When Is Blockchain Not Secure?

Claire Liang
May 4, 2018

The mere fact of having a Blockchain doesn’t mean it’s safe. As my previous article pointed out, Blockchain creates certainty, which can create an illusion of security that will make some people complacent. Cryptocurrency hacks, for example, have led to billions of dollars in losses. In the biggest hack as of today, $530M was stolen from Coincheck.

Business leaders are urged to equip themselves with the skills of seeing through technical buzzwords, which is actually not too different from spotting financial shenanigans. In this article, we will look at when Blockchain is secure and when it is not, either unavoidably or intentionally.

What can go wrong with Blockchain?

The answer lies behind the operational flow of blockchain.

To better illustrate, let’s assume our blockchain application only does one thing:

“if today is Jan 1st, send my partner a birthday wish”

Of course, in this example the cost of misexecution is so high that we would build a blockchain to ensure it is executed correctly. However, here’s what can go wrong, following the order of the flow chart.

1. Wrong input

Due to the immaturity of the technology, you have to manually input today’s date for the application to start counting — and let’s say you input the wrong date.

So far, Blockchain cannot avoid vulnerabilities embedded in the external data it connects to, which is a common issue in supply chain tracing and IoT applications (and IT in general). The level of vulnerability varies across the three scenarios below, starting from the highest:

  • data is inputted by humans, who may make errors or commit fraud
  • data is shared by smart devices, which can be hacked in transit
  • data is extracted from an external database, which could be hacked or manipulated

2. Flawed code

This time, you make a mistake in the code — putting Feb 1st instead of Jan 1st.

While fixing the code ex post is easy in most conventional applications, it becomes almost impossible due to Blockchain’s immutability. Immutability means a blockchain application cannot be shut down (even for updates and maintenance) once it’s been initiated, and its data/code can hardly be changed (or in this case corrected).

The severity of the issue depends on the level of decentralization and flexibility of the blockchain. If founders of the application have the majority of voting power in the blockchain network, they can pass the code-changing request without the need for consent by other participants.

An agile process is a common solution for this issue. As the launching of a Blockchain requires getting it right the first time, most projects go through a rigorous process of “design workshop -> proof of concept -> testing -> adjustment -> scaling”.

However, unidentified flaws may emerge as applications scale, especially those allowing greater flexibility. For example, suppose we edit our previous code to:

“If today is Jan 1st, send my partner X (message)”, where multiple applications can run at the same time with different X’s

Essentially, Ethereum uses such a structure to allow applications to be built on its blockchain using smart contracts, which in our case is the X.

This open structure dramatically increases the applications of Blockchain, as well as its risk exposure. This vulnerability was exploited in the DAO, a Decentralized Autonomous Organization on Ethereum, resulting in a $55M heist in Ether.

3. Corrupted Network

Back to our original code: “if today is Jan 1st, send my partner a birthday wish”

Today is Jan 1st, 10 people are in your blockchain network verifying the date. But 6 of them forget to send a birthday note to their partners, so they decide to collude and let you feel their pain.

The corruption of the majority, known as the 51% attack, is unavoidable in any blockchain. Under PoW (proof-of-work), the predominant governance system used in blockchain, decision making power derives from computational power.

As our example illustrates, such concentration is not difficult to achieve in a small network. Even for the largest blockchains, Bitcoin and Ethereum, this 51% is concentrated in the top 3~4 miners. Moreover, the 51% can be reduced to 33% with some tricks explained by Emin Gun Sirer.

Ironically, blockchain’s anonymity makes it nearly impossible to identify these “big brothers”.
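To put numbers on the majority problem, here is an added example (not part of the original article) that implements the attacker catch-up calculation from Satoshi Nakamoto's Bitcoin whitepaper. The function names and the 0.1% risk threshold are choices made for this sketch; `q` is the colluding share of computational power and `z` is the number of confirmations a recipient waits for.

```python
import math


def attacker_success(q: float, z: int) -> float:
    """Probability that colluders holding share q of the hash power ever
    overtake the honest chain from z blocks behind (Nakamoto's model)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z must be >= 0")
    p = 1.0 - q                  # honest share of the hash power
    if q >= p:
        return 1.0               # a majority always catches up eventually
    ratio = q / p
    lam = z * ratio              # expected colluder blocks while honest nodes mine z
    poisson = math.exp(-lam)     # Poisson term for k = 0, updated step by step
    prob = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k   # iterative update avoids overflow for large z
        prob -= poisson * (1.0 - ratio ** (z - k))
    return max(prob, 0.0)


def confirmations_needed(q: float, risk: float = 0.001, max_z: int = 1000):
    """Smallest z that pushes the catch-up probability below `risk`,
    or None when no number of confirmations can (q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if attacker_success(q, z) < risk:
            return z
    return None


if __name__ == "__main__":
    # 0.60 is the article's case: 6 of 10 verifiers colluding.
    for q in (0.10, 0.30, 0.45, 0.60):
        z = confirmations_needed(q)
        print(f"colluding share {q:.2f}: "
              f"P(overtake after 6 confirmations) = {attacker_success(q, 6):.7f}, "
              f"confirmations for <0.1% risk = {z}")
```

Below a majority, waiting for more confirmations shrinks the risk exponentially; at 6 of 10 colluders the probability is 1 no matter how long the recipient waits.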

4. Mis-stored Data

Assuming the participants don’t collude in our last example, you need to pay for their service in dollar bills, which are stored in a locked box — and someone steals your key.

It’s the same issue with digital tokens (dollar bills) that are stored in an e-wallet (locked box, whose address is the public key) accessed by a private key (similar to a physical key).

Simple as it sounds, this is the most common reason for centralized cryptocurrency exchange platforms being hacked and losing millions of dollars worth of cryptocurrency. They store their customers’ cryptocurrency in servers connected to the internet (known as a “hot wallet”), rather than devices disconnected from the internet (known as a “cold wallet”).

The real issue here is the lack of a cybersecurity mindset by the developers — understanding that a device connected to the internet can be as accessible as your backyard for thieves.

Meanwhile, security is also a strategic trade-off

For businesses adopting Blockchain, security might be traded for other features, such as control, cost and/or speed.

For example, enterprise blockchain solutions, such as Hyperledger by IBM, are predominantly private blockchains. Private blockchains restrict network access so that only nodes with permission, usually stakeholders, can participate.

The design controls the data, whose encrypted form can still contain valuable information, such as volume. Stakeholders can amend applications after they are launched. With a small private network, companies can speed up verification processes and avoid the costs of rewarding public participants (miners).

Compared to a public blockchain, private blockchains face a lower risk of flawed code but a much higher risk of network corruption. The success of such solutions relies on establishing trust among participants. This means restricting access to only stakeholders and business partners becomes key. Private blockchains are also used in combination with other enterprise technologies, such as cloud databases, to compensate for this dilution in security.

Finally

If there’s only one thing you can remember from this article —

The certainty of Blockchain does not necessarily equal security, which remains a function of the technological limitations, structural vulnerabilities, and strategic decisions made by its users.

Images by Andrew Worley

Claire Liang is the person who did send birthday wishes to her loved ones before writing this article. She led multiple tech startup projects, helped clients solve problems at McKinsey, and spoke at TEDx. | Find her on LinkedIn

Many thanks to Osama I. Malik from IBM and our editor Paul Crognale, who decided to get a Blockchain certificate after editing many Blockchain articles.
