Photo of the Pentagon.
Image: Pentagon via DHR Virginia.

A report commissioned by the Pentagon concluded that the blockchain is not decentralized, is vulnerable to attacks and is running outdated software. The report, “Are Blockchains Decentralized, Unintended Centralities in Distributed Ledgers”, uncovered that a subset of participants can “exert excessive and centralized control over the entire blockchain system.”

The findings of the report are a cause of concern for a wide range of sectors, but especially serious for security, fintech, big tech and the crypto industries, which continue to grow.

The Pentagon’s research arm, Defense Advanced Research Projects Agency (DARPA), engaged Trail of Bits—a security research organization—to investigate the blockchain. Trail of Bits focused on Bitcoin and Ethereum, the two leading cryptocurrencies in the global market.

Trail of Bits says that it only takes four entities to disrupt Bitcoin and only two to disrupt Ethereum. Additionally, 60% of all Bitcoin traffic moves through just three ISPs. Outdated and unencrypted software and blockchain protocols were also identified by the organization.

Cryptocurrencies and the new era of digital finance

The Pentagon’s report surfaced just weeks after the Luna crypto crash. In May 2022, the decentralized stable coin TerraUSD—pegged 1:1 to the U.S. dollar—dropped to 30 cents when an algorithm running on the blockchain collapsed. Financial experts warn that the Luna crash was an important lesson about the risks of the blockchain.

Since the Luna crash, cryptocurrencies have been in full meltdown with billions of dollars being lost and investors cashing out their crypto assets. Cryptocurrencies continue to be affected by the global economy, supply chain problems, federal interest hikes, inflation and a looming recession. The DARPA commissioned report only adds more concerns about the blockchain and affects investors’ perception and confidence.

Furthermore, the crypto world and blockchain operations are now deeply entangled in many industries that have penciled out plans to use cryptocurrencies due to their agility, immediacy, product potential and capacity to provide easier access to financial services to the global population. Security remains a top priority, challenge and concern in this new digital financial era.

SEE: Mobile device security policy (TechRepublic Premium)

The blockchain security challenges

“The safety of a blockchain depends on the security of the software and protocols of its off-chain governance or consensus mechanisms,” the Trail of Bits report says. Trail of Bits researchers registered multiple accounts with mining pool sites to study its code when available. Their discoveries are shocking.

According to Trail of Bits, ViaBTC, a leading global mining pool, assigns the password “123” to its accounts. Pooling, another mining organization, does not even validate credentials at all, and Slushpool—which has mined more than 1.2 million Bitcoin since 2010—instructs users to ignore the password field. Combined, these three mining pools account for about 25% of the Bitcoin hash rate, or total computer power.

Trail of Bits warns that nodes used by crypto miners can be easily deployed using an inexpensive cloud server. These can be used to flood the network in what is known as a Sybil attack. Sybil attacks can execute an eclipse attack, where a malicious actor seeks to isolate users by denying access to the nodes.

Trail of Bits presented evidence that a dense subnetwork of public nodes is largely responsible for reaching consensus and communicating with miners. An example of a Sybil attack was linked to a malicious actor believed to be from Russia. The attacker gained control of up to 40% of Tor exit nodes and used them to rewrite Bitcoin traffic.

Additionally, software errors and bugs are also a main security concern in the blockchain. Ideally, all nodes should operate under the same latest version of the software but that is not the case. Software bugs have already caused blockchain errors in Ethereum and 21% of Bitcoin nodes are running an older version of the Bitcoin Core client, known to be vulnerable, Trail of Bits says.

Blockchain software developers and maintainers, and millions of crypto users around the world are also being targeted in attacks, along with mainstream technology sites that are beginning to use the blockchain as a new source of income.

Big Tech and the Web3 marketing revolution

The new DARPA report finds big tech in a critical moment, with many top companies already heavily investing in blockchain technology. For decades, big tech’s main source of revenue has been online advertising. However, the global trend driven by users’ privacy concerns, is bringing the third-party era to an end, significantly affecting online advertising revenues.

All big tech companies—Meta Platforms, Spotify, Paypal, Twitter, Google, Apple, Alibaba, Microsoft and others—are pivoting to Web3 and blockchain in search of new sources of income.

Microsoft for example, in 2016, developed Project Bletchley, a blockchain as a service (BaaS) project. Since then the company has continued to explore crypto opportunities. In 2021, Microsoft was also awarded a U.S. patent for blockchain software that would create crypto tokens. On May 31, 2022, Microsoft announced it will be allowing advertising for cryptocurrency exchanges in the U.S., limited to the Microsoft Advertising Search Network.

While Microsoft focuses on technical solutions, other companies like Meta Platforms or Twitter, direct their investments into mainstream use of blockchain. On November 10, 2021, Twitter formally launched Twitter Crypto—a specialized crypto team—to build its blockchain and Web3 services. Crypto expert Tess Rinearson, working with cryptocurrency since 2015, was called to lead the team. Twitter has been exploring and developing crypto payments, crypto tips, creator monetization, NFTs and decentralizing social media.

In similar ways, other big tech companies are looking into the future of the blockchain.In November 2021, Apple’s CEO Tim Cook said during the NYT Dealbook Conference that the company is looking into cryptocurrencies. While Cook did not reveal exactly what Apple is working on, he hinted to NFTs and accepting crypto on Apple Pay.

The new Trail of Bits report warns big tech, as they develop their future. “The report demonstrates the continued need for careful review when assessing new technologies, such as blockchains, as they proliferate in our society and economy,” said Joshua Baron, DARPA program manager overseeing the study.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

The rise of the crypto market, risks and opportunities

Cryptocurrencies saw massive adoption during the pandemic years, which drove a global digital transformation and acceleration. In 2021, Bitcoin achieved, after 12 years, a milestone that took companies like Amazon, Apple or Microsoft from 21 to 44 years to achieve: A $1 trillion market valuation. As the popularity of cryptos rose, governments and banks stepped up to keep ahead of the curve, often testing the waters to regulate the sector, unsuccessfully.

One of the biggest challenges of the blockchain is its global expanding dimensions and rich diversity. The “Global Cryptocurrency Market” report of Skyquest, valued the crypto market at $1.85 billion in 2021 and expects it to reach $32.5 billion by 2028. Not only are millions of users turning to cryptos but thousands of new and old companies are now working on the blockchain.

Roland Berger says there are about 12,000 crypto projects and companies operating by January 2022. The number of Crypto Unicorn companies—valued at over $1 billion—increased by an incredible 491% in 2021.

A vulnerable blockchain environment—as described by the Trail of Bits report—puts these companies, their investments, years of work and hundreds of thousands of jobs at risk.

These companies are developing finance services, asset tokenization, the metaverse, NFTs, supply chain management solutions, capital markets and insurance products, and crypto mining and staking, among others. They are poised to disrupt and affect all industries. But is the world ready for a blockchain shift?

“We should not take any promise of security on face value and anyone using blockchains for matters of high importance must think through the associated vulnerabilities,” Baron from DARPA concludes.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday