TheHackerDev/Blockchain security research.md

## Blockchain security research.md

      
    Raw
  

              Blockchain security research.md
            
          
    What is a blockchain?


Distributed ledger system; for tracking the transfer of tokens (currency, data of any type).
A cross between economics, cryptography, and the internet.

Side note- if you ever wanted a financial incentive to get involved in cryptography, this is it.


A blockchain is literally a chain of blocks, where each block contains a list of transactions that everyone agrees have occurred.

Each block builds upon all the ones before it.


The purpose of a block is to confirm transactions in the ledger.

Ledger: historical database, containing all transactions that have ever happened since the blockchain was created.


Why blockchain is important


It is a new technology, similar to the internet of the early 90's. We don't know where it is going to go, but the technology enables a large number of new possibilities in both finance and business.
Provides absolute integrity (one third of the CIA triad), so long as no more than 50% are unified bad actors.

Non-repudiation as well.


Bitcoin


Started with Bitcoin- first implementation of blockchain technology

HashCash and B-Money both have elements of a blockchain in them, and there may be older versions still before those.

A list of work that heavily influenced bitcoin and blockchain's creation as we know them today: http://nakamotoinstitute.org/literature/


Distributed "cryptocurrency". Basically, a pseudonymous (not completely anonymous) currency that no one system or owner controls, and with substantially lower transaction fees.
Satoshi Nakomoto paper that gave an abstract, somewhat technical overview of the proposed system.

Whitepaper (PDF): https://bitcoin.org/bitcoin.pdf


Implementation: https://github.com/bitcoin/bitcoin

Written in C++
MIT License


Original requirements for Bitcoin:

Private
Anonymous
Censorship-resistent
Byzantine attack resilience (Byzantine General's problem: reaching consensus among a group of actors that do not trust one another.)
Decentralized


How Bitcoin works (at a high level)


New transactions are broadcast to all nodes.
Each node collects new transactions into a block.

New blocks are created by hashing (SHA-256) the text of the new transactions, the previous block's hash, and a nonce together.


Each node works on finding a difficult proof-of-work for its block.

Calculate the correct nonce to make the block less than a specific number.

Hash(prev_block_id, transactions, nonce) <= d?
This number (d) is adjusted by the network automatically to make the average mining time about 10 minutes. The difficulty is adjusted every 2016 blocks (~every 2 weeks). Smaller number == more difficult to guess.


"Proof-of-work": essentially trading electricity for consensus on the network.

Proof-of-work essentially makes it deliberately difficult to propose a "correct" block, which gives miners incentive to behave.

"The correct way of thinking about the proof-of-work concept is as a means for a group of self-interested people, none of whom is subordinate to any other, to establish a consensus against a considerable incentive to resist it. Bitcoin could operate perfectly well without proof-of-work, as long as everyone was perfectly honest and altruistic. If they are not, then reaching a consensus is difficult." (http://nakamotoinstitute.org/mempool/the-proof-of-work-concept/)


Uses a LOT of power, and growing. Estimated to be around 343 megawatts globally. Which is enough to power 285,833 US homes (this figure is from May 2015, and has likely increased since then). It is estimated that the global power usage for Bitcoin mining will exceed the power usage of the entire country of Denmark by 2020.

Obviously, this is why people are looking into other types of "proofs" that don't require an electricity trade-off at that scale.


Difficulty: https://en.bitcoin.it/wiki/Difficulty

Current difficulty: https://blockexplorer.com/api/status?q=getDifficulty

Target on April 3, 2017: ~499635929817
Your chance on every hash guess is equivalent to 1/(2^256 - 499635929817)

1/115792089237316195423570985008687907853269984665640564039457584007413493710119


When a node finds a proof-of-work, it broadcasts the block to all nodes.
Nodes accept the block only if all transactions in it are valid and not already spent.
The miner that calculates the correct block is rewarded by being allowed to include additional bitcoins (a set amount that halves every 4 years) from the "coinbase" (the ether where coins are born; coins are pulled from here if not from another transaction. The coinbase only has a set amount of coins- 21 million.)

NOTE: "Miners" are really "bookkeepers". Their job is to maintain the ledger, and they get paid to do so, using bitcoins (generated from the coinbase and from tips).


Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.

Nodes always consider the longest chain (more accurately- the one with the most work required; i.e. the most difficult to calculate) to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.


Source: https://en.bitcoin.it/wiki/Controlled_supply
Price of bitcoin


Price of BTC over time: https://blockchain.info/charts/market-price?timespan=all

Other charts: https://blockchain.info/charts
REALLY useful chart on the current value, inflation, and blocks in Bitcoin: http://www.bitcoinblockhalf.com/


Newer implementations


"Colored Coins": coins that represent shares of a company or any other asset.

