Dubbed Crypto’s Hot New Trend, Staking Raises Major Security Risks

April 7, 2019 1:30 PM UTC

During what has become the longest bear market to date in cryptocurrency, it’s no surprise that anxious investors are eager to find alternative strategies to continue making gains during the downturn. One of those strategies, which has become a hot trend in crypto, is the practice known as staking.

Staking: Crypto Investing’s Hot New Trend

In staking, investor-owned tokens are placed in digital crypto wallets and then used to validate transactions that create new blocks in blockchain networks. This, in turn, produces coin rewards that can increase the holder’s total asset value.

While vaguely similar to traditional banks’ interest-bearing accounts, the proof-of-stake (PoS) process can generate wide-ranging returns, depending on the coin type and amount held. Recent reports indicate that PoS cryptocurrencies have $4 billion in staked funds.

Consider Ethereum, the second-largest cryptocurrency that was founded as a pure proof-of-work-based blockchain. Now the project’s developers are working on a PoS system that will let stakeholders deliver new services to Ethereum-based applications, which offers them a way to build on the community while earning more coins.

Even though staking represents a major deviation from how transactions have typically been verified in mining, it’s easy to see the appeal. As the major cryptocurrencies tumbled more than 80 percent in value last year, staking purports to offer investors a promising way to “play it safe,” staying “in it” for the long game.

3 Security Risks Crypto Investors Face When Staking

But staking is far from safe. Quite the opposite: it introduces a slew of new problems. Media coverage has called out risks, but it has mostly focused on the financial ones. That’s not the only thing that should keep stakers up at night. Staking carries a major security risk that has nothing to do with price fluctuations or the long-term viability of cryptocurrency, and by and large many are completely unaware of it. In fact, the threat derives from a growing problem in the larger cryptocurrency ecosystem: hacking, theft, and data exposure.

In many ways, blockchain’s overall perception of security seems to have lulled some to take the larger ecosystem’s security — including the networks it runs on — for granted. However, we continue to see cracks in blockchain’s hack-proof veneer, most recently noted by MIT Technology Review. The truth is that staking additionally introduces many security issues that, to date, haven’t been properly handled. Consider a few possibilities.

Risk #1: Crypto-Staking Computers Are Always Online

If the crypto network on which you are staking funds requires computers always to be online, your IP address will be at significant risk. | Source: Shutterstock

Often, staking requires computers to be always online. That fact alone exposes the IP address of the staker and introduces the potential to be hacked.

Once a machine is compromised, you can bet that hackers will immediately target the staker’s private key, increasing the risk of theft. In this way, many versions of staking are completely different from mining with proof of work. With most proof-of-work networks, nodes can mine without requiring any private keys to be present. Keys can instead be kept safely offline in cold wallets. But with many forms of staking, keys must be kept online.

Due to hackers’ ability to glean IP addresses and other metadata such as the amounts being staked, the stakers might as well be leaving their cash stacked next to their window. Sure, the front door might be locked, but is that going to stop a determined thief?

Risk #2: Cryptocurrency Pools Are Vulnerable to Hacks

In another example, we’ve seen the emergence of staking pools as an alternative to managing one’s own staking infrastructure.

However, that in and of itself means that you’re then putting your trust in the group maintaining the pool. It’s not like there’s any shortage of ways to insecurely operate pool infrastructure, as pools can and do get hacked all the time.

If large companies with valuable brands like Yahoo and eBay get hacked in spite of employing dedicated cybersecurity teams, then how can you trust a staking pool?

Risk #3: More Transactions Create More Risk of Losing Crypto or Exposing Personal Data

Every transaction increases your risk of exposing your IP address to hackers. | Source: Shutterstock

Decred is one example of a coin that can be staked either in “always online” mode or through staking pools. But even coins that don’t require an always-online computer, like the way NEO does staking, can still have security issues.

With NEO, when you claim your staking rewards (“gas”), you perform a transaction which again exposes an IP address, introducing the potential to be hacked. On top of that, with NEO, if you want a strong compounding effect, then you must claim rewards often, converting them back from gas to NEO.

All of these actions require more transactions, which compound the risk of exposing computers, IPs, and private keys. Particl, which recently introduced cold-staking hardware, even acknowledged that:

“No matter how secure the staking process is, users still need to execute transactions to either spend or sell their staking rewards or rearrange their setup. That means private keys still need to ultimately be exposed in plain text, even if only for a brief moment.”

How to Protect Your Cryptocurrency When Staking

Cryptocurrency stakers should take proactive steps to secure their funds. | Source: Shutterstock

So, are there ways to reduce the chances that staking transactions expose your IP address, location, and data? Yes, but historically it’s been tricky, because the tools and low-level networking knowledge that are necessary to properly obfuscate traffic are hard to come by.

Some address it by setting up a VPN proxy, but VPNs are notoriously complex, and even one misconfiguration can leave you with no protection at all.

However, blockchain-based relay networks may offer a better solution. Instead of setting up your own VPN or trusting a third party, it’s now possible to obfuscate where a transaction is coming from and always keep your data encrypted over internal hops. The key is to set up your own mini-relay network that can proxy traffic on and off multiple servers globally. This has become easier and easier thanks to the power of high-quality, open source blockchain and peer-to-peer networking implementations. Imagine if you own ten nodes, where one is behind a firewall (never publicly facing), and the other nine are acting as relay nodes, bouncing traffic from server to server. If your primary server is in Russia, this configuration will look like you were broadcasting from there.

Taking it a step further, you can obfuscate even more if you use multiple servers and have traffic exiting from multiple nodes, leaving hardly any way to trace the server’s location. It’s sort of like having your own Tor network, but the key distinction is that you control your own nodes. And, of course, there is the fact that Tor networks are famously slow. Even constructing the most complicated obfuscation topologies has now been made so easy by emerging blockchain projects that if you are considering staking, there is no reason not to be looking into these solutions.

The bottom line is that everyone should understand the security threats associated with staking. It wasn’t too long ago that blockchain as a whole was considered uncrackable, and sophisticated hackers caught up in short order. It’s almost the irony of humanity. It’s only when large sums of money are at stake that humanity often is at its craftiest. The key is for the rest of us to continue being one step ahead.

About the Author: Jong Kim is the chief architect at Marconi Foundation. He’s also an experienced blockchain developer, investor, and Bitcoin miner since 2011. He previously served as a Google network infrastructure lead after Appurify, where he led hardware and software development, was acquired in 2014. Jong also was the founder of HashLayer, one of the first multi-blockchain explorers, and has been a senior software engineer for Zynga and Qualcomm.

Last modified: June 14, 2020 11:11 AM UTC
