Cryptocurrency tech is vulnerable to tampering, a DARPA analysis finds
Whether prices are up or down, for many investors in cryptocurrency, the real appeal is that there’s nobody in charge.
As the crowd chanted at the recent Bitcoin 2022 conference in Miami, it’s all about “Freedom!” By design, the system is meant to be from interference by banks, companies and governments.
But a new report finds that the decentralized system might not be working as well as many crypto enthusiasts assume.
The report was commissioned by the Defense Advanced Research Projects Agency, or DARPA, and the work was done by the software security research company Trail of Bits.
Trail of Bits CEO Dan Guido says blockchain — the public ledgers that keep track of cryptocurrencies, which are replicated on computers around the world — isn’t the egalitarian tech its advocates claim.
“It’s been taken for granted that the blockchain is immutable and decentralized, because the community says so,” says Guido.
But in practice, he says, these networks have evolved in ways that concentrate power in the hands of certain people or companies, including the large pools of “miners” whose computers earn virtual currency by maintaining the blockchains.
Guido’s team calls these potential situations “unintended centralities” — situations in which someone gains leverage over the decentralized system, creating opportunities for tampering with the record of who owns what.
Another example in the report of this kind of concentration is the fact that 60% of Bitcoin traffic is handled by just three internet service providers.
“Let’s say somebody with great top-down control of the internet in their country starts to interfere with that network,” Guido says. By slowing down or stopping legitimate blockchain traffic, an attacker could become the “majority” voice in the consensus of what’s written to a blockchain at that moment.
“They can rewrite history. They can censor transactions. They can make it so that you can’t spend your Bitcoin,” says Guido. “It’s definitely something people would want to do if they want to ‘grief’ the network.”
The notion of this kind of attack isn’t new, but what the Trail of Bits report does is compile research into different kinds of “unintended centralities” to better understand the technology’s overall vulnerability.
Some of the findings are “eyebrow-raising,” says Josh Baron, project manager of the unit at DARPA that commissioned the report.
“For example, the idea that 21 percent of Bitcoin nodes are running an old version of the Bitcoin core client that’s known to be vulnerable,” Baron says, referring to the basic software running that blockchain. That means all those computer are open to the same kind of hack — a big first step for an attacker trying to dominate a blockchain network, sometimes called a “51 percent attack.”
“You’re already worried about 51 percent, and now I’m telling you that 21 percent are just out there for the taking, as it were. That’s that’s not great,” Baron says.
So far, the risks outlined in the report don’t seem to be a major concern for the cryptocurrency business. NPR approached some of the larger companies, such as Coinbase, for a response, but they declined.
Yan Pritzker, co-founder of a smaller Bitcoin services company called Swan, told NPR he sees the risks as “theoretical.”
“If this kind of attack is possible, why hasn’t it happened?” Pritzer asks. “I think the proof is in the pudding a little bit. In real-world conditions, these things don’t happen.”
Pritzker agrees with the report on this point: There is more centralization in some of the newer forms of cryptocurrency, especially those that rely on a system called “proof of stake,” which uses less computing power. He’s more confident in the resilience of Bitcoin, because its energy-intensive “proof of work” blockchain would take much more computing energy to corrupt.
Pritzker also points out that this research was commissioned by a government agency.
“They’re basically doing endgame research,” he says of reports like this. “Their game is, ‘how do we get better control of the currency,’ and ‘how do we build better systems for our control of the currency’.”
Christian Catalini, founder of the MIT Cryptoeconomics Lab, sees the report as useful, but not too worrying.
“Some of the concerns I think are valid, but maybe the danger to the broader ecosystem is a little overstated,” he says, noting that it’s important to keep in mind that cryptocurrency systems aren’t completely autonomous. Loose associations of humans — volunteers and “core developers” — are working constantly to maintain and improve them.
“You could imagine some of the issues [in the report] being exploited, eventually — and I think it will happen potentially for some of these,” Catalini says. “[But] the community can always coordinate, respond and, I think over time, will get better at developing the right solutions.”
Because cryptocurrencies are decentralized, with no oversight by governments or central banks, those solutions will require the attention and consensus of the participants in those networks.
At Trail of Bits, Dan Guido says he thinks cryptocurrencies and blockchain have a promise, but anybody investing in them should consider them to be still in the “prototype” stage.
“Everybody needs to know kind of what they’re buying, what they’re buying into — what they’re going to trust,” Guido says. “And there’s a lot here that you should not trust. At least, not today.”