Built on top of the Bitcoin network


Altcoins


litecoin

requires higher memory (using the Scrypt algorithm instead of SHA-256) to defeat ASICs; however litecoin-specific ASICs have now been developed


dogecoin

Faster block time, using the Scrypt algorithm (memory-hard) in place of SHA-256.
Started as a joke


peercoin

original proof-of-stake blockchain, now uses proof-of-work as well
vulnerable to serious blockchain integrity destruction, due to the ease at which any single miner can calculate hashes for the current active branch, conflict branches, and all past branches. No power requirement, simply a matter of calculating one hash per second for each desired block; made exponentially easier the more coins you have


primecoin

proof is finding special primes for science


darkcoin/dash

11 different hashing algorithms strung together, trying to defeat ASICs


monero

automatic independent mixing in every block; much better for privacy
Also uses ring signatures, which incorporate one public key/wallet with multiple decoy public keys; the owner of the true public key can prove that they own one of the public keys in the set, but they don't have to show which one
Stealth addresses as well- a public address that essentially changes every time, thanks to the addition of a shared secret in the transaction and using Diffie-Hellman key exchange to arrive at a one-time public address


Zcash: Zcash has a public blockchain to show transactions, but hides the amount, sender and recipient addresses from all except those who hold the “view key.” The view key owner (i.e. the owner of the coins) can also allow others to see details associated with that key.

It does this by encrypting the transaction metadata rather than making it publicly available, as Bitcoin does. Full transaction outputs are not retained by Zcash nodes, which only record the ability to spend coins using proofs called “zk-SNARKs.”
One major difference that sets Zcash mining apart is that 10% of the 21m units mined using the Zerocash protocol will go to Zcash’s stakeholders, ie: its founders, employees, investors and advisors. This is called the "Founder’s Reward". The stakeholders will not receive this reward in a linear fashion. In the beginning, the protocol results in the creation of 50 ZEC every 10 minutes, with 20% going to the founders and the remainder going to the miners. Every four years, this mining incentive will be cut in half, but 100% of this reward will go the miners after the first four years.
Huge with ransomware, as it has complete anonymity built-in.


Dead Coins: a curated list of cryptocurrencies forgotten by this world.

http://deadcoins.com/


Ethereum


Ethereum: more than just currency (technology concepts it introduces are also known as "cryptocurrency 2.0")

Decentralized software platform that enables smart contracts, which in-turn enables things like distributed applications (dApps) and decentralized autonomous organizations (DAO).

Vitalik Buterin (creator of Ethereum, from Toronto) defines smart contracts as follows: "a smart contract is a mechanism involving digital assets and two or more parties, where some or all of the parties put assets in and assets are automatically redistributed among those parties according to a formula based on certain data that is not known at the time the contract is initiated."


"World computer" is called the Ethereum Virtual Machine (EVM).
Code can be written in a number of languages that compile down to EVM bytecode.

Solidity

By far the most popular.
A c-like language.


Viper

Python-like
Has overflow-checking, numeric units but without unlimited loops

Designed to be a little more secure by default (hard to shoot yourself in the foot)


Bamboo

Newer
Some influence from Erlang
No loops


"Currency": Ether
Hashing algorithm: Ethash
Much shorter block time (14-15 seconds vs. 10 minutes with bitcoin)
Block rewards remain the same each year ad infinitum (whereas bitcoin halves the rewards every 4 years)
Currently using proof of work, but looking to move to a new protocol called "proof of stake".

Protocol still not complete, code named "CASPER" (after the friendly ghost). Solves the "nothing at stake" problem by- "Whenever a validator produces a block that is considered “invalid” by Casper, his/her security deposit will be forfeited as well as the privilege to participate in the network’s consensus."
How it works:

Security deposits: stakeholders are required to make security deposits behind blocks. Whenever a security deposit is placed behind a block, it can introduced as a transaction that is part of an incompatible block aiming at destroying the security deposit of a validator. A block can be only marked as “finalized” when a large number of the network’s validators place security deposits behind it.
Consensus by bet: Philosophically, the security deposit concept is extended to become a concept of “bets”. Within a PoS system, a bet is a transaction which, according to the consensus incentivization rules, will reward you with X coins along every chain that includes a block that you have bet on, in exchange for taking Y coins from you for every chain that doesn’t include that block. A proper scoring rule should be used to set the values for X and Y. CASPER is based on the principle that validators bet according to the bets of other validators and rational play represents a loop of positive feedback that accelerates consensus. “Finality” is determined by 2/3 of validators willing to bet on a block that is large enough so that Y would be equal to their overall deposits.
By-block consensus: it is a yes/no vote casted separately on each block height. The inclusion of a block doesn’t simply denote inclusion of any block at any given previous heights.


