Cryptocurrency Exchange Hacks — Holochain makes it difficult for the attacker
Introduction and purpose
For those of you who don’t know what Holochain or Holofuel or what Holo the company is you may want to have a read of my other article where I explain (or at least try to) the differences between Holochain and Holo the company.
In this article for those whom follow or are within the cryptocurrency space the majority would know that cryptocurrency exchanges are often subjects to hacks, thefts and other skulduggery.
This usually happens when the private keys of the exchange are compromised, the same as if you as a private person had your private keys compromised, you no longer have control of your assets.
What is Holofuel?
HoloFuel The worlds first price stable digital asset.
Before we talk about HoloFuel and how unique it is, its properties and the way it will benefit society, first let’s…
Holofuel is actually an application, unlike blockchain or other DLT technology, it is based upon DHT which stands for distributed hash tables.
If you take the time to read the article above you will see that Holofuel is entirely different to blockchain.
Not only is Holofuel unique but the Holochain architecture provides a framework for other cryptocurrencies to be created, these will also be applications.
Its time for cryptocurrency to grow up and move beyond blockchain which in 2020/2021 had demonstrated its obsolescence and its inability to move forward technologically and has many security risks.
These blockchain based hacks and thefts and the high volatility are the primary reasons that less than 1% of the world uses or trusts cryptocurrency.
Holochain is poised to change that, here is how……
Important: To avoid any confusion, anytime in this article that I make reference to Hot or HOT, I am not in anyway referring to the ERC20 token, it is in reference to HOT wallets.
In October 2020 a large cryptocurrency exchange based in Singapore or Hong Kong depending on where you read the information was hacked for around one hundred and fifty million dollars, plus or minus a few million.
It is yet to be fully known exactly how this hack happened but there are many reports stating that KYC/AML were either not in place or in place in a relaxed state which likely didn’t assist with the hacking but exposed how dangerous a loose exchange can be.
There were several different cryptocurrencies stolen from the Kucoin hot wallets which is where their clients funds were held. It is not known exactly how long the time was between the theft and the time that Kucoin realized it but suffice to say it would likely have been less than 12 hours, either way once it happened it was all too late.
Freezing of funds
Most of the involved cryptocurrency projects were Ethereum based ERC20 smart contracts. These are one of the highest used types of cryptocurrencies and are also claimed to be part of a decentralized immutable blockchain but as you can see from the image below, that is not really the case.
Many of the affected parties created new smart contracts and distributed new tokens to addresses and obviated the hacked version.
The fact that they can do this at anytime should be scary for anyone who truly believes in a decentralized immutable smart contract.
If smart contracts can simply be re-written & an entity or central authority can simply roll back the chain to replace it then it shows there is a lot of centralization involved.
With Holochain if you tried to roll back the chain as an individual the the other chains on the DHT using gossip, peer validation and cryptographic signatures would say “Hey you can’t do that” and your chain would instantly become invalid and a warrant issued.
Ethereum Classic is also a cryptocurrency that is often targeted and attacked and peoples funds stolen through 51% attacks.
But that’s a topic for another day.
Lets look at what a Holochain based Cryptocurrency exchange hack might look like & how it would be different.
There are two examples that need to be explored here, one is if the exchange hack involved Holofuel & the other if it involved any other cryptocurrency created on Holochain.
Holofuel is the internal currency of Holochain that is used to pay for services between dApp publishers & hosts. It can also be used by a 3rd party application should they wish to integrate Holofuel into their application as a payment method through an API.
A independent cryptocurrency created on Holochain would have different supply amounts, validation rules, & any other requirements the creator wanted to include to that of Holofuel but would still need to follow the base rules of Holochain.
To complicate things a little further from this breakdown of Holofuel to a separate Cryptocurrency we need to break it down one more step, that is if the creator of the cryptocurrency is actually using Holo Hosting or not, this is optional as Holochain is open source.
This comes into play as far as KYC goes. A Holochain cryptocurrency created on Holochain and hosted on Holo Hosting would mean that the creator would likely (not yet officially confirmed) need to go through KYC & AML in order for them to list their application on the Holo app store, they would also then likely be required by the exchange(s) where the currency is listed to go through KYC/AML.
