This article explores the world of blockchain security, addressing various areas of concern and providing insights into blockchain development, security considerations, and practical tips for end users when discovering new blockchain applications.
The blockchain inspires a young population who have adopted its features through mobile apps, crypto wallets, and Web3. Companies also view smart contracts as a new way to enhance the reliability of transactions and contracts (business agreements). A large ecosystem is currently emerging, comprising financial and technological players, with several new frameworks and practices. Digital natives have grown up in a digital world and are more inclined to explore new technologies and digital innovations. Far from having reached a high maturity level, we are also witnessing the first long-range cyberattacks targeting blockchains, including phishing attacks, data breaches, and DDoS attacks that render network resources unavailable indefinitely.
Who is concerned?
Users of the blockchain share different responsibilities and face different challenges when targeted by attacks. However, end users are always the most affected. The targets of the attacks can be:
- Crypto-assets which are part of cryptocurrency exchange networks and their components. A fully decentralized peer-to-peer electronic payment network (shared and dispersed computers processing transactions). The target can be the mechanisms put in place to respect the traceability and integrity of the transactions carried out.
- Blockchains for storage that can be used to store documents, for example: patents, diplomas, personal documents. If the information becomes unavailable for days or is lost, it may result in financial and credibility damage.
- Smart Contracts are automated contracts in the form of computer code. Contracts established between stakeholders and executed automatically. Based on pre-established trigger events and conditions (e.g: Ethereum). Attackers can attempt to compromise the integrity of the contracts.
- IoT Blockchain Platforms based on the exchange between connected objects using smart-contracts. Blockchain enables connected objects to become autonomous and independent of human intervention. Attacks can target the personal data of users or availability of the service.
What is blockchain security and why are we all concerned?
As users, we interact with web/mobile applications that use software and backends which interact with decentralized protocol layers. The end user uses a programmable currency based on the rules of the application (written code using most common programming and script languages). Each layer can present the following security challenges:
Application Layer: What the final user can see and interact with
-
This exposes the user to the application vulnerabilities and common issues of Application Security (OWASP Top 10).
-
Periodic audits can assess the exposure to the internet of your blockchain operations and identify areas for improvement.
Contract Layer and/or Incentive Layer: Define how contracts are done or currency handled.
Consensus Layer: Ensure the logic of consensus of the blockchain is followed
-
PoS (Proof of Stake): Interact with how the consensus layer chooses the owner of a new block based on the wealth they have.
-
PoW : Interact with how the consensus layer requires the user to mine or solve a complex operation to verify the transaction.
Data Layer : comprised of data blocks, chain structure, time stamp, hash function, & encryption
Network Layer: P2P & verification mechanisms (who are the network participants / nodes : who are the miners / who are the block generators ? Who are validators ? Who are the clients ?)
- If network nodes remain unavailable for extended periods, end users cannot use the application or confirm transactions.
- High availability mechanisms must be configured to avoid a Single Point of Failure.
The security by design approach is crucial. The following questions must be considered in every new innovation:
- Transactions between two parties are grouped into a block. Input validation and proper transaction control are necessary to ensure data integrity.
- The block is validated by network nodes using cryptographic techniques. Strong cryptographic algorithms should be implemented.
- The block is timestamped and added to the blockchain, which all users can access. The blockchain must be designed according to high availability principles.
- It is always possible to assert that the transaction has taken place. Strong integrity checks for compliance are required.
- Transactions occur between users who do not necessarily trust each other. Implement data privacy techniques like Zero Knowledge principle.
- Architecture must study how to define if the blockchain will be single-ledger based or multi ledger based and interoperability based.
- Each mobile or PC is considered a terminal node that interacts with service nodes through APIs, which are part of the application's architecture. Which APIs are used? Can we trust end users?
The Zero Trust approach can help implement various security mechanisms and controls as a protection to cyberattacks.
Basic checklist and security requirements
Implementing security by design can be as straightforward as taking these simple steps. Ensure that security considerations are integrated into the software development lifecycle (SDLC). This may involve modifying development methodologies and workflows. Any DevOps team must be concerned by the following requirements:
Dev Layer is composed of it’s front and back end with:
- Secure version control using git: limiting access.
- CRUD Operations implementation : Secure how the following operations are implemented (create / retrieve/ update/ delete) with best practices.
- Use known tools like NPM (Node Package Manager) and known SDK.
- Recognize and reward individuals or teams who actively contribute to security initiatives. This can boost motivation and engagement.
Infrastructure layer:
- Control interactions with wallets to store digital assets and with oracles (an agent who verifies and submit information to a blockchain to be used by smart contracts.
- Distributed and scalable: The application must be developed with a highly scalable approach to adapt following the amount of transactions and data related to transactions grows.
- Keep the hardware and software for running blockchain nodes and mining updated. Control the metrics (CPU, RAM, Storage and network) of the infrastructure assets.
Business layer:
- Establish a strong relationship between the token (digital asset), the Genesis Block (the initial block), and the Consensus Criteria (criteria for validating a transaction by the majority of the network).
- Implement Sharding: Dividing a blockchain into several smaller networks called shards.
- Anticipate the 'Nothing at Stake' problem: When a validator approves all transactions after a hard fork occurs (A fork is an alteration of data in a public blockchain. It’s a hard fork when it requires all network computers to upgrade to the new version.).
- Data integrity: Written data must not be changed any more and unalterable. These characteristics must be balanced with a new property : performance.
- Provide training and educational resources on security principles and best practices.
Use strong cryptographic mechanisms:
- Use Cryptographic or Hash functions to create digital ID and thumbprints
- Implement Digital Signature to present the authenticity of digital assets
- Emphasize the importance of continuous improvement. Encourage teams to identify areas where additional security enhancements can be achieved.
How to audit a blockchain application as an end user ?
When using a blockchain application, you must understand your role as data owner (you own your data) and consumer (you also consume data from others). Here is a very basic flow to do an audit at the end user level:
- Identify the central trustworthy authority. Understand if it’s centralized or decentralized. Centralized authorities focus on performance while decentralized ones favor trust and integrity
- Understanding how it works. The technical stack determines the kinds of vulnerabilities of the application and support that will be given to the developers. Sometimes layers that are fully open source can also requiremore deployment and use costs. Ask yourself if you can use your assets on other platforms ?
- Understanding how to secure the application at your level. Could you configure a strong authentication mechanism such as MFA and strong password when connecting to your app?
- Confirming the maturity of the blockchain. Is the Consensus layer capability based ? voting based ? compute-intensive based ? Who is behind the nodes : who are the miners ? the block generators ? the validators ? the clients ? Is the 51% Rule at stake ? Situation in which a majority of miners are owned or controlled by the same entity and can launch and attack or badly interfere on the rest of the network.
Conclusions
Educational institutions and online courses are offering blockchain-related education, making it easier for young individuals to learn about blockchain and its applications. The idea of financial freedom and independence is attractive to many young people. However when using any application with blockchain capacities behind, ask yourself how you can protect your data and assets.
Conducting thorough investigations and vigilantly monitoring safety mechanisms is imperative.
If possible try to understand what frameworks are used and how the app and the technology will change in the following months and years.
Achieving maximum energy efficiency may conflict with some principles of decentralization and mining optimization, as it might concentrate control within a smaller group. Optimizing smart contracts for energy efficiency can be challenging and may lead to unintended vulnerabilities if not done correctly. This opens up new opportunities for more innovations regarding sustainable and “eco-friendly” blockchain solutions.