What is a Cryptocurrency Attack Surface?

Attack surface

Question: I’ve read that Ethereum is less secure because it has a larger attack surface than Bitcoin… What does “attack surface” mean in cryptocurrencies?

Answer: In computer security, an attack surface refers to the sum of the number of places (aka “attack vectors”) where a malicious user (the “attacker”) may be able to gain access to a software environment.

If an attacker is able to obtain access to a system, he or she may be able to enter or extract data from the software environment.

In general, a computer running more complex software (incrementally greater lines of code) has a larger attack surface than one running simpler software. As such, keeping an attack surface as small as possible is considered a basic security measure.

In crypto coins and tokens, smart contracts and blockchain applications, the attack surface is of considerable concern. Indeed, attack surface size in cryptocurrencies is of perhaps greater concern than in non-blockchain applications. This is because of the immutability1, or unchangeable nature, of a blockchain ledger.

The Ethereum attack surface is considered larger than Bitcoin’s because it can do more than Bitcoin. Ethereum enables users to program additional instructions comprised of metadata and code into their transactions on the network.

The DAO and Cryptocurrency Attack Surface Area

Ethereum is commonly referenced example of problems that can occur with large cryptocurrency attack surfaces because of the attack on the “Decentralized Autonomous Organization” aka the “DAO“.

The DAO was an open source, autonomous investment platform. It was conceived by cryptocurrency and blockchain enthusiasts and crowdfunded in May 2016 in the largest crowdfunding campaign in history.

The DAO raised $150 million in digital currency through a token sale.

The DAO was instantiated on the Ethereum blockchain network, a blockchain platform for smart contracts (decentralized applications), and a cryptocurrency called “Ether”, that had gone live only a year earlier, in July 2015.

The DAO’s investment operations were run not by people, but by the “smart contracts” themselves, which resided on the Ethereum network, and which were programmed in advance to be self-sustaining.

With the $150 million in capital raised in the token sale, the smart contracts directed venture capital investments to fund various commercial ventures and non-profit enterprises.

A month after being founded, in June 2016, the DAO was attacked by hackers who claimed $50 million USD worth of ether tokens.

To address the vulnerability of the Ethereum network, a “hard fork” of the Ethereum blockchain was conducted which split the network in two. In an effort at attack surface reduction, Ethereum conducted two additional hard forks to address other security vulnerabilities discovered during subsequent attacks. These surface reduction efforts increased DDoS protection, de-bloated the blockchain and thwarted further spam attacks by hackers.


  1. In object oriented and functional computer programming, such as Cardano’s Haskell, an immutable object is an object whose state cannot be modified after it is created.