
Is the Blockchain Really Secure?

If it's “unhackable,” then what happened with Axie Infinity’s Ronin?

The Ronin hack cast doubts on blockchain security.

TL;DR

Blockchain technology remains our most secure technology for data integrity. “Hacking” a blockchain like Bitcoin or Ethereum requires an unbelievably massive amount of computing power and resources, which is simply beyond the capacity of any individual, or even of entire governments.

This is because of a design that ensures that once information (in the form of a block) is added, it cannot be changed without affecting every block that comes after it in the chain, and without the consensus of at least 51% of all the computers (nodes) in the network that are tasked with validating blocks. As more and more people use the network and add more blocks and nodes to the chain, the system only becomes more and more secure.


Can a blockchain really be hacked?

Axie Infinity players took a massive blow after hackers made off with $625 million worth of ether (ETH) and USDC in one of the biggest crypto heists to date, exploiting a backdoor in the Ronin bridge on March 30.

The news prompted Philippine Digital Asset Exchange (PDAX) to temporarily suspend trading, deposits and withdrawals of Axie Infinity Shards (AXS) and Smooth Love Potion (SLP); these have since resumed as of April 4.

Thankfully, investigators are confident that laundering such an astronomical sum is extremely difficult, if not impossible, and that it is only a matter of time before those responsible are caught. But the news has certainly rekindled doubts about whether blockchain technology is really as super-secure as advertised, with crypto doubters having an “I-told-you-so” field day everywhere on social media.

Can a blockchain really be hacked? The short answer—yes, in theory. But it is practically impossible on big networks such as Bitcoin (BTC) or Ethereum. Ronin, however, is a smaller sidechain separate from the main Ethereum network, with a simplified architecture that was taken advantage of to validate illegitimate transactions.

However you put it, hacking a blockchain is a breakthrough feat that would require access to resources and computing power way beyond the capability even of government agencies. Blockchains are still, by far, our most sophisticated networks when it comes to data security, and criminals are far better off trying to hack into a central bank mainframe than hoping to crack a blockchain.

Here are some basic reasons why hacking a blockchain just isn’t the way to go if you’re up to no good.

Blockchains are still, by far, our most sophisticated technology when it comes to data integrity.

Data on the blockchain cannot be tampered with

Whatever you put on the blockchain, stays on the blockchain. On Bitcoin for example, blocks are the records of who has bitcoin (or which wallets rather) and how much of it. And once it’s been written down—the data becomes immutable.

Every time bitcoin is transferred to another wallet, the information is “written” onto a block by “miners” (or nodes) who essentially get paid for lending their computing power to the network in a process called proof-of-work (PoW). Think of every block as a “page” in a ledger book. Once a page is full, it is then added to the chain of blocks which make up the blockchain.

But a blockchain isn’t like a physical book from which you could tear off a page, or a Word document whose contents you could easily edit. In a blockchain, each new block is cryptographically linked to the one before it. This means that if you were a hacker and wanted to alter the information in one block, you would break the link to every block added after it, undoing them all and invalidating your change right there and then.

So as more and more blocks get added, the chain essentially becomes more and more secure. The longer a blockchain has been around, the more blocks a hacker has to work on in order to tamper with the whole ledger.

As of writing, Bitcoin’s chain is already more than 730,000 blocks long, with a new one added every 10 minutes (Ethereum is at 14 million with a new one every 20 seconds). So if you would like to hack an entry somewhere in the middle, you not only have to hack that particular block, but you would also have to hack the thousands of other blocks that came after it—all this while simultaneously hacking the current block being processed to make sure that it joins neatly with the rest of the tampered blocks.

But what if you just wanted to hack the current block? That sounds easier, except it’s not.

You need to hack more than half of the entire network

Another thing hackers have to consider is that every node has a whole copy of the blockchain ledger, and all of the nodes are constantly talking to one another, making sure that everyone’s copy is exactly the same. So for a block to be added to the chain, it has to be verified through a consensus algorithm that requires at least 51% of all the nodes (a majority vote) to agree that your block is correct.

So to add your illicit version of the block to divert funds to your own wallet, you can't just tamper with one copy of the ledger on one computer. You would have to somehow get control of thousands of miners in the network to overrule the correct information.


In Bitcoin, the total number of active miners around the world has topped more than 100,000 in recent years. And though 51% attacks have been successfully carried out on blockchains with a small user base, the computing power required to take over a network like Bitcoin or Ethereum is so enormous that the electricity consumption alone would outweigh any potential profit.

Meanwhile, in proof-of-stake (PoS) blockchains such as Cardano, hacking the network can prove even more expensive. Controlling a single node requires “staking” a certain amount of tokens, and the node’s share of the network’s validating power is proportional to what it has staked. Therefore, taking over the blockchain means a person would have to stake 51% of all tokens in circulation, which is not at all easy to come by.

To put that into perspective, you would need a net worth that lands you within Forbes' top ten list of richest people (within the tens of billions of dollars) to have even a remote chance of acquiring enough tokens to buy control of a major blockchain. Which leads to an obvious question—if you’re already that rich, why even bother?

Transactions are visible to everyone

Even if you were so deviously clever as to pull off a hack, it’s not really smooth sailing off into the sunset afterwards.

Every transaction on a blockchain is visible in real time, which makes tracing the movement of funds quite easy. Trying to make off with such a big haul is literally like trying to steal an elephant from a zoo in broad daylight.

To liquidate the stolen assets, you would need the services of a centralized exchange or a bank, both of which have stringent KYC (know-your-customer) protocols in place. You could try laundering it first through a “mixer” app to break the link between two wallet addresses, but the sheer volume of money would simply stick out like a sore thumb, making it easy for any sleuth to reconstruct the link anyway.

In fact, a successful hack might not be worth the trouble according to hackers themselves. Take the example of the Poly Network hack in August of last year, wherein after exploiting a flaw in the network’s smart contracts and successfully making off with $600 million, the hackers simply opted to return the funds a few days later.

The Bitfinex hack of 2016 is also a case in point, though here it was the exchange itself that was hacked (not a blockchain) to funnel 119,754 BTC (worth $3.6 billion today) into a single wallet. The wallet lay dormant for a while, but as soon as funds started moving, authorities were simply able to pick up where they left off, leading to the arrest of a New York couple just last February.

Police officials even said they had never had an easier time tracking an electronic trail, thanks to the transparency of the blockchain ledger.

So what happened with Ronin?

Transactions on Ethereum are super secure because, as in Bitcoin, the whole network’s army of nodes takes part in validating blocks. But because of this feature, transaction fees (more commonly called ‘gas fees’) have become extremely high due to network congestion, making it quite expensive for play-to-earn gamers such as those of Axie Infinity.

To work around this problem, the Ronin sidechain was developed and bridged to Ethereum to speed up transactions. Ronin does this by using only nine trusted validator nodes instead of all of Ethereum’s nodes. This also makes it a lot cheaper for players, who get to pocket more of their winnings instead of spending them on gas.

However, a critical backdoor flaw gave hackers enough access to control five out of the nine validator nodes (more than the 51% majority required) and take over the sidechain.
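The difference between Bitcoin's thousands of miners (the "more than half of the network" section above) and Ronin's nine validators comes down to how large the quorum is that an attacker must control. The following added example (not code from the original article, and not Ronin's or Ethereum's actual implementation) models a withdrawal that is accepted only when a strict majority of registered validators have signed it, and compares what the same number of compromised validator keys means on a nine-validator set versus a very large one. HMAC with a per-validator secret stands in for real digital signatures so the example runs offline; the validator names, the withdrawal message and the function names are all constructed.

```python
import hashlib
import hmac
import secrets


def make_validators(n: int) -> dict:
    """Constructed validator registry: name -> secret key.
    Real validators use asymmetric signing keys; a per-validator HMAC secret is a
    stand-in for this example (assumption, not Ronin's design)."""
    return {f"validator-{i}": secrets.token_bytes(32) for i in range(n)}


def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def collect_signatures(message: bytes, keys_held: dict) -> dict:
    """Produce one signature per validator key the signer actually holds."""
    return {name: sign(key, message) for name, key in keys_held.items()}


def majority_threshold(n: int) -> int:
    """Smallest number of validators that is a strict majority (the '51%' rule)."""
    return n // 2 + 1


def quorum_reached(message: bytes, signatures: dict, validators: dict, threshold: int) -> bool:
    """Accept the message only if at least `threshold` distinct registered validators
    produced a valid signature over it. Unknown signers and bad signatures count for nothing."""
    valid = 0
    for name, sig in signatures.items():
        if name in validators and hmac.compare_digest(sig, sign(validators[name], message)):
            valid += 1
    return valid >= threshold


def withdrawal_passes(n_validators: int, keys_compromised: int, threshold=None) -> bool:
    """Would a withdrawal signed with only `keys_compromised` validator keys be accepted
    by a network of `n_validators`? The threshold defaults to a strict majority."""
    validators = make_validators(n_validators)
    if threshold is None:
        threshold = majority_threshold(n_validators)
    held = dict(list(validators.items())[:keys_compromised])
    message = b"withdraw 1000 ETH to 0xPLACEHOLDER"  # constructed message
    return quorum_reached(message, collect_signatures(message, held), validators, threshold)


def forged_signatures_rejected(n_validators: int, keys_held: int) -> bool:
    """Holding a few keys does not let a signer pad the quorum: a genuine signature
    copied under other validators' names fails verification against their keys."""
    validators = make_validators(n_validators)
    message = b"withdraw 1000 ETH to 0xPLACEHOLDER"
    held = dict(list(validators.items())[:keys_held])
    sigs = collect_signatures(message, held)
    padded = dict(sigs)
    some_sig = next(iter(sigs.values()))
    for name in validators:
        if name not in padded:
            padded[name] = some_sig  # forged entry: wrong key for this validator
    return not quorum_reached(message, padded, validators, majority_threshold(n_validators))


if __name__ == "__main__":
    print("9 validators, 5 keys compromised, accepted:", withdrawal_passes(9, 5))
    print("9 validators, 4 keys compromised, accepted:", withdrawal_passes(9, 4))
    print("100000 validators, 5 keys compromised, accepted:", withdrawal_passes(100_000, 5))
    print("padding the quorum with forged signatures rejected:", forged_signatures_rejected(9, 2))
```

The signature check itself behaves identically in both networks; what changes is only how many keys sit between an attacker and a majority. That is why a sidechain that trades a huge validator set for nine trusted nodes concentrates its security into the custody of a handful of keys, and why monitoring those keys (and alerting on unusually large withdrawals that pass the quorum) matters far more there than on the main chain.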

As with Ronin and all the other examples mentioned, “hacking a blockchain” often means something else—hacking an exchange or website, for instance, or taking advantage of flaws in smart contracts or sidechains that were added later on top of the main blockchain. But as far as hacking the code of an already established network itself goes, the odds are stacked exponentially against the hackers.

More often, “hackers” simply resort to hoodwinking wallet holders into giving them access voluntarily in a method called “phishing” (which is technically not a hack, since it involves fooling people, not the code). This technique ranges from scammers asking directly for users’ private keys to fooling them into installing third-party programs that scan their computers for passwords.

Is keeping your money in banks safer?  

From a technical standpoint, banks are more prone to cyberattacks since they use centralized management systems that make their databases an easier target for hackers, as opposed to a blockchain, which has its data spread out over the entire network.

Banks also rely on people to oversee transactions. Though this may provide a measure of comfort for some, it has to be pointed out that compared to an algorithm, humans are far more likely to make mistakes—and they routinely do. On a blockchain, people are able to carry out transactions in a trustless manner, with the least amount of human interaction.

And true, banks do employ cybersecurity personnel to deter hackers. But still, this pales in comparison to a blockchain’s code which is kept transparent and open to the public. What better cybersecurity can you ask for than a global army of miners and developers who are constantly keeping an eye on the algorithm—out of their common vested interest in the network and the community?

Blockchain “hacks” make it to the news because they are extremely difficult and rare. Bank hacks, by contrast, happen so frequently that they are no longer out of the ordinary. There’s a reason why banks are required by law to reimburse their clients when such attacks happen—it’s because they do happen.

What can you do?

To safeguard your assets, there are a few simple reminders to keep in mind at all times; they could make all the difference between a loaded wallet and an empty one.

  • No one will ever ask for your private keys to your wallets, so never share them with anyone. The only reason to know private keys is to own the wallet. No one—not any exchange, website, application, game, bank, or even wallet service provider will ever ask for your private keys for any reason.
  • If you don’t trade or play games regularly, the best place to keep your assets is in a “cold” wallet or hardware wallet, which is simply a separate physical device (like a USB drive) that you only connect to the internet when you need to.
  • Never click suspicious links or open suspicious emails, often those with bad grammar, odd URLs, or promises that sound too good to be true such as “doubling your crypto instantly”.
  • Use separate emails for opening accounts on crypto exchanges and blockchain games. In the unlikely case an account gets compromised, you would have at least contained the damage from spreading to your other accounts.

Outlook

Understanding how the technology works is the first step in keeping unwarranted fears from keeping you up at night wondering if your assets will be there in the morning. Cryptocurrencies by themselves are already volatile enough, so there’s no need to add to the fear, uncertainty and doubt (FUD) as long as you exercise caution.

If nothing else, Bitcoin and Ethereum have so far stood the test of time—a massive proof of concept for blockchain technology, with a combined market value of $1.3 trillion just to quantify how much trust people have already placed in it. Make that $3 trillion if we include all the other blockchains in an ever growing list that makes up the entire cryptocurrency market.

A blockchain only gets better and more secure as more and more people use it; all in all, that still looks like where the future is headed.