DARPA report exposes blockchain vulnerabilities

DARPA report exposes blockchain vulnerabilities

DARPA report exposes blockchain vulnerabilities

How secure are Bitcoin and Ethereum, really? We often hear that Proof-of-Stake blockchains could theoretically become centralized in the hands of a few rich players, while Bitcoin and Ethereum (for now) are relatively immune.

Now, a new Defense Department-sponsored study reveals that most blockchains are more centralized (and thus less secure) than we’re led to believe.


An uncomfortable report

Trail of Bits, a cybersecurity research and consulting firm whose clients include Google, Microsoft and Meta, released an important study on June 21 entitled “Are Blockchains Decentralized?” It concludes that many blockchains are more vulnerable to centralization dangers than previously thought.

The report was produced for the US Defense Advanced Research Projects Agency (DARPA), an agency founded in 1958 to manage the development of emerging technologies for use by the Department of Defense. The agency developed and furthered much of the conceptual basis for ARPANET, the prototypical communications network that became today’s Internet.

Research focused mainly on Bitcoin, revealing several security weaknesses that could be exploited by bad actors to gain greater control of the network.


Bitcoin nodes

According to the report, approximately 6–11% of Bitcoin nodes are responsible for reaching consensus and communicating with miners, while a “vast majority of nodes do not meaningfully contribute to the health of the network.”

Bitcoin nodes store and verify blocks, monitor the health and security of the Bitcoin blockchain and validate transactions. Nearly all nodes run the same client software, known as Bitcoin Core; the current version is 23.0.

The study found that 21% of Bitcoin nodes are running older versions of Bitcoin Core, known to have vulnerabilities including the possibility of consensus errors. “It is vital that all DLT nodes operate on the same latest version of software, otherwise, consensus errors can occur and lead to a blockchain fork,” the report states.

Another issue is the uneven geographic distribution of nodes, making routing attacks possible. “What would happen if a malicious internet service provider or nation-state decided to block or filter all DLT traffic?”

A further weak point is Bitcoin’s Stratum mining protocol. The current version is unencrypted and has other security flaws that will be addressed in an upcoming V2. Malicious attacks can “estimate the hashrate and payouts of a miner in the pool” and “manipulate Stratum messages to steal CPU cycles and payouts from mining pool participants.”


ISP bottlenecks

The report also noted that Bitcoin protocol traffic is unencrypted, and since at least 2021, 60% of all network traffic uses only three ISPs. Countries hosting the most nodes are the US (about 1/3), Germany (25%), France (10%), The Netherlands (5%) and China (3%).

This is a problem because “ISPs and hosting providers have the ability to arbitrarily degrade or deny service to any node.”


Holding your own keys

Finally, a majority of cryptocurrency traders appear to be using centralized custodial exchanges, rather than managing and storing their own credentials in a non-custodial environment (like Exodus).

This report is well-timed. Last week, Solana-based DeFi lending protocol Solend put together a governance proposal to take control of a whale’s wallet that was facing liquidation and threatening to strain its resources. It was initially passed by a single Solana whale. A Twitter uproar forced a second proposal to invalidate the first. Several observers remarked that this would damage DeFi’s image.

Fixing these vulnerabilities is easier with blockchains developed by centralized entities. Bitcoin has a tougher road, since all security updates must be made by consensus.

In any case, this report is a sobering reminder that cryptocurrency is still a young and imperfect technology, and malicious behavior is improbable but not impossible.

This content is for informational purposes only and is not investment advice. You should consult a qualified licensed advisor before engaging in any transaction.

Get insider crypto knowledge and product updates from the world’s leading crypto wallet
Sign me up