Is blockchain -- the network of global online ledgers -- really secure? Its proponents say yes, as it assigns transactions or smart contracts to an immutable ledger, verifiable by multiple parties. However, a recently published paper calls out some vulnerabilities that may subject blockchain entries to inefficiencies, hacking and other criminal activity.

Photo: Joe McKendrick

The paper, published by Xiaoqi Li, Peng Jiang and Xiapu Luo (all with Hong Kong Polytechnic University), Ting Chen (University of Electronic Science and Technology of China), and Qiaoyan Wen (Beijing University), asserts that blockchains have several points of vulnerabilities of which users need to be aware.

As blockchain increasingly becomes part of business operations, there needs to be a closer examination of the potential security liabilities that come with this emerging technology. With the growth of the number of decentalized applications, "the privacy leakage risk of blockchain will be more serious," Li and his co-authors state. "A decentralized application itself, as well as the process of communication between the app and Internet, are both faced with privacy leakage risks." They urge greater adoption of techniques to address the challenge: "code obfuscation, application hardening and execution trusted computing."

The researchers outline key known risk factors with blockchain:

Blockchain efficiency: For starters, he efficiency of blockchains themselves may become overloaded with complex consensus mechanisms and invalid data. Li and his co-authors note that the consensus mechanisms employed across the Internet are computing resource hogs. For instance, most popular consensus mechanism used in blockchain is Proof of Work, which the researchers call a "waste of computing resources." They say there are efforts to develop more efficient and hybrid consensus mechanisms that combine PoW and Proof of Stake (PoS). In addition, blockchains will produce a lot of data -- block information, transaction data, contract bytecode -- that may be outdated and useless. "There are a lot of smart contracts containing no code or totally the same code in Ethereum, and many smart contracts are never be executed after its deployment. An efficient data cleanup and detection mechanism is desired to improve the execution efficiency of blockchain systems."

"51% vulnerability:" Blockchain "relies on the distributed consensus mechanism to establish mutual trust.However, the consensus mechanism itself has 51% vulnerability, which can be exploited by attackers to control the entire blockchain. More precisely, in PoW-based blockchains, if a single miner's hashing power accounts for more than 50% of the total hashing power of the entire blockchain, then the 51% attack may be launched. Hence, the mining power concentrating in a few mining pools may result in the fears of an inadvertent situation,such as a single pool controls more than half of all computing power."

Private key security: "When using blockchain, the user's private key is regarded as the identity and security credential, which is generated and maintained by the user instead of third-party agencies. For example, when creating a cold storage wallet in Bitcoin blockchain, the user must import his/her private key." An attacker could "recover the user's private key because it does not generate enough randomness during the signature process.Once the user's private key is lost, it will not be able to be recovered. Since the blockchain is not dependent on any centralized third-party trusted institutions, if the user's private key is stolen, it is difficult to track the criminal's behaviors and recover the modified blockchain information."

Criminal activity. "Through some third-party trading platforms that support Bitcoin, users can buy or sell any product.Since this process is anonymous, it is hard to track user behaviors, let alone subject to legal sanctions." Frequent criminal activities with Bitcoin include ransomware, underground markets and money laundering.

Double spending. "Although the consensus mechanism of blockchain can validate transactions, it is still impossible to avoid double spending, or using the same cryptocurrency multiple times for transactions. The attacker can exploit the intermediate time between two transactions' initiation and confirmation to quickly launch an attack."

Transaction privacy leakage. "Unfortunately, the privacy protection measures in blockchain are not very robust," Li and his co-authors state. "Criminal smart contracts can facilitate the leakage of confidential information, theft of cryptographic keys, and various real-world crimes (e.g.,murder, arson, terrorism, etc.)"

Vulnerabilities in smart contracts. "As programs running in the blockchain, smart contracts may have security vulnerabilities caused by program defects." For example, one study found that 8,833 out of 19,366 Ethereum smart contracts are vulnerable to bugs such as transaction-ordering dependence, timestamp dependence, .mishandled exceptions, and .re-entrancy vulnerability."

Under-optimized smart contracts: "When a user interacts with a smart contract deployed in Ethereum, a certain amount of "gas" is charged. Gas can be exchanged with "Ether," which is the cryptocurrency in Ethereum. This results in "useless-code related patterns," and "loop-related patterns." This consists of "dead code, opaque predicate, and expensive operations in a loop."

Under-priced operations: "Ethereum sets the gas value based on the execution time, bandwidth, memory occupancy and other parameters. In general, the gas value is proportional to the computing resources consumed by the operation. However, it is difficult to accurately measure the consumption of computing resources of an individual operation,and therefore some gas values are not set properly. For example, some IO-heavy operations'gas values are set too low, and hence these operations can be executed in quantity in one transaction. In this way, an attacker can initiate a Denial of Service attack on Ethereum."