To get an understanding of why we are where we are I guess we need to look at the technology in question. Blockchain is (in very, very simple terms) really nothing more than a append only log of transactions that is maintained by multiple systems on the internet. From these systems there are elected devices that are allowed to determine which version of the chain is the real one. There is no way to change the chain, only add to it… ok that is not 100% accurate. While there is no way to change a transaction that taken place, the owner of the chain can choose to create branch of the chain that removes all transactions after a certain specific transaction. This has happened with one exchange after the theft of a large amount of virtual currency.
Transactions on the chain are controlled by code that determines what is and what is not a legitimate transaction. Here is the first issue, program code is never perfect. There are always vulnerabilities that can be found in it. Having the only gate keeper be program code leaves the whole system vulnerable to misuse and theft. The idea that code is, in any way, perfect and can be the basis of “law” for a currency or data repository system is a bit much. Instead, the concept of “code is law” is one of the biggest flaws in blockchain.
The lack of real security features in most exchanges, wallets, and other areas of blockchains have allowed for several attacks to be successful in relieving people of their virtual assets (including network security based on Blockchain). One interesting one that uses NFTs to empty a wallet is rather simple. Because an NFT is little more than a container for a micro program, attackers have injected malware into NFTs. They send the poisoned NFT to a target’s wallet. If the NFT is interacted with in anyway, the malware executes and drains all the assets. The transaction appears to be authorized by the person owning the wallet, so it is written to the chain. This technique is often referred to as an Airdrop Scam.
There are other methods to drain away all your virtual assets including minting rouge tokens, and something that Microsoft has dubbed Ice Phishing. The difference between Ice Phishing and other methods like Airdrops is that with Ice Phishing the attackers are not looking to steal your keys but are looking to get you to authorize them to make transactions on your behalf. This type of attack relies on getting the end user to believe that the transaction is legitimate and/or that it does something other than give up control of your wallet.
If an attacker can compromise a platform (through a bug or compromise of an account or API) then the effects can be massive. One attack that used a platform-based attack was carried out on BadgerDAO. Here the attackers were able to compromise an API key. They used this API key to create a malicious worker script that targeted users on the chain. Using this they were able to transfer $121 million in virtual funds.
BadgerDAO is not even number one on the leaderboard for loss of virtual assets, that spot is held by Poly Network who lost $611 Million on August of 2021. This theft was due to a vulnerability in the platform. Poly Network was a big target because it links several chains together to allow transfers between them. The attackers also distributed their theft to the various chains that Poly had access to. Poly immediately reached out to different partners to get them to backlist/freeze the wallets where the funds were transferred to, but it did expose a huge flaw. If the attacker had been less interested in a big hit, they could have probably siphoned off money for a long time without notice. Since the chains are append only, there was no way to simply deposit the funds back in the victims’ accounts. They either needed to branch the chains or wait for the funds to be returned or reclaimed before they could give them back. In fact, the person that claimed responsibility for the attack said they did it to expose the flaw in the system and did work with Poly to return money.
High profile attacks and thefts aside, there are more and more scams that pop up around items like NFTs where groups claim to have mined a certain number of them, get funds and close shop. The people that bought into them are out the money they put in and have no real recourse to recover those funds. Unless you are one of the big players in digital currency, you are not going to get anywhere with the platforms where these scams are happening. Which brings us to anther illusion about decentralized financial systems (DeFi), that they are some how decentralized. The only things decentralized is the technology. The power, control, and money behind this is still concentrated in the same way as it is in the fiat currency world and in fact might be worse. It takes a lot of money to make money on digital currencies so unless you have money, you are low in the hierarchy. There are multi-million-dollar organizations that have invested in mining operations to ensure they generate more currency as well as groups that bought in heavy early. These groups are often major partners in exchanges, so they basically control the banks (sound familiar?). As there is little to no regulation users of these platforms have little to no recourse for what happens on these exchanges.
The lack of regulation has led to digital currency to become the currency of choice for many criminal activities. Money Laundering, the purchase of illegal items, ransomware (and other extortion schemes) all rely on the relative anonymity of the chain. Even when a wallet can be identified and frozen, it is complex (although not impossible) to tie that to a person or group. If the wallet owner is clever, they can make it even harder to track it down. This means that a lot of money is moving between chains that is tied to illegal activity without oversight.
It has gotten bad enough that many governments are now stepping in and looking to monitor and oversee these systems (so much for keeping the government out of things). If anyone thinks that the government will not want their cut once they get involved, well they are really deluded. With this final step the original intent and vision for block chain falls. It is no longer a utopian system where the concept of code is law makes for a perfect world. Instead, it is just as flawed and vulnerable to attack and compromise as the current system. The power has shifted a little as there are new control groups (although existing banking groups are buying in now), but it is still concentrated in the hands of a few wealthy and powerful groups/people.
Attackers have had success in attacking the chain and siphoning off funds. They are only going to ramp up their efforts if adoption increases. Much like the fiat currency world, the targets are the same, the user, the app, the platform (or bank). The TTPs are also almost identical even if the delivery methods might be a bit different. If you add in a new layer where adoption of blockchain/digital currencies are required, like the Metaverse might be, you are looking at an environment ripe with opportunities for exploitation by threat actors.
The idea of blockchain is not a bad one, it is a misguided one that is not rooted in reality. Blockchain in its current form lacks proper auditing, automated revocation of authority, regulation (sadly this does need to happen) and other basic security controls to protect users. It is no better or worse than existing systems and does not represent any fundamental change in finance. Perhaps it is time to take the hype out of it and really focus on adding in proper security controls so that maybe it can become a valid currency option. Until then it remains a significant risk and is more like gambling than a real currency system.