If Blockchain Is "Perfectly Secure," Why Does It Keep Getting Hacked?
28 April 2022

Someone IRL asked me this question recently. I’m sure it’s a common question, so I thought I’d write a quick explainer. If cryptocurrency and other blockchain technology is supposed to be secured by unbreakable cryptography, why does it seem to be getting hacked every other day? The answer might not be obvious to those not versed in cybersecurity, but it cuts to the core of the problems with cryptocurrency.

Securing Your Wallet

Cryptocurrency is like a giant warehouse full of locking donation boxes. Anyone can drop money in a donation box, but only someone with the key can take the money out. Crypto wallets are similar. You can spend money from a wallet only if you have that wallet’s key, which is like a password generated for you when the wallet is created.

However, having the wallet’s key is different from being the wallet’s legal owner. If someone steals the key, as far as the technology is concerned, they have full rights to spend its money. So the “unbreakable” security of cryptocurrency all depends on keeping those wallet keys safe. If, say, they’re backed up to iCloud and someone hacks your account there, or any number of other things happen to them–cybersecurity is really complicated–all the cryptography in the world can’t help you.

Is It Even Your Wallet?

Making the issue worse is that many people who hold cryptocurrency don’t even have their own wallets. Instead, they hold their currency through an exchange, which is basically a less-regulated version of a bank. The exchange has its own wallets, and they keep their own records–just like a bank–of which customers own what funds. Hopefully, the exchange keeps better track of their wallet keys than most individuals could hope to. However, holding so many people’s funds in their own wallets also makes them a juicy target. Instead of wallets containing one person’s funds, a hacker could steal wallets with thousands of people’s money. If that happens, the exchange probably won’t be able to cover withdrawals and, without FDIC insurance or any other typical legal protections, customers are out of luck.

Good Old-Fashioned Scams

Some of the “hacks” are really just scams. Nothing is being hacked, everything is working as intended: to steal money from victims and give it to the scammers. Tons of new coins are pump-and-dump schemes, where a cryptocurrency is marketed by its creators so they can sell it to the marks they’re hyping it up to–only to run away with their profit, leaving the abandoned coins to rot, worthless.

Ethereum and DAOs

Ethereum is a blockchain that gets even more complicated. With it, you can create decentralized autonomous organizations, or DAOs. Just like a non-profit, members of a DAO can vote on what to do with the organization’s funds. But instead of bylaws, a DAO is governed by code. If bylaws are deeply flawed, a judge can overrule them. But if the DAO code is flawed, there is no recourse. If it allows a hacker to steal all the funds for themselves, there’s nothing to stop them.

What Is Security?

In the narrow case of preventing people without a wallet’s key from spending that wallet’s money, yes, cryptocurrency is secure. But that’s not what we want. When we ask for “security,” we want to be assured that our money will not be lost, that malicious people won’t be able to interfere with our lives, and that the products we use will live up to their promises. These are social and legal questions, and technology alone cannot solve them.

You can also support my work on GitHub Sponsors.


Next Steps for Blueprint

Blueprint is my markup language for creating GTK user interfaces. Since the last blog post, I and several contributors have fixed a number of bugs that have come up and added several bits of missing syntax. Thanks to everyone who’s contributed by reporting issues or submitting merge requests!