Blockchain Security: Protecting Distributed Ledger Technology

Blockchain technology – and more generally distributed ledger technology – has rapidly gained adoption and investment in recent years. Blockchain-based solutions such as Decentralized Finance (DeFi) have reached billions in total value locked (TVL).

One of the main selling points of blockchain technology is that it relies on cryptographic protocols and code for security rather than a centralized organization. Errors in the design and implementation of blockchain protocols and projects have exposed them to large-scale, expensive attacks with billions of dollars in losses to date. Many of the top hacks — such as Ronin, Poly Network, and BNB Bridge — exploited flaws in the cross-chain bridges that link blockchains together for over $500,000 apiece.

Blockchain cybersecurity is essential to protecting these systems and the value that they hold from potential attacks. This includes ensuring that blockchain systems are designed, implemented, and operated correctly.

Understanding Blockchain Cybersecurity

The core purpose of blockchain technology is to create a decentralized, immutable digital ledger. This ledger can be used to record cryptocurrency transactions or the code executed on a smart contract platform.

Instead of relying on a single, central authority – such as a financial institution – to maintain an official ledger, blockchain technology relies on a decentralized network of mutually-distrusting nodes.

The blockchain protocol is designed to incentivize good behavior by these nodes by making it more profitable than potential attacks. Some of the key components of blockchain security include the following.

Ledger Immutability

A blockchain’s digital ledger is designed to be immutable, meaning that it should be infeasible to change the ledger after a transaction is included in a block. Blockchain immutability is vital to security because each node in the blockchain network maintains its own copy of the ledger. If that copy was mutable, the node could rewrite history to its own benefit.

Blockchain Consensus Algorithms

Blockchain systems don’t have a central authority responsible for defining the official version of each block or the ledger as a whole. Blockchain consensus algorithms such as Proof of Work (PoW) or Proof of Stake (PoS) are designed to decentralize control over the process of adding blocks to the ledger, preventing any one party from having too much power or the ability to censor transactions.

One of the key attributes of a blockchain consensus algorithm is Byzantine Fault Tolerance (BFT). BFT ensures that the blockchain network can reach a consensus on the state of the ledger even if some nodes are malicious and lie for their own benefit.

Application Security

Blockchain systems are multi-layer applications. The blockchain software itself is an application that nodes run to maintain the environment. In smart contract platforms, these applications include virtual machines (VMs) that run smart contract code. The smart contracts run within these VMs are also applications.

This makes application security vital to the security of blockchain systems. Most blockchain security incidents are caused by design or implementation errors in blockchain applications. For example, the biggest hack of the Bitcoin blockchain — which was later rolled back — exploited an integer overflow vulnerability, not an issue with the protocol itself.

Key Blockchain Security Challenges

400;”>Hacks are common in blockchain ecosystems, and they can have various causes. However, in general, the root causes of these incidents can be grouped into a few main categories.

Protocol Vulnerabilities

Blockchain protocols are designed to ensure the immutability of the digital ledger and protect against various potential blockchain security threats. In general, they’ve done an excellent job. For example, Bitcoin – the original blockchain – has never suffered a hack due to an error in the protocol design. However, this is not true of systems built on top of the blockchain, and some security risks are built into the blockchain protocol. 

The most famous of these is the 51% attack where an attacker who controls over 51% of the computational power in a PoW network can rewrite the history of the blockchain. Since PoW is designed to implement a majority vote (with computational power as votes), this is an unavoidable risk since the majority should win the vote (even if they’re malicious).

Most design errors in blockchain protocols occur at higher levels, such as DeFi contracts. For example, reentrancy and price manipulation vulnerabilities – both common causes of DeFi hacks – are examples of vulnerabilities stemming from the design of the protocol.

Programming Vulnerabilities

The other primary source of vulnerabilities in blockchain protocols is implementation errors. Blockchains are created using software, and the functionality written in the code doesn’t always match the designer’s intent.

Vulnerabilities are especially common in smart contracts, which are programs that run on top of a blockchain platform. One example of a famous smart contract vulnerability is reentrancy, which was the cause of the $50 million DAO hack on the Ethereum blockchain. 

Key Management

Blockchain protocols use public key cryptography to control access to blockchain accounts. All transactions on the blockchain are digitally signed using the private key associated with the blockchain account.

Many blockchain hacks were caused by compromised private keys. An attacker might steal a private key using phishing attacks, malware, or similar means. With access to those keys, the attacker could transfer cryptocurrency out of the user’s account or use it to access privileged functionality. The Mixin Network hack in September 2023 — in which the attackers stole an estimated $200 million — was likely caused by compromised private keys.

Blockchain Security Issues and Mitigation Strategies

Blockchain protocols suffer from various security risks and potential attacks. These are some best practices for managing the major risks to blockchain security.

51% Attack

A 51% attack is an inherent security risk of blockchain networks. In a system that implements majority rule, there is the risk that an attacker might acquire a majority stake.

The most effective way to protect against a 51% attack is to build a large community of miners. This makes it more expensive for an attacker to gain a majority stake. For example, the reason why Ethereum Classic suffered various 51% attacks in 2020 and Bitcoin has suffered none is that Bitcoin has a much larger mining community and hash power.

