A Titanic Problem: Is the Blockchain Really Unsinkable?
Every day new data breaches and hacking attacks teach us how fragile the world of digital security is.
At stake are our personal data, as well as our monetary possessions. While the concern for the former is a rather new phenomenon, the latter have been guarded by a multi-layered web of intermediaries. And still banks and other financial institutions regularly witness the weaknesses of this set-up. Below Igor Pejic, author of new book ‘Blockchain Babel: The Crypto-Craze and the Challenge to Business’, confronts the question: Is the Blockchain Really Unsinkable?
In recent years a technology hailed for immutability entered the stage: the blockchain. This cryptographically secured, distributed ledger technology was initially designed to bypass the financial system by enabling digital currencies, yet today banks are the most active in blockchain research, trying to reap the benefits of this supposedly tamper-proof ledger. But is the blockchain really unhackable?
In many a head there are probably stories whizzing around about stolen bitcoins and hacked exchanges. Mt. Gox is such a story. In 2014 Mt. Gox was the world’s largest crypto-exchange which processed around 70% of the world’s bitcoin transactions. 850.000 bitcoins were lost (of which around 200.000 were recovered). Further hacks such as the one of the Slovenian exchange Bitstamp followed. Most recently Quadriga, a Canadian exchange, made headlines because its founder Gerald Cotten supposedly passed away on a trip in India. He was the only one to knew the private keys to the wallets of 115,000 customers with funds worth $143m. That funds are thus not accessible and lost.
Yet when commentators use these examples to sow doubt about blockchain-security, they mix up different dimensions of data security, in particular data’s integrity during a transaction with its integrity before or after a transaction. The aforementioned hacks can be attributed to lax security standards aside of transactions such as the storage of private access keys. While parts of the crypto-sphere are reacting – Bitstamp has introduced two-factor authentication to access funds – many wallets and exchanges continue to operate with hair-raising security standards.
But what about the mechanism itself? Can attackers inject bogus transactions or rewrite past ones? This answer depends on the validation mechanism each particular blockchain uses. Let us illustrate this with bitcoin and other chains that work with so-called proof-of-work validation. In this set-up, validator nodes, also known as miners, are investing massive computing power to solve a mathematical puzzle with trial and error mechanisms. They are interested in the “right” solution, because only if they find it first, they are rewarded with freshly minted coins. Once found, the correct value can be verified quickly by the network. The major danger here is that a possible attacker gains control over more than 50% of the hashing power in a network and can vote a wrong truth into reality. The attacker could then submit a transaction to the network, and after getting the good or service he paid for simply use his computing majority to fork the network at a point in time before he sent the money.
Critics will point to the infamous DAO-hack. The DAO (Decentralized Autonomous Organization) was a leaderless organization that issued a token built on Ethereum’s smart contract code. A hacker exploited a cryptographic vulnerability to capture $50m. An ideological conflict of the Ethereum community prevented a soft fork that would have reversed the hack. Thus, a hard fork split the chain into Ethereum (version without the hack) and Ethereum Classic (version including the hack). But even this example was not a hack of the blockchain, but rather a bug that pestered the DAO-code sitting on top of the Ethereum-blockchain. Despite many problematic constellations – e.g. a high concentration of mining pools, as well as a limited number of ISPs hosting large parts of prominent blockchains – the mechanism as such has never been hacked. Attacks are very expensive and the advantages for the most part short-lived.
Does this mean the blockchain is immutable? No. We have to get the fairytale out of our heads that there is something like absolute security. There is always a way to trick the system, even if it is highly unlikely as the aforementioned 51%-attack. The question we should ask instead is whether blockchain is more secure than current systems. What most most critics of new payment technology do not know is that even the SWIFT-network, which enables monetary transactions between 11.000 financial institutions worldwide, has been subject to hacking in the past. In one heist, banks in Bangladesh and Ecuador lost millions. Blockchain technology has proven to be less susceptible to several attack vendors while doing away with intermediaries. This should render the discussion about absolute immutability superfluous.