"Gas": because miners are essentially lending computing power to other people's applications and programs (smart contracts) on the ethereum blockchain, they need to be compensated for that. Gas is the metering fee or cost for the computation and storage use of a smart contract.

Miners setup a minimum gas price they will accept to execute a transaction (miners will calculate this based on how much it actually costs them in electricity, and manually set this in their client. There is a default of 0.02 ETH per 1 gas), which is the amount of Ether used to interact with a component of that contract.

When sending a transaction to a smart contract, you can set what gas price you want to use. If you use a higher gas price, you are more likely to be accepted quickly by miners.


Each action (ADD, STORE, MULTIPLY, etc.) costs a certain number of gas.
The end result is that if you want your smart contract to run, you need to provide it with enough gas needed to complete the operations required. The total cost goes back to the minor in ETH, and the unused gas is refunded.
If not enough gas is provided to fuel the smart contract, then the originator pays the miner for all computation performed, and the transaction is reverted (but record of it is still stored in a block).
Gas cost by action (spreadsheet): https://docs.google.com/spreadsheets/d/1m89CVujrQe5LAFJ8-YAUCcNK950dUzMQPMJBxRtGCqs/edit
Certain operations (clearing a contract = -24,000, clearing storage = -15,000) results in a gas refund back to the originator. However, to avoid having miners not execute transactions with negative gas operations, the originator can only receive at most half of the gas of the overall transaction back. The minor will get the other half (or more) back.

Example: if a transaction used 60,000 gas and cleared 2 contracts for a refund of 48,000 (24,000 each above), the originator would still pay the miner for 30,000 gas, while receiving only 30,000 gas back (half of the overall amount spent for the transaction, but not the full amount of 48,000 for the refund operations).


To request a smart contract to be invoked, you provide a fee as well, which is given to the miner (on top of the gas cost) as additional incentive to complete the transaction earlier.
Create a smart contract in your browser and run on the test network: https://ethereum.github.io/browser-solidity/


Different consensus algorithms


Multichain: private blockchain platform, with a customized consensus instead of proof-of-work (e.g. 3/5 signatures from trusted sources needed for each block).

http://www.multichain.com
Popular option with banks and other FIs that are looking into blockchain implementations.


Tendermint: proof-of-stake algorithm that works with validators, over the course of many rounds of concensus.

Miners deposit currency/tokens to become "validators", and are then able to compete in the block consensus process.
If a validator does something wrong, they lose their deposit, and are no longer able to be a validator.
Each new block starts with a randomly selected validator proposing a block of transactions. Then, all validators will vote on whether that block is valid. They will keep voting on new block proposals until 2/3 of the validators agree on one block, at which point they will submit a final commit vote saying that they both approve the new block, and they witnessed that 2/3 of validators approved the block. This process then repeats to continue building the blockchain.


How blockchain technology is being used


HUGE- smart contracts

Code that is stored on the blockchain, and executed on every system in the blockchain when a certain condition is met.

More of a "smart agent" than a "smart contract". They can themselves hold balances of cryptocurrency, or even control other smart contract programs. They run completely autonomously.


Ethereum is leading this effort (the primary purpose of its platform). Every program or application being run on the Ethereum blockchain was built using their smart contract code.

A list of distributed apps (dApps): http://dapps.ethercasts.com/


Using tokens to signify share ownership of a company

A whole new concept called an ICO (initial coin offering) allows companies to be funded on the Ethereum blockchain. Companies can use smart contracts to programmatically deliver shares of the company upon successful funding, or release funds back to investors if the terms of the contract are not reached (i.e. the company does not reach its funding targets). Think Kickstarter, but with no fees and an absolute money-back guarantee upon unsuccessful funding (or other conditions listed).


Voting

Everyone gets one token for each vote, can only be spent once (remember- most blockchain implementation solves the double spend problem), votes are tracked in an indisputable ledger.


Tracking art and other digital assets.

Useful to track ownership of a particular asset, such as music by tracking a fingerprint of that digital asset.


Tracking shipments and other physical goods.
A token to signify ownership of real-world physical goods and commodities.

Digix (https://dgx.io): one token = 1g gold (stored in a vault in Singapore). Built on Ethereum's blockchain and EVM.
Tether (https://tether.to): one token = $1 USD (stored in a bank account in Hong Kong).

