An MIT professor’s June 6 warning about some of blockchain’s vulnerabilities came too late for margin lenders on U.S. cryptocurrency exchange Poloniex, who lost nearly $14.4 million in bitcoin to a flash crash early last week.
The May 26 flash crash happened after a sudden and severe price decline in the CLAM cryptocurrency market, which lost nearly two-thirds of its value in two hours, dropping from $20.02 to $6.70 between 9 p.m. and 11 p.m. EDT. That caused many margin borrowers of CLAM to default. Poloniex said yesterday that it had controversially (and possibly illegally) spread the approximately 1,800 bitcoin (BTC) loss across all participants in its BTC lending pool.
In an article published yesterday in the Wall Street Journal, Stuart Madnick, an information technologies professor at MIT’s Sloan School of Business, said that a forthcoming study found that blockchain technology is not as secure as people think. He gave several reasons for this, one of them illustrated by the inability of a decentralized system to react quickly to a flash crash.
If a centralized stock market system like the NYSE “runs into a problem, such as a flash crash, one solution is to shut the market off,” said Madnick. “But, in the case of an attack discovered on a blockchain system, it is essentially impossible to turn it off.”
Decentralization is a defining and widely touted feature of blockchain systems, he noted.
“With blockchain, the software operates simultaneously on many, possibly thousands, of servers around the world,” Madnick said. “If one or more servers fail, the system continues to operate. That has many obvious positive benefits. But it also means that there is no central ‘on’ or ‘off’ switch.”
In the stock market, the U.S. Securities and Exchange Commission (SEC) mandated the creation of “circuit breakers” after a May 6, 2010 flash crash that saw the S&P 500 drop 8.6% in a single day. This system automatically shuts down trading if there is a sudden, rapid market decline.
Strengths or weaknesses?
“[B]lockchain may be its own worst enemy, as many of the things that make it so great also increase its vulnerability when it comes to security,” Madnick said. “Three examples are transparency, distributed control, and anonymity.”
Madnick noted that the study, which reviewed 72 publicized blockchain security breaches between 2011 and 2018, found that successful cyberattacks have cost upwards of $1 billion.
In part, this is because blockchain-based systems share the one uncorrectable vulnerability that affects all systems: people.
Smart contracts can automate transactions, but ultimately they are written by people, just as people also control the mathematically “unbreakable” passwords that blockchain technology is built on. Madnick gave the example of a bitcoin owner who “printed his blockchain key on his T-shirt … to see if a theft would occur.” It did, Madnick said, after someone took a picture of the shirt.
Just like distributed control in the case of a flash crash, transparency “clearly cuts both ways,” said Madnick. While a bank’s computer systems are locked away, blockchain is visible for everyone to see on many servers. While that means flaws in the software can be crowd-tested and fixed, it also means bad actors can get there first.
That happened in the infamous DAO Project hack, when a thief used a known flaw in the code to drain $50 million worth of ether (ETH) while the developers were working on fixing it.
Still, the system does work. On June 5, blockchain platform Komodo announced that it had hacked its own Agama wallet to the tune of $13.3 million after finding a flaw in the code.
“After discovering the vulnerability, our Cyber Security Team used the same exploit to … secure the funds at risk,” the company said. “We were able to sweep around 8 million KMD and 96 BTC from these vulnerable wallets, which otherwise would have been easy pickings for the attacker.”
As for potential security flaws from anonymity, Madnick didn’t have to look any farther than QuadrigaCX, which collapsed after founder Gerald Cotten died suddenly, taking the passwords to the cryptocurrency exchange’s roughly $160 million to the grave with him. (Although the exchange’s wallets appear to have been emptied earlier, so many suspect there’s more to the story.)
“The bottom line is that while the blockchain system represents advances in encryption and security, it is vulnerable in some of the same ways as other technology, as well as having new vulnerabilities unique to blockchain,” Madnick concluded. “Human actions or inactions still have significant consequences for blockchain security.”