However, a cryptocurrency created on Holochain but hosted independently would not need any KYC from Holo and the only KYC a creator might go through is through an exchange.
That is important to keep in mind for the future. Remember cryptocurrencies are traditionally exploited by people to relieve you of your money so even though Holochain has several protections in place including the CAL or Cryptographic Autonomy License, the first ever open source license approved by the open source foundation to apply directly to cryptographics, there are still bad actors out there looking to find exploits.
So when live anyone looking at investing into a cryptocurrency created using Holochain as its framework the first thing people should be looking at is has the creator been through KYC/AML.
Before we go any further though while there is a lot of definitive knowledge about Holofuel, how it will operate and some of its parameters etc but the actual Holofuel document has not yet been released by Holo, so there are some instances below where I will make either an assumption or a suggestion from my personal point of view.
HoloFuel on a compromised cryptocurrency exchange
Like all cryptocurrencies if your private keys are compromised by an attacker then there is a very good chance that they will take control of your funds and send them to an address they personally own or another exchange or a friend etc.
With cryptocurrencies like Bitcoin or Ethereum this is very easy to do and you can create several new addresses in minutes then spread the stolen funds around through a variety of decentralized exchanges or send it to sites that will “mix” or “tumble” your funds and return them to you with the origin cloaked and not seen by anyone.
There are also a lot of nefarious exchanges out there who will even tacitly facilitate this for you by allowing you to sign up without KYC then create another account and transfer them internally etc, this helps a thief to dilute the funds into several different currencies to cashing out at a later date.
This happened recently with a large exchange called Bitmex but there are many where their governments do not care if they are operating without KYC/AML, those exchanges should be avoided.
So, lets assume that an attacker has hacked into an exchange and obtained the private keys for one particular HoloFuel address which is holding 500 Million Holofuel.
It is important to keep in mind that Holofuel is not a “dumb” ledger that just does what its told like a blockchain therefore because it is an actual “application” and is the newest form of cryptocurrency ever created, this also allows it to be more robust and user friendly/safer.
Trying to steal HoloFuel or a Holochain based cryptocurrency means that not only do you need access to the private keys but also a running app instance connected to that key. This doesn't totally prevent theft but requires you to gain control a higher level of access controls to facilitate a theft.
This means the attacker would need to have either the ability to make API calls to the hot wallet’s running node, or a copy of the hot wallet’s source chain so they can run it on their own computer.
These exchanges deal in large sums of money and big transactions are the norm, they will also build their security around Holofuel to meet their own exchanges requirements so the actual architecture individual exchanges server/network security is super important.
Although there are currently many tools out there that allow exchanges to add different layers of notification and alerts to their wallets, HoloFuel addresses and any currency created on Holochain are all applications which adds another layer of customization.
Therefore it should be even easier for exchanges to customize and beef up their security for these cryptocurrencies because there are able to interact with them at a higher level than a blockchain ledger.
They could even add a time-lock delay for transactions over a certain amount and require 2FA and or email confirmations, facial recognition etc,
So lets assume this thief has sent their Holofuel to himself and it is now sitting in his address.
He now wants to swap it for either USD or another Cryptocurrency. Because Holo is a company that will provide hosted cloud computing and Holofuel is its internal currency for transactions (as well as third party use outside of the paying for hosting) any exchange that lists Holofuel will have different levels of KYC/AML, from the very basic email and phone number to full disclosure depending on the account and the usage, however this is yet to be defined and disseminated.
So this thief could only send it to himself if he is that dumb, a friend or family member or other associate who would then try and deposit to an exchange and likely be caught within hours because of KYC/AML.
But even getting full access/control of the HoloFuel or other Holochain based cryptocurrency on the exchange in the first place is difficult.
Unless the attacker actually has the power to make function calls to the hot wallet instance right on the exchange’s machine, they’re forced to clone the hot wallet’s source chain onto their own computer and commit the theft from there.
An exchange hot wallet would be a pretty busy account, so it wouldn’t take long (seconds) for that chain to get forked and recognized as bad by the DHT.
As for where those funds now live, they’re kind of auto-frozen, as a forked chain is invalid from that point on-wards, this chain is now unusable, but that means that the attacker can’t use it either so it’d be silly to even try.