Smart Contract Vulnerabilities

Smart contracts such as DeFi projects can contain programming errors that leave them vulnerable to attack. Many of the largest and most expensive smart contract hacks – such as the hack of Poly Network for $611 million – exploited vulnerabilities in smart contracts.

The risk of smart contract vulnerabilities can be greatly reduced by performing smart contract security audits before deploying code to the blockchain. Of the 20 biggest smart contract hacks where audits could have helped, 18 were of unaudited protocol or ones where the exploited vulnerability was outside the scope of past audits.

Data Privacy

Most blockchains’ distributed ledgers — with the exception of privacy chains like Monero — are designed to be transparent. Anyone in the blockchain network can read the contents of blocks and transactions. This means that sensitive data stored on the blockchain could be exposed to unauthorized users.

The best practice for data privacy is not to store sensitive data on the blockchain. Instead, the blockchain can be used to store a hash of the data (for data integrity) or a link to access-controlled data stored off-chain.

If sensitive data must be stored on-chain, it’s best to use a private, permissioned blockchain rather than a public chain such as Bitcoin or Ethereum. This enables an organization to control access to the blockchain and what data individual users can access.

Key Management

One of the most common causes of blockchain hacks is compromised private keys. An attacker with access to an account’s private key can perform transactions for that account. This can be used to steal money stored in the account or take advantage of the privileged access that the account might have with smart contracts.

The risk of key theft can be managed using multi-signature wallets, a technology also used in Kelvin Zero’s multipass. A multi-signature wallet breaks a secret key into multiple chunks where several chunks are required to generate a valid digital signature or require signatures from multiple keys to approve a transaction. For example, a multi-sig wallet may require 3 or 5 signers to agree to generate a transaction. This helps to protect against key theft since an attacker needs access to multiple keys to perform an attack.

The most expensive DeFi hack to date exploited poor key management for the Ronin Network cross-blockchain bridge. The bridge used a 5 of 9 approval scheme where the same organization controlled four keys and had access to the fifth. An attacker who gained access to the organization’s systems was able to approve a malicious transaction and steal $624 million from the protocol.

Emerging Technologies and Trends in Blockchain Security

Blockchain technology is an area of active, rapid research and development. Some of the technologies currently being explored and built into blockchain protocols and projects include zero-knowledge proofs, multi-party computation, and AI-driven security.

Zero-Knowledge Proofs

Zero-knowledge proofs (ZKPs) are designed to prove that some secret is true without revealing the secret itself. For example, a ZKP can prove that the value of a blockchain transaction is within a certain range without revealing the actual value.

ZKPs have a couple of applications in the blockchain space. One is to enhance privacy by limiting the information revealed on the blockchain network. Another is enhancing scalability by performing transactions off-chain and including proofs of their correctness — which are smaller than the transactions themselves — on the blockchain.

Multi-Party Computation

One of the biggest challenges in computing and data security is the fact that — with most encryption algorithms — data can’t be encrypted while in use. Outsourcing computing to a third party (or the blockchain) requires entrusting them with the data.

Multi-party computation (MPC) enables multiple parties to perform a shared computation on secret, individual data. Each party computes their part of the puzzle, and these contributions are combined to reach the final answer.

MPC is useful on the blockchain because all data placed on the digital ledger is public, and some protocols require a trusted setup to initialize decentralized protocols. MPC has the potential to truly decentralize these systems by eliminating the trusted setup.

AI-driven Security

Artificial intelligence has potential applications in most industries. In the software development space, a common use case is improving the development of secure code.

Many blockchain hacks are enabled by software vulnerabilities that attackers exploit. AI has the potential to identify vulnerabilities in smart contract code before it is released, reducing the risk of multi-million dollar blockchain hacks. 

Educating Users About Blockchain Security

User education is essential to the security of blockchain systems. Scams are a major risk on blockchain platforms. Training users to identify red flags of potential pyramid schemes and rug pulls can help them avoid investing in risky projects.

One of the most common causes of blockchain hacks is compromised private keys. If an attacker has access to a user’s private key, then they can perform transactions on the user’s behalf, stealing cryptocurrency from them. Cold and multi-signature wallets provide greater security than other wallet options by eliminating reliance on a single private key.

Blockchain users have numerous options to learn about blockchains and blockchain security. This includes free online content, online training, and books that perform more in-depth explorations of blockchain security topics.

Conclusion

Blockchains have matured to support complex protocols and safeguard large amounts of money. Blockchain security is essential to protecting these protocols against attacks and money from being stolen. Keeping up with the evolving blockchain security threat landscape is essential for blockchain developers and solutions architects.

At a personal level, the biggest blockchain security challenge is private key management. Protecting these keys against potential loss or theft can be difficult, and a private key, once lost, can be impossible to recover or result in a hack or the theft of valuable assets.

Kelvin Zero is creating next-gen passwordless authentication systems that can help organizations empower their users with technology to better safeguard their private keys and blockchain authorizations. Book a demo today to learn more about how your enterprise can replace passwords, and enhance private key security with cutting-edge, phishing-resistant MFA.