DARPA report finds vulnerabilities in Blockchain Tech, insecure crypto transactions

New research challenges the security of the ledger technology on which the blockchain software runs, and raises concerns about its use, from spending on cryptocurrency and trading to electronic voting.

Commissioned by the Defense Advanced Research Projects Agency, researchers reviewed the features and vulnerabilities of distributed ledger technology to measure whether the software is truly decentralized or free of external control.

Distributed ledger technologies refer to software that stores information on a secure, decentralized network where users need specific cryptographic keys to decrypt and access data. It is the key technology that drives cryptocurrency transactions. Commonly known as blockchain, distributed ledger technology should be decentralized to prevent a single player from tampering with information stored over the network.

“The report demonstrates the continuing need for careful review when considering new technologies, such as blockchains, as they are spreading in our society and economy,” said Joshua Baron, DARPA program leader overseeing the study. “We should not make a promise of security at face value, and anyone who uses blockchains for matters of high importance must think through the associated vulnerabilities.”

Authored by cybersecurity consulting firm Trail of Bits, the report found that some blockchain technologies may be mutable and susceptible to change, threatening the data stored in proof-of-work blockchain.

This conclusion stems from the increased centralization of general ledger related to popular cryptocurrencies, namely Bitcoin and Ehtereum.

“This report provides examples of how that immutability can be broken not by exploiting cryptographic vulnerabilities, but instead by undermining the properties of a blockchain’s implementations, networks and consensus protocols,” the report begins. “The data – and more importantly, the code – distributed to a blockchain is not necessarily semantically immutable.”

Several factors contribute to vulnerabilities within blockchain systems. A critical component of a secure and decentralized blockchain directory is the system of nodes, or participating computers, included in the network.

Should only one of these nodes not have the correct security protocols or only be operated by a dishonest actor, the data passing through the blockchain is subject to hacking or modification. This finding erodes the long-held notion of the blockchain’s inherent security and threatens the information stored in various blocks.

In addition, inconsistencies in the security protocol between nodes in a blockchain network or mining pool pose a threat to the security of each included node.

The report also notes that all Bitcoin protocol traffic in particular is unencrypted, which in principle does not pose a threat to data going between nodes in a network. However, should a third party within the network route between nodes be destroyed, external actors could potentially disrupt transactions in the general ledger.

Concerns about the software underlying cryptocurrency transactions arise as emerging technology encompasses a larger segment of the market and continues to be volatile. With an executive order and a series of bills, the federal government is seeking to find a regulatory grip on the cryptocurrency arena to better understand the new asset class and how it will affect the broader economy.