In recent months we have witnessed a true blockchain boom that has reached even the biggest companies. Supporters of this technology make big prophecies; some go as far as saying that the blockchain can change the world. The advantages are obvious: for instance, it can be used to store data more securely. And with some added cryptography, users can establish encrypted connections to that data and also exchange it with each other. In this post, we explain how best practices can facilitate the use of the blockchain in everyday mainstream applications, and what challenges you should expect.
As you probably already know, the blockchain is already in use as the foundation for exchanging cryptocurrencies such as Bitcoin or Ethereum. But do you know how blockchain technology can be used apart from payments? The answer is simple: almost everywhere, be it in the real estate market, in public administration, or in supply chains across different industry sectors.
The blockchain is a chain of hashes. A hash is a string of numbers and letters that can be computed from any text or data through a one-way function. To make things easier to understand, you may look at the following graphic, which shows an example of how the Bitcoin blockchain is built. Each block contains two hashes: the hash of the previous block's header, and the hash of the transaction it refers to (Proof of Work). A block's header contains meta-information such as the time of its creation. A chain of blocks connected in this way is the blockchain.
The generated hashes are not stored in a central system. Instead, every participating system holds a copy of all blocks. If a hash is generated on one system, it has to be stored on all systems before any system can generate a new hash. Anyone who tries to change or manipulate a hash must not only change all following hashes on one system, but also on all the other systems. This is one of the cornerstones of blockchain security.
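As an added illustration (not part of the original post), the following Python script builds a toy hash chain with the structure just described: each block's header commits to the previous block's header hash and to a hash of its transactions, a nonce satisfies a small proof-of-work target, and a validation routine shows why altering one block invalidates every block that follows it. The difficulty, field layout and sample transactions are constructed for the example and are much simpler than Bitcoin's.

```python
import hashlib
import json

DIFFICULTY = 2  # leading zero hex digits required of a header hash (toy value, far below Bitcoin's)
GENESIS_PREV = "0" * 64  # the first block has no predecessor

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tx_hash(transactions: list) -> str:
    # One hash over the serialised transaction list stands in for Bitcoin's Merkle root.
    return sha256_hex(json.dumps(transactions, sort_keys=True).encode())

def header_hash(prev_hash: str, txs_hash: str, timestamp: int, nonce: int) -> str:
    # The header links to the previous header and commits to this block's transactions.
    return sha256_hex(f"{prev_hash}|{txs_hash}|{timestamp}|{nonce}".encode())

def mine_block(prev_hash: str, transactions: list, timestamp: int) -> dict:
    # Proof of work: search for a nonce whose header hash starts with DIFFICULTY zeros.
    txs_hash = tx_hash(transactions)
    nonce = 0
    while not (h := header_hash(prev_hash, txs_hash, timestamp, nonce)).startswith("0" * DIFFICULTY):
        nonce += 1
    return {"prev_hash": prev_hash, "tx_hash": txs_hash, "timestamp": timestamp,
            "nonce": nonce, "transactions": transactions, "hash": h}

def build_chain(blocks_txs: list, start_time: int = 1500000000) -> list:
    # Constructed timestamps keep the example deterministic.
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(blocks_txs):
        block = mine_block(prev, txs, start_time + i)
        chain.append(block)
        prev = block["hash"]
    return chain

def validate_chain(chain: list) -> int:
    # Return -1 if every link holds, otherwise the index of the first block that fails a check.
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        recomputed = header_hash(b["prev_hash"], b["tx_hash"], b["timestamp"], b["nonce"])
        if (b["prev_hash"] != prev or tx_hash(b["transactions"]) != b["tx_hash"]
                or recomputed != b["hash"] or not recomputed.startswith("0" * DIFFICULTY)):
            return i
        prev = b["hash"]
    return -1

if __name__ == "__main__":
    chain = build_chain([[{"from": "alice", "to": "bob", "amount": 5}], [{"from": "bob", "to": "carol", "amount": 2}]])
    print("intact chain valid:", validate_chain(chain) == -1)
    chain[0]["transactions"][0]["amount"] = 500  # tamper with block 0: its tx hash no longer matches
    print("first failing block after tampering:", validate_chain(chain))
```

Re-mining only the altered block does not help either: the next block still references the old header hash, which is why an attacker would have to redo every following block, on every copy of the chain.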
Blockchain technology is also used on other platforms. One example is the Ethereum platform, on which decentralised programmes can be used to manage all sorts of transactions. These programmes are called "smart contracts".
Smart contracts allow the execution of transactions, together with their conditions, for which one would normally need a contract. All sorts of goods and services are already exchanged on the basis of smart contracts: for instance gold, jobs, insurance etc. In 2017, the City of Zug started a project for the identification of persons based on smart contracts. Residents use a digital ID connected to the Ethereum blockchain.
One of the greatest challenges is that once information has been written to the blockchain, it cannot be removed anymore. Since smart contract technology is still very young, it is very likely that development mistakes are made. An example: functions that access private data may be unwittingly declared as public, with disastrous consequences in specific cases.
Mistakes have already been made in smart contract functions that handle coin transactions, and criminals have gladly exploited them to steal Bitcoins or other cryptocurrencies. Programming errors, or bad code quality in general, are not only a security problem. It can happen that a smart contract cannot be fully executed on the Ethereum platform, and depending on the use case, one can lose cryptocurrency. And there is no doubt that such problems will be exploited for attacks.
Furthermore, it is important that smart contracts use a clear modular structure. You should limit yourself to implementing only the relevant operations, or to using functions that have already been tested. Regular reviews and tests help to ensure the optimal execution of smart contracts.
Cryptocurrencies are a preferred target for cybercriminals. It happens ever more often that attacks on systems and infrastructures are performed for the sole purpose of gaining access to the Ethereum platform. Typical targets are the web applications that users rely on to manage access to wallets or to perform transactions.
Targeted penetration tests can help to find vulnerabilities in your systems. They also improve your cyber security by checking the components of your IT architecture (web server, APIs, servers, network, data storage etc.) and the application used to manage the processes. Consider also that phishing attacks have recently been used increasingly to steal cryptocurrencies.
We at InfoGuard know the risks and challenges that the blockchain carries. Our experience in software testing and source code analysis can help you improve the quality of your source code and the maturity level of your security. Our penetration testers have the same competence as cybercriminals, but they work on behalf of and in the interest of our clients. They identify all the vulnerabilities that hackers might find as well. In addition, our security awareness campaigns have shown that there is still much to do in developing sensitivity to cyber attacks. But no worries! It is not too late yet.
Call us and we will help you improve the cyber security of your infrastructure and systems, as well as the quality of your smart contracts!