Krypton (KR), an Ethereum-based blockchain that develops immutable Smart Contracts and Apps for businesses and the Internet of Things, was hit with a ‘51 percent attack’ on August 26, a breach that some believe to be a prelude to further attacks. Since then, Krypton has successfully repelled a third advance, shutting down KR trading on the Bittrex exchange before additional funds could be stolen.
The brainchild of technology engineer, currency trader, investor and analyst Stephanie Kent, Krypton serves as an alternative platform on which to deploy new technologies through a community of developers working to build these systems.
The vision has been to develop an ultra-fast blockchain that benefits from all of the features of Ethereum, all with a smaller cache of initial coins, stealth speed, and lower inflation. The development focus has to date been on ‘D-tech’, namely DAOs, DACs, and DApps.
Anatomy of the Attack
According to Kent, the attackers used a ‘double-spend’ approach to pilfer the KR from Bittrex. The exploit was two-pronged in its execution; first, the network was overwhelmed with a 51 percent attack that allowed the attackers to send KR to Bittrex and sell them for bitcoin before rolling back the blockchain to reverse the transaction.
Secondly, nodes in the network experienced a distributed denial-of-service (DDoS) attack, which degraded honest hashing power and effectively multiplied the attackers’ share of network power. The Suprnova mining pool and the Krypton stats servers were also impacted, giving the intruders a massive advantage over the rest of the network.
As a result, the attackers managed to take around 21,465 KR (approximately $3000) from Bittrex wallets. To limit collateral damage, KR deposits and withdrawals on the Bittrex and Yobit exchanges were frozen, mitigating further attacks on the network and on exchanges that accept Krypton.
Are Small Ethereum-Based Coins at Risk?
Kent believes that the Krypton attack highlights the importance of educating ‘small coin’ creators about remaining vigilant against this method of attack in order to reduce their vulnerability. She elaborates in her blog post:
“We suspect that the attack may be a prelude to similar attacks against other Ethereum-based blockchains such as ETC. In other words, this may have been a ‘dry run’ for the purpose of creating a proof of concept prior to the attack on other similar targets. Unfortunately, Ethereum-based blockchains are becoming prized targets for these sorts of attacks largely because of the ease with which they can be forked and manipulated offline, in conjunction with DDoS attacks.”
Questions are now being raised about whether smaller cap coins like Krypton are indeed being used as a testing ground for an attack on Ethereum Classic, although common thinking is that an attack of this magnitude may be more difficult to scale up because of the larger hashing power of ETC’s various pools. As was the case with Shift, which like Krypton experienced a 51 percent attack, Ethereum-based tokens are vulnerable to easy manipulation offline, particularly if they have low hash power.
Mitigation Efforts Underway
The Krypton core development team have been working to mitigate future vulnerabilities and problems tied to these recent attacks.
Krypton is addressing the issue of lost funds by proposing that Bittrex and Yobit significantly increase the wallet maturity (the number of confirmations required) on KR deposits and withdrawals, making it harder for an attacker to build a competing chain long enough to reverse a credited transaction. With this new confirmation time, it would take about a day to move funds into or out of a wallet, reducing the likelihood of another ‘double-spend’ scenario arising from a rollback of the network.
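The two passages above (the double-spend anatomy and the confirmation-depth mitigation) can be quantified. The following is an added worked example, not code from the article or from the Krypton project: it implements the attacker catch-up calculation from section 11 of the Bitcoin whitepaper, which gives the probability that an attacker holding fraction q of the hash rate can replace the honest chain once the payment it wants to reverse is buried under z confirmations. The block interval used in the demo is an assumed placeholder, not Krypton’s real block time, and the function names are mine.

```python
"""Confirmation depth versus 51 percent / double-spend risk (added example)."""
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-rate share q ever overtakes the
    honest chain after the payment it wants to reverse has z confirmations.

    Same formula as AttackerSuccessProbability() in the Bitcoin whitepaper,
    evaluated in log space so large z does not overflow or underflow.
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    if q >= 0.5:
        # A majority attacker wins the race with certainty however deep the
        # payment is buried; extra confirmations only buy time.
        return 1.0
    if z == 0:
        return 1.0          # nothing to catch up with yet
    if q == 0.0:
        return 0.0
    p = 1.0 - q
    lam = z * (q / p)       # expected attacker blocks while honest chain grows by z
    log_lam = math.log(lam)
    total = 0.0
    for k in range(z + 1):
        # Poisson probability that the attacker has mined exactly k blocks
        log_poisson = -lam + k * log_lam - math.lgamma(k + 1)
        # ... times the chance it never closes the remaining gap of z - k blocks
        total += math.exp(log_poisson) * (1.0 - (q / p) ** (z - k))
    return max(0.0, 1.0 - total)


def confirmations_for_risk(q: float, max_risk: float, limit: int = 1000) -> Optional[int]:
    """Smallest confirmation depth z with success probability <= max_risk,
    or None if no depth up to `limit` achieves it (always None for q >= 0.5)."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return None


def minimum_attack_window_s(z: int, honest_block_interval_s: float) -> float:
    """Time an exchange waits before crediting z confirmations. This is also
    the minimum period an attacker must sustain a competing private chain,
    because the double-spend only pays off once the deposit has been credited."""
    return z * honest_block_interval_s


if __name__ == "__main__":
    ASSUMED_BLOCK_INTERVAL_S = 15.0   # placeholder, not Krypton's real block time
    shares = (0.10, 0.30, 0.45, 0.60)
    print("  z  " + "  ".join(f"q={q:.2f}   " for q in shares))
    for z in (0, 1, 2, 6, 12, 50, 200):
        row = "  ".join(f"{attacker_success_probability(q, z):9.6f}" for q in shares)
        print(f"{z:3d}  {row}")
    for q in (0.10, 0.30, 0.45):
        z = confirmations_for_risk(q, 0.001)
        print(f"q={q:.2f}: {z} confirmations bring double-spend risk below 0.1%")
    one_day = 24 * 3600
    z_day = int(one_day / ASSUMED_BLOCK_INTERVAL_S)
    print(f"A one-day maturity at {ASSUMED_BLOCK_INTERVAL_S:.0f}s blocks is {z_day} "
          f"confirmations; a majority attacker must keep its private chain ahead "
          f"for at least {minimum_attack_window_s(z_day, ASSUMED_BLOCK_INTERVAL_S) / 3600:.0f} h")
```

The table makes the trade-off explicit: for an attacker below 50 percent, a few dozen confirmations drive the reversal probability to negligible levels, whereas for a true majority attacker the probability stays at 1 and the only defence a longer maturity offers is cost, since the attacker must rent or hold majority hash power for the entire confirmation window rather than for a few minutes.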
In another move, Bittrex has upgraded its Krypton client code to fix a caching bug affecting the new KR block explorer. The Krypton client itself has also been updated to eliminate a caching bug that allowed invalid transactions to remain in memory. Finally, changes were made to the stats server to better insulate it from DDoS attacks.
Says Kent: “The entire KR community of miners powered up massive rigs and also rented additional mining power from Nicehash in order to rebuff the attacker who brought significant power against us. Fortunately, our main node server, which hosts four nodes, remains unknown to the world and impervious to attacks.”
In an unprecedented move destined to garner a great deal of attention in the crypto world, Kent announced yesterday that the decision has been made to temporarily move KR to a Bitcoin-based Proof of Stake (PoS) chain until another method can be found to prevent further 51 percent attacks.
In a blog post released yesterday, Kent announced the abandonment of the Ethereum codebase:
“Krypton is much much more than a coin. It does not depend on which type of blockchain KR is running on at the moment. What matters is the safety of the KR coins and Ethereum code has proven to be unsafe.”
Kent continues, “We originally chose Ethereum code to copy because of its distributed application functionality. When we recode our platform, we will incorporate this ‘D-tech’. If we can find a way to safely return to Ethereum code, so that we can continue to play with it, and support sidechains, we will. For now, we have no quick solution to doing this. So, we are moving to a PoS blockchain.”
At the time of writing, the Krypton development community is working with exchanges to get this new chain up and running and a coin swap completed. Updates regarding the decision to move away from Ethereum, the resulting KR swap and new Krypton wallets can be found here.
Kent imparts some advice for other blockchain networks, urging them to remain vigilant, “The Florida hurricane, Hermine, which directly hit my home two days ago and filled the lower level of my house with three feet of seawater did not cause as much damage as the attackers have done to both Krypton and Shift investors. It is my hope that other vulnerable blockchains take note and immediate precautions against a similar attack.”