A Holo hosted cryptocurrency theft scenario
As I alluded to earlier, any cryptocurrency created on Holochain means it is for the most part entirely customizable because it is itself an application.
So for the purpose of this scenario lets assume the involved currency is a Bitcoin clone named Digital Bitcoin or DBTC with the same supply but obviously not the same POW system.
If I hacked into an exchange and was able to compromise one of their DBTC addresses I have control of it. Now imagine it has 1 million DBTC, I send it to my DBTC address and now I want to try and spend it or “cash out” into another cryptocurrency or USD.
Because the currency is itself application it may be the case in the terms and conditions that where a theft or unlawful activity is suspected there may be a clause where metadata can be accessed by the creators to help identify the individual involved that will obviously be different for each currency.
But what if I there was secondary or other markets where I could spend my DBTC, couldn’t I just send it to them and take the money and run?
Because of the technology involved including the DHT where for security the individual DHT (in this case for the currency application) requires peer validation, cryptographic signatures and gossip, by now the exchange is aware that someone has stolen their DBTC and it depends entirely on what the internal security setup is for each individual exchanges.
If someone has all of the required access and proof currencies built on Holochain can be stolen but because as I mention below the attacker needs access to the chain source code it is another level of difficulty that the person needs to go through in order to complete the theft.
A Holo hosted cryptocurrency is also totally customizable by the creator so again it would come down to what security precautions are in place and set up by the builder.
Theft of a non Holo hosted cryptocurrency
Non Holo hosted cryptocurrencies created on Holochain use the same rules for Holo hosted but again it is up to the individual creators to decide what this application will consist of.
With a non Holo hosted cryptocurrency created by anyone you should do your due diligence. That’s not to say that all non hosted applications on Holochain are going to be scams but if it involves peoples money and a way to digitally separate them from it, there is a good chance some will try.
There will be many non Holo hosted applications created for lawful purposes on Holochain including Banking and Finance, Storage and IPFS, Web Design & Hosting, supply chains, etc.
And some may be hybrid designs that allow for some public facing UI but also include private internal features. Off topic but Holochain is ideal for a company to run a secure and private intranet.
But back on topic, assuming someone has created a cryptocurrency on Holochain for public use but their identity remains anonymous. Firstly they will likely not be listed on any reputable cryptocurrency exchange without first having to undergo extensive KYC/AML, so that leaves the shady exchanges as the only ones who will facilitate currency exchanges.
So your answer is right there in front of you, ask yourself, I don’t know who created this currency or do I know that the exchange this currency is on is reputable and the exchange has done due diligence?
If it is on a reputable exchange like Binance or Coinbase and the currency creators identity is not known publicly but known to them then it is likely that it would make no difference because you have the protection of knowing the entity was vetted by them.
The other protection features in place are as I mentioned above the CAL which means even if you do not know whom the creator of this currency is, the DNA of Holochain requires that you own your private keys, this doesn’t mean some won’t try and break the rules of the license so again due diligence is required.
The source code for any public facing Holochain cryptocurrency creation is also required by the CAL and it requires hApps to give full control of keys to end-users, but it doesn’t require hApps’ source code to be auditable.
So in summary an exchange theft of a non Holo hosted cryptocurrency would mean the same applies for the others but if that currency also happens to be on a dubious exchange and the creators are not known there is a high chance that even the exchange itself would also not bother to investigate the theft in the first place or is a party to it.
With all of that said, knowing or the exchange knowing the identity of the currency creator is just a small added layer of protection it doesn’t stop or increase theft of cryptocurrencies from external attacks but it is a way to gauge the currency itself if they are listed on a reputable exchange with high security, then better that than a shady exchange with loose governance.
No exchanges are immune from hacks and attempted theft but the ones who have high security in place are the safest bet.
Other Points about Holochain based Cryptocurrencies
So to be clear if an attacker has the exchange’s hot wallet key, any transaction signed by that key and committed to their source chain and countersigned by the account they’re draining the funds to, which presumably they’d also have the private key for is considered valid as it is following the validation rules.
The beauty of Holochain is that the application is so customizable that any creator can enforce numerous and likely never see before security precautions, there is no limit to that its an application so it can be as creative as anyone's mind allows it to be.
