Apparently, Ethereum is not out of the woods yet. After a catastrophic crash, and equally disastrous recovery via hard fork this summer , Ethereum seems to be under determined assault by unknown hackers. The attack appears to be motivated by the controversial re-writing of history to undo the DAO heist.
Internet DDOS attacks are hardly novel or newsworthy these days, pretty much anyone can do it to pretty much anyone. But this case has several important lessons for Cryptocurrency, Blockchain and “Smart Contract” enthusiasts.
First of all, this crypto-blockchain software is just as vulnerable as any other to common attacks, and, indeed, is far more vulnerable than conventional “centralized” services because it operates in so many machines under so many different authorities. The entire idea of blockchains is to disperse responsibility widely, and this means that there are a plethora of targets.
Furthermore, the attacks have generally slowed the network, degraded performance of mining operations, and generally driven nodes of the network.
This impacts everyone, even if they are running software that is not infected or buggy. It also threatens the existence of the system, because latency and too few nodes can be as bad as loss of service.
Second, I note that the only reason the network is still operating is that a “centralized” group of programmers has responded to the attacks and patched the code. “Decentralized” software engineering tends to be slow and ineffective in the face of system critical attacks.
Third, some of the attacks, like the infamous DAO melt down, use the very “smart contracts” that are the core feature of the system. The general rule of thumb for computer security is “if it can be programmed, it can be hacked”. “Smart contracts” are an ideal way to insert spam into the network, and the attackers are using this capability.
I note that many enthusiasts believe that these attacks are deterred or even infeasible because of transaction fees. Just as postage fees have never stopped junk mail, the Ethereum “Steam” charges don’t seem to be deterring these attacks. For one thing, microfees are, well, microscopic. The estimated $3,000 that has been expended paying for these attacks is small potatoes to a serious operator.
In general, I’m sure that any system with low enough fees for mass adoption, has low enough “postage” that spammers are not going to be deterred.
In summary, these troubles are neither surprising, nor likely to abate. They also reveal some of the faulty reasoning underlying both cryptocurrency and “smart contract” technologies.
Can something like this happen for other systems, such as Bitcoin? Absolutely. It will be more expensive to attack, but the payoffs could be much higher for some actors.
Could this happen to zero-knowledge coins? Of course. If anything, stronger anonymity can only help spammers and crackers.
Could this happen for “private blockchains”? Not in the same way, because the network can and will cooperate to block out spam and to patch bugs.
Will formal verification solve this problem? Of course not, though it may reduce the vulnerabilities from “a plethora” to merely a millliplethora of bugs.