DARPA study challenges assumptions about distributed ledger (and Bitcoin) security

Blockchain not as decentralised as many assume, finds Pentagon sponsored research


US government sponsored research is casting new light on the security of blockchain technology, including the assertion that a subset of a distributed ledger's participants can gain control over the entire system.

The finding is part of a study [PDF] conducted by IT security researchers at Trail of Bits and commissioned by the Defense Advanced Research Projects Agency that points to several ways in which the immutability of blockchain – the distributed ledger on which Bitcoin and other cryptocurrencies rely – can be called into question.

Of Bitcoin's nodes, 21 percent were running an old version of the Bitcoin Core client that is known to be vulnerable in June of 2021

Rather than exploring attacks which target cryptographic vulnerabilities, the study instead focuses on approaches which might subvert the properties of a blockchain's "implementation, networking, or consensus protocol."

Blockchain underpins a raft of so-called Web3 technologies — including cryptocurrencies and non-fungible tokens — creating a lucrative, volatile and outspoken subset of the tech industry.

But the researchers found weaknesses in blockchain could simply relate to a version control of software controlling network nodes, for example. "Of Bitcoin's nodes, 21 percent were running an old version of the Bitcoin Core client that is known to be vulnerable in June of 2021," the study said.

Meanwhile, the study points out that Bitcoin traffic is unencrypted, meaning any third party on the network route between nodes, including ISPs, Wi-Fi access point operators, or governments could observe and drop any messages they wished.

"Of all Bitcoin traffic, 60 percent traverses just three ISPs," the report says.

Security – we've heard of it

The researchers said that while there are different types of distributed ledger technologies (DLTs) based on different designs, the "overarching value proposition of DLT and blockchains is that they can operate securely without any centralized control."

While the low-level protocols — or cryptographic primitives — underpinning DLT security were sound, implementation decisions mean the claim of immutability is open to question. "We show that a subset of participants can garner excessive, centralized control over the entire system," the researchers said.

Another weakness specific to Bitcoin was that not all nodes equally contribute to reaching consensus and communicating with Bitcoin miners, the parties responsible for the proof-of-work maths test which creates units of the crypto-currency.

"A dense, possibly non-scale-free, subnetwork of Bitcoin nodes appears to be largely responsible for reaching consensus and communicating with miners — the vast majority of nodes do not meaningfully contribute to the health of the network," the report says.

Meanwhile the combination of changes in the assumptions underpinning Bitcoin combined with the fact that Bitcoin miners use a select pool of software tools, also creates the potential for vulnerabilities.

The researchers explain that Bitcoin was founded on the assumption each node in the consensus network would also mine the coins. But as mining became more difficult, "mining pools" sprang up to group together both mining power and rewards.

"Today, the four most popular mining pools constitute over 51 percent of the hashrate of Bitcoin. Each mining pool operates its own, proprietary, centralized protocol and interacts with the public Bitcoin network only through a gateway node. In other words, there are really only a handful of nodes that participate in the consensus network on behalf of the majority of the network's hashrate," the authors say.

They argue this reduces the threshold for a so-called 51 percent attack. "If a node operator's self-interest is to be dishonest, then there is no explicit penalty for doing so. Moreover, the number of entities necessary to execute a 51 percent attack on Bitcoin was reduced from 51 percent of the entire network (which we estimate at approximately 59,000 nodes) to only the four most popular mining pool nodes (less than 0.004 percent of the network)," the study found.

"A subset of a blockchain's participants can garner excessive, centralized control over the entire system. The majority of Bitcoin nodes have significant incentives to behave dishonestly, and in fact, there is no known way to create any permissionless blockchain that is impervious to malicious nodes without having a trusted-third party," the report concludes. ®

Similar topics

Narrower topics


Other stories you might like

  • Crypto sleuths pin $100 million Harmony theft on Lazarus Group
    Elliptic points to several indicators that suggest the North Korea-linked gang was behind the hack

    Investigators at a blockchain analysis outfit have linked the theft of $100 million in crypto assets last week to the notorious North Korean-based cybercrime group Lazarus. The company said it had tracked the movement of some of the stolen cryptocurrency to a so-called mixer used to launder such ill-gotten funds.

    Blockchain startup Harmony announced June 23 that its Horizon Bridge – a cross-chain bridge service used to transfer assets between Harmony's blockchain and other blockchains – had been attacked and crypto assets like Ethereum, Wrapped Bitcoin, Binance Coin, and Tether stolen.

    According to blockchain analytics company Elliptic, the attacker immediately turned to Uniswap, a decentralized exchange, to convert most of the assets into 85,837 Ethereum, which researchers said is a common method used by hackers to avoid the stolen assets from being seized.