Holochain also gives creators the opportunity to create total privacy coins. So even if the privacy coin is listed on an exchange where the creators undertook KYC/AML it is still possible to for the public to own, buy and sell the said cryptocurrency.
For those that do not know Holochains method of DHT consensus allows any attempted alteration or double spend attacks to see a warrant automatically issued.
A warrant actually is when a validation authority produces a receipt for every commit they validate. If the result is ‘valid’, it’s a white heavy check mark receipt and gets passed back to the author (if they’re still online) and gossiped to neighbors who are also validators for that commit. But if the result is ‘invalid’, it’s a cross mark receipt, AKA a warrant.
That gets gossiped to neighbors too, but it also gets gossiped to the validation authorities for the author’s public key — that is, the author’s neighbors. .
This warrant is passed around the network like an antibody causing a rapid immune system response that pushes the attacker out of the network.
They hold that warrant for future potential counter-parties and also gossip it through the neighborhood. Because the malicious agent’s neighborhood is their primary connection to the DHT, it can be quite damaging for them to be rejected from their neighborhood and thus their reputation score and entire account would be affected.
Decentralized Public Key Infrastructure (DPKI)
HoloFuel will be tied to DPKI, the app that manages key revocation. So the exchange would probably write a key revocation strategy that says “As the owner of the HoloFuel agent ID A, I declare that it can only be revoked and replaced if at least 75% of DPKI agents B, C, D, E, F, and G sign off on it.” B, C, D, E, F, and G would of course also be owned by the exchange and would be in cold storage for such a time as this.
In Blockchain if you lose your private keys or they are stolen you have lost your funds forever and there is no way to recover them.
With Holochain you can use another device to revoke keys if for example you lost your cellphone, just use your laptop revoke the keys, this is not possible with blockchain and yet another way Holochain is not only user friendly but it provides another layer to help you protect or recover your assets.
Depending on the exchange itself it could even be the case that there’s really no need for a person to deposit their funds into an exchange at all.
A design could be for the exchange to secure a promise from A to pay 100 HF to B in exchange for B promising to give A 1.00 USDT .
Once both promises are provably secured, both parties release the funds. Basically an atomic swap with the exchange as a matchmaker.
The nice thing about the new Holochain is that the exchange can secure A’s promise of 100 HF in the form of a ‘capability token’ which allows the exchange to automatically get A’s HF node to release the funds.
It is really hard to go into all possible scenarios with Holochain created cryptocurrencies because it is a new invention that is not yet live and we need to be honest and know that there will be attempts at theft, that is just how the world works, being able to mitigate these attacks is not only the end users responsibility but the exchanges themselves and they need to be vigilant in doing so.
One thing that is for certain is the amount of customization that is available is to a Holochain based cryptocurrency is endless, this means that the scope of what the currency can do, how it functions, its security features, its target market etc is all up to the creators needs and imaginations.
This in turn would likely lead to more trust from the general public, so it is to everyone’s advantage within the crypto space to use cutting edge technology that benefits everyone, especially when it comes to security.
The same will likely apply for exchange based currencies, it could be the case that some cryptocurrency exchanges which run their own native token/coin may switch to a Holochain based currency because the customization of it will also allow them to apply more rigid security features.
If the most known a secure exchange Binance switched to Holochain not only could its currency and exchanges, websites and all other ancillary services be more secure and faster they could even save millions of dollars per year on hosting costs alone.
Their BNB currency could be created so that it is proof of host, in other words BNB could be awarded to thousands of different people across the globe for participating in the shared hosting of Binance who could then reward their clients by paying them for hosting services rather than paying AWS.
It would be a win win situation.
If you made it this far thank you for reading, I am very excited about what Holochain will bring not only to its core efficiency in distributed applications and cloud computing.
It is such a giant and multipurpose architecture that it will be used for IOT, supply chains, social media, payments, remittances and yes it also is ideal for creating digital currencies.
Special thanks to Paul d’Aoust who gave me some much needed guidance and input for this article.
Check out the full HoloFuel documentation when it is released as this article is a presumptive and speculative guide only and not officially from Holochain or Holo.