Explained: The Blockfolio Hack (Feb 2021)

The Blockfolio hack did not target the company’s trading infrastructure.  No trading functionality was impacted by the incident, user funds are still safe, and the company is even providing a $10 credit to current and new users (for one week).

The target of this particular attack was Blockfolio’s customer communications infrastructure.  The company uses Signal to broadcast messages to its users, enabling Blockfolio to provide direct updates to customers.  Additionally, Blockfolio maintains a display and news section for customer interactions.

These customer-facing systems are what were compromised in the attack.  With access to the company’s Signal submitter and other infrastructure, the attacker was able to push racist and offensive messages to Blockfolio users.

Unlike many blockchain project hacks, this particular attack did not involve the theft of users’ money or even place it at risk.  Instead, the attacker exploited a weak point in the company’s defenses to tarnish customer relationships.  Analysis of this attack provides a few important takeaways for Blockfolio in particular and any blockchain company in general.

In this hack, the attacker was able to take control of Blockfolio’s Signal submitter to broadcast racist and offensive messages to its users.  While the details of the incident are still unknown, it is likely that the hack was enabled by poor access management policies within Blockfolio.

Strong access management requires implementing least privilege and multi-factor authentication (MFA).  Least privilege limits the access of a particular user to what is necessary, which limits the damage that a user account can do if compromised.  MFA makes it harder for an attacker to compromise a user’s account by requiring access to the second authentication factor to log into the account.  By implementing both of these policies, an organization limits its attack surface and makes account compromise much more difficult to perform.

In response to the hack, Blockfolio CEO Sam Banman-Fried stated, “Over the next month I’ll be leading a security review of the old, non-trading-related parts of Blockfolio to bring them in line with the standards set by trading, and by FTX more generally.”  While this is a good effort, it amounts to locking the barn door after the horse has escaped.

Cybercriminals commonly take advantage of the weakest point in an organization’s or system’s defenses.  This means that true cybersecurity requires securing all aspects of an organization’s business.  For many dApps, a common mistake is to audit only the smart contract, leaving potential vulnerabilities in the web front-end overlooked.  In Blockfolio’s case of being a centralized app, a failure to secure its customer communications infrastructure led to an embarrassing security incident.

The Blockfolio hack allegedly did not impact the trading-related components of the Blockfolio application, meaning that users’ funds are not at risk and Blockfolio won’t have to pay restitution.  However, that doesn’t mean that this incident won’t hurt Blockfolio financially.

Reputation matters, and this hack may cause users to doubt Blockfolio’s ability to keep their money secure.  While this hack may not have cost the company any money directly, it definitely hurt its reputation and may have cost it in the long term as investors look elsewhere.

Blockchain infrastructure is complex, and that isn’t counting all of the blockchain-adjacent systems like an organization’s web front-end, communications systems, and other back-end infrastructure.  As this incident – and numerous other blockchain hacks – have demonstrated, an end-to-end security audit is essential for maintaining customer trust and confidence in an organization’s products.  Contact Halborn for help should your organization be in need: halborn@protonmail.com.