A Quarter of All Smart Contracts Have “Critical Vulnerabilities”

John Medley

Research by Las Vegas-based blockchain security firm Hosho reveals that more than one in four smart contracts have “critical vulnerabilities”, and three in five contain at least one security flaw.

The cybersecurity company, which has joined forces with AmaZix to bring smart contract auditing to the crypto space, discovered the widespread security flaws by analysing the smart contracts of projects that have collectively raised over $1 billion in funding.

Kenneth Berthelsen, AmaZix CMO, said:

Keeping communities safe is a longstanding priority of AmaZix. Education and awareness are part of that, but so is proactive diligence in the technical aspects of partner projects. In the absence of industry standards, we see smart contract auditing and penetration testing to be essential components of good security in blockchain systems. In our view, there are no better qualified people to do this than Hosho engineers.

Smart contracts are designed to permit trusted transactions and agreements to be carried out between anonymous parties without the need for a central authority, legal system, or external enforcement mechanism. However, the rapid growth of this new technology is being hamstrung by a distinct lack of standards by which to measure security.

Hosho co-founder and CEO Yo Sub Kwon said:

It is Hosho’s goal to push the blockchain industry towards maturation by improving the overall security awareness and guidance. Partnering with AmaZix is a natural fit because their philosophy aligns with our own, striving towards the long-term development of a strong and secure ecosystem.

This news follows the partnership announcement between AmaZix and AI-augmented cyber intelligence firm BrandShield, to fight crypto-related fraud and scams for some 470,000 users across more than 130 community channels that AmaZix manages.

It’s time for Smart Contracts to Smarten Up

The high-profile exploits of smart contracts on blockchain networks, typically on Ethereum, have shown that smart contracts are extremely vulnerable to hacking attempts.

The most famous example is the DAO hack in 2016, which took advantage of a loophole in the DAO's code to drain over 3.6 million ETH – equivalent to $70 million at the time. The DAO hack – and the subsequent fork that split the chain into Ethereum and Ethereum Classic to rectify the problem – has gone down in crypto folklore.

However, it’s clear that the Ethereum fork was a one-off and is unlikely to be repeated. As recently as April, the Ethereum community voted down a proposal that would have restored over 500,000 ETH accidentally frozen in 2017 through an error in the Parity Multi-Sig wallet code.

Smart Contract exploits are notorious and an existential threat to crypto. Projects need to be held accountable for auditing their smart contract code before it is released into the wild.

Peter Schiff Admits to Entering PIN Instead of Password for His Blockchain Wallet

Siamak Masnavi

On Wednesday (January 22), famous gold bug Peter Schiff finally admitted that he lost access to the bitcoin held in his Blockchain Wallet because he had misunderstood how this wallet works. However, not all the blame for this incident should fall on Schiff.

Schiff is the CEO of Euro Pacific Capital, a full-service, registered broker/dealer specializing in foreign markets and securities, and founder and Chairman of SchiffGold, a full-service, discount precious metals dealer. He is also a man who is extremely bullish on gold, bearish on the U.S. dollar, and highly skeptical about Bitcoin.

On 4 July 2019, Schiff revealed that he owned some Bitcoin (BTC), Ether (ETH), and Bitcoin Cash (BCH), and said that he was going to HODL his bitcoin no matter what happens to the Bitcoin price.

Then, last Sunday (January 19), Schiff took to Twitter to express his anger with Bitcoin after allegedly losing access to the crypto wallet that holds his bitcoin:

At the time, Schiff said that the wallet app he was using -- which we now know was the iOS version of Blockchain Wallet (made by Blockchain.com) -- had "somehow" become "corrupted", and that this was why his password -- which he was sure he remembered correctly -- was being rejected. Most people on CryptoTwitter, however, seemed to believe that this was simply a case of a "boomer" who had forgotten his wallet's password:

Erik Voorhees, Founder and CEO of ShapeShift, whom Schiff claims was the person who set up Schiff's wallet in the first place, says that it is Schiff who is to blame (and not Bitcoin) for forgetting his password and not making a note of his wallet's recovery phrase:

However, last night (January 22), three days after first reporting the loss of access to his entire Bitcoin holdings (which had mostly been gifted to him by members of the crypto community on Twitter), Schiff admitted that this situation was not due to a corrupt wallet but to the fact that he had confused the PIN and the password of his Blockchain Wallet. What made things worse was that he neither knew nor had a record of the password or the 12-word backup/recovery phrase:

Having spent some time playing with the Blockchain Wallet, here is one possible explanation for what really happened.

When you create a new Blockchain Wallet, you are asked to specify an email address (which acts as your username), a password (which is needed if you ever log out or are logged out of your wallet), and a 4-digit PIN (which the wallet app asks for -- if you have not set up biometric authentication -- whenever it is restarted, in order to "decrypt" your wallet).

It is essential to note that the Blockchain Wallet does not force the user to record a 12-word or 24-word recovery/seed phrase at the time the wallet is created, i.e. this step is optional. After the wallet has been created, you need to go to the app's menu and choose "Backup Funds", at which point you are asked to write down each of the 12 words of the "backup phrase" the app assigns to your wallet.

So, if Schiff is telling the truth about never knowing the password or the backup phrase, then it looks like the person who created the wallet for him (i.e. Voorhees) may not have told Schiff the wallet's password and may not have told him to make a note of the backup phrase.

Therefore, we can certainly blame Schiff for not bothering to understand how his wallet works, but it is also true that developers of crypto wallets need to do more to improve wallet usability in order to prepare for the mainstream adoption of crypto.