Feb. 22, 2019
Once Hailed as Unhackable, Blockchains Are Now Getting Hacked
(MIT Technology Review) By Mike Orcutt, February 19, 2019 – Early last month, the security team at Coinbase noticed something strange going on in Ethereum Classic, one of the cryptocurrencies people can buy and sell using Coinbase’s popular exchange platform. Its blockchain, the history of all its transactions, was under attack.
An attacker had somehow gained control of more than half of the network’s computing power and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once—known as “double spends.” The attacker was spotted pulling this off to the tune of $1.1 million. Coinbase claims that no currency was actually stolen from any of its accounts. But a second popular exchange, Gate.io, has admitted it wasn’t so lucky, losing around $200,000 to the attacker (who, strangely, returned half of it, days later).
Just a year ago, this nightmare scenario was mostly theoretical. But the so-called 51% attack against Ethereum Classic was just the latest in a series of recent attacks on blockchains that have heightened the stakes for the nascent industry.
In total, hackers have stolen nearly $2 billion worth of cryptocurrency since the beginning of 2017, mostly from exchanges, and that’s just what has been revealed publicly. These are not just opportunistic lone attackers, either. Sophisticated cybercrime organizations are now doing it too: analytics firm Chainalysis recently said that just two groups, both of which are apparently still active, may have stolen a combined $1 billion from exchanges.
We shouldn’t be surprised. Blockchains are particularly attractive to thieves because fraudulent transactions can’t be reversed as they often can be in the traditional financial system. Besides that, we’ve long known that just as blockchains have unique security features, they have unique vulnerabilities. Marketing slogans and headlines that called the technology “unhackable” were dead wrong.
That’s been understood, at least in theory, since Bitcoin emerged a decade ago. But in the past year, amidst a Cambrian explosion of new cryptocurrency projects, we’ve started to see what this means in practice—and what these inherent weaknesses could mean for the future of blockchains and digital assets.
How do you hack a blockchain?
Before we go any further, let’s get a few terms straight.
A blockchain is a cryptographic database maintained by a network of computers, each of which stores a copy of the most up-to-date version. A blockchain protocol is a set of rules that dictate how the computers in the network, called nodes, should verify new transactions and add them to the database. The protocol employs cryptography, game theory, and economics to create incentives for the nodes to work toward securing the network instead of attacking it for personal gain. If set up correctly, this system can make it extremely difficult and expensive to add false transactions but relatively easy to verify valid ones.
That’s what’s made the technology so appealing to many industries, beginning with finance. Soon-to-launch services from big-name institutions like Fidelity Investments and Intercontinental Exchange, the owner of the New York Stock Exchange, will start to enmesh blockchains in the existing financial system. Even central banks are now looking into using them for new digital forms of national currency.
But the more complex a blockchain system is, the more ways there are to make mistakes while setting it up. Earlier this month, the company in charge of Zcash—a cryptocurrency that uses extremely complicated math to let users transact in private—revealed that it had secretly fixed a “subtle cryptographic flaw” accidentally baked into the protocol. An attacker could have exploited it to make unlimited counterfeit Zcash. Fortunately, no one seems to have actually done that.
The protocol isn’t the only thing that has to be secure. To trade cryptocurrency on your own, or run a node, you have to run a software client, which can also contain vulnerabilities. In September, developers of Bitcoin’s main client, called Bitcoin Core, had to scramble to fix a bug (also in secret) that could have let attackers mint more bitcoins than the system is supposed to allow.
Still, most of the recent headline-grabbing hacks weren’t attacks on the blockchains themselves, but on exchanges, the websites where people can buy, trade, and hold cryptocurrencies. And many of those heists could be blamed on poor basic security practices. That changed in January with the 51% attack against Ethereum Classic.
The 51% rule
Susceptibility to 51% attacks is inherent to most cryptocurrencies. That’s because most are based on blockchains that use proof of work as their protocol for verifying transactions. In this process, also known as mining, nodes spend vast amounts of computing power to prove themselves trustworthy enough to add information about new transactions to the database. A miner who somehow gains control of a majority of the network's mining power can defraud other users by sending them payments and then creating an alternative version of the blockchain in which the payments never happened. This new version is called a fork. The attacker, who controls most of the mining power, can make the fork the authoritative version of the chain and proceed to spend the same cryptocurrency again.
For popular blockchains, attempting this sort of heist is likely to be extremely expensive. According to the website crypto51.com, renting enough mining power to attack Bitcoin would currently cost more than $260,000 per hour. But it gets much cheaper quickly as you move down the list of the more than 1,500 cryptocurrencies out there. Slumping coin prices make it even less expensive, since they cause miners to turn off their machines, leaving networks with less protection.
Toward the middle of 2018, attackers began springing 51% attacks on a series of relatively small, lightly traded coins including Verge, Monacoin, and Bitcoin Gold, stealing an estimated $20 million in total. In the fall, hackers stole around $100,000 using a series of attacks on a currency called Vertcoin. The hit against Ethereum Classic, which netted more than $1 million, was the first against a top-20 currency.
David Vorick, cofounder of the blockchain-based file storage platform Sia, predicts that 51% attacks will continue to grow in frequency and severity, and that exchanges will take the brunt of the damage caused by double-spends. One thing driving this trend, he says, has been the rise of so-called hashrate marketplaces, which attackers can use to rent computing power for attacks. “Exchanges will ultimately need to be much more restrictive when selecting which cryptocurrencies to support,” Vorick wrote after the Ethereum Classic hack.
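The confirmation-depth calculation behind Vorick's point, as an added example that is not from the article or from crypto51.com: the attacker catch-up probability from section 11 of the Bitcoin whitepaper, rewritten in Python and used to decide how many confirmations an exchange should require for a given estimate of rentable hash power. The share values in the demo are constructed.

```python
# Added example: confirmations an exchange should wait for before crediting a
# deposit, given an estimate of the hash-rate share an attacker could rent.
# This is the catch-up calculation from the Bitcoin whitepaper (section 11)
# in Python; the attacker-share estimates used below are constructed.
import math


def attacker_success_probability(q, z):
    """Probability that an attacker holding fraction q of the mining power ever
    builds a private chain longer than the honest one, once a transaction has
    z confirmations on the honest chain."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total mining power")
    if q >= 0.5:
        return 1.0                  # majority hash power: the 51% case, certain to win
    p = 1.0 - q
    lam = z * (q / p)               # expected attacker progress while honest miners mine z blocks
    total = 1.0
    for k in range(z + 1):          # attacker has mined k blocks so far
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(total, 0.0)


def confirmations_for_risk(q, max_prob, limit=100_000):
    """Smallest confirmation depth z at which the reversal probability drops below
    max_prob, or None when no depth is safe (q >= 0.5 or beyond limit)."""
    if q >= 0.5:
        return None
    z = 0
    while attacker_success_probability(q, z) >= max_prob:
        z += 1
        if z > limit:
            return None
    return z


def confirmation_policy(shares, max_prob=0.001):
    """Map each attacker-share estimate to the confirmation depth to require."""
    return {q: confirmations_for_risk(q, max_prob) for q in shares}


if __name__ == "__main__":
    # Constructed estimates; a real policy would use the coin's measured rentable hash rate.
    for q, z in confirmation_policy([0.1, 0.25, 0.3, 0.4, 0.51]).items():
        print(f"attacker share {q:.2f}: wait {z} confirmations")
```

With a majority share the function returns None: no confirmation depth protects against an attacker who controls most of the mining power, which is the situation Ethereum Classic was in.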
A whole new can of worms - bugs
Aside from 51% attacks, there is a whole new level of blockchain security weaknesses whose implications researchers are just beginning to explore: smart-contract bugs. Coincidentally, Ethereum Classic—specifically, the story behind its origin—is a good starting point for understanding them, too.
A smart contract is a computer program that runs on a blockchain network. It can be used to automate the movement of cryptocurrency according to prescribed rules and conditions. This has many potential uses, such as facilitating real legal contracts or complicated financial transactions. Another use—the case of interest here—is to create a voting mechanism by which all the investors in a venture capital fund can collectively decide how to allocate the money.
Just such a fund, called the Decentralized Autonomous Organization (DAO), was set up in 2016 using the blockchain system called Ethereum. Shortly thereafter, an attacker stole more than $60 million worth of cryptocurrency by exploiting an unforeseen flaw in a smart contract that governed the DAO. In essence, the flaw allowed the hacker to keep requesting money from accounts without the system registering that the money had already been withdrawn.
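The DAO flaw described above, modeled in Python as an added example (constructed for this page, not the DAO's or Ethereum's code): a vault that pays out before recording the withdrawal, beside one that records the withdrawal first so that a caller who re-enters finds nothing left to claim. Account names, amounts and the recursion limit are constructed.

```python
# Added model of the DAO-style withdrawal flaw (constructed; a plain-Python
# ledger standing in for a smart contract, not Ethereum code). A withdrawal
# pays the caller by invoking a hook on it, as a transfer runs the recipient's
# fallback code, and that hook may call the ledger again before the first
# withdrawal has been recorded.


class Account:
    """Honest account: its receive hook only records the payment."""

    def __init__(self, name):
        self.name = name
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class ReenteringAccount(Account):
    """Account whose receive hook calls withdraw again while a withdrawal is in flight."""

    def __init__(self, name, max_depth=10):
        super().__init__(name)
        self.depth = 0
        self.max_depth = max_depth

    def receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            vault.withdraw(self)          # the ledger still shows the full balance
            self.depth -= 1


class VulnerableVault:
    """Pays out first and records the withdrawal afterwards."""

    def __init__(self):
        self.balances = {}
        self.pot = 0                      # funds the vault actually holds

    def deposit(self, acct, amount):
        self.balances[acct.name] = self.balances.get(acct.name, 0) + amount
        self.pot += amount

    def withdraw(self, acct):
        owed = self.balances.get(acct.name, 0)
        if owed <= 0 or owed > self.pot:
            return
        self.pot -= owed
        acct.receive(self, owed)          # external call while the ledger is stale
        self.balances[acct.name] = 0      # effect recorded too late


class HardenedVault(VulnerableVault):
    """Checks-effects-interactions: update the ledger before paying out."""

    def withdraw(self, acct):
        owed = self.balances.get(acct.name, 0)
        if owed <= 0 or owed > self.pot:
            return
        self.balances[acct.name] = 0      # effect first
        self.pot -= owed
        acct.receive(self, owed)          # interaction last: a re-entry now finds 0 owed


def run_scenario(vault_cls):
    """Constructed scenario: honest users hold 90, the re-entering account deposits 10.
    Returns (amount the re-entering account got back, funds left in the vault)."""
    vault = vault_cls()
    vault.deposit(Account("alice"), 60)
    vault.deposit(Account("bob"), 30)
    attacker = ReenteringAccount("mallory")
    vault.deposit(attacker, 10)
    vault.withdraw(attacker)
    return attacker.received, vault.pot
```

`run_scenario(VulnerableVault)` returns (100, 0): a 10-unit deposit drains the whole pot; `run_scenario(HardenedVault)` returns (10, 90), because the ledger is zeroed before the payout and every re-entry is refused.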
As the hack illustrated, a bug in a live smart contract can create a unique sort of emergency. In traditional software, a bug can be fixed with a patch. In the blockchain world, it’s not so simple. Because transactions on a blockchain cannot be undone, deploying a smart contract is a bit like launching a rocket, says Petar Tsankov, a research scientist at ETH Zurich and cofounder of a smart-contract security startup called ChainSecurity. “The software cannot make a mistake.”
There are fixes, of a sort. Though they can’t be patched, some contracts can be “upgraded” by deploying additional smart contracts to interact with them. Developers can also build centralized kill switches into a network to stop all activity once a hack is detected. But for users whose money has already been stolen, it will be too late.
The only way to retrieve the money is, effectively, to rewrite history—to go back to the point on the blockchain before the attack happened, create a fork to a new blockchain, and have everyone on the network agree to use that one instead. That’s what Ethereum’s developers chose to do. Most, but not all, of the community switched to the new chain, which we now know as Ethereum. A smaller group of holdouts stuck with the original chain, which became Ethereum Classic.
Last month, Tsankov’s team at ChainSecurity saved Ethereum from a possible repeat of the DAO catastrophe. Just a day before a major planned software upgrade, the company told Ethereum’s lead developers that it would have the unintended consequence of leaving some contracts on the blockchain newly vulnerable to the same kind of bug that led to the DAO hack. The developers promptly postponed the upgrade and will give it another go later this month.
Nevertheless, hundreds of valuable Ethereum smart contracts were already vulnerable to this so-called reentrancy bug, according to Victor Fang, cofounder and CEO of blockchain security firm AnChain.ai. Tens of thousands of contracts may contain some other kind of vulnerability, according to research conducted last year. And the very nature of public blockchains means that if a smart-contract bug exists, hackers will find it, since the source code is often visible on the blockchain. “This is very different than traditional cybersecurity,” says Fang, who previously worked for the cybersecurity firm FireEye.
Buggy contracts, especially those holding thousands or millions of dollars, have attracted hackers just as advanced as the kind who attack banks or governments. In August, AnChain identified five Ethereum addresses behind an extremely sophisticated attack that exploited a contract flaw in a popular gambling game to steal $4 million.
Can the hackers be defeated?
AnChain.ai is one of several recent startups created to address the blockchain hacking threat. It uses artificial intelligence to monitor transactions and detect suspicious activity, and it can scan smart-contract code for known vulnerabilities.
Other companies, including Tsankov’s ChainSecurity, are developing auditing services based on an established computer science technique called formal verification. The goal is to prove mathematically that a contract’s code will actually do what its creators intended. These auditing tools, which have begun to emerge in the past year or so, have allowed smart-contract creators to eliminate many of the bugs that had been “low-hanging fruit,” says Tsankov. But the process can be expensive and time consuming.
It may also be possible to use additional smart contracts to set up blockchain-based “bug bounties.” These would encourage people to report flaws in return for a cryptocurrency reward, says Philip Daian, a researcher at Cornell University’s Initiative for Cryptocurrencies and Contracts.
But making sure code is clean will only go so far. A blockchain, after all, is a complex economic system that depends on the unpredictable behavior of humans, and people will always be angling for new ways to game it. Daian and his colleagues have shown how attackers have already figured out how to profit by gaming popular Ethereum smart contracts, for instance.
In short, while blockchain technology has been long touted for its security, under certain conditions it can be quite vulnerable. Sometimes shoddy execution can be blamed, or unintentional software bugs. Other times it’s more of a gray area—the complicated result of interactions between the code, the economics of the blockchain, and human greed. That’s been known in theory since the technology’s beginning. Now that so many blockchains are out in the world, we are learning what it actually means - often the hard way.
3 Ways to Include Wealth Management Services in Your Practice
(AccountingWEB) By Lawrence Sprung, February 15, 2019 – Tax advisors and wealth management professionals have much in common. Each of us is trying to work with our clients and assist them in reaching their goals. Over the years, I have found clients who have their wealth management and tax advisors in touch with one another tend to be on a better path to reaching their financial goals than those who do not.
An accounting professional will typically act as a sounding board for the client and their financial situation. Many times, a CPA will look to incorporate financial planning or investment management into their practice to insulate their clients from the outside forces of a wealth management firm.
Here’s where they run into trouble, though: How should they structure their firm to handle the delivery of services that go along with a wealth management practice and do so in a profitable way? There are several models that can be followed, each with advantages and disadvantages.
Here are three options:
1) The firm can build their own internal wealth management practice to be there as a resource for their current clients and used as a tool to attract new ones. The wealth management arm could potentially introduce a new client to the tax side of the practice, even if they did not originally opt for these services. This method is usually easiest for large firms that have the capital to allocate to starting, building, and maintaining this new business line. Although it involves planning, money and advising clients, similar to a tax or audit practice, it is a different business line and needs to be treated as such. You also risk losing a tax client if their investment portfolio goes the wrong way, even if their decision simply has to do with an outcome of the current markets.
2) Many larger brokerage firms will offer a revenue sharing agreement with a CPA. They require the latter to get licensed. Then, they can refer clients to the firm and share in the revenues generated. This allows the CPA to simply concentrate on their tax and accounting practice while outsourcing the wealth management component and still being compensated. This method allows you to get started with no capital outlay, other than the materials needed to study for the exam and maybe a class and receive compensation for the business generated by your clients. The major hurdle to this relationship is the time needed to study for and pass the necessary exams, but it’s a viable option for those who are willing to accept their schedule might be tight for a little while.
3) One of the easiest ways a CPA can add wealth management services to their practice is by becoming a solicitor for a Registered Investment Advisory (RIA) firm. This type of arrangement does not require any tests, so there’s no studying, and it allows the CPA to be compensated for their referrals. They would not be able to give any advice and guidance on behalf of the RIA, but they could be involved in discussions between the client and wealth management advisor. The client will need to sign off on a disclosure making them aware the accounting professional is being compensated for the referral, but transparency is a best practice we should all be striving for anyway. Using this method, the CPA doesn’t have to invest any money up front to add this aspect of advice to their practice. They will want to make sure they have a complete understanding as to how the firm practices and services their clients. It also creates a separation of the tax planning and providing investment advice and guidance.
While I’m aware some tax advisors do not want to have anything to do with wealth management advice and guidance and do not see the need to get paid for their referrals, I think those not exploring one of the previously mentioned opportunities are missing the boat in several regards. Many of your clients are looking for wealth management advice and guidance, whether you offer it or not. Wouldn’t it make the most sense, be in the best interest of the client and put the client in a better position to succeed if you and their wealth management advisor were on the same page? I think so.
CPA firms should be seriously considering how they are going to incorporate wealth management advice into their practices. It allows them to create a new revenue stream and keep the client closer to the firm. It’s a win-win for everybody.
This article represents the opinion of Mitlin Financial Inc. It should not be construed as providing investment, legal and/or tax advice.
Optimism Sprouts Over Chances for Retirement Reforms
(Pensions & Investments) By Brian Croce, February 18, 2019 – Since the start of the 116th Congress, the headlines out of Washington have mostly concentrated on shutdowns and investigations, but legislators in both chambers have also made retirement issues a focus, and industry sources are optimistic major legislation on that front will be passed.
House Ways and Means Committee Chairman Richard Neal, D-Mass., held a hearing earlier this month on retirement security where issues like Social Security solvency, the trouble certain multiemployer pension plans face, and the success of Oregon's state-based automatic IRA program were front and center. A longtime proponent of enhancing workers' retirement preparedness, Mr. Neal said the Feb. 6 hearing will be the "first of many conversations on this issue."
With Mr. Neal at the helm of the Ways and Means Committee, retirement-related issues will get a lot of attention, said Kent Mason, a partner with Davis & Harman LLP in Washington, who represents numerous plan sponsors and service providers.
"I think it sets a good tone for this year for activity in retirement, setting the stage for this to be an important issue for Chairman Neal," Mr. Mason said.
The same day as the hearing, Reps. Ron Kind, D-Wis., and Mike Kelly, R-Pa., reintroduced the Retirement Enhancement and Savings Act in the House.
Among other provisions, the bill would make it easier for smaller employers to join open multiple employer plans, ease non-discrimination rules for frozen defined benefit plans and add a safe harbor for selecting lifetime income providers in defined contribution plans.
RESA drew bipartisan support when it was introduced in both congressional chambers last session, but it never ultimately passed.
In testimony before the Ways and Means Committee, Roger Crandall, chairman, president and CEO of Massachusetts Mutual Life Insurance Co., urged lawmakers to pass RESA. He is in favor of RESA's open MEPs provision, its expansion of employer tax incentives designed to help offset the costs associated with establishing a new workplace retirement plan, and its provisions designed to simplify and streamline plan administration.
Specifically, Mr. Crandall told the committee it's time to make open MEPs a reality. "For too long, unrelated employers have unnecessarily been prevented from joining together to offer important retirement benefits to their employees," he said. "This barrier to expanded access to workplace retirement plans unfortunately persists despite bipartisan support for open MEPs in both houses of Congress and support across Democratic and Republican administrations in the White House."
There are also other bills that feature elements of RESA that could be incorporated when a retirement reform package is ultimately passed, Mr. Mason said. Those bills include the Retirement Security Act, which was introduced by Sens. Susan Collins, R-Maine, and Maggie Hassan, D-N.H., earlier this month. That bill, among other provisions, would simplify compliance for small businesses that choose to provide employees with employer matches on contributions up to 10% of pay, with an aim of encouraging more generous retirement contributions.
In January, the first bill Mr. Neal introduced was the Rehabilitation of Multiemployer Pensions Act. The bill would establish the Pension Rehabilitation Administration, a new agency within the Department of the Treasury, authorized to issue bonds to finance loans to multiemployer pension plans that are in a "critical and declining" status, plans that have suspended benefits and to some recently insolvent plans currently receiving financial assistance from the Pension Benefit Guaranty Corp.
In the PBGC's annual report released in November, Director W. Thomas Reeder Jr. stressed that most of the 1,400 multiemployer plans covered by the PBGC are not at risk, but 130 plans are, and some will run out of money in less than 10 years. The PBGC's multiemployer program is also headed toward insolvency by the end of fiscal year 2025.
"There's a desperate need here to fix this problem," Mr. Mason said. "I think everybody agrees. I know that there's been a tremendous amount of bipartisan work on it but there are still some sticking points and I think they very much want to work it out, both Republicans and Democrats."
Under the legislation's loan program, terms will require the plan in question to make interest payments for 29 years with final interest and principal repayment due in year 30, according to a summary prepared by the committee's Democratic staff.
For the plans that receive a loan, one restriction for borrowers is they would not be able to make risky investments. Plans that receive a loan must fund the plan's obligations by either purchasing an annuity, investing in a cash-matching or duration-matching portfolio, or a portfolio with a similar risk profile.
There's also a bill introduced by Rep. John B. Larson, D-Conn., chairman of the Ways and Means Social Security Subcommittee, that aims to shore up Social Security while implementing an across-the-board benefit increase for current and new beneficiaries and improving cost-of-living adjustments, among other provisions. The added benefits would be paid for by gradually increasing the contribution rate beginning in 2020 so that by 2043, workers and employers each would pay 7.4% toward Social Security, instead of the 6.2% today, according to the congressman's website.
On Feb. 13, Sen. Bernie Sanders, D-Vt., and Rep. Peter DeFazio, D-Ore., introduced legislation similar to Mr. Larson's in that it expands Social Security benefits. The Social Security Expansion Act would further tax people earning more than $250,000 a year. Current law caps the amount of income subject to payroll taxes at $132,900.
Support for a retirement reform package isn't the issue, said Bradford Campbell, a Washington-based partner for Drinker Biddle & Reath LLP. The question, he added, is whether legislators can "find a vehicle to pass the Congress as a whole to which these sorts of bills can be attached?"
Typically, that vehicle is a spending bill or some other must-pass legislation.
"If there's a budget deal, maybe we could get attached to it, but there's a chance we won't," Mr. Mason said. "It's possible to move on its own but that's hard to do."
Jana Greer, president and CEO, retirement, at American International Group Inc., said she's encouraged by the bipartisan commitment to improving retirement security. "We're close, but I would say to our elected officials: Now is the time to get retirement legislation across the finish line."
Mr. Campbell said he's "cautiously optimistic" that retirement reform legislation will pass this Congress. "Whether it's RESA, whether it's Portman-Cardin (a bill from last Congress), whether it's a bill that Chairman Neal puts together … the bills share a lot of common characteristics so I don't think it would be that difficult to craft final legislation," he said. "It's not as though the sides are miles apart; in fact, they're pretty close together."