New Report Explores Accidental Centralizations in Distributed Ledgers
Blockchains can help push the boundaries of current technology in useful ways. However, to make sound risk decisions about exciting and innovative technologies, people need demonstrable facts, obtained through repeatable methods and open data.
The risks inherent in blockchains and cryptocurrencies are poorly described and often ignored – even mocked – by those seeking to cash in on this decade’s gold rush.
For the past year, Trail of Bits has been engaged by the Defense Advanced Research Projects Agency (DARPA) to investigate the fundamental properties of blockchains and the associated cybersecurity risks. DARPA wanted to understand these security assumptions and determine what decentralized blockchains really are like.
To answer the question, researchers at Trail of Bits conducted analysis and meta-analysis of past academic work and real-world results that had never been pooled before, in some cases updating past research with new data. They also created new tools and carried out original research.
The report also contains links to key supporting and analytical documents. The results of their research are reproducible and open source.
The report documents security vulnerabilities within decentralized ledger technologies, raising concerns about the security of cryptocurrency transactions.
Researchers examined the features and vulnerabilities of distributed ledger technologies to determine whether the software is truly decentralized or free from outside control.
Distributed ledger technologies refer to software that stores information on a secure, decentralized network where users need specific cryptographic keys to decrypt and access the data. This is the core technology that manages cryptocurrency transactions. Often referred to as blockchain, distributed ledger technology is intended to be decentralized to prevent a single stakeholder from tampering with information stored on its network.
“The report demonstrates the ongoing need for careful consideration when evaluating new technologies, such as blockchains, as they propagate across our society and economy,” said Joshua Baron, the supervisory DARPA program manager. “We should not take any promise of security at face value and anyone using blockchains for things of great importance should be aware of the vulnerabilities associated with it.”
The report found that some blockchain technologies can be volatile and subject to change, posing a threat to data stored in the proof-of-work blockchain.
This conclusion stems from the increased centralization of ledgers associated with popular cryptocurrencies, namely Bitcoin and Ethereum.
“This report provides examples of how this immutability can be breached not by exploiting cryptographic vulnerabilities, but rather by undermining the properties of a blockchain’s implementations, networks, and consensus protocol,” the report begins. “The data – and more importantly, the code – deployed on a blockchain are not necessarily semantically immutable.”
Several factors contribute to vulnerabilities in blockchain systems. One of the essential elements of a secure and decentralized blockchain ledger is the system of nodes or participating computers in the network.
If one of these nodes does not have adequate security protocols or is simply controlled by a dishonest actor, the data passing through the blockchain is susceptible to hacking or alteration. This finding undermines the long-standing idea that blockchains are inherently secure and threatens the information stored in the various blocks.
In addition, inconsistencies in the security protocol between nodes in a blockchain network or mining pool threaten the security of all nodes involved.
The report also notes that not all Bitcoin protocol traffic is encrypted. On its own, this poses no immediate threat to data exchanged between nodes in a network. However, if a third party on the network path between nodes is compromised, external actors could potentially disrupt ledger transactions.
Concerns about the software underlying cryptocurrency transactions come as this emerging technology takes a larger market share and remains volatile. Through an executive order and numerous bills, the federal government is trying to regulate the cryptocurrency arena to better understand this new asset class and its impact on the broader economy.
The report’s findings are worrying for a wide range of industries, but especially serious for the security, fintech, bigtech and crypto industries, which continue to expand.
According to Trail of Bits, it only takes four entities to disrupt Bitcoin and only two to disrupt Ethereum. In addition, 60% of all Bitcoin traffic goes through just three ISPs. Outdated and unencrypted blockchain software and protocols have also been identified by the organization.
The report came out just weeks after the Luna cryptocurrency crashed. In May 2022, the decentralized stablecoin TerraUSD, whose parity with the US dollar was 1:1, plummeted to pennies when an algorithm running on the blockchain crashed. Financial experts warn that the Luna crash was an important lesson in blockchain risk.
Since the Luna crash, cryptocurrencies have collapsed with billions of dollars lost and investors cashing in on their crypto assets. Cryptocurrencies continue to be impacted by the global economy, supply chain problems, interest rate hikes, inflation and an impending recession. The report commissioned by DARPA only adds additional concerns about blockchain and affects investor perception and confidence.
In addition, the world of cryptocurrencies and blockchain operations is now deeply entwined with many industries that intend to use cryptocurrencies because of their flexibility, immediacy, product potential, and ability to provide easier access to financial services for the global population. Security remains a priority, a challenge and a major concern in this new digital financial age.
Blockchain Security Challenges
“The security of a blockchain depends on the security of its software and the protocols of its off-chain governance or consensus mechanisms,” the report states. The researchers registered several accounts with mining pool sites to study their code when it became available. Their findings are shocking.
ViaBTC, a leading global mining pool, assigns the password “123” to its accounts. Poolin, another mining organization, doesn’t even validate credentials, and Slushpool — which has mined more than 1.2 million bitcoins since 2010 — asks users to ignore the password field. Together, these three mining pools account for about 25% of bitcoin’s hash rate, or total computing power.
Trail of Bits warns that nodes used by cryptocurrency miners can easily be set up on a cheap cloud server. Such nodes can be used to flood the network in what is known as a Sybil attack, and a Sybil attack can in turn be used to mount an eclipse attack, in which a malicious actor tries to isolate users by denying them access to nodes.
The report presented evidence that a dense subnet of public nodes is largely responsible for consensus building and communication with miners. An example of a Sybil attack has been linked to a malicious actor believed to be from Russia. The attacker took control of nearly 40% of Tor exit nodes and used them to rewrite Bitcoin traffic.
Software bugs are another major security problem in blockchains. Ideally, all nodes should run the same, latest software version, but this is not the case. Software bugs have previously caused blockchain flaws in Ethereum, and 21% of Bitcoin nodes are running an older version of the Bitcoin Core client that is known to be vulnerable, according to Trail of Bits.
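The two operator-side checks the last three paragraphs imply (is my node's peer set concentrated in a few network groups, and how many peers run old Bitcoin Core releases) can be scripted from the data Bitcoin Core's getpeerinfo RPC returns. The following is an added example written for this article, not code from the report or from Bitcoin Core; the peer records are constructed, the /16 (IPv4) and /32 (IPv6) grouping mirrors the netgroup bucketing Bitcoin Core's address manager uses, and the minimum version is an operator-chosen threshold, not a statement about which releases are vulnerable.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample shaped like the "addr" and "subver" fields of getpeerinfo output.
# These are documentation-range addresses, not real peers.
SAMPLE_PEERS = [
    {"addr": "203.0.113.10:8333",  "subver": "/Satoshi:24.0.1/"},
    {"addr": "203.0.113.77:8333",  "subver": "/Satoshi:24.0.1/"},
    {"addr": "203.0.113.200:8333", "subver": "/Satoshi:0.20.1/"},
    {"addr": "203.0.113.201:8333", "subver": "/Satoshi:23.0.0/"},
    {"addr": "198.51.100.5:8333",  "subver": "/Satoshi:23.0.0/"},
    {"addr": "192.0.2.9:8333",     "subver": "/Satoshi:0.19.0.1/"},
    {"addr": "[2001:db8::1]:8333", "subver": "/Satoshi:25.0.0/"},
]

# BIP 14 user-agent strings look like "/Satoshi:24.0.1/"; only Bitcoin Core is parsed here.
SUBVER_RE = re.compile(r"^/Satoshi:(\d+(?:\.\d+)*)")

def netgroup(addr):
    """Map 'host:port' (IPv6 in brackets) to the /16 or /32 prefix used to bucket peers."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    ip = ipaddress.ip_address(host)
    prefix_len = 16 if ip.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))

def parse_version(subver):
    """Return the Core version as an int tuple, e.g. (24, 0, 1); None for other clients."""
    match = SUBVER_RE.match(subver)
    return tuple(int(x) for x in match.group(1).split(".")) if match else None

def assess_peers(peers, min_version=(22, 0), max_group_share=0.5):
    """Return (peers per netgroup, count below min_version, human-readable findings)."""
    groups = Counter(netgroup(p["addr"]) for p in peers)
    outdated = 0
    for p in peers:
        version = parse_version(p["subver"])
        if version is not None and version < min_version:  # tuple comparison is lexicographic
            outdated += 1
    findings = []
    for group, n in groups.most_common():
        if n / len(peers) > max_group_share:  # one prefix dominating the peer set: eclipse risk
            findings.append(f"{n}/{len(peers)} peers share netgroup {group} (eclipse risk)")
    if outdated:
        findings.append(f"{outdated}/{len(peers)} peers run Bitcoin Core older than "
                        + ".".join(map(str, min_version)))
    return groups, outdated, findings

if __name__ == "__main__":
    for line in assess_peers(SAMPLE_PEERS)[2]:
        print(line)
```

Against real data, feed the script the JSON from `bitcoin-cli getpeerinfo` instead of SAMPLE_PEERS; a single prefix holding a majority of outbound peers is the condition the eclipse-attack literature warns about.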
Blockchain software developers and operators, as well as millions of cryptocurrency users around the world, are also targeted by attacks, as are mainstream tech sites that are starting to use blockchain as a new source of revenue.
The report finds that big tech is at a critical juncture, with many leading companies already investing heavily in blockchain technology. Online advertising has been their main source of income for decades. However, the global trend, fueled by concerns about user privacy, is ending the era of third parties and significantly impacting online advertising revenue.
A vulnerable blockchain environment – as detailed in the Trail of Bits report – is putting these companies, their investments, years of work and hundreds of thousands of jobs at risk.
These companies develop financial services, asset tokens, metaverse, NFTs, supply chain management solutions, capital markets and insurance products, as well as mining and trading cryptocurrencies, among others. They are poised to disrupt and influence all industries. But is the world ready to embrace blockchain?