    Continue reading
  • China's blockchain boosters slam crypto as Ponzi scheme
    Communists reckon Bill Gates and Warren Buffet got it right

    Executives at China's Blockchain-based Service Network (BSN) – a state-backed initiative aimed at driving the commercial adoption of blockchain technology – labelled cryptocurrency "the biggest Ponzi scheme in human history" in state-sponsored media on Sunday.

    "The author of this article believes that virtual currency is becoming the largest Ponzi scheme in human history, and in order to maintain this scam, the currency circle has tried to put on various cloaks for it," wrote Shan Zhiguang and He Yifan in the People's Daily.

    He Yifan is the CEO of startup Red Date Technology – a founding member and architect behind BSN – where he serves as executive director. Co-author Zhiguang Shan is chair of the BSN Development Alliance.

    Continue reading
  • DARPA wants to refuel drones in flight – wirelessly
    Boffin agency seeks help to shoot 100kW through the air with lasers, but contributors don't have long to deliver

    US military researchers are trying to turn in-flight refueling tankers into laser-shooting "airborne energy wells" for charging drones, and they want the public's help to figure out how.

    The Defense Advanced Research Projects Agency (DARPA) published a request for information (RFI) from anyone willing and able to contribute their tech, with a few caveats. It needs to fit on existing in-flight refueling tankers (the newer KC-46 and Cold War-era KC-135, specifically) and be able to deliver 100kW of power.

    Militaries around the world have been using in-flight refueling for decades to extend aircraft patrols and long-range missions. With a history of development stretching back to the 1920s, the practice has since developed into a standard part of operating an air fleet powered by aviation fuel.

    Continue reading
  • Bill Gates says NFTs '100% based on greater fool theory' amid crypto cataclysm
    Plus: Non-fungible tokens for dummies

    Comment Microsoft co-founder Bill Gates has declared that "expensive digital images of monkeys are going to improve the world immensely."

    He was joking, obviously, though considering Gates's supposed connection to microchips in vaccines, one can never be too careful. What he's talking about are non-fungible tokens (NFTs), which came up at a TechCrunch event in Berkeley, California, on Tuesday. Specifically the Bored Ape Yacht Club variety.

    You know those kids' books where the picture is divided into three (head, body, legs) so you can turn different sets of pages to get a different image? That's what the Bored Ape Yacht Club is for those willingly parted from large amounts of money for the right to stand next to a picture of a cartoon chimp.

    Continue reading
  • China’s top court calls for blockchain to record vast number of transactions
    Leases, IP rights, ownership of goods … it’s almost easier to list things the Supreme People’s Court doesn’t want on a blockchain

    China’s Supreme People’s Court has issued an opinion calling for massive adoption of blockchain across China’s judiciary, financial sector, and government, and for the technology to underpin intellectual property in the nation.

    Published last week, the opinion* reveals that the Court has already recorded 2.2 billion items on a judicial blockchain. The Court now suggests 32 more initiatives, most of which concern using blockchain to enhance efficiency of, and trust in, the nation’s judiciary.

    But the recommendations also go far wider, calling for the creation of “an interoperation collaborative mechanism with blockchain platforms”. That effort will allow “market regulation, property registration … and enable inquiry about and verification of information related to the ownership registration and status of transactions, such as basic business profile, variation of corporate equities, correlation between businesses, ownership of immovables and movables, financial leasing, precious metal trading, to facilitate the identification of ownership and transactions of property rights, so as to intensify the development of the classified and categorized supervision system based on data and credit, and to further improve the national business environment.”

    Continue reading
  • DARPA backs virtual worlds for autonomous off-road vehicles
    Intel and co outline Holodeck-like efforts for combat bots

    Intel has shed some light on its participation in a DARPA program set up to aid the development of autonomous combat vehicles that can go off road. 

    The x86 giant on Tuesday outlined its involvement in the US government agency's Robotic Autonomy in Complex Environments with Resiliency – Simulation (RACER-Sim) project.

    RACER-Sim is part of DARPA's wider RACER program to foster the advancement of self-driving machines that can keep up with human-controlled vehicles over tough terrain amid conflict and other real-world situations. RACER-Sim, as its name suggests, involves the creation of simulations in which these autonomous systems can be developed and tested before being tried out in the real world. That's useful because it's a good idea to perfect the code as much as possible in a virtual world, where it can do no actual harm or damage, before putting it behind the wheel of pricey and dangerous hardware.

    Continue reading

Biting the hand that feeds IT © 1998–2022