However, a key concern for individuals and businesses considering using blockchain technology is security. Sure, the blockchain allows for seamless transfer and receipt of assets and data—but are these transactions secure?
And it's not just CTOs and CEOs who want assurances of blockchain security. Individuals trading cryptocurrencies, NFTs, and more want to know if their digital assets are secure.
If there's no central entity controlling and securing the decentralized ledger, then how is the blockchain secured?
That's what we're about to find out in this article.
The blockchain is a distributed ledger technology that records all transactions conducted by participants in the network. Blockchain networks are sustained by a group of computers (called nodes) distributed across the world. Each node can initiate transactions or validate new transactions, which is why blockchain networks are seen as "peer-to-peer" systems.
Not all blockchains are the same. Public blockchains like Bitcoin and Ethereum are "permissionless" since anyone with a computer and Internet connection can join the network.
Private (permissioned) blockchains, however, can only be joined upon authorization by the controlling entity. Later, we'll see why the distinction in blockchain types is important for security.
Blockchain's description as a "decentralized" system comes from the absence of a single authority controlling it. In other words, every participant in the network has as much power as the next.
Each new transaction gets added to a block, which is then added to the blockchain. Once other nodes agree to the transaction's validity, the new block is added to other blocks, creating a chain—hence the name. The process of nodes agreeing to the state of each transaction is called "consensus".
Blockchains are extremely secure, making them ideal for transactions requiring high levels of data integrity and safety. For example, blockchains can be used to securely transfer money, track charity donations, safeguard records, and conduct voting.
Blockchain security is achieved through a mix of cryptography, game theory, consensus mechanisms, and failure-resistant design. Let’s delve into each element to see how it contributes to securing the blockchain.
Blockchains are “immutable” because they prevent the alteration of transactions on the network. These transactions could be anything from the exchange of digital assets to the transfer of digital data.
We have cryptographic hashing to thank for blockchain’s immutability and data security. Hashing involves an algorithm (a “hash function”) generating a fixed output (hash) from a data input of any size. In most blockchains, the hash is an alphanumeric string of fixed length.
Because a hash is dependent on block data, hashes serve as unique identifiers for blocks on the chain. Running the same data through the hash function will produce the same hash no matter how many times you perform the operation.
A change in a block’s data automatically triggers the generation of a new hash. Which is why it’s easy to know if a block containing transactions has been altered.
Moreover, each block’s hash contains the hash of the previous block—blockchains are described as “hash-linked lists” for this reason. Changing a block’s hash requires changing the preceding block’s hash, and the one before that, up until the first block in the chain.
Not only does rewriting blocks require massive computing power, it’s prone to failure. Other nodes will detect the alterations (each one holds a copy of the blockchain’s history) and reject the newly added blocks.
Hashing ensures funds spent in one transaction cannot be used again, preventing the “double-spending” problem in cryptocurrency. That can only happen if someone rewrote the blockchain's history—and that’s extremely difficult like we’ve seen.
Beyond protecting the immutability of blockchains, cryptography is useful for safeguarding blockchain wallets. Wallets are used to store digital assets, including cryptocurrencies, non-fungible tokens (NFTs), or any other items created and transferred on the blockchain.
When users create a wallet, they get a public key and a private key. The private key is to your wallet what a password is to your bank account. Every transaction must be signed with a private key to prove ownership of the assets.
The existence of a private key means that no one can gain access to your wallet and move funds and other assets without your approval. It also serves as the ultimate proof of ownership since malicious actors cannot transact with assets they don't own.
Consensus algorithms allow participants on the blockchain to agree on the validity of transactions and the true state of the blockchain. In other words, a consensus is what makes the blockchain ledger a reliable and secure record of information.
In a blockchain network, every node must confirm the validity of each transaction. This makes it harder for anyone to perform the malicious activity and get away with it.
Moreover, nodes must agree on a single, shared history of the blockchain. No two versions of a blockchain can exist, making it impossible to alter records without getting noticed. Besides, controlling the consensus mechanism is made difficult by blockchain’s decentralization and lack of a single point of failure.
Blockchain networks use different consensus mechanisms. For example, Bitcoin and Ethereum 1.0 use a Proof-of-Work system, while Ethereum 2.0, Solana, Cardano and many new blockchains use a Proof-of-Stake system.
When Satoshi Nakamoto designed the first blockchain, there was the question of how to ensure network participants act honestly. Remember the blockchain is decentralized, meaning there's no one to wield the big stick and prevent malicious activity.
