Decentralized blockchains are largely mythological heroes with all-too-real vulnerabilities, according to a new report prepared for the U.S. military’s top R&D outfit.
This week saw the release of Are Blockchains Decentralized?, a report prepared by tech security assessors/advisors Trail of Bits (ToB) for the Defense Advanced Research Projects Agency (DARPA), the legendary research and development arm of the U.S. military.
About a year ago, aware that blockchain technology is increasingly making inroads into areas far beyond financial transactions, DARPA asked ToB to kick blockchains’ tires—specifically, the BTC and Ethereum chains—to ascertain whether their claims of decentralization were warranted and what cybersecurity risks these chains might face due to their decentralization (or lack thereof).
Worryingly, ToB concluded that while the immutability of blockchains is taken for granted nowadays, said immutability “can be broken not by exploiting cryptographic vulnerabilities but instead by subverting the properties of a blockchain’s implementations, networking, and consensus protocol. We show that a subset of participants can garner excessive, centralized control over the entire system.”
While the headline findings may not necessarily come as shocking news to blockchain veterans, they may serve as a wake-up call for neophytes, particularly politicians who gleefully spout every ‘crypto’ cliché in the book after accepting hefty campaign contributions from ‘crypto bros’ eager to see the sector either lightly regulated or not at all.
Here be decentralized dragons
Chief among the report’s caveats is the fact that all major blockchains have “a privileged set of entities that can modify the semantics to the blockchain to potentially change past transactions.” For BTC, the bar is set low at four entities (i.e. mining pools representing a mere 0.004% of all network nodes). For Ethereum, it is only two (as of January 2021) or three (as of April 2022).
Both BTC and Ethereum utilize proof-of-work consensus mechanisms, but most proof-of-stake chains can be hijacked by a handful of validators who collectively control one-third of the staked assets. In the case of the perpetual vaporware known as Ethereum 2, as few as 12 staking whales could take control of the network for whatever purposes they desire.
The off-chain governance structures of mining pools and staked validators also comes under ToB’s suspicion. In the case of the pools, their use of the unencrypted Stratum protocol to assign jobs to individual miners exposes these operations to “an eavesdropper such as a nation-state, ISP or local network participant” that could employ ‘man in the middle’ attacks to steal CPU cycles and payouts. Patches to the Stratum protocol have been made but there’s been little progress on moving to a more secure protocol.
Miners also either rely on hard-coded passwords for their accounts or don’t validate passwords during authentication. ToB cited three mining pools that collectively account for one-quarter of the BTC hashrate and found that one didn’t validate any authentication credentials, another assigned all accounts the password ‘123’ while the third told users to ignore the password field because it was “a legacy Stratum protocol parameter that has no use nowadays.”
Total eclipse of the Sybils
As for the fabled proof-of-work blockchain bugaboo, the 51% attack, the report delves into how its ‘Sybil’ and ‘eclipse’ sub-categories work together to compromise networks. ToB notes that the natural latency of the BTC network meant that the network’s effective computational power between January-June 2021 was only 98.68% of its theoretical maximum. This means that it would actually only take 49% of the overall hashrate to pull off an attack and this could dip even further—as low as 20%—through the “accidental or nefarious introduction of further latency.”
Adding new Sybil nodes requires no expensive specialized mining hardware, yet optimal network distribution requires the cost of a single participant operating multiple nodes to be greater than the cost of operating one node. ToB claims the only current way for a permissionless blockchain to achieve this is to utilize a centralized trusted third party, which kinda undermines the whole decentralized thing.
On a related note, echoing a view that our own Kurt Wuckert Jr. has been espousing for years, ToB state that the “vast majority” of BTC nodes—possibly as much as 94% of the total—“appear to not participate in mining” and therefore “do not meaningfully contribute to the health of the network.”
Don’t mention the TOR
Blockchains are also vulnerable due to the underlying network infrastructure on which they exist. ToB says that over the past five years, 60% of all BTC traffic “has traversed just three ISPs,” while around half of BTC traffic was routed through the TOR network. All of which opens up new avenues for eclipse attacks, “since the ISPs and hosting providers have the ability to arbitrarily degrade or deny service to any node.”
The report singles out TOR for special scorn, noting that it routes traffic for around 20% of BTC nodes, making it “more popular than any other [autonomous system] or network provider.” Malicious TOR exit nodes “can modify or drop traffic similar to an ISP” and the report cites a recent incident in which “a malicious actor (widely believed to be from Russia) used a Sybil attack to gain control of up to 40% of TOR exit nodes,” which said suspected Russian used to rewrite BTC traffic.
Softwear & Tear
Over one-fifth of BTC nodes are running out of date ‘Bitcoin’ Core client software with known vulnerabilities, making the network not only slower but also less secure. But while software bugs are problematic, blockchains are also vulnerable to “overt software changes.” This puts a bulls’ eye on the handful of individuals who develop and maintain blockchain software, making them “susceptible to targeted attack.”
The report notes there are currently only four “active contributors with access to the Bitcoin Core codebase, the compromise of any of whom would allow for arbitrary modification of the codebase.” The report makes clear that this is no idle speculation, citing a recent incident in which the Polygon network’s lead developer was targeted with Pegasus malware (the same malware that El Salvador’s BTC-loving president had installed on the phones of unfriendly journalists).
The centralization and security of mining pool infrastructure is another potential avenue of attack. ToB says that, to the best of its knowledge, “there has never been a third-party security assessment” of mining client software. As a result, “any remote code execution vulnerability in a mining pool client would allow an attacker to either deny service to the mining pool (i.e., reducing the overall hashrate) or redirect the hashrate toward a 51% attack.”
On-chain software, including Ethereum’s smart contract ecosystem, is also “susceptible to code reuse and vulnerabilities.” The report found that “90% of the Ethereum smart contracts were at least 56% similar to each other,” while 7% were “completely identical.” That seemingly endless series of DeFi exploits suddenly makes a lot more sense, doesn’t it?
The bottom line is that while blockchain technology’s cryptography remains “quite robust,” the implementations of particular blockchains leaves a lot to be desired—and a lot of attack vectors. The authors make the acerbic point that blockchain/crypto’s inherent risks “have been poorly described and are often ignored—or even mocked—by those seeking to cash in on this decade’s gold rush.”
The ToB report was in the works long before the current crypto crash began in earnest, but the timing of its release—amid a deluge of human and technical cock-ups that have pulled back the curtain on the sector’s criminality and incompetency – was spot-on. Decentralization, particularly in terms of DeFi, is largely illusory and thus the entire concept of decentralization requires a rethink.
Watch: BSV Global Blockchain Convention presentation, Sentinel Node: Blockchain Tools to Improve Cybersecurity
New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.