
More security holes are appearing in cryptocurrency and smart contract platforms - rmason
https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/
======
StavrosK
This article isn't very good. Half of it is about 51% attacks, which is the
one attack blockchains were always transparent about, and the other half talks
about how some smart contracts are buggy. Cool.

~~~
exelius
The blockchain developers were always transparent about 51% attacks, but it
turned out to be far more plausible in a scaled network than was expected. The
viability of 51% attacks is a result of the business deals surrounding the
ecosystem, not any technical deficiency in the code.

Personally, I think the entire concept of cryptocurrency is flawed because it
punts on the governance problem. Ditto for smart contracts. People / companies
like to have the ability to dispute the outcome of a transaction, and you
really can’t do that without vesting authority in a governing body to overrule
the technology. But then, if you have a central authority that has the power
to modify transactions, do you really need blockchain?

~~~
hombre_fatal
On the other hand, the vast majority of transactions in my life don't need
government-muscled dispute protection. To me it makes more sense to opt-in to
that in the occasions you deliberately want it.

Our financial system is its own brand of crapshoot. As we speak, I've just
issued my 6th chargeback (6th month) to Amazon for an AWS account that
someone hacked and changed all my details except for my payment info. I think
about this every time I see someone nit-picking some imperfection in
cryptocurrencies.

I just want a choice.

~~~
exelius
On the other hand, if someone hacks your crypto wallet and cleans you out,
there’s no administrative remedy or deposit insurance.

~~~
mrb
Security technologies can only get better over time. I would argue that with
hardware wallets, recovery seed backups well-protected & well-stored, M-of-N
signatures, etc, you can get to a level of security that's already far far
better than cash, and good enough for 99.99% of use cases.

~~~
exelius
All of those require me to have air-tight opsec all of the time. One screw-up
and you can be totally cleaned out with no remedy other than the courts (which
can take years!)

In the real world, I lose my _actual_ wallet every 5 years or so. Worst case,
I lose $40 cash and have to spend a couple hours reporting credit cards
stolen.

The best feature of a bank is that you can outsource all that opsec to them in
exchange for a trust relationship with the bank. The latter is far easier to
manage day-to-day.

------
josephagoss
Anyone interested in a security-first cryptocurrency should check out
Tezos.

Tezos uses proof of stake with a bond requirement that should solve the
nothing at stake problem. The two big issues with proof of work are that it
uses massive amounts of energy and unless you're the top coin or among the top
5 the chances someone will easily 51% attack your network is high.

Also Tezos uses a formal programming language for its smart contracts that
should help reduce certain types of bugs.

It's an interesting project and as a disclaimer I own some.

The project had many growing pains but is on its feet now and I think that
their first on chain governance vote went through recently, meaning the
codebase can be updated in a decentralized manner.

~~~
temp0876456
To clarify a few things:

1. The first vote passed successfully into stage 2 meaning a protocol upgrade
has been selected and is being voted on for inclusion.

2. Smart contracts are written in Michelson, a stack based language that can
be formally verified. Other user friendly languages have been built on top of
it.

3. The software of Tezos is written in OCaml which can also be formally
verified.

4. There have been several security audits and, as far as I know, no issues
were found.

5. Tezos has never been hacked.

6. It uses a unique flavor of PoS called Liquid PoS. It is designed to be as
decentralized as possible meaning the barriers for becoming a baker (equiv. to
a Bitcoin miner) are very low.

7. #6 is also designed to make _voting_ as decentralized as possible.

------
apo
The subtitle is misleading:

> Once hailed as unhackable, blockchains are now getting hacked

This might be fine if the article didn't talk at such length about majority
hash rate attacks. It implies that this kind of attack is something new, which
it most certainly is not.

You can think of a soft fork (one path to upgrading the network) as a
coordinated majority hash rate attack. A cartel decides that they will censor
blocks that don't conform to a restricted version of the protocol. Whether you
call it an attack depends maybe on intent, but the mechanism is identical.

The Bitcoin white paper explains very clearly the main security assumption: an
attacker does not control a majority of the hash power. It's been part of the
security model from the beginning.

Most of the other attacks have been launched against Ethereum. Its scripting
system is quite a bit more complex than Bitcoin's, so its attack surface is
larger.

------
mettamage
Hello HN! :D

I’m going to ask a controversial question. If it is too controversial, just
downvote and I will keep it in mind. Feel free to reply with a throwaway with
your IP spoofed and all that jazz.

Who of you have decided to hack cryptocurrencies in order to make some money?
What was the journey like? How do you feel about it morally?

As for me, I obviously haven’t done it, otherwise I would ask this on a
throwaway. I thought about doing it. But I don’t want to steal and a minor
point is that I would find it boring.

Why am I asking this: a candid response would make for an interesting read.
There was once an AMA on Reddit about a malware writer. It was fascinating!

------
paulgb
Has anyone analyzed the effect that the next Bitcoin halving will have on the
cost of a 51% attack?

It seems to me that on one hand, there will be less incentive to mine and so
the global hash rate will drop. At the same time a bunch of miners would
become unprofitable and therefore there would be an oversupply of mining
capacity (assuming there is an efficient way to rent it.)

It seems like a perfect-storm event to me, but in my very casual interest I
have not seen any attempts to analyze the effect of this on the 51% attack
risk.

~~~
chrisco255
Usually halvenings cause a subsequent boost to the price per Bitcoin.

~~~
im3w1l
That's historical accident and won't (can't) continue to hold.

~~~
chrisco255
No, that's simply supply / demand economics. Miners dump their mined Bitcoin on
the market immediately after mining. When a halvening occurs, that means less
BTC are dumped on the market daily. Assuming demand remains the same, prices
will increase.

~~~
aeternus
True, however many people are likely expecting this to happen and there are
now many more methods to perform arbitrage on Bitcoin.

That could soften this, it is more likely to be priced-in well before the
actual event.

------
rmason
If you're not a subscriber:

https://outline.com/v3AKbj

