Ethereum's Biggest Hacking Problem Is Human Greed
The "world computer" has a people problem.
Ethereum has a hacking problem. Millions of dollars have been lost in various heists over the past year. But the issue isn't always vulnerable code—often, it's people.
Ethereum, a cryptocurrency and app platform, was invented in 2013 and at the time of writing has a market cap of $32 billion USD. In the last year especially, people have been dumping tons of money into experimental code that didn't exist just five years ago, and are hoping that the system's "smart contracts" will keep their investment safe. This hasn't worked out in several instances where poorly coded contracts allowed hackers to make off with people's money. Last year's DAO hack saw an attacker take more than $50 million, and a recent hack affecting multisignature wallets created with the ethereum client Parity resulted in the loss of $32 million.
But equally huge problems for ethereum, hacking-wise, are human greed and folly rather than buggy code. An unsettling pattern has repeated itself several times in the past year: A hacker takes over the online accounts or website of a company raising funds from the ethereum community, or simply poses as a representative of said company, and tricks overly eager investors into sending them money instead.
This often happens during Initial Coin Offerings, or ICOs, wherein an ethereum app raises funds by selling "tokens" that interact with their app and which appreciate in value. The ICO market is red-hot, and people line up, digitally speaking, to send money to these companies as soon as the token sale launches. Often, ICOs are announced with little more than a string of text on a website that tells people where to send their cryptocurrency. Some ICOs have raised tens of millions of dollars in mere minutes.
Basically, ICOs are a perfect nexus of human greed, a flurry of money changing hands in a short time frame, and a weak security vector: a website. How could a hacker resist exploiting them? (For what it's worth, the US Securities and Exchange Commission seems to be eyeing more regulations for some types of ICO tokens.)
The most recent example of this phenomenon happened on Monday morning. Around 8 AM EST, Enigma, a project on ethereum currently engaged in an ICO pre-sale, breathlessly announced that their website, mailing lists, and Slack account had been compromised. But it was too late—people had already sent nearly 1,000 ether to an account controlled by the hackers. That amounts to nearly $500,000 USD. TechCrunch reported that Enigma CEO Guy Zyskind's email account was compromised in a previous data breach and that two-factor authentication was not enabled.
"We are working on implementing additional security measures for our community and our team at this time and will have more information to share soon about next steps," the Enigma team wrote in a later update in their Telegram channel.
A similar event occurred a month ago, in mid-July. At that time, a company called CoinDash was about to launch its ICO. But at the time of launch, a hacker compromised the company's website and replaced the company's contract address with one they controlled. In about five minutes, the hacker managed to snag $7 million worth of cryptocurrency from people lined up to invest in the CoinDash ICO.
In another example of how greed and lack of caution have allowed scammers to fleece eager ethereum investors, a rash of phishing attacks in early July saw people give more than $600,000 of their money away. In that case, scammers reportedly spammed people in ethereum Slack channels with links ostensibly to invest in various legitimate ICOs, but which really linked people to a fake page controlled by the attacker. While some potential victims were likely smart enough to see through the ruse, others, eager to cash in on the ICO craze, simply gave their money to the hackers.
This is all, frankly, totally bonkers and completely unnecessary. The easiest way to avoid these sorts of disastrous hacks is a little bit of caution on the part of investors (of course, the people running ICOs need to have their internet security game locked down as well). The problem is that the ICO market discourages caution.
Initial Coin Offerings are hyped up for days or weeks in advance, usually with a countdown to the moment when the address where people can send their money is revealed. This hype is often totally out of proportion with the products on display—many ICOs launch without a product ready to go, making them seem more like Kickstarters on steroids than viable investments. Thus, investing in tokens is often a gamble by speculators who want to get in on the ground floor, because the value of tokens can go up when an ICO nears its end.
This model is exactly what hackers can exploit to make off with hundreds of thousands of dollars, or even millions, without any chance of people getting their money back—cryptocurrency transactions are irreversible. Other industries, like online ticket selling, have similar-ish problems with people trying to game a sale the second it goes live, and the companies involved have entire teams dedicated to digital security to prevent this from happening.
While ethereum's code holds a ton of promise for some truly out-there applications, from redefining attention economies to administering city-wide sanitation, the whole endeavour risks burning itself out on hacks that could be easily avoided.