Cryptocurrency technology vulnerabilities could compromise how it runs: DARPA: NPR
Whether prices are up or down, for many investors in cryptocurrency, the real appeal is that no one is in charge.
As the crowd sang at the recent Bitcoin 2022 conference in Miami, it’s all about “Freedom!” By design, the system is intended to be free from interference from banks, companies and authorities.
But a new report finds that the decentralized system may not work as well as many crypto enthusiasts assume.
The report was commissioned by the Defense Advanced Research Projects Agency, or DARPA, and the work was carried out by the software security research company Trail of Bits.
Trail of Bits CEO Dan Guido says the blockchain – the public ledger that tracks cryptocurrencies, replicated on computers around the world – is not the egalitarian technology that its spokesmen claim.
“It has been taken for granted that the blockchain is immutable and decentralized, because society says so,” says Guido.
But in practice, he says, these networks have evolved in ways that concentrate power in the hands of certain individuals or companies, including the large pools of “miners” whose computers earn virtual currency by maintaining blockchains.
Guido’s team calls these potential situations “unintentional centralities” – situations where someone gains influence over the decentralized system, creating opportunities to tamper with the record of who owns what.
Another example in the report of this type of concentration is the fact that 60% of Bitcoin traffic is handled by only three ISPs.
“Let’s say that someone with good top-down control over the internet in their country is starting to disrupt the network,” says Guido. By slowing down or stopping legitimate blockchain traffic, an attacker can become the “majority” vote in the consensus on what is written to a blockchain at that moment.
“They can write about history. They can censor transactions. They can do it so you cannot use your Bitcoin,” says Guido. “It’s definitely something people want to do if they want to ‘grieve’ the network.”
The notion of this type of attack is not new, but what the Trail of Bits report does is gather research on different types of “unintentional centrality” to better understand the technology’s general vulnerability.
Some of the findings are “eyebrow-raising”, says Josh Baron, project manager for the unit at DARPA, which commissioned the report.
“For example, the idea that 21 percent of Bitcoin nodes run an old version of the Bitcoin Core client that is known to be vulnerable,” says Baron, referring to the basic software that runs that blockchain. This means that all of these computers are open to the same type of hack – a major first step for an attacker trying to dominate a blockchain network, sometimes called a “51 percent attack.”
“You’re already worried about 51 percent, and now I’m telling you that 21 percent is just out there, so to speak. That’s not good,” Baron said.
So far, the risks outlined in the report do not appear to be a major concern for the cryptocurrency business. NPR approached some of the larger companies, such as Coinbase, for comment, but they declined.
Yan Pritzker, co-founder of a smaller Bitcoin service company called Swan, told NPR that he sees the risk as “theoretical”.
“If this type of attack is possible, why has it not happened?” asks Pritzker. “I think the evidence is a bit in the pudding. Under real conditions, these things do not happen.”
Pritzker agrees with the report on this point: There is more centralization in some of the newer forms of cryptocurrency, especially those that rely on a system called “proof of stake”, which uses less computing power. He is more confident in the resilience of Bitcoin, because its energy-intensive “proof of work” blockchain would require much more energy to corrupt.
Pritzker also points out that this research was commissioned by a government agency.
“They basically do playoff research,” he says of reports like this. “Their game is, ‘how do we get better control over the currency’ and ‘how do we build better systems for our control over the currency’.”
Christian Catalini, founder of the MIT Cryptoeconomics Lab, sees the report as useful, but not too worrying.
“I think some of the concerns are valid, but perhaps the danger to the wider ecosystem is a bit exaggerated,” he says, pointing out that it is important to keep in mind that cryptocurrency systems are not completely autonomous. Loose associations of people – volunteers and “core developers” – are constantly working to maintain and improve them.
“You can imagine some of the problems [in the report] will be exploited, in the end – and I think it will potentially happen for some of these,” says Catalini. “[But] the community can always coordinate, respond and, I think over time, will be better at developing the right solutions.”
Because cryptocurrencies are decentralized, without the supervision of governments or central banks, these solutions will require the attention and consensus of the participants in these networks.
At Trail of Bits, Dan Guido says he believes cryptocurrencies and blockchains have promise, but anyone who invests in them should consider that they are still in the “prototype” stage.
“Everyone needs to know what they are buying, what they are buying into – what they are going to trust,” says Guido. “And there’s a lot here you should not trust. At least not today.”