NuBits (https://nubits.com/): same as above, except they regulate the price between BTC and USD by either printing more tokens or buying back tokens.
BitUSD & Maker DAO: both use smart contracts with built-in collateral (buyer puts up more BTC than is actually needed), and in the event of a BTC market crash, the smart contracts automatically pull the money out at the right time, so that there is still a valid price link between BTC and USD on their platforms. Maker DAO also provides insurance for "black swan" crashes, using their own money as collateral.

These allow for margin trading (gains and losses are magnified because the collateral causes the smart contract to essentially be worth more, allowing for the price of the tokens to be worth more on the market. Thus, if someone trades their token for BTC when BTC is on par, but then if BTC price goes up, they can buy back a token and have BTC left over; works inversely when BTC price goes down).


"Pegged sidechains": allowing currency to move between blockchains (e.g. BTC to the Ethereum blockchain, and vice-versa; OR BTC to other service on another blockchain!). This works simply by trusting that a token holds an explicit value, and locking away the primary currency/token.

The primary cryptocurrency is stored away while transactions happen on the side chain (the other blockchain). Only when the initial cryptocurrency is requested to be pulled out by trading back for the token is that cryptocurrency value "unlocked".


Paid LinkedIn-like messaging for high-profile individuals.

https://21.co
There is the option for the individual to automatically donate the funds to a charity.


Distributed storage

https://storj.io: get paid to host hard drive space, store your files across distributed systems (encrypted before storage).
https://ipfs.io: aims to replace HTTP and distribute web content across a blockchain network.

Has now become Filecoin: https://filecoin.io/


Many more implementations and uses that we haven't even thought of yet (it's an incredibly exciting time!)

Who is using blockchain right now


RBC: http://www.coindesk.com/royal-bank-of-canada-expands-blockchain-testing-beyond-loyalty/

Using to back loyalty/consumer rewards program


UK Banking giant Barclays:http://www.coindesk.com/barclays-smart-contracts-templates-demo-r3-corda/

Creating legal smart contract templates


IBM/JP Morgan Chase, and more: https://www.ibm.com/blockchain/hyperledger.html

Hyperledger Fabric is an effort to create a standardized blockchain implementation that allows for permissioned (vs. "permissionless") and confidential networks, as well as public networks.


Big banks (UBS, JP Morgan Chase, Deutsche Bank, Santander): http://www.coindesk.com/ubs-clearmatics-bny-icap-deutsche-liberalize-central-banks-settlement-coin/

Settlement Coin will be a new digital currency used to settle financial market trades on a blockchain. Being pitched to central banks as the token used to settle trades across institutions and markets.


R3 Consortium: http://www.r3cev.com/

A firm that works with an incredibly large number of financial institutions around the world (most major banks) to develop blockchain tech focused on financial services.
Corda: a distributed ledger (blockchain) for recording financial agreements.

Each transaction has a configurable level of visibility.


Blockchain companies in Ontario


BitAccess: offers bitcoin ATMs ("BTMs").

https://bitaccess.co/


Paycase: universal money transfer platform (currently in private beta)

https://www.paycase.com/


Coinkite: hardware solutions around accepting and trading with bitcoins.

https://coinkite.com/


Coinsquare: Buy and sell cryptocurrencies AND precious metals online. Also allows for funding with cash in their downtown Toronto office.

https://coinsquare.io/


Cryptiv: Enterprise wallets, with multi-key systems.

https://cryptiv.com/


BitRush: Created their own cryptocurrency called "ANOON" (hoping that people adopt it), ad brokering on their blockchain, incorporates ANOON into online gaming payments.

http://bitrush.co/


ConsenSys Systems: Building decentralized apps (dApps), likely on the Ethereum network.

https://consensys.net/


Rubix by Deloitte: consulting around blockchain, and building blockchain applications for enterprises and governments.

http://rubixbydeloitte.com/


Nuco: Blockchain IAaS

https://nuco.io/


SecureKey: Authentication using a blockchain backend. Currently in use for many government tax services, allowing you to login using your bank login information.

http://securekey.com/


Security

Known flaws & vulnerabilities

Majority ledger


Majority ledger: 51% of processing power owned by one user.

Able to modify the blockchain and continue to generate the next hashes faster than the rest of the network, thereby allowing them to modify past blocks.
Reason why an attacker would not exploit this, from Nakomoto paper: "If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth."


Double spend


Double spend: essentially creating money out of thin air by creating two different transactions using the same inputs.

This is why you should wait for 6 block confirmations after a transaction block where you received money to ensure that it is securely on the longest chain (and thus, valid and not going away).
The way to do this is often through increasing the transfer fee (the "tip" to the miner for including your transaction in their block)


Private key brute-force (collision)


Brute-force private keys to steal that person's money.

