Researchers have been diligently prodding cryptocurrency and blockchain companies for kinks in their security – and it seems some of them are finally getting recognition for their work.
Three researchers are up for Pwnie Awards this year – an annual showcase of the best and worst in information security. Little toy ponies are given to the most deserving hackers and security researchers.
MIT Digital Currency Initiative director Neha Narula and Boston University researcher Ethan Heilman have been nominated for “Best Cryptographic Attack” after cracking a hash function in popular cryptocurrency IOTA. In addition to that, ConsenSys security engineer Bernard Mueller is also up for “Most Innovative Research” for his work on securing Ethereum smart contracts.
Cracking IOTA’s hash function
Forging IOTA transactions was apparently achievable “in just a few minutes,” according to Narula and Heilman. The pair discovered a method that allowed funds to be stolen directly from users wallets. They attribute the security hole directly to IOTA’s implementation of its hashing algorithm.
The vulnerability was originally discovered last year, and IOTA has since addressed it in a series of blog posts. While Narula and Heilman are clear to state that the exploitable attack vectors have been plugged, they do note that the faulty hash function is still being used in some parts of the IOTA platform.
Keeping smart contracts secure
Muller is nominated for his extensive research on the security of Ethereum’s blockchain. His paper, titled Smashing Smart Contracts for Fun and Real Profit, introduces a new security analysis tool for smart contracts called Mythril.
He pokes fun at the tech community for not “learning much since 1996,” with a myriad of security vulnerabilities stemming from a reliance on older programming languages when creating smart contracts. Myrthil is Muller’s contribution to smart contract security, with an intention to remove bugs that may lead to money loss.
Muller’s research also celebrates the modern hacking infrastructure. He does note, though, that the dawn of Ethereum’s “world computer” and its constant security concerns are eerily reminiscent of the early internet.
This time around there’s one crucial difference, though. In the early days, bug bounty programs didn’t exist, and zero-day vulnerabilities were dumped on mailing lists just for the so-called lulz, so unless you had rather dubious connections, the only profit to be made was gaining the respect of other security researchers. Hack a smart contract, however, and you see some actual money.
The awards are scheduled for later today, so we’ll update this piece with the official standings. The full list of nominations can be found here.