Intro

The recent loss of $1.4 trillion in value across the combined crypto market has drawn fresh attention to cryptocurrency, the most popular application of blockchain technology. Yet while the volatility of cryptocurrencies is well-documented, the vulnerability of the blockchain technology underlying most of them also merits attention due to the risks posed to user privacy and funds.  We have previously examined blockchain basics, published on the CSINT site in November 2021. This article follows on from that introductory overview by zeroing in on known technological and social vulnerabilities of blockchain.

Technological Vulnerabilities                                                                                         

We begin our analysis of security risks by focusing on smart contracts, a high-demand feature of blockchain technology because they allow autonomous execution of agreements, streamlining many economic activities.  As of June 2020, a team of researchers from Hong Kong Polytechnic University, the University of Electronic Science and Technology of China, and Beijing University of Posts and Telecommunications noted nine known categories of risk to blockchain systems and, in particular, twelve known coding vulnerabilities for blockchain smart contracts (i.e., autonomous code that executes terms of an agreement once stated conditions are met). Most risks to overall blockchain systems stem from operation mechanisms. Operation mechanism vulnerabilities are exploitable gaps in how blockchain works. They include leakage of private information during transactions, theft of private keys needed to access funds and engage in transactions, and forced duplicated spending (aka double spending). But most risks to smart contracts stem from poor coding.

As programs that run on a blockchain, smart contracts created with poorly structured code can be hacked. Known issues include replicated functions and the publishing of private transaction information. For example, the 2016 theft of $60 million from The Decentralized Autonomous Organization, a decentralized investment fund centered on Airbnb interests, was the result of a replicated function vulnerability. Essentially, hackers were able to create a loop of fund withdrawals through the replication of the withdrawal function. (Decentralized Autonomous Organizations (DAOs) can be used by public and private sectors.)

On the other hand, a quick example of an operational mechanism vulnerability is private key theft. Private keys serve as ID and security credentials for individual blockchain users, and these keys are generated and maintained by the users – not by third parties. These keys are absolutely necessary for engaging in transactions, for using a given blockchain. Keys are used to verify transactions, and do so through signatures. However, the signature encryption algorithm ultimately generates insufficient randomness during the signature process, making it possible for a hacker to break the encryption and steal the private key. It is very difficult to recover a stolen key, or reset a user’s modified blockchain information (such as their transaction history). As such, the operational vulnerability posed by hackable signatures poses a threat to user funds and ability to use a given blockchain.

As developer communities (the software and hardware engineers building the Bitcoin, Ethereum, and other blockchains) continue to improve blockchain technology, they are trying to address many of these shortcomings. The previously mentioned team of Chinese university researchers (Xiaoqi et. all) note several of these proposed solutions. The Oyente, and Town Crier, softwares were created to bolster smart contracts. Oyente helps counter poor coding, serving as a bug-checker (essentially a spell-check which searches for common coding errors) for Ethereum smart contracts – including contracts already deployed. Town Crier provides an authenticated data feed system, plugging a security hole that results when smart contracts must draw information which is "off-chain" (any data external to a blockchain, such as product delivery times or prices) from the wider internet. SmartPool protocol aims to bolster the blockchain operational mechanism for transaction verification, otherwise known as "mining" (a metaphor for the process of receiving tokens in return for auditing and verifying a given blockchain’s transactions). Its novel data structure would prevent an attacker from resubmitting shares in different batches to be double-counted. However, few of these solutions address risks posed to blockchain by social factors which we will examine next.

Social Vulnerabilities: Small Groups of Actors and Financial Domination

As with any technology, blockchain can be exploited. Kelsie Nabben, of the Blockchain Innovation Hub at Royal Melbourne Institute of Technology (RMIT) University of Australia, has researched blockchain vulnerabilities from a social and technological (sociotechnical) lens. She found that both public and private blockchains can be compromised through systems that are shaped by software engineers, social processes, and financial power. In particular, Nabben notes that social and financial power can undermine the trust advocates place in blockchain’s decentralization and security.

The cryptocurrency mechanism called Proof of Stake, which verifies transactions, offers a market-based example. When the newer Proof of Stake mechanism was created to replace Proof of Work (largely aiming to have lower energy costs for verifying transactions) one goal was to reduce concerns over centralized processing power. If an actor had 51% or more of the total processing power (or “mining” power), they could alter information on the blockchain or impede other “miners” (see Xiaoqi et. all for details on the 51% vulnerability). However, Proof of Stake has higher barriers to entry due to requirements that) individuals verifying a given blockchain’s transactions in exchange for tokens) own substantial amounts of the given cryptocurrency (their “’stake”) in order to validate transactions and secure the blockchain. This market-based requirement leaves Proof of Stake mechanisms vulnerable to affluent actors with enough funds to dominate the staking market (examples include hedge funds or initial coin team developers for successful currencies), putting small investors at risk.

Additionally, some blockchain companies which service the infrastructure of blockchains offer “staking as service”, which is the process of locking up crypto holdings as a means to gain interest. The process is similar to putting money in a savings account, where the bank can temporarily use the funds for other purposes, such as lending, and rewards the client by offering interest. As such, these blockchain companies can become an epicenter for blockchain activity, making them susceptible to monopolization or widespread outages of service if the technology is compromised.

Conclusion

Developer communities are working to resolve many of blockchain’s technical issues (such as operational vulnerabilities with signatures) by bolstering the technology’s infrastructure. However few guardrails are currently in place for financial domination, excessive concentration, or non-technical vulnerabilities. As governments around the world seek to regulate cryptocurrencies, it is imperative that they also create policy around the blockchain that underlies them. Without regulation, the stability of increasingly popular transaction methods and user privacy and funds remain vulnerable. In order to establish a durable and more secure future for this highly versatile technology, social guardrails for blockchain technology must be addressed in order to ensure that this promising technology develops in a way that benefits all actors.

About the Author: 

Edgar Palomino is a recent graduate of American University where he served as a Fellow at the Center for Security, Innovation, and New Technology and as a Research Associate with the Internet Governance Lab. He studied emerging technologies as part of the International Affairs & Policy Analysis program. His research interests include blockchain policy, technology standardization, and competition within emerging markets. Previously, he was involved in Peace Corps service in the Republic of Moldova, where he promoted technology skills as a Community Development Volunteer.

*THE VIEWS EXPRESSED HERE ARE STRICTLY THOSE OF THE AUTHOR AND DO NOT NECESSARILY REPRESENT THOSE OF THE CENTER OR ANY OTHER PERSON OR ENTITY AT AMERICAN UNIVERSITY.