Cryptoeconomics is based on game theory, a field of study that attempts to predict the interactions between different participants in a situation with defined rules and outcomes. When applied to blockchain networks, game theory can be used to encourage honest activity by providing adequate incentives.
Cryptoeconomics works differently depending on the blockchain. Bitcoin uses a Proof-of-Work system where nodes (called miners) must expend some resource (electricity, in this case) before confirming transactions. This rule is enforced by asking miners to solve complex equations in exchange for the right to add new transactions to the blockchain.
The computing-intensive nature of Bitcoin mining disincentivizes malicious activity. Any would-be malicious actor has to spend enormous time and money (on electricity) on dishonest activity (like confirming invalid transactions). Even then, the chances of success are horribly slim.
Moreover, dishonest miners lose block rewards for confirming valid transactions. Now, our hapless hackers will waste electricity and lose money in the process of attacking the Bitcoin blockchain.
New-generation blockchains like Ethereum 2.0, Solana, and Cardano use the Proof-of-Stake system. The PoS system mirrors PoW in how it punishes bad behavior and rewards honest activity.
Nodes must “stake” some cryptocurrency before validating transactions, which raises the barrier to entry. If nodes (called validators) confirm valid transactions, they receive cryptocurrency rewards.
But should they broadcast an invalid transaction, and other nodes reject it, they lose both the staked funds and their expected rewards.
While blockchain security is impressive, it doesn't rule out the possibility of a breach. Here are the most common threats to blockchain security:
If a group of hackers manage to control a significant amount of the computing power (at least 51 percent) in a blockchain network, then they could take over the entire blockchain. Known as a 51% attack, this is the most realistic scenario in which a blockchain can be hacked in theory.
However, it's difficult to orchestrate a 51% attack for reasons we discussed under “cryptoeconomics”. Bitcoin has 15,000+ nodes (computers) running on its blockchain, while Ethereum has 2,000+ nodes. The sheer amount of resources to take over half of either network makes a 51% attack impractical and costly.
It's important to point out that Bitcoin and Ethereum benefit from a robust network. Smaller blockchains running fewer nodes are more susceptible to attacks since breaching the network requires less investment. Bitcoin SV, Ethereum Classic, Bitcoin Gold,Verge, and Vertcoin are some notable blockchains to have suffered 51% attacks in the past.
Private blockchains have a higher security risk than private blockchains because they have less participants. While controlled access improves security, an inside attacker can easily wrest control of the blockchain. This is an important consideration for companies who may be considering using private blockchains for enterprise-level transactions.
A distributed denial-of-service attack happens when cybercriminals disrupt a blockchain network by overloading it with transactions. Most blockchain networks have a defined transaction limit and will crash if the limit is exceeded.
While many believe blockchain networks are immune to DDoS attacks, this is untrue. Solana is a prime example of how malicious actors can bring down a blockchain with a DDoS attack.
On September 14, 2021, the blockchain network was flooded with up to 400,000 transactions per second in a coordinated DDoS attack. Validators couldn’t keep up, causing unconfirmed transactions to clog the network and knock the system offline.
Outside of a 51% attack or DDoS hack, the means of attacking a blockchain are few and far in between. In fact, most of the hacks reported in the news aren't attacks on the blockchain per se.
Rather, hackers often exploit vulnerabilities at the point of contact between the blockchain and the outside world. Think third-party applications, software clients, and other means of interacting with the blockchain.
Here are some examples:
Many attacks on cryptocurrency exchanges have targeted "hot wallets" (Internet-connected storages) used to store cryptocurrencies. Ideally, exchanges should transfer assets to a "cold wallet", which is offline storage to protect them. But that rarely happens, making these assets ripe pickings for sophisticated crypto thieves.
A user's private keys could also be compromised and used to transfer assets without their knowledge. Classic tactics like phishing have proved surprisingly effective for getting users to unwittingly part with their private keys. This gives bad actors unlimited access to wallets, enabling them to steal crypto and other assets.
Bugs in smart contracts can allow hackers to breach blockchain-based decentralized applications (dApps). In such cases, it's the security of the smart contract—not the blockchain itself—that's suspect. The recent Wormhole hack is a prime example of how poor smart contract code can cause problems.
Blockchains remain one of the most secure options for transferring assets and data. When the right elements—cryptography, cryptoeconomics, and consensus—are in place, breaching a blockchain network is next to impossible.
However, not all blockchains are made equal. Everything from the consensus algorithm and cryptoeconomic structure to the size of its network can impact blockchain security.
Finally, users of blockchain-connected applications like crypto exchanges and dApps must understand that these services do not benefit from the blockchain's security. Therefore, it’s important to implement other measures to make them secure.
First Published here