Inflation Bug Still a Danger to More Than Half of All Bitcoin Full Nodes

Eight months after the discovery of the inflation bug, more than half of the full nodes on the bitcoin network are still running client versions susceptible to the vulnerability.

Figures published by bitcoin core developer Luke Dashjr show that more than half of the full nodes in the bitcoin network are still running client software vulnerable to the inflation bug discovered in September 2018.

This revelation poses some danger to the network, as software vulnerabilities are a clear and present danger to the fidelity of bitcoin (BTC). Now that the top-ranked cryptocurrency is in the midst of a positive price run, it is perhaps important that steps are taken to eradicate the inflation bug problem for good.

Most bitcoin full nodes still vulnerable to the inflation bug

As reported by Cointelegraph on May 8, research by Dashjr shows that more than 50% of full nodes on the bitcoin network are still running software versions of the bitcoin client that are susceptible to the inflation bug.

However, from that time, the figure has fallen slightly from about 60% to 54%. This means that, in the last few days, some full nodes have upgraded to a more recent client software update.

Back in September 2018, developers first discovered the inflation bug — which, in theory, could allow miners to inflate the total bitcoin supply beyond the 21 million BTC by spending multiple unspent transaction outputs (UTXOs) in the same transaction.

Given the nature of the bug, the developers kept it a secret, quietly releasing a new version of the client. An excerpt from the September 2018 common vulnerabilities and exposures (CVE) report released by Bitcoincore.org reads:

“In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give time for systems to upgrade. On September 20th a post in a public forum reported the full impact and although it was quickly retracted the claim was further circulated.”

One key takeaway from Dashjr’s analysis is the total number of full nodes on the bitcoin network. Most bitcoin literature sources put the number of full nodes at somewhere approaching 10,000.

However, Dashjr opines that this number is closer to 100,000 and that the reason for this discrepancy lies in the fact that many sources only account for nodes actively listening on the network.

Called listening nodes, these full nodes have open port connections that can be probed. However, not all full-nodes are listening nodes; some, hidden behind firewalls or configured to not actively listen for new connections, don’t have easily discoverable open port connections.

The severity of the inflation bug

To understand the severity of the inflation bug, it is important to know the mechanism by which the problem could be exploited. This requires a brief explanation of the double-spend attack, the inflation bug itself and the problems that could arise if it is left unchecked.

Bitcoin’s early success owes much to the brilliant solution that Satoshi Nakamoto, the creator of bitcoin, found for the double-spending problem that had prevented the successful deployment and implementation of prior virtual currency systems.

By creating an immutable ledger with nodes validating transactions, it became almost theoretically impossible to spend the same UTXO in two different transactions.

However, what happens when, instead of spending the UTXO in two different transactions, a malicious actor tries to use one transaction to spend the same UTXO multiple times? Because of the way bitcoin is engineered to work, this action would mean creating new coins virtually out of thin air, thus inflating the total supply; hence the name, the inflation bug.

Several successive updates to the bitcoin software have tried to improve the blockchain’s immunity to the first type of double-spend attack. However, by the Core 0.14.x version of the bitcoin software client, developers began to notice there was a possibility of a distributed denial of service (DDoS) vulnerability in the software client.

The bug allowed a malicious attacker to crash nodes running the 0.14.x software version by attempting to spend the same UTXO twice. In this iteration of the bug, the objective would have been to crash as many nodes as possible and not necessarily inflate the total bitcoin supply.

In trying to fix the problem, the next released update, 0.15.0, included features that inadvertently allowed a malicious attacker to double spend the same UTXO in one transaction. Instead of causing a system crash, this new bug caused older software clients to recognize such double-spend transactions as valid.
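The two failure modes described above can be reproduced in a toy UTXO model. This is an added example, not Bitcoin Core code; every name, policy flag and amount in it is constructed for illustration. With the duplicate-input check skipped, the same transaction either trips an internal invariant and takes the node down, or is accepted and raises the total supply.

```python
from dataclasses import dataclass

COIN = 100_000_000  # satoshis per coin


class ValidationError(Exception):
    """Transaction rejected by the validation rules."""


class NodeCrash(Exception):
    """Stands in for a failed internal assertion that stops the node."""


@dataclass(frozen=True)
class OutPoint:
    txid: str
    index: int


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # OutPoints being spent
    outputs: tuple  # output amounts in satoshis


def has_duplicate_inputs(tx):
    return len(set(tx.inputs)) != len(tx.inputs)


def connect_tx(tx, utxos, *, check_duplicates, strict_spend):
    """Validate tx against the UTXO set and return (new_utxos, fee).

    check_duplicates: reject a tx listing the same outpoint twice (the fix).
    strict_spend: treat removing an already-removed coin as a broken
                  invariant (crash) rather than a silent no-op.
    """
    if check_duplicates and has_duplicate_inputs(tx):
        raise ValidationError("duplicate input")

    # Values are summed per listed input, so a repeated outpoint is
    # counted once for every time it appears.
    total_in = 0
    for op in tx.inputs:
        if op not in utxos:
            raise ValidationError("input missing or already spent")
        total_in += utxos[op]
    total_out = sum(tx.outputs)
    if total_out > total_in:
        raise ValidationError("outputs exceed inputs")

    new_utxos = dict(utxos)
    for op in tx.inputs:
        if op not in new_utxos:  # second appearance of a duplicate
            if strict_spend:
                raise NodeCrash("spent the same coin twice")
            continue
        del new_utxos[op]
    for i, value in enumerate(tx.outputs):
        new_utxos[OutPoint(tx.txid, i)] = value
    return new_utxos, total_in - total_out


def supply(utxos):
    return sum(utxos.values())


def classify(tx, utxos, **policy):
    """Return (outcome, supply_delta); an honest tx conserves supply + fee."""
    before = supply(utxos)
    try:
        after, fee = connect_tx(tx, utxos, **policy)
    except ValidationError:
        return ("rejected", 0)
    except NodeCrash:
        return ("crashed", 0)
    delta = supply(after) + fee - before
    return ("inflated" if delta > 0 else "accepted", delta)


# Constructed policies modelling the three behaviours the article describes.
POLICIES = {
    "crash": {"check_duplicates": False, "strict_spend": True},
    "inflate": {"check_duplicates": False, "strict_spend": False},
    "fixed": {"check_duplicates": True, "strict_spend": True},
}

# Constructed sample data: one 50-coin output and two transactions.
A = OutPoint("aa", 0)
GENESIS_UTXOS = {A: 50 * COIN}
HONEST_TX = Tx("bb", (A,), (30 * COIN, 19 * COIN))   # 1 coin fee
DUPLICATE_TX = Tx("cc", (A, A), (100 * COIN,))       # spends A twice


def run_demo():
    return {
        name: (classify(HONEST_TX, GENESIS_UTXOS, **policy),
               classify(DUPLICATE_TX, GENESIS_UTXOS, **policy))
        for name, policy in POLICIES.items()
    }


if __name__ == "__main__":
    for name, (honest, duplicate) in run_demo().items():
        print(f"{name:8} honest={honest} duplicate={duplicate}")
```

The supply check in `classify` is the same invariant an operator can monitor independently of validation: the sum of unspent outputs plus fees must not grow when a non-coinbase transaction is applied.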

Upon discovery, developers again released a new version of software before announcing it to the wider cryptocurrency community. However, several months after the issue ought to have been solved, it appears that more than half the full nodes on the network are still running client implementations vulnerable to the bug.

Cointelegraph spoke with Dashjr about the implication of the inflation bug, to which the bitcoin developer replied:

“The inflation bug is in practice a network-wide risk. It would allow a 51% miner attack to cause inflation (something such attacks can’t normally do). The inflationary chain would only be accepted by vulnerable nodes and light wallets.”

Expanding further on the dangers posed by the bug, Dashjr went on to say:

“It makes what was thought to be a full node, actually just a light wallet in that one respect. If more than a small minority use light wallets, miners get to make up the rules.”

All nodes have to do is upgrade

Whenever developers discover a bug of this nature, the solution is always to get nodes to upgrade to a newer version of software that hopefully has features that eliminate the problem. Sometimes, this process may lead to the emergence of another problem — as seen in 2018, when solving the DDoS bug caused the inflation bug to manifest.

When asked by Cointelegraph what should be done about the situation, Dashjr’s answer was simple and straight to the point:

“Everyone upgrading to a fixed full node.”

While this process is ongoing, does the bitcoin network face any credible risk stemming from the fact that half of the full nodes are vulnerable to the inflation bug? The answer to the question might lie in who really holds the true power in the network: miners or developers?

In 2018, bitcoin developer Jimmy Song expressed the view that rogue miners trying to take advantage of the inflation bug would find it nearly impossible to succeed. For one, Song said that not every full node runs the bitcoin core; a large number prefer to deploy custom iterations of the bitcoin client.

The fact that some nodes do not run the core client already diminishes the attack because such nodes will reject the block containing the inflated UTXOs. If a significant number of miners reject the tainted block, then a chain split likely occurs.

Back in 2010, during the “value overflow incident” discovered in block 74,638, developers published a new update to the client in less than five hours, solving the problem. The block in question contained a transaction that created about 184 billion BTC for three addresses, with two addresses receiving 92.2 billion BTC and the miner responsible for solving the block getting 0.01 BTC.

The discrepancy only lasted for the next 53 blocks, and by block height 74,691, all traces of the value overflow no longer existed on the network. Nodes that initially accepted the side of the chain split containing the tainted block soon began to revert to the side that didn’t contain the inflated block.

The same applies to the inflation bug: Once the split occurs, developers and others on the network would begin to notice, as Song explained in this excerpt of his blog post, which reads:

“Because of these irregularities, people on the network would soon have tracked this down, probably have alerted some developers and the core developers would have fixed it. If there was a fork, the social consensus at that point about which is the right chain would start getting discussed and the chain creating unexpected inflation would have likely lost out. If there was a stall, there likely would have been a voluntary rollback to punish the attacker.”

For Song, given the economics of the attack, it is unlikely that rogue miners would want to employ such a tactic. However, the bitcoin educator said that hackers working for countries with anti-bitcoin sentiments could exploit the bug to destroy the network.

Tron Discloses Critical Vulnerability Which Could Have Crashed Its Blockchain

The Tron Foundation has disclosed a fixed critical vulnerability which could have rendered its blockchain unusable.

The Tron Foundation disclosed a fixed critical vulnerability which could have crashed its blockchain on vulnerability disclosure platform HackerOne on May 2.

The disclosure explains that with enough malicious requests, an attacker could have filled up all the available memory and effectively performed a Distributed Denial of Service attack on the TRX network by employing malicious code in a smart contract. The disclosure further explains the impact of such an attack:

“Using a single machine an attacker could send DDOS attack to all or 51% of the SR node and render Tron network unusable or make it unavailable.”

The cybersecurity researcher who discovered and disclosed the vulnerability was given a bounty of $1,500. The issue was first reported on January 14, but has been publicly disclosed only recently, after it was already fixed.

As Cointelegraph reported at the end of last year, white hat hackers were awarded $878,000 in bug bounties in 2018.

The largest bounty payer was reportedly Block.one. Major cryptocurrency exchange Coinbase was the second-largest bounty spender at $290,381, while Tron was the third-largest, reportedly paying out $76,200 in 2018.

By the beginning of February 2019, EOS.io, the company responsible for the development of fourth-largest crypto by market cap eos, had already handed over bug bounties for five critical vulnerabilities this year.

Research: 60% of All Bitcoin Full-Nodes Are Still Vulnerable to Inflation Bug

60% of bitcoin’s full-nodes are running software still vulnerable to the inflation bug at press time.

According to bitcoin (BTC) node stats reported on the website of bitcoin core developer Luke Dashjr, 60.22% of the coin’s full-nodes are running software still vulnerable to the inflation bug at press time.

According to the reported data, the software running on 60,101 bitcoin full-nodes is vulnerable to the CVE-2018-17144 bug. As Cointelegraph reported at the end of September last year, the bug allows malicious miners to artificially inflate bitcoin’s supply via a simple type of double input.

According to a Cointelegraph analysis, at the time — likely because of the possible catastrophic consequences of the presence of the bug — the developers decided to keep it a secret and only revealed that the bug made the network vulnerable to Distributed Denial of Service attacks. The developers disclosed the full danger of the vulnerability at a later time, after it had been already fixed.

The stats on Dashjr’s website also claim that there are 99,638 bitcoin full-nodes currently running at press time, a number about ten times higher than reported by most bitcoin analytics platforms. For instance, BitNodes claims that there are now 9,515 bitcoin full nodes, while CoinDance reports that there are only 9,391 nodes running at press time.

Technology news outlet The Next Web cited Dashjr as previously explaining that this discrepancy is actually due to the fact that most such platforms only include listening full-nodes. Still, according to the report, whether a node is “listening” or not is a mostly-irrelevant technical detail.

A consequence of a node “listening” is that it is more visible and easier to find, according to The Next Web. Dashjr reportedly explained that “economic nodes — those handling transactions — can be both listening and not,” and concluded:

“Frankly, looking at just listening nodes isn’t a very useful metric — non-listening nodes are just as relevant.”

Dashjr’s chart of bitcoin nodes is based on four weeks of data and is updated hourly.

At the beginning of February, EOS.io, the company responsible for the development of fourth-largest crypto by market cap eos, had already handed over bug bounties for five critical vulnerabilities this year.

Immutability in Doubt: Do We Need to Protect Blockchain Data?

On June 12, the state of Michigan introduced a bill imposing criminal penalties for manipulating data on blockchains in order to commit fraud. This is the first attempt in the world to legally protect data stored on distributed ledger technology (DLT): entering false information into the blocks or changing the blocks themselves can carry up to 14 years of imprisonment.

The deliberate introduction of false data does not raise questions — here the signs of unlawful actions become visible to all the members of the network and do not call for any comment. But with the change in the blocks, things are more complicated because specific examples of such manipulation are not stipulated by the law, and the action itself has, until recently, been considered impossible.

As it turned out, this is feasible, as evidenced by regular and successful attacks on large blockchains, including those recently made on Bitcoin Gold and Verge. Therefore, the new law in Michigan seems to be aimed, rather, at protecting the network from so-called “51 percent attacks”, which have become a serious problem for the entire crypto community in 2018.

Blockchain data immutability

The word “immutable” is heard frequently when people speak about blockchain. The consistency of the blockchain structure implies the inability to make adjustments to the data after they are recorded in a distributed database. This is achieved due to the main property of blockchain, decentralization, in which the individual parts of the network responsible for the authenticity of transactions are autonomous and not connected to a common server.

In this database, a list of ordered records — called blocks — is continuously stored and refilled. Blocks are repeatedly copied, and their verification is provided by the number of devices on which the information is stored — the nodes. At the moment, the reliability of each block in the Bitcoin blockchain is confirmed by over 9,000 nodes, with the number of blocks in the network now surpassing 500,000.

Image source: Bitnodes

To protect data in blockchain, the author of the record creates an access key. If changes are made to the block, the previous key becomes invalid, and it becomes visible to all network participants who, by a simple majority of votes, may prevent any further unauthorized actions. Thus, it makes it impossible to proceed with changes to the information stored in the blocks, and this is one of the essential qualities of blockchain as a technology.

The data in the blocks can be very diverse. The creation of the cryptocurrency is just one example. Data integrity is a unique property of technology that can be used to protect any transactions, registries and documents, as well as ensure a fair interaction between network members.

Now, as the notion of the immutability of blockchain data has been formalized more or less clearly, the question still remains: If it’s impossible to make a change in the blocks, why do we need the Michigan state law?

“51 percent attack”: blockchain’s main foe

Returning to the idea of “a majority rule,” if an attacker or a group of intruders are able to get 51 percent of a network’s mining hash rate in their hands, they can pretty much do as they please with the world of data within — from altering blocks to manipulating transactions. After all, the majority of votes are on their side.

Theoretically, such a threat could exist. From a practical point of view, its probability tends toward zero, since the cost of computing power necessary to compromise blockchains is enormous — from $336 to $490,000 per one-hour attack, analytical service 51Crypto states. Taking into consideration that a large amount of money is necessary to possess the network hash rate, it is more rational to deploy a new system and give rewards to other miners for maintaining it, rather than to use resources for hacking the existing blockchain.  

Image source: 51Crypto

If we are talking about cryptocurrencies, the “51 percent attack” — which becomes immediately visible to all participants of the system — would lead to a sharp drop in the exchange rate of the currency. By making changes to the blocks, an attacker, who has spent large amounts of money to acquire the necessary computing power, will get what he wants — digital money. But his real profit will be minimal, since the rate will fall, and the attack itself will be quickly suppressed. This is the way the system protects itself.

Experts of the cryptocurrency industry often come up with various metaphors to illustrate the self-defense of blockchain technology. For example, the CEO and chairman of DLT Labs, Loudon Owen, characterizes the likelihood of breaking a blockchain in the following way:

“Pigs can’t fly. This is an absolute truth that we all know and agree on. But, given a phenomenally strong wind, pigs can fly. Nothing digital — including blockchain — is entirely immutable. But blockchain is a massive, distributed digital ledger which is as good as it gets for electronic storage.”

Cal Cook, financial researcher at the website Consumersafety.org, offered this reassurance:

“The chance of this happening, however, is very unlikely, because there would be no economic incentive to do so. A malicious user who overpowers a public blockchain network would, in doing so, devalue the currency. So even if they ‘stole’ some coins, they would very likely end up with less money in terms of fiat dollars than they had before.”

But as practice shows, experts who are guided by logic and expediency sometimes make mistakes.

Blockchain is attacked around the world

The more cryptocurrencies are created on third-party blockchains and the more hard forks of the original networks appear, the easier it is for hackers to concentrate 51 percent of the network’s total hash rate in their hands.

Leading Bitcoin developers, such as Peter Todd and Ethan MacBrough, repeatedly warned that cloning large blockchains can lead to “51 percent attacks.”

But the cryptocurrency community seemed to be too fascinated by the prospects of the blockchain technology to hear those warnings.

As a result, in May and June of this year alone, six blockchain-based projects became the victims of a “51 percent attack.” Attacks were made on Bitcoin Gold (changes in blocks led to $18.6 million loss), Verge (attacks have been made twice and affected $1.76 million and $800,000, respectively), Monacoin ($90,000 stolen), and Electroneum, which claims that no money has been stolen.

So far, the last victim is considered to be ZenCash, which suffered an attack worth $20,000 in hash rate, even with 11,823 full nodes; that number of nodes exceeded that of the Bitcoin network and had previously been considered “resilient”. On June 3, the hackers managed to alter 38 transactions totalling $550,000. At the same time, according to 51Crypto, the organization of a one-hour attack on the ZenCash network might cost only $5,417. The hackers did not have to obtain any giant amount of computing power; they just rented miners for four hours.

Image source: 51Crypto

Five days before the attack on ZenCash, Husam Abboud — a cryptocurrency analyst at the University of FECAP in Brazil — published the analytics on the cost of “51 percent attacks” on Ethereum and Ethereum Classic and mathematically calculated the vulnerability of the hard forks of all major blockchains. Besides that, he determined the pools and miners who may pose a threat to Ethereum-based networks.

Image source: Medium @HusamABBOUD

As it turned out, the price of the attack is minimal in comparison with the damage that it is capable of doing. And this is not about the profit of the attacker, but about the damage to the ecosystem.

Apparently, so far it is only about attacks on cryptocurrencies, where there are still many chances for instant, illegal enrichment. When attacking blockchains that belong to a state, or other services not connected with cryptocurrency, the attacker will not get any profit at all, and his actions will be pure hooliganism, vandalism, fraud or blackmail. Or it could be the next generation of terrorism, one which doesn’t require weapons.

All this makes Michigan’s initiative — introduced by the state legislature on June 12 in order to protect any records on blockchain against altering, forging, or counterfeiting — look very timely.

Blockchain is no exception

The potential of blockchain as a technology cannot be underestimated. The principle of unchangeable data allows the exclusion of intermediaries from any sphere of human activity: from medicine and education to trade, production and logistics. And this opens great prospects for the development of a new economy.

The principles of decentralization and transparency allow access to any services, knowledge and financial resources to any person from anywhere in the world. And this is fine, because it gives all people equal opportunities.

However, any system invented by a person can be hacked by another person, so it needs to develop general principles of protection and rules of conduct. And blockchain, here, is no exception.

More likely, the law of Michigan is only the first precedent of legal protection of blockchain, which — as many thought until recently — generally does not need protection at all.

Bitfinex Recovers from Cyber Attack to Resume Trading

The world’s fourth largest crypto exchange by trade volume, Bitfinex, suffered a cyber-attack yesterday that halted services and prevented trading temporarily.

The Hong Kong-headquartered exchange, which has handled $430 million in trade in the past 24 hours according to coinmarketcap.com, went offline for a few hours with what it described as unscheduled maintenance. It was subsequently revealed that the servers were the target of a distributed denial of service (DDoS) attack which overloaded them with spurious traffic, causing the website and trading platform to shut down temporarily.

The status monitoring systems for Bitfinex reported that:

“The cause of the outage has been identified. A DDoS attack was launched soon after we restarted operations. The previous outage was caused by issues with one of our infrastructure providers. While the platform was recovering, the attack caused extreme load on the servers. We are adjusting the DDoS protection measures to fend off the attack and be able to relaunch.”

These types of attack are not designed to steal currency but to disrupt services. Bitfinex quickly recovered from the incursion and trading resumed within a couple of hours.

Traders and investors had every reason to be concerned since Bitfinex lost almost 120,000 Bitcoins to hackers back in 2016. In June 2017 the exchange also reported being the victim of cyber-attacks so it is quite familiar with them.

The ongoing saga with Tether is also a cause for concern with Bitfinex and those that use the platform. There have been fears that the company would close due to links with USDT and an ongoing investigation by the Commodity Futures Trading Commission, which subpoenaed the exchange in January. Since then the exchange has been operating as normal even though it still holds the largest amount of Tether, which is currently responsible for over 17% of all Bitcoin volumes.

Security is a major headache for exchanges which are now the modern version of a bank, which of course can be robbed. Several have fallen victim this year with the largest hack being Coincheck at the beginning of the year.

The advice is always the same: do not hold any significant amount of crypto on exchanges, no matter how safe you think they are. Wallets and cold storage are far safer alternatives; however, even they are not completely infallible.

Weiss Ratings Gives Bitcoin C+, Sparks South Korean DDoS Revenge

South Korean Bitcoin “investors” allegedly launched the DDoS attack that shut down Weiss Ratings’ website after the agency gave the cryptocurrency a ‘C+’ rating.

According to a press release citing “numerous mentions on social media” about plans to attack Weiss, staff were “up all night” attempting to restore normal service after the release of ratings for Bitcoin and other cryptocurrencies Thursday.

“Earlier commentary on social media expressed considerable fear we were about to release negative ratings on their preferred currencies,” founder Martin D. Weiss commented, “so this may be an attempt to thwart our release today.”

No cryptocurrency managed to gather an ‘A’ on Weiss’ list, while the rating agency’s other conclusions also drew criticism from commentators.

Bitcoin Cash fared only slightly worse than Bitcoin itself with C-, while Ethereum scored a B and Dogecoin C, placing it similarly just below Bitcoin in terms of providence.

“All else being equal, as a cryptocurrency overcomes its individual challenges, it’s likely to be upgraded promptly,” Weiss himself nonetheless added, adopting a somewhat more bullish tone.

In the week of the 2018 World Economic Forum in Davos, legacy finance entities are delivering curious appraisals of cryptocurrency as it faces its most mainstream year yet.

Former US Secretary of State John Kerry told Cointelegraph that crypto “has value” at the event, while JPMorgan CEO Jamie Dimon privately denied he was a “skeptic” when it came to Bitcoin.

When IaaS Meets Blockchain

With data circulation increasing exponentially, a new solution for a more effective and safer storage is necessary. Recent news of faulty widely-used Intel, AMD and ARM chips has sparked growing concerns over cybersecurity and data protection.

With the cost of having a physical server to store data often being unbearable, the cloud is the solution adopted by an overwhelming majority of businesses. According to cybersecurity and risk management firm Delta Risk, 90 percent of companies use the cloud for data storage, despite concerns over data security. A survey carried out by the company has shown that the major risks users worry about are data loss, data privacy and confidentiality breaches.

The misconfiguration or mismanagement of cloud services or SaaS can lead to data breaches which can be propelled by human error or cyber-attacks. These often harm business operations, as was the case with Equifax and Deloitte.

The move to the cloud allows for a cost reduction and more flexibility for the companies. However, as companies often handle the configuration and usage of the accounts themselves, data breaches frequently occur.

Safe and efficient technology for data storage

Access to data, data storage and security are big concerns for businesses and can be quite overwhelming for small companies with little resources. That’s where IaaS (Infrastructure as a Service) comes into action, as it provides virtualized solutions like servers, storage and databases. As the services are usually charged based on utilization, companies have more flexibility to scale their operations.

Titanium Blockchain Infrastructure Services (TBIS) is running IaaS on their own dedicated Ethereum Blockchain, leveraging Raiden technology to achieve Visa-like speeds, offering a safe, flexible and decentralized service. This solution is not only effective, as there is no outage, but it is also cheaper than most alternatives.

Whenever a problem is detected, the system is prepared to run autonomous “healing” actions, and if a device wavers, the operation is transferred to another network of redundant nodes. Through combining Raiden and Plasma scaling solutions, Titanium is looking to achieve faster transactions, being able to compete with processing networks such as Visa’s, which can handle 2,000 transactions per second.

The company aims to virtualize and decentralize every device and infrastructure that make up a company’s Internet network from routers to firewalls and even servers. Ultimately, TBIS wants to enable the creation of a global company from a laptop, desktop, smartphone or tablet without leaving your home, by providing the tools to easily set up an enterprise level infrastructure.

As it only exists on the Ethereum Blockchain, the system is immune to attacks such as DDoS or other address-specific attacks.

An experienced team bringing network to the future

The founder and CEO of TBIS, Michael Stollaire, has also founded EHI, a technology consultancy specializing in enterprise infrastructure management. He is bringing not only his expertise but also EHI clients, which include small and medium-sized enterprises, as well as giants like Boeing, Apple, IBM, Microsoft or Walt Disney Studios.

Working with Mr. Stollaire to push this project forward is a very experienced team with expertise in Blockchain technology, business management and Internet Network Infrastructure management.

Besides IaaS, the company is also looking to provide services such as CaaS (Company as a Service), DEXchange, BYOC (Bring Your Own Cloud), InstantMiner or Instant ICO Incubator (III).

A Titanium Blockchain user would be able to virtualize its entire IT enterprise and create a private cloud environment with native monitoring of mission-critical devices, applications and services. It would also be able to create and network a server or a custom cryptocurrency miner or set up an ICO in seconds.

First BBB and D&B certified ICO

Investors can get in on the Titanium ICO, the first ICO ever to be D&B and BBB certified, by buying TBIS’s native BAR tokens. Out of the total supply of 60 mln BAR tokens, 60 percent (35 mln BARs) will be available for purchase. Whereas 20 percent (12 mln BARs) will be ascribed to the TBIS team and 10 percent (six mln BARs) will be allocated to the bounty campaign. The remaining 10 percent is to be held as a reserve.

Disclaimer. Cointelegraph does not endorse any content or product on this page. While we aim at providing you all important information that we could obtain, readers should do their own research before taking any actions related to the company and carry full responsibility for their decisions, nor this article can be considered as an investment advice.

Kraken Down Nearly 48 Hours, Gives Engineers Time to ‘Rest’ Before Resuming Service

Cryptocurrency exchange Kraken is still down nearly 48 hours after the site initiated a system upgrade. Kraken engineers had estimated the downtime would only be two hours. Much like Gilligan’s three-hour cruise that went horribly wrong, Kraken users all over the Internet are raging over the downtime and asking difficult questions.

Beset by problems

Nearly all digital currency exchanges have faced significant growing pains in the last year, as the interest in cryptocurrencies has grown exponentially. Coinbase and Bitstamp have been overwhelmed with user traffic, leading to delays. Bitfinex has been hit by DDOS attacks and recently had to stop registration for new users because of overwhelming demand. Binance and Bittrex have also halted new user signups.

Still, Kraken has arguably suffered the most problems of all major exchanges. Users, including myself, have experienced multiple connection errors and extraordinary difficulties placing and cancelling orders. It’s sometimes necessary to refresh Kraken’s page 10-15 times before being able to execute an action. Numerous users have complained that Kraken posted their orders multiple times (after telling them their order failed initially), in some cases costing them thousands of dollars.

Upgrade to fix it all?

While many have encouraged users of Kraken to go elsewhere, it’s not always that easy. US users are especially limited in the exchanges they can use, particularly with Bitfinex ditching them earlier last year. For certain altcoins, US traders may only be able to use Kraken to trade them against fiat. Likewise, Kraken is one of the only markets where US residents can long or short Bitcoin.

Such users were delighted when, on December 15, Kraken announced a major upgrade to fix the site’s usability problems:

“Kraken.com performance is extremely degraded and unreliable.  Clients can expect severe latency and difficulty interacting with all web and API services.  Requests will frequently timeout and fail.  At the moment, the only solution is to wait and try again later.

Next week we will be rolling out a major systems upgrade which should resolve these scaling and load issues.  The upgrade is long overdue and has been substantially delayed by the diversion of resources toward the protracted fire fighting effort required to deal with the last several months of unrelenting growth.”

Two hours, possibly longer

The upgrade scheduled for the third week of December was rescheduled twice, before finally commencing January 10 at 9 PM PST. The status page Kraken set up for the upgrade stated:

“We are performing a system upgrade on Thursday, January 11 at approximately 5:00 UTC (Wednesday January 10 at 9 pm PT). Kraken services will be offline for about 2 hours during the upgrade, possibly longer.”

Over the following two days, Kraken continued to update the status page, complaining of late starts and the upgrade progressing more slowly than expected. Finally, they announced that the upgrade was in its final stages, before then posting that “a number of issues” came up in their “final testing.” Kraken is not clear on why this “final testing” was apparently done on production servers.

About one day after the two-hour upgrade began, Kraken posted:

“We are making progress on the few remaining issues but don’t have a definite launch time yet. We intend to cancel stale (and possibly all) orders and pause liquidations upon resuming service. More details to follow soon. Thank you for your patience.”

It’s unclear exactly how this will work. The price of Bitcoin and altcoins has of course changed over the last two days, and nobody is quite sure how Kraken will keep people from losing money on long and short positions that might have been closed had the exchange been working properly.

Most astonishing of all, about 36 hours after the upgrade began, Kraken apparently sent their engineers home to take a nap! Kraken writes:

“We are close but rather than launch immediately ahead of the team passing out, we will push off a bit to get some rest and be able to better monitor systems and react to problems following launch. Unfortunately, this means several more hours of delay.”

At press time, Kraken is still down with no ETA for resumption of trading, and the exchange has not responded to our requests for comment.

Report Shows Cryptocurrency Exchanges Most Common DDoS Victims Worldwide

Digital currency operators and Bitcoin exchanges are the most common targets of distributed denial of service (DDoS) attacks, according to a report titled “Q3 2017 Global DDoS Threat Landscape.” Imperva Incapsula said that three out of four Bitcoin sites were victims of DDoS attacks in the third quarter of 2017 alone. A DDoS attack happens when multiple sources flood the bandwidth or resources of a targeted system with traffic, preventing legitimate parties from accessing the site or service.

DDoS Victims

The report also cites the phenomenal rise in the price of Bitcoin, which more than doubled during the quarter, as the reason behind the attacks.

Part of the report reads:

“[We] saw attacks targeting a relatively high number of cryptocurrency exchanges and services. This was likely related to a recent spike in the price of Bitcoin, which more than doubled in the span of the quarter. Overall, more than 73 percent of all Bitcoin sites using our services were attacked this quarter, making it one of the most targeted industries, despite its relatively small size and web presence.”

Other highlights of the report

Based on the report, other sectors like Internet service providers and online gambling and gaming operators were also hit by DDoS attacks. For network layer DDoS attacks, the countries that experienced the highest number of attacks and number of targets include the US, China, Hong Kong and the Philippines.

For application layer DDoS attacks, the most targeted countries included the US, the Netherlands and other developed countries with mature digital marketplaces like Singapore, Japan and Australia.

The report also claimed that the countries where the majority of botnet traffic originated included China, Turkey and India. China has maintained its position as the main location of attack devices with more than 40 percent of the total.

How DDoS Attacks Affect Bitcoin Exchanges

As if the massive influx of users wasn’t enough to deal with, cryptocurrency exchanges have to deal with the constant threat of DDoS attacks.

As the Bitcoin price continues to soar, hitting a new high of $12,000, people are clamoring to get their hands on the lucrative virtual currency, which places a huge strain on exchanges and their servers.

While they do their best to meet the needs of an ever-growing customer base, exchanges are also doing their best to fight against hackers who are looking to cripple their services and find vulnerabilities in an effort to steal Bitcoin.

The most common attack on exchange websites and their platforms is a DDoS attack.

In layman’s terms, DDoS stands for distributed denial-of-service. It is a cyber-attack on a service provider that looks to disrupt its service, usually by flooding the server with too many requests to handle.

Because they use multiple sources to attack a server rather than a single one, DDoS attacks can be difficult to stop.

Timing couldn’t be worse

Bitcoin’s mega bull run has seen the biggest ever demand for the virtual currency play havoc on exchanges around the world.

As the various service providers did their best to upgrade systems to handle the increased traffic caused by frantic trading and new users as Bitcoin approached the $11,000 milestone a fortnight ago, two exchanges had to deal with cyber-attacks.

Bitfinex scheduled server maintenance and was hit by a DDoS attack at the same time.

Meanwhile, Bittrex also detected a DDoS attack on its system.

These attacks are part and parcel of online life, as banking systems, online shopping platforms and other service providers are common targets of DDoS attacks.

They happen often as well – and almost always at the most inopportune time.

Late in October, the third split from Bitcoin’s original Blockchain, Bitcoin Gold, was hit by a massive DDoS attack. Its launch was unceremoniously disrupted by over 10 mln requests a minute, rendering its site inaccessible.

In May, Poloniex exchange was taken down – with users outraged that they could not trade their virtual currency. Luckily no assets were stolen during the attack – but the panic that ensues is no laughing matter.

Ironically, Blockchain technology could be the very answer to stopping DDoS attacks.

Renting out bandwidth on a Blockchain could mitigate these attacks by increasing the capacity available to handle website traffic.