Breaking Cryptocurrencies

The subtle art of detection, identification, and patching of vulnerabilities in decentralized and digital currency

“Breaking Cryptocurrencies” is the most current resource for learning about blockchain attack vectors. After reading this book, the reader will understand how blockchains work and the minimal requirements to break them. Understanding the techniques needed to analyze, monitor, and protect blockchain-based projects will equip readers with the tools they need to ensure the highest security protocols.

The book is composed of three main parts: Analysis, Attacking, and Prevention. The first part gives the reader the tools to identify vulnerabilities; the second covers attacks and how to execute them. Finally, the book concludes with how to eliminate vulnerabilities and prevent attacks.

It strives to become the best resource to learn about cryptocurrency and the blockchain system’s vulnerabilities, possible attacks, analysis, and defense methods.

The book targets development and security professionals who want to ensure that their blockchain-based cryptocurrency systems are as resilient as possible.

Over nine chapters, the book will teach professionals how to execute all security stages of any particular system, starting from surveillance, through detailed descriptions and examples of network, economic, and cryptographic attacks, security flaws, and social engineering tactics, all the way to how to set up an efficient defense perimeter.

The book will be highly technical in some chapters while remaining simple enough in the rest that even non-technical security-concerned readers will be able to benefit from the contents.

Draft of the Outline

Chapter 1: A brief introduction to Cryptocurrency and Information Security

  • The problem of trust
  • Distributed and decentralized Network
  • What is a cryptocurrency?
    • Historical highlights
  • Requirements of a cryptocurrency
  • How a blockchain works
    • The problem of consensus
    • Proof of Work
    • Proof of Stake
  • Elements of Information Security
    • CIA triad applied to blockchain
      • Confidentiality
      • Integrity
      • Availability
    • Software flaws, 0 day, and exploits
    • Chain of an attack
      • Initial Access
      • Execution
      • Persistence
      • Privilege Escalation
      • Defense Evasion
      • Credential Access
      • Monitoring
      • Lateral Movement
      • Extraction
  • Theory and philosophical world of the Blockchain system
    • Trilemma for Blockchain world
      • Zooko's Triangle
      • CAP Theorem
      • Metcalfe's law
    • Fallacies of distributed comp

First Part: Reconnaissance

Chapter 2: Getting Information

Pululat herba satis, quae nil habet utilitatis – “The useless grass always grows too much”

  • Understanding technical papers not business papers
  • Trusting code
  • Identifying good projects and avoiding the bad ones
  • Digging into design of protocol

Chapter 3: Data Mining and Analyzing

  • Obtaining Blockchain Data
    • Via RPC
    • Via a custom protocol
  • Obtaining Price and Market data
  • Analyzing cryptocurrency flow

Chapter 4: Network-based Attacks

Pomum compunctum cito corrumpit sibi iunctum – “A bruised fruit quickly spoils the fruit next to it”

  • The delicate balance of Decentralization
  • Denial of Service and Distributed Denial of Service
  • Timejacking Attack
  • Routing Attack
  • Sybil Attack
  • 51% Attack
  • Eclipse Attack: isolating clients
  • MiTM Attack
  • DNS-based Attacks
  • Tricking the merchant: 0-based transactions

Chapter 5: Crypto-based Attacks

  • Essential elements of Cryptography
    • Symmetric and Asymmetric
    • Hashing versus Mere Encoding
    • Panoramic view of actual algorithm
    • Elliptic curves and functions
  • “Don’t roll your own crypto”
  • Algorithm problems
    • Insecure Algorithm
      • Choosing the wrong algorithm
      • Implementation mistakes
      • Intrinsic
  • Key Management Problems
    • Weak Keys
    • Keys not encrypted or hardcoded
    • Random Number Generator Problems
      • Randomness on a digital system

Chapter 6: Software Flaws

  • Design Weakness
  • Abusing inputs
    • The problem of the missed validations
    • Injections
      • Query Injection
      • Code Execution Injection
    • Overflowing and Underflowing
      • Buffer overflows
      • Unchecked Error Condition
  • Security Misconfiguration
    • Documentation weakness
    • Hardcoded secrets
  • Memory Leaking
  • The challenge: Fast vs well-understandable code

Chapter 7: Taking advantage of the human mind

Everything in war is based on deception.

  • Getting information about you
    • Getting information about a person
  • Phases of a social engineering attack
    • Psychology behind it
  • Social Engineering Techniques
    • Phishing
    • Spoofing
    • Whaling attack
    • Pretexting
    • Quid Pro Quo
    • Piggybacking
  • Discrediting your project

Chapter 8: Break the markets

  • Principles of Economy applied to Cryptocurrency
    • Exchanges
    • Banks
  • Manipulating Exchange Prices
    • Pump and dumps
    • Shilling
    • Whale trading
    • Wash trading
  • Break the chain between you and your assets: mixers

Chapter 9: Breaking Applications based on Blockchain

  • Smart contracts (?)

… any idea? …

Chapter 9: Security

Praestat cautela quam medela – “Prevention is better than cure”

  • The flow for securing blockchain
  • Discussed Controversial Security Techniques
    • Security by obscurity
  • Security by default
  • A note about Open Source
  • Securing your software
  • Securing your assets
    • Password managers
    • Multifactor Authenticator
  • Further resources
  • The end?

Project status

The preview is currently in Italian. This choice was made to speed up the writing, since Italian is the author's native language. Want to help me? Send me an e-mail.