Blockchain technology has many advantages, the biggest of which is arguably, blockchain security. Through clever use of cryptography, decentralization and consensus algorithms, blockchain protocols enable clever ways to securely store and exchange information without the need for an overseeing institution or pre-existing trust between the different parties. Here’s why blockchain security works.
Basics of blockchain security
It all starts with Satoshi Nakamoto, the enigmatic creator of the original Bitcoin. In his seminal whitepaper “Bitcoin: A Peer-to-Peer Electronic Cash System”, Nakamoto proposes a way to make secure payments and avoid the double spend problem.
Decentralization lies at the heart of the proposed system. Nakamoto realizes that if the ledger containing the transactional history of a peer-to-peer network is shared among all members of that network, then everyone on the network can verify that no fraudulent transactions have been recorded in it. The only thing that is needed is a way to get everyone on the network to agree on which version of the ledger is the correct one. Nakamoto utilizes cryptography to power the first such mechanism – Proof of Work.
Bitcoin actually uses cryptography in two ways. For starters, it underpins the digital signatures that prove that individual transactions are valid. Verified transactions are then organized into discrete data packages we call blocks. And here comes the interesting part. The people that add new blocks to the ledger – we call those people miners – include an extra record in the block, a special number that ensures that the block produces a certain outcome when run through a mathematical algorithm called a cryptographic hash function. The key here is that finding such a number requires a lot of computational work, but verifying whether it’s valid is very easy – we only need to run the block through the hash function and check whether it produces the required outcome. Such numbers are known as а proof of work.
Finally, every new block also contains the proof of work of the block that precedes it. This essentially means that blocks are cryptographically linked.
This whole system guarantees that proof-of-work blockchains are immutable and resistant to hacking attacks.
Proof of stake
While proof of work has been instrumental in powering the first generation of blockchain protocols, the algorithm has its drawbacks – mainly its limited scalability and high energy consumption. That’s why contemporary blockchain development has been focused on finding alternatives to PoW and Proof of Stake has emerged as one of the most prominent consensus algorithms.
Under the PoS model, people need to stake tokens in order to become validators. The stake requirement is meant to ensure that a validator acts in the interest of the blockchain network. To that end, if validators are diligent in performing their duties – which typically include creating new blocks and validating the blocks they do not create – they are eligible for receiving staking rewards. Conversely, validators who engage in fraudulent activities, such as creating or validating malicious blocks, risk losing some of their staked tokens through a process called slashing. In addition, PoS models typically employ complex random algorithms for choosing who gets to create the next block, which adds another layer of security by making coordinating large scale attacks practically impossible.
Public vs private blockchains
Through the inception of Bitcoin more than a decade ago, the core design principles of blockchain technology were established. Blockchain protocols were public, permissionless and decentralized and had to feature some sort of a mechanism (a consensus algorithm) that could ensure that network participants could always trustlessly agree on what is the correct version of the blockchain ledger.
Those concepts informed the design of the next wave of flagship blockchain protocols such as Ethereum and Litecoin. However, as blockchain technology continued to evolve, blockchain developers started experimenting with more relaxed implementations of those core tenets. As a result, they started realizing that sometimes these more relaxed approaches opened interesting new possibilities. Private blockchains are a prime example of that.
Private blockchains are what happens when we disregard the permissionless principle completely. In other words, we build a blockchain network, but instead of leaving it open for anyone to join, we make it so that only entities who have permission can join in. This is why private blockchains are also called permissioned.
Private blockchains do not have the same level of security as their public counterparts. They are not completely trustless and are usually used to connect a small number of network members. The smaller the network, the more vulnerable it is to attacks, especially if a bad actor manages to impersonate a legitimate network member. There are also no guarantees that the network’s ledger cannot be tampered with,
All that creates the impression that private blockchains are inferior to public protocols. But while such a conclusion is not without merit, it also misses the point. It’s more accurate to say that private protocols are tuned to serve a specific use case and because of that their creators are willing to make sacrifices in some areas. For example, private blockchains are very useful for creating enterprise-grade solutions that businesses can use without having to compromise the privacy of their operations.
At the same time, there are certain techniques that allow private protocols to utilize the immutable ledgers of public blockchains like Ethereum to address some of their security shortcomings. With the help of mathematical instruments known as zero-knowledge proofs, for example, a private protocol can submit evidence that its stored data is valid to a public ledger without revealing the actual data.
The fact that private blockchains typically focus on a small number of stakeholders with known identity also allows those protocols to utilize a Proof of Authority (PoA) consensus algorithm. In addition to being lighter than their PoW and PoS counterparts, PoA algorithms actually address an apparent security weakness that’s inherent to PoS design.
Proof of Authority
Proof of Stake systems operate on the assumption that people with staked tokens in a network will be incentivized to act in the network’s interest, otherwise they risk losing their stake. So it seems reasonable to conclude that a bigger stake translates to greater motivation for the stakeholder to look after the success of the network. However, this line of thinking fails to take into account that while identical stakes may be equally valuable from a monetary standpoint, they might not be equally valued by their holders. For example, a person who has 20% of their total holdings staked in a network is likely to be much more invested in that network’s success than a person who has 1% of their holdings staked, regardless of the actual stake size.
PoA aims to solve this problem by having network validators stake their reputation instead of tokens. And since their reputation is on the line, stakeholders have internal motivation to work for the network’s success.
The drawback of PoA is that it requires validators to be known entities, which makes it impractical for large-scale decentralized systems.
Blockchain security issues
So if blockchain networks are so resistant, why are there so many instances of stolen crypto tokens? Well, those incidents typically occur as a result of frond-end exploits and human error, rather than problems with the blockchain layer. For example, a user responding to a phishing attack to reveal their wallet’s seed phrase or sending tokens to a fake address. Or a crypto exchange leaving funds in a hot wallet that can be targeted by hackers.
That said, there are some tactics that hackers can use to try to gain control over an entire network. It is important to note that those tactics become less effective as the level of decentralization of a network grows. In other words, networks with greater levels of decentralization have higher resistance to attacks.
A 51% attack happens when a bad actor or a group of bad actors manage to acquire more than half of a network’s computational power. A successful 51% attack means that the attackers gain control over the network’s ledger and can manipulate the information recorded on it.
Sybil attacks target reputation-based systems, aiming to gain control by forging fake identities.
Routing attacks can be used to hinder communications between network nodes, which can enable exploits like double spending and even lead to the creation of parallel blockchains.
Smart contract issues
While it’s not a type of attack, the quality of the smart contracts living on a blockchain shouldn’t be overlooked. Unoptimized, badly-written and especially malicious smart contract code can create vulnerabilities and enable exploits in a blockchain system. That’s why it is important for every bit of smart contract code to be thoroughly audited. The good news is that bad smart contracts do not affect the entire network, rather, their effect is limited to the decentralized apps using them.
In the years since Bitcoin’s inception, the term blockchain security has been increasingly used to describe a top-tier level of protection and with good reason. Blockchain technology was invented to provide a secure and trustless alternative to the financial sector – one of the most demanding industries in terms of security and regulation. So security is in the blockchain DNA. The rest is in the hands of the army of talented developers working tirelessly to build the best possible blockchain protocols and platforms.