Tech expert and entrepreneur Sherman Lee recently said, “Blockchain itself may be trustless, immutable and incorruptible, but if we ignore the bugs present in them, they are as good as multi-billion dollar safes with faulty locks.” Blockchain praises itself of being incorruptible due to its complex math, but in reality, when implemented in real-case scenarios, the resulted software might come with flaws that can tear the whole system down. Hackers only need a back-door that has been left ajar, to exploit flaws in the system. Tiny fissures within the nodes, in the proof-of-work protocols or in the blocks to cause mayhem within the software. For they only need human misuse of the blockchain code to break a complex-maths, hacker-proof algorithm.
What Mr Lee is saying can be explained in other words, much simpler but graphically more explicit: blockchain as a technology is in itself secure; humans, on the other hand, aren’t. As people don’t fully trust each other, we develop tools that allow us to trade, transact, share or store all sorts of assets (including sensitive information and money) in safer ways.
Blockchain isn’t much different from already-implemented technologies out there, but what makes it special is the complexity of the system as a whole. Blockchain offers us the possibility of platforms that offer extra layers of security, badly needed in our increasingly complex world.
Basically, a blockchain is a computational system which holds the particular ability to keep track of all transactions made in the system. Transactions also concern here any sort of modification made into the system by any other user or computer. These changes in the blockchain system are stored and added to the system as if they were written in an accounting ledger. This ledger, or list of records, is then stored throughout the system, which means in every single computer connected to each other, that is part of the network. These are the nodes in a blockchain network system.
Up to this point, one can say that blockchain is just a digital accounting ledger in which its information is shared among a network of computers. However, the particularity within the blockchain lies in all the processes that a given transaction has to go through to become written in that ledger. To start with, every modification (or transaction) has to be approved by all members (or computers, as the operation is quite automated) within the blockchain platform, which means by all the nodes of the network. If these validate the intended change, this modification becomes a block and it is added up to the existing ledger. This ledger keeps growing, transaction after transaction, and thus it becomes a chain.
We can thus see the two major security traits underlying blockchain: its trustless principle and its decentralization scheme or consensus protocol: all members of the network have to validate any given modification to the network. Otherwise, it won’t be added to the blockchain. The consensus protocol also carries along the fact that every time a modification has been validated and added, the complex-maths behind the network uses cryptographic encryption to do so and, furthermore, it leaves a fingerprint in the last modification called hash (in Bitcoin’s blockchain), which is again summed up to all the blocks before it.
Simply put, all blocks within the chain contain this fingerprint or hash for all, past and future, modifications made in the network. This process, also called proof-of-work by the very first blockchain platform, Bitcoin, is probably the most innovative one, but unfortunately, it requires huge amounts of energy consumption due to the high degree of complexity of the problems solved by the computers to produce new coins. It also requires that hundreds, sometimes thousands of computers agree on the same thing: that a modification is genuine and as such can be added to the blockchain.
So, in a nutshell that’s basically the principles of security in a blockchain platform: confidentiality in the shape of trustless principles to avoid undesired eyes watching; integrity of the system and its data through the mentioned consensus protocol; and availability, as all members of the network share the records and hashes for all transactions completed and validated, so the network is always up and running.
Cheating the blockchain
Despite all the complexity and security protocols behind blockchain, nothing is truly and completely safe in computing systems, and humans, by action (or no action), have already found ways to exploit bugs and other glitches in blockchain networks.
This is a major concern concerning blockchain security. Due to the complexity of its maths and algorithms, building up a new software out of blockchain is quite an endeavor. It doesn’t help, either, the fact that blockchain protocols are still at early stages of development. Altogether, it is not a surprise that developers find themselves with unrefined software which lacks a real environment to test it into. This leads in many occasions to bugs and inconsistencies within the new software. Take the example of Ethereum’s Constantinople hard fork, an upgrade for the Ethereum blockchain that had to be delayed more than a month after a critical vulnerability was found in it. In fact, this hard fork was developed precisely to close down and fix bugs within the Ethereum blockchain.
Another way to cheat a blockchain platform was discovered by Emin Gün Sirer and his colleagues at Cornell University. They found out that a selfish miner can trick every node in the network by fooling them into wasting time on already-solved crypto-puzzles, which would give to this selfish miner a critical advantage in solving new blocks.
Another cheating option would be as it is called an eclipse attack. Nodes on the blockchain must remain in constant communication in order to compare data. An attacker who manages to take control of one node’s communications and fool it into accepting false data that appears to come from the rest of the network can trick it into wasting resources or confirming fake transactions. Phishing in the blockchain is, then, also an alternative.
Smart contracts, a milestone feature of blockchain in terms of security, can also bring new problems that need to be tackled. Smart contracts are automated computer programs stored in certain kinds of blockchain, that can automate transactions. But these are highly complex and at very early stages of development. Due to this, numerous smart contract software has found themselves in massive security breaches due to bugs and incompatibilities. The cryptocurrency industry has already faced some cases of security breaches that have cost hundreds of millions of dollars.
Other questions also arise when speaking about blockchain and security. It is said that it is decentralized, but most of Bitcoin and Ethereum’s consensus protocol is hold by a really small number of users (with hundreds of computers farming these digital coins). The proof-of-work scheme they use has also risen some controversy. This protocol, which is critical in validating new modifications in the blockchain and is executed by all computers in the network, has been argued to give too much power to miners, allowing them to set the guidelines, velocity, and quantity of blocks solved.
These are the major hazards that blockchain and their developers have to face today. As Mr Lee said in the very beginning of this piece, blockchain is secure by definition. Its algorithm is just a state-of-art of modern computing, and the way it stores, secures and shares data is almost magical. However, the problem comes when humans put their hand in it. The question, thus, is: blockchain is now secure from whom? And for what? Once we have the right answers to those questions (if we ever have them), blockchain will, surely, becomes one of the greatest technologies of our time.