Safe, secure, trusted, transparent … these are the bywords of the next-generation Internet, powered by blockchain thinking and technology. But these are merely relative terms. Any network system conceived by human beings can be cracked by human beings, particularly those who can assemble enough compute power. To this point, several security breaches of blockchain systems have recently come to light: DAO, Bitfinex, Mt. Gox, Pony Botnet, Coincheck and others represent growing list of such cases. A recent study found several vulnerabilities in smart contracts that automate the operation of select business applications on blockchain networks. Not surprisingly, a Greenwich survey finds banking, financial and technology executives wary of security concerns in blockchain (see Figure 1).
These findings highlight an urgent and vital need to acknowledge and thoroughly comprehend the full spectrum of security vulnerabilities, and start initiating measures to improve security. Part one of this two-part series focuses on different types of vulnerabilities in blockchain networks, smart contracts and cryptography while part two provides an overview of ways in which these vulnerabilities can be addressed through a well-conceived security policy.
Blockchain security challenges stem from both within and outside organizations. Those that originate externally are well known and common to most IT environments. And those that emerge from within are either evolutionary or structural. Evolutionary challenges emerge as blockchain matures from infancy to early childhood, much like the early days of Internet commerce. The structural ones are emerging from the defining characteristic elements of blockchain that give it the distinctiveness and strengths comprising its unique selling proposition (USP). In this sense, these elements are double-edged swords and companies that implement blockchain need to diligently master their use of blockchain technology and its accompanying tools.
Common Security Issues
Common security issues arise mainly due to human errors and relate to the safe-keeping of the private key, an identity and security credential in blockchain. The individual computers used to connect to the blockchain suffer from risks that are common to the Internet. Any negligence or human error could be a cause for concern.
Vulnerability exists when users decrypt the data. Once hackers access the private key of a node they get a freehand to attack its network. Recent attacks show that hot wallets used to store the keys are prone to attacks despite the claims of wallet providers that they safeguard the keys employing cold storage methods.
The safe-keeping of the key is critical in blockchain since lost or stolen keys mean irrecoverable loss of the corresponding tokenized digital asset itself. Known as non-reputable ownership, this unique element of the blockchain makes itself attractive to cyber criminals.
Nodes that become intermittently uncommunicative place the network at risk since the network integrity in blockchain systems is dependent on continuous communication.
Vulnerabilities from Structural Limitations
Blockchains operate on consensus protocols. Due to this mechanism, anyone gaining access to 51% of nodes on a system can get full control and decide the outcomes. When the number of nodes is small, as is the case with early-stage systems, this remains a potential weakness, while this 51% limitation-based attack is a remote possibility in other scenarios except perhaps when quantum computing emerges sometime in the distant future.
Distributed Nature and its Susceptibilities
Distributed nature is both a boon and bane to blockchains, just as centralized nature is to traditional systems. While traditional systems suffer from “single point of failure” limitation due to centralization, blockchain systems’ distributed nature makes it difficult to notice and prevent break-in attempts since hackers have a vast surface to attack.
Decentralized governance is largely an uncharted territory for enterprises and best practices are yet to emerge. Strategic decisions made in such settings can potentially render a blockchain network susceptible to attacks.
Moreover, organizations are still grappling with blockchain’s technological complexity. Systems built to handle intricate business functions are expected to carry vulnerabilities that pose security threats. In most enterprise settings, security begins with centralized logging and monitoring. This is yet to be matched with a blockchain system equivalent.
Transaction reversal, a common practice in the event of fraudulent transactions, is difficult to implement in blockchain-based systems. Formats and protocols necessary to ensure interoperability between blockchain networks that use different distributed ledgers is still a work-in-progress given the early stage of blockchain’s evolution.
Design deficiencies, time lags and flawed third-party systems can cause vulnerabilities. Design deficiencies can adversely affect the ability of the blockchain to perform at the required speed. When exchange doesn’t happen at the right speed, the system becomes vulnerable to risks. Time lags in the absence of adequate speed also make blockchain networks susceptible to double spending, a problem whose solution forms the very USP of blockchain. Third-party systems containing flaws may also render a distributed ledger vulnerable even when the blockchain is properly designed and functions well with requisite safeguards as has been the case with NiceHash, a bitcoin mining marketplace that relied on a third-party platform with vulnerability.
Smart Contract Programming Flaws
Programming code defects that go unchecked in smart contracts that run on blockchain make themselves susceptible. Analyses of smarts contracts that delved into the deficiencies in smart contracts programming unearthed several causes such as transaction-ordering dependence, time-stamp dependence, mishandled exceptions and re-entrancy vulnerability, etc.
Limitations of Cryptography
Traditional cryptographic security methods face severe limitations when applied to blockchain. Use of non-standard crypto such as the Elliptic Curve Digital Signature Algorithm (ECDSA) that are unsupported by most security encryption hardware can present scaling challenges that are necessary in blockchain settings. Private key seeding in which certain processes are employed to generate multiple private keys from the seed are mostly unsupported by security hardware. Multi-sign scalability is another challenge since the secure hardware can only handle thousands but needs the capacity to handle millions of keys in blockchains.
As quickly as these loopholes emerge, blockchain innovators are setting their focus on ways and means to effectively address security concerns in this nascent technology. Part two details 12 ingredients that can be used to develop and deploy a holistic security policy to effectively tackle security concerns.