Blockchain Security – Penetration Testing

Many new blockchains are being created, but what about the security aspects? Blockchain is claimed to be ultra-secure, and not many people have doubted this statement. Blockchain developers can become quite creative in building new platforms, but, leaving room for errors, which is normal.

In addition, modern software development, especially in the ICO space, is firmly focused on speed. The race to be first in the market is extremely competitive. To innovate, companies develop at breakneck pace, quickly establishing feedback loops that allow them to hone their software. Security, however, is often an afterthought for stressed developers and the business people pushing them to deliver results faster.
Blockchain Security Testing
Consensus Algorithm Testing
The consensus algorithm is maybe the most crucial part of the blockchain as it enforces trust. It is responsible for determining if data is valid or not. A Proof of Work algorithm is, for example, vulnerable to a 51% attack where an attacker gains 51% of the network nodes by GPU mining.

For the Bitcoin network, this is theoretically possible, however, in practice, it would be very costly. A website called has calculated the theoretical cost of a 51% attack on several networks that implement Proof of Work.

Note that the attack cost does not include the block rewards that the miner will receive for mining. In some cases, this can be quite significant, and reduce the attack cost by up to 80%.



Hash Rate

1h Attack Cost



34,116 PH/s




221 TH/s




304 TH/s


Bitcoin Cash


5,643 PH/s




494 MH/s




560 MH/s


Bitcoin Gold


29 MH/s




8 TH/s


Private Keys (Wallets)
All nodes contain software that can access users’ wallets using its private key and password. It’s very important to secure this part of the node as it can give access to the coins a user owns. There are two mechanisms to make this more secure.
1. Password Strength Review
In case an attacker is able to retrieve the private key of a user, they will need a password to access the wallet. The password strength is crucial here. We can test this by performing a brute force and dictionary attack to crack the password. A weak password policy can be detected if the passwords can be cracked within a couple of minutes.
2. Key Storage Review
While blockchain technology secures data in transit from place to place using cryptography, the private key becomes vulnerable to theft when it is stored or displayed at one end or the other – whether that is on a piece of paper, screen, disk, in memory or in the cloud.

To keep digital assets and private keys safe, most people currently use software called hot wallets or multi-signature wallets, but these solutions are driven more by convenience than security. Hardware wallets (cold wallets), such as Trezor, were designed to offer a higher level of private key security, but even these solutions are vulnerable to various hacks, including fault injections.

A hacker can inject malicious code that introduces an error in your wallet in order to alter the software execution. For example, the attacker can leak your private key or bypass security checks.

However, a very secure key storage does not guarantee user safety. Today, hackers commonly target online services that store the private keys for a large number of users or infect network participants with a malware that searches for private keys.
Synchronisation Testing
It is important to test synchronisation between nodes and how the application is polling the blockchain for synchronisation updates. This process should be fast and efficient. What happens if we push multiple transactions to the blockchain that all affect the same object state? And what happens if the synchronisation fails on a certain node?
Redundancy Testing
This testing should reveal any issues with redundantly sharing data across nodes. We need to evaluate the impact of multiple nodes failing at the same moment. Some blockchain networks try to become more scalable by implementing a redundancy factor of 3. This means that each piece of data has three copies in the network. On the other side, there is a bigger chance that an attacker can take down the nodes which contain the copies of the data.
Timejacking Attack
Sometimes, the attacker announces an inaccurate timestamp while connecting to a node for a transaction. The network time counter of the node is altered by the attacker and the deceived node may accept an alternate blockchain. The serious consequences of this are double-spending and wastage of computational resources during the mining process.
Blockchain API Testing
The endpoints of a blockchain are critical, as users will be interacting with the blockchain via this API. There are many dApps that hook the Ethereum blockchain API to work properly. As we mentioned in the beginning of this article, injection is the most common security issue. We need to make sure the blockchain API endpoints are not vulnerable to this attack as this would allow an attacker to insert malicious data which can lead to data corruption or even halting the network.
DDoS Attack
A distributed denial of service (DDoS) attack is a resource intensive attack. The idea is to send a large number of similar requests that change the same object state. The goal is to clog the nodes’ memory, corrupt the data or prevent other users from adding transactions to a block as the block size is often limited.

Many blockchains have built-in mechanisms to prevent this like prioritizing transactions that are sent with a fee or requesting a minimal amount to be transferred.

The Bottom Line
Blockchain penetration testing is still a very new field, but is highly needed. Blockchain code is still in its infancy and may be subject to currently unknown security vulnerabilities. In particular, the Ethereum smart contract language is relatively new and there may be vulnerabilities such as a zero day attack, which hackers may exploit.

  • facebook
  • googleplus
  • twitter
  • linkedin
  • linkedin

ICO Crowd is the world’s first and foremost publication on Initial Coin Offerings (ICO).