There is a common misconception, that Blockchain technology automatically guarantees high security because of its cryptography and inalterability. Despite these definite strengths of the technology, the Blockchain ecosystem is not necessarily a safe haven. Even small security gaps can have a big influence.
What gaps or risks could apply, can be showcased by two fatal incidents, where hackers exploited weaknesses in the code of the particular organizations with the help of the underlying Blockchain Smart Contract technology.
In june 2016 the venture capital fund organization “Decentralized Autonomous Organisation (short “DAO”) has been deprived of approximately $ 50 Mio. in form of Ether during a business operation. DAO is a decentralized virtual organization, where members decide via votes, which company receives suitable risk capital - represented by a Smart Contract based on the Ethereum Blockchain. At the end of the voting the gathered Ether will be transferred to the elected wallet. An additional feature, the “split DAO” function, was the downfall of the organization. This function allowed to split the transfer of Ether onto multiple wallets, so called “child DAO”. It was possible via a Smart Contract, which worked technically flawless, but enabled participants to request multiple splits simultaneously, despite not yet balanced ledgers. The attackers were able to request a split up to 200 times and almost completely empty the DAO wallet. The weakness was in the DAO Smart Contract, the Ethereum Blockchain worked faultless and even to the attackers advantage.
To prevent this hack a simple review and testing before publishing the Smart Contract would most likely have been sufficient.
In August 2016 the cryptocurrency exchange Bitfinex in Hong-Kong has been compromised. 120,000 Bitcoins have been stolen from user wallets. To increase security, Bitfinex introduced a so called “Multi-Signature Key Management System”, where private keys of users were stored by Bitfinex itself and third party provider BitGo. The exact cause of the attack has never been confirmed, but the hackers were able to access all three necessary keys to perform a transaction on the accounts. Again the security gap was in the organizations concept and not the Blockchain technology itself.
Both examples show that the underlying Blockchain technology worked reliably and safe, but the applications built upon showed a lack of security and missing risk assessment, which enabled the hacks.