A report commissioned by the Pentagon concluded that the blockchain is not decentralized, is vulnerable to attacks and is running outdated software.
The report, “Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers”, found that a subset of participants can “exert excessive and centralized control over the entire blockchain system.”
The findings of the report are a cause of concern for a wide range of sectors, but especially serious for security, fintech, big tech and the crypto industries, which continue to grow.
The Pentagon’s research arm, the Defense Advanced Research Projects Agency (DARPA), engaged Trail of Bits—a security research organization—to investigate the blockchain. Trail of Bits focused on Bitcoin and Ethereum, the two leading cryptocurrencies in the global market.
Trail of Bits says that it takes only four entities to disrupt Bitcoin and only two to disrupt Ethereum. Additionally, 60% of all Bitcoin traffic moves through just three ISPs. The organization also identified outdated and unencrypted software and blockchain protocols.
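The “four entities” and “two entities” figures are the kind of result a concentration count produces: rank the participants by their share of the resource that decides consensus (hash rate for proof-of-work), then count how many of the largest must collude to cross a control threshold. This is commonly called the Nakamoto coefficient. The following is an added example with constructed, illustrative shares; it is not the report’s data or code, and the threshold values are parameters, not figures taken from the report.

```python
# Constructed hash-rate shares, in whole percent, per named entity (e.g. a
# mining pool). These numbers are illustrative only, not measured Bitcoin or
# Ethereum data.
SAMPLE_SHARES = {
    "pool-A": 20, "pool-B": 15, "pool-C": 12, "pool-D": 10, "pool-E": 8,
    "pool-F": 7,  "pool-G": 6,  "pool-H": 5,  "pool-I": 4,  "pool-J": 3,
}  # sums to 90; the remaining 10% is unattributed and credited to nobody


def nakamoto_coefficient(shares, threshold_pct):
    """Smallest number of entities whose combined share reaches threshold_pct.

    Returns (count, chosen_entities, combined_pct). count is None when the
    listed entities cannot reach the threshold even together (the unattributed
    remainder is never assumed to be on the coalition's side).
    """
    ranked = sorted(shares.items(), key=lambda kv: kv[1], reverse=True)
    combined, chosen = 0, []
    for name, pct in ranked:
        combined += pct
        chosen.append(name)
        if combined >= threshold_pct:
            return len(chosen), chosen, combined
    return None, chosen, combined


def concentration_report(shares, thresholds=(51, 34)):
    """Coefficient at each threshold: 51% is the hash-rate majority needed to
    outpace honest proof-of-work miners; a one-third threshold is the level at
    which protocols with BFT-style finality can be stalled. Which thresholds
    matter is set by the protocol under review."""
    return {t: nakamoto_coefficient(shares, t) for t in thresholds}


def merged(shares, *names, label="merged-operator"):
    """Return a copy of `shares` with the named entities treated as one
    operator. Useful for re-running the count when separate pools are found
    to share ownership or infrastructure."""
    out = {k: v for k, v in shares.items() if k not in names}
    out[label] = sum(shares[n] for n in names)
    return out


if __name__ == "__main__":
    for threshold, (count, who, pct) in concentration_report(SAMPLE_SHARES).items():
        print(f"{threshold}%: {count} entities ({', '.join(who)}) control {pct}%")
    count, who, pct = nakamoto_coefficient(merged(SAMPLE_SHARES, "pool-C", "pool-D"), 51)
    print(f"if pool-C and pool-D are one operator: {count} entities control {pct}%")
```

The two-threshold report shows why a single number understates the risk: the same share table gives a different answer for each threshold, and merging two entities that turn out to be one operator lowers the coefficient further.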
The Pentagon’s report surfaced just weeks after the Luna crypto crash. In May 2022, the decentralized stablecoin TerraUSD—pegged 1:1 to the U.S. dollar—dropped to 30 cents when an algorithm running on the blockchain collapsed. Financial experts warn that the Luna crash was an important lesson about the risks of the blockchain.
Since the Luna crash, cryptocurrencies have been in full meltdown, with billions of dollars lost and investors cashing out their crypto assets. Cryptocurrencies continue to be affected by the global economy, supply chain problems, federal interest rate hikes, inflation and a looming recession. The DARPA-commissioned report only adds more concerns about the blockchain and affects investors’ perception and confidence.
Furthermore, the crypto world and blockchain operations are now deeply entangled in many industries that have penciled out plans to use cryptocurrencies due to their agility, immediacy, product potential and capacity to provide easier access to financial services to the global population. Security remains a top priority, challenge and concern in this new digital financial era.
“The safety of a blockchain depends on the security of the software and protocols of its off-chain governance or consensus mechanisms,” the Trail of Bits report says. Trail of Bits researchers registered multiple accounts with mining pool sites and studied their code where it was available. Their discoveries are shocking.
According to Trail of Bits, ViaBTC, a leading global mining pool, assigns the password “123” to its accounts. Poolin, another mining organization, does not validate credentials at all, and Slushpool—which has mined more than 1.2 million Bitcoin since 2010—instructs users to ignore the password field. Combined, these three mining pools account for about 25% of the Bitcoin hash rate, or total computing power.
Trail of Bits warns that nodes of the kind used by crypto miners can easily be deployed on an inexpensive cloud server. These can be used to flood the network with fake identities in what is known as a Sybil attack. A Sybil attack can in turn be used to mount an eclipse attack, in which a malicious actor isolates users by denying them access to honest nodes.
Trail of Bits presented evidence that a dense subnetwork of public nodes is largely responsible for reaching consensus and communicating with miners. An example of a Sybil attack was linked to a malicious actor believed to be from Russia. The attacker gained control of up to 40% of Tor exit nodes and used them to rewrite Bitcoin traffic.
Software errors and bugs are also a main security concern in the blockchain. Ideally, all nodes would run the same, latest version of the software, but that is not the case. Software bugs have already caused blockchain errors in Ethereum, and 21% of Bitcoin nodes are running an older version of the Bitcoin Core client that is known to be vulnerable, Trail of Bits says.
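A node operator can check two of the conditions described above (outdated peer software, and connectivity funnelled through a few network prefixes) from the node’s own peer list. The following is an added example, not code from the report or from Bitcoin Core. It works on records in the shape of `bitcoin-cli getpeerinfo` output, using only the `addr` and `subver` fields; the peer list is constructed with documentation-range addresses, and the minimum acceptable version is an assumed placeholder, since the article does not name the vulnerable release.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of `bitcoin-cli getpeerinfo` output (only
# the two fields used here). Addresses are from documentation ranges
# (RFC 5737 / RFC 3849), not real peers.
SAMPLE_PEERS = [
    {"addr": "203.0.113.5:8333",    "subver": "/Satoshi:23.0.0/"},
    {"addr": "203.0.113.77:8333",   "subver": "/Satoshi:0.21.1/"},
    {"addr": "203.0.113.90:8333",   "subver": "/Satoshi:22.0.0/"},
    {"addr": "198.51.100.8:8333",   "subver": "/Satoshi:0.20.1/"},
    {"addr": "192.0.2.19:8333",     "subver": "/btcwire:0.5.0/btcd:0.23.3/"},
    {"addr": "[2001:db8::1]:8333",  "subver": "/Satoshi:23.0.0/"},
]

# ASSUMED minimum acceptable Bitcoin Core version; a real check would use the
# first release that fixed whatever bug the operator is concerned about.
MIN_CORE_VERSION = (22, 0, 0)

# Bitcoin Core advertises itself as "/Satoshi:MAJOR.MINOR[.PATCH]/"; releases
# before 22.0 used a leading zero ("/Satoshi:0.21.1/"), which tuple
# comparison orders correctly below 22.0.0.
SUBVER_RE = re.compile(r"/Satoshi:(\d+)\.(\d+)(?:\.(\d+))?")


def parse_core_version(subver):
    """Return the Bitcoin Core version as an int tuple, or None for other
    client software (which needs its own version policy)."""
    m = SUBVER_RE.match(subver)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def outdated_peers(peers, min_version=MIN_CORE_VERSION):
    """Addresses of Core peers running a version older than min_version."""
    flagged = []
    for p in peers:
        v = parse_core_version(p["subver"])
        if v is not None and v < min_version:
            flagged.append(p["addr"])
    return flagged


def peer_host(addr):
    """Strip the port from 'host:port' (IPv4) or '[host]:port' (IPv6)."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0]


def netgroup_counts(peers, prefix=16):
    """Count IPv4 peers per /prefix network. Many peers inside one prefix
    means few independent paths into the network, which is the condition an
    eclipse attack relies on; IPv6 and onion peers are left out of this count."""
    counts = Counter()
    for p in peers:
        ip = ipaddress.ip_address(peer_host(p["addr"]))
        if ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            counts[str(net)] += 1
    return counts


def largest_netgroup_share(peers, prefix=16):
    """Fraction of IPv4 peers that sit in the single most common /prefix."""
    counts = netgroup_counts(peers, prefix)
    total = sum(counts.values())
    return (max(counts.values()) / total) if total else 0.0


if __name__ == "__main__":
    print("outdated peers:", outdated_peers(SAMPLE_PEERS))
    print("peers per /16:", dict(netgroup_counts(SAMPLE_PEERS)))
    print(f"largest /16 share: {largest_netgroup_share(SAMPLE_PEERS):.0%}")
```

On a live node the same functions can be fed the parsed JSON of `getpeerinfo`; a high share in one prefix is a reason to add outbound connections to peers in other network groups, and outdated peers are worth noting even though only the operator’s own upgrade is under their control.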
Blockchain software developers and maintainers, and millions of crypto users around the world are also being targeted in attacks, along with mainstream technology sites that are beginning to use the blockchain as a new source of income.