Wednesday, October 28, 2020

Bitcoin has a ‘dark forest’ of its own, and it has to do with brainwallets

Must Read

Protect and serve? The dilemma of reissuing lost or frozen DeFi tokens

The recent KuCoin exchange hack and ongoing OKEx incident, during which withdrawals have been frozen, have raised questions as to how blockchain projects with...

NYSE’s former regulation head takes crypto job at Andreessen Horowitz

A senior regulation executive at the world’s largest stock exchange is moving into the cryptocurrency industry.Anthony Albanese, a former chief regulatory officer at the...

Malaysian Securities Commission issues revised digital asset guidelines

The Securities Commission Malaysia has issued revised guidelines governing digital assets, effective as of Oct. 28. These are intended to regulate initial exchange offerings,...

ConsenSys collaborates with Banque de France digital euro partner

Ethereum software firm ConsenSys has just sealed its sixth central bank digital currency project. On Oct. 28, the blockchain organization announced that it will be...

The concept of a blockchain “dark forest” has been popularized recently by Ethereum and the existence of front-running bots that will copy any profitable transaction pending for submission.

The bots are able to assess if any given transaction that just entered the mempool can be replicated, and they will immediately publish their own copy with a much higher gas fee, which virtually guarantees that they will be the first to claim it. The term “dark forest” is inspired from a sci-fi novel and indicates a place where detection means instant death — or in this case loss of funds.

In Ethereum, this usually happens with public smart contracts that for some reason came in control of funds. Dan Robinson from Paradigm Capital demonstrated one such case with money mistakenly sent to a contract address. These types of bots also threw a wrench into Bancor’s vulnerability mitigation plan in June.

Bitcoin (BTC) does not have smart contracts to front-run, but a post by BitMEX Research highlights how a similar event occurs when one uses brainwallets.

A brainwallet is the term for a private key that is only stored as a memory in a person’s brain, meaning that no physical backups exist. This approach is generally discouraged because relying on a person’s memory to store a complex alphanumeric string is not ideal.

A potential solution to this is creating a wallet from an easy to remember phrase. This is what the analysts did by generating a seed phrase from extracts of famous literary works, including the Bitcoin whitepaper.

Unfortunately, in some cases the BTC put into these wallets was swept away even before the transaction to fund them was confirmed. This was the case with simple seed words like “Call me Ishmael” from Herman Melville’s Moby Dick. Other longer and more complex excerpts were still swept within a day, with the Bitcoin whitepaper’s “The network is robust in its unstructured simplicity” lasting the longest.

The analysts concluded that addresses generated from these types of complex, but public-domain seed words are fully compromised and are constantly being monitored.

As Cointelegraph reported earlier, blockchain makes it hard to use any type of password-based generation mechanism. Passwords on traditional platforms are mostly protected by the fact that they’re stored on a secret database. The attackers must interact with it to make guesses, but the server will usually issue rate limit denials. Furthermore, having to make a web request to make a guess is already many times slower than hashing through locally-stored combinations.

Blockchain private keys can instead be pre-generated from massive dictionary databases, making attackers the effective owners of those addresses. There are ways to mitigate these vulnerabilities by using salt — random bits of data added to throw off brute force attempts. But the fundamental issue of brainwallets is that any address that is sufficiently resistant to brute forcing will likely be difficult to remember reliably.

There are many stories of people losing their BTC by forgetting a private key they stored in their brain, with one notable loss of $13 million reported in 2019 — though some believe it was fake. Ethereum is likely subjected to the same type of private key brute forcing, with millions of dollars in Ether (ETH) being reportedly stolen in the past.