This is being done by the "Large Bitcoin Collider" (LBC) project: https://motherboard.vice.com/en_us/article/nzpv8m/the-large-bitcoin-collider-is-generating-trillions-of-keys-and-breaking-into-wallets

Plot twist- the LBC software has a backdoor. https://motherboard.vice.com/en_us/article/3d9bv8/the-large-bitcoin-collider-is-a-security-nightmare


Bitcoin addresses are 160-bit hashes of the public portion of a public/private ECDSA keypair (uses the "RIPEMD-160" hashing algorithm). Thus, the odds of collision are 1/2^160 (~1/1461501637330902918203684832716283019655932542976; that's 49 decimal digits).

It would currently take 2^107 times longer to generate a colliding Bitcoin address than to generate a block.


Wallet correlation


Wallet correlation: linking multiple wallets back to a single entity.

Wallets can be linked to one person by looking at the "scriptSig" (digital signature) in inputs for a transaction. If multiple inputs are provided in a transaction (usually the case), and they are all validly signed, that means the sender has the private key associated with the wallet (public key) storing those transactions. This means that once a transaction is used to send bitcoins, unless they use the exact amount needed (only one input; rare), multiple wallets get linked together.

By tracing back through the input's own transaction history, if other wallets were used as outputs in those same transactions, then they likely belong to the same person as well.


OpSec

Since Bitcoin is P2P, anyone can identify other IPs that are using Bitcoin. Simply listen to traffic on your network and log all nodes that connect to yours.

You also broadcast all your transactions to neighbouring nodes in the clear (bitcoin traffic is unencrypted). If those neighbouring nodes are logging IPs, they can tie it back.


If you ever use a bitcoin wallet to purchase something on a website with shipped data, an exchange, or anywhere else where your identity is revealed, it can be tied back to your bitcoin wallets.
If a user has used an exchange to buy, sell, and trade bitcoin, their IP address and their PII (due to "KYC"- know your customer laws) can be linked to that wallet.

Many exchanges are using the "on and off ramps" like these to help with regulation of bitcoin. This is where the tracking often comes in.


Only way to be fully anonymous on the Bitcoin network is to mine the wallet yourself, through a VPN (or multiple VPNs), and never tie those bitcoins to your real life identity in any way.

This is practically impossible now. Close second would be to use something like localbitcoins.com to buy bitcoins locally, rather than trying to mine them.


Really good guide on how to use Bitcoin as anonymously as possible: https://99bitcoins.com/know-more-using-bitcoin-anonymously/


Contract loopholes/abuse (AppSec)


If there is a loophole in the contract's logic, then it may be possible to exploit it for money, because the contract is seen as the single source of truth, and followed to the letter.
Example of this: "The DAOsaster"

"The DAO" is a distributed autonomous organization (DAO) on the Ethereum blockchain. It operated as a hedge fund where investors in the initial round of investment (which reached a total of USD $150 million in 21 days- the largest crowdfund in history) received a token that signified part ownership in The DAO. Investors/stakeholders would then be able to vote on investments in companies (investments proposed by "contractors").
Through a set of what were essentially business logic vulnerabilities in the way The DAO was programmed, an attacker was able to siphon around $50 million of Ether, which was legitimate according to the smart contract parameters.
The attack was a "recursive send" vulnerability. Basically, The DAO contract allowed token holders to split from The DAO and withdraw their funds. Wallet contracts can have a default function. The code in the DAO contract called this default function in the time between the funds being pulled from the DAO's pool of funds and the time that the total funds in the user's DAO account was updated (essentially a TOCTOU vulnerability). By setting the default function to split from the DAO again, it essentially pulled more money from the pool, while the DAO still thought there was money left in the account.

The icing on the cake is that the DAO contract only thinks it has lost the original amount that was in the user's account (could be very little), rather than the full amount that was siphoned in each recursive call. This is because the balance update function happens with the assumption that only the original amount was withdrawn. Thus leaving The DAO to think it has way more money than it actually did.


After this, the Ethereum organization decided to manually fix the loophole in The DAO's smart contract and fork the blockchain to accomplish this. This was called a "hard fork", and left a lot of people upset, obviously. The old chain continued on as "Ethereum classic", but its value has not kept pace with the new Ethereum blockchain.


Essentially: business logic vulnerabilities.

Cryptocurrency-related breaches


Instances of cryptocurrency-related security breaches: https://magoo.github.io/Blockchain-Graveyard/

Some were due to issues with the cryptocurrency, however most breaches were attributed to traditional security issues (server breach, account takeover, application vulnerability, etc.).


Auditing cryptocurrencies


Cryptocurrency Security