it introduces the possibility of creating short programs called smart contracts that can hold and dispose of coins on their own, according to the logic written in their code. Giving money to a computer program is the ultimate manifestation of trust in the technology. Smart contracts may be used for many different purposes, one of which is locking down coins until a predefined event occurs. For example, one can create a smart contract that will release the funds only after a predefined time period, or after a specified number of authorized users have agreed to make a transaction. The latter use case is commonly known as a multi-sig wallet (as it requires “signatures” from multiple parties to release the stored money). Requiring many parties to use their independent private keys to authorize each money transfer seems to increase security. However, the underlying smart contract may have a bug, and the contract, which is in full charge of all its coins, may behave in an unexpected way. In July 2017 a bug in a popular Parity multi-sig wallet allowed an attacker to steal $30 million. This bug was removed, but another one, exploited in November, locked down about $300 million. These coins are forever inaccessible.
Cryptocurrency implementation vulnerabilities
Bugs can also exist in the cryptocurrency itself, be it in its design, architecture or implementation. For example, Zcoin aimed to introduce more anonymity for its coins. Whereas all transactions in Bitcoin are publicly visible and all coin transfers are traceable, Zcoin supports a special transaction that can hide some amount of coins. Then, using another transaction, the hidden coins can appear at another address. Thanks to sophisticated cryptographic mechanisms, the links between the hiding and unhiding transactions are invisible. But, because of a small typo in the code (literally a single character too many), it was possible to unhide the same hidden coin multiple times. This made it possible to create an arbitrary amount of money out of thin air. Until the bug was noticed by the developers in February 2017, attackers created zcoins worth $500’000. Although no one lost money directly, a currency that allows its users to create coins out of nothing may have trouble maintaining its value. Zcoin was not the only currency with a bug. Even Bitcoin had one in the early stages of its existence, namely a numeric overflow that allowed a user to create a gigantic number of bitcoins. Fortunately, Bitcoin’s bug was promptly fixed and all maliciously created coins were permanently removed.
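The class of numeric overflow mentioned above, as an added illustration in C (not Bitcoin's code and not part of the original article): a transaction check that sums output amounts in a 64-bit signed integer, beside a hardened version that bounds every amount. The function names, the constants `COIN` and `MAX_MONEY`, and the sample amounts are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for the example: 10^8 base units per coin, 21 million coin cap. */
#define COIN      INT64_C(100000000)
#define MAX_MONEY (INT64_C(21000000) * COIN)

/* Flawed: only the sign of each output is checked, and the sum may wrap.
 * Wraparound is emulated with unsigned arithmetic because signed overflow
 * is undefined behaviour in C; the cast back is two's-complement on
 * common compilers. */
bool outputs_ok_flawed(const int64_t *out, size_t n, int64_t inputs_total) {
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        if (out[i] < 0) return false;
        sum += (uint64_t)out[i];              /* can pass INT64_MAX */
    }
    return (int64_t)sum <= inputs_total;      /* wrapped sum looks negative */
}

/* Hardened: every output and the running total stay within [0, MAX_MONEY],
 * so the addition can never overflow. */
bool outputs_ok_hardened(const int64_t *out, size_t n, int64_t inputs_total) {
    int64_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        if (out[i] < 0 || out[i] > MAX_MONEY) return false;
        if (sum > MAX_MONEY - out[i]) return false;
        sum += out[i];
    }
    return sum <= inputs_total;
}

/* Constructed sample transactions, each spending inputs worth 50 coins. */
static const int64_t SAMPLE_INPUTS = 50 * COIN;
static const int64_t SAMPLE_HONEST[2] = { 30 * COIN, 19 * COIN };
static const int64_t SAMPLE_FORGED[2] = { INT64_C(1) << 62, INT64_C(1) << 62 };

int main(void) {
    printf("honest: flawed=%d hardened=%d\n",
           outputs_ok_flawed(SAMPLE_HONEST, 2, SAMPLE_INPUTS),
           outputs_ok_hardened(SAMPLE_HONEST, 2, SAMPLE_INPUTS));
    printf("forged: flawed=%d hardened=%d\n",
           outputs_ok_flawed(SAMPLE_FORGED, 2, SAMPLE_INPUTS),
           outputs_ok_hardened(SAMPLE_FORGED, 2, SAMPLE_INPUTS));
    return 0;
}
```

The two forged outputs add up to 2^63, which wraps to a negative total and passes the flawed comparison; the hardened check rejects the first output for exceeding the cap.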
Cryptocurrencies give their users many new possibilities, but users have to take full responsibility for their funds and for the security of their storage and transactions. This is in contrast to traditional banking, including e-banking, where every transfer has to be confirmed a couple of times, and in case you made a mistake, you can hope for a refund. In virtual currencies your mistakes are irreversible, thus special care is advised. If the computer which you use to perform transactions, access exchanges or generate private keys is compromised, so is your money.
Following these points should help with your cryptocurrency investments:
- Use several exchanges in order to diversify the risk
- Store your private keys securely and make sure you have a backup
- Only use smart contracts that have been diligently audited
- Be aware of the risk of implementation errors in newer cryptocurrencies
- Make sure your computer is secured and not infected, and beware of phishing attacks