The blockchain ecosystem is exploding in both popularity as well as funding. With billions of dollars flooding into hundreds of upcoming initial coin offerings (ICO’s), existing blockchain technology companies are expecting high levels of profitability. While all of these trends are promising for the industry, the bad news is that these projected earnings can be crippled if potential blockchain security problems end up disrupting the marketplace.
Many people would be surprised to even hear that blockchain technology could have potential vulnerabilities in the first place. While it’s true that security is a selling point for blockchain technology as a whole, there still exist some hypothetical vulnerabilities that can be exploited, especially if the blockchain world doesn’t focus on addressing these concerns within the near future. Distributed ledger technologies (DLT’s), while resistant to a number of attacks, find themselves more vulnerable to certain issues that centralized databases are not.
If distributed ledger technologies are truly going to transform how our commercial, industrial, and governmental sectors do business, these vulnerabilities need to be addressed before they enter mainstream use.
Private or Public Blockchains
Before we begin discussing the specific vulnerabilities, it important to elaborate on some key concepts within this technology. Blockchains can be classified as either permissionless (public) or permissioned (private) chains. Permissionless chains let any party regardless of vetting to participate in a network, while permissioned chains instead only permit specific groups or entities to participate in the framework.
Private blockchains offer faster transaction and verification speeds, a greater ability to fix errors, and the capacity to restrict access as well as minimize the likelihood of outside attacks. On the other hand, public blockchains are more suitable for those requiring widespread participation, greater transparency, as well as third-party verification. While it’s easy to look and say that a private blockchain shortcuts many of the security problems were going to mention below, it’s impossible nor desirable for every solution to use a permissioned blockchain for its applications.
Among the most vulnerable aspects of blockchain technology actually comes from outside the chain itself. Endpoints refer to the points along the blockchain where humans and their devices interact. This means computers, laptops, and other devices that individuals or businesses use to access the blockchain. No matter what happens in between, the use of blockchain-powered applications begins with information being entered into a computer and ends with information coming out from a computer. This is the first and arguably biggest security weakness in the entire process, as a potential virus, trojan, or key-logger could lead to a compromised account.
Accessing a blockchain requires a private key, similar to the idea of a password except their length and complexity makes guessing them impossible. Since getting a lucky try or brute-forcing one’s way would take years, no foreign party can ever access your data by these methods. However, if the privacy of your key is compromised, there’s nothing to stop a hacker from pilfering all of your blockchain-assets with no chance of recovery.
Since hackers know there is no point in blunt-force guessing anyone’s key, more effort is being spent on finding methods to steal them. Novel forms of covert malware that exploit vulnerabilities in Android and Windows platforms (especially mobile devices) are entering the cyber-world and are only going to be more prominent as the years go on. While this is more of a personal security issue than one related to blockchains technology, most lapses in security stem from human error in the first place and are worth addressing.
Businesses and individuals will need to make sure they keep every device they use updated frequently, along with having an adequate anti-malware system installed. It’s also important to know where to store you blockchain key. Never keep them in a text file or word document which can be easily read by an unauthorized party. If you need to store them on your computer, make sure they are locked behind a reliable encryption software.
Vendor Architecture Risks
The market for third-party solutions has exploded, with platforms, wallets, payment platforms, and other services popping up thanks to the growth of decentralized ledger technology, but this influx also creates room for additional security loopholes to crop up. Since most organizations looking to adopt blockchain applications likely won’t have the technical expertise entirely in-house, the use of third-party Blockchain-as-a-Service (BaaS) services will become required. Since the BaaS market is still developing, businesses need to be careful about which companies they chose to work with for their blockchain needs.
Even if one vendor provides a quality third-party application, it’s still possible for security risks to exist on the vendor’s side, rather than in the application itself. The more companies that have access to private information, the more possible angles there are for a potential leak. In the case where multiple-third party platforms are being used, this can be a significant issue going forward.
The best way to mitigate this risk requires a thorough vetting for every vendor that seeks to contribute to you blockchain project. Experience, history, and reputation are all things to keep an eye out for in third-party providers.
Unexpected Problems at Full Scale
Although people have been excited about implementing blockchain technology onto wider, more mainstream markets, there remains an undercurrent of worry about what might happen when applications, who have operated on smaller levels, are brought up to full scale?
Technical problems that arise from scalability are generally not an issue of concern among more optimistic blockchain experts, especially since to date, there haven’t been any security issues arising from the organic enlargement of existing blockchains/cryptocurrencies. However, some regulatory groups, such as the Financial Stability Oversight Council (FSOC), has voiced concerns over two problems.
First of which is that we are approaching uncharted territory with every gigabyte of blockchain expansion, and since the blockchain industry is so young, our collective experience in identifying, rectifying and resolving sudden problems is also limited. Their concern is that should such a problem pop up, we might not be as able to deal with it as we would like to believe.
A second issue identified by the FCOS is that if a significant enough number of participants on public blockchains conspire together, they can take over the platform. Also known as a majority attack, if 51% of a public blockchains userbase joins together, the decentralized, impartial strengths of this technology will disappear. Some worry that this problem could materialize in the future in certain countries where oversight is minimal and electrical power is cheap, which are the ideal conditions for mining farms to operate in.
While the risks of the unknown will always remain, that doesn’t mean that progress should be halted. As long as the blockchain community continues to move forward cautiously with best practices in mind, experts remain optimistic that any unexpected hurdles along the way can be handled.
Insufficiently Tested Code
Similar to the previous vulnerability in some ways, decentralized ledger technologies are still highly experimental, with some developers being more eager to put their projects out on the marketplace and seize the sea of investor funding/profits rather than sufficiently test their code on live blockchains.
The DAO Debacle
DAO refers to a Decentralized Autonomous Organization built on a blockchain, executing code for various smart contracts primarily in the venture capital world and operating as a crowdsourced investment fund almost entirely on a blockchain. While there are many DAO’s, one particularly infamous one created in 2016 by the German startup Slock.it, ended up making blockchain history. Despite raising over $150 million in crowdfunding, this DAO went down in history as the first blockchain program to get hacked.
Despite the concerns of some members on the platform after finding a “recursive bug”, the team remained steadfast that no funds were at risk of getting hacked. Unfortunately, a lone hacker transferred over $55 million worth of Ether, proving the need for more extensive testing.
Unfortunately, even the much-venerated smart contracts of Ethereum – often touted for their safety – can contain potential security risks, usually due to errors or miscalculations on the developers end.
According to an analysis of one million smart contracts, over 3.4% or 34,000 were found to have vulnerabilities. A team of computing experts from the University of Singapore published a study using a custom-built tool called MAIAN which looked for ways that contract hackers can manipulate the system to lock funds indefinitely. The team proceeded to analysis 3, 759 manually, confirming that they could exploit vulnerabilities in 3,686 of them.
More than anything, blockchain projects need to utilize heavy peer-review of their code before deployment, along with extensive smart contract testing in independent environments.
Blockchain technology has still a way to go before it’s perfected. With more conservative pundits expressing concern over the security flaws of this technology, advocates and businesses looking to expand DLT’s into more mainstream use will need to prove that these concerns are unjustified. Addressing these security vulnerabilities, even as unlikely as they can be, will go a long way to solidifying blockchain’s reputation among the general public.
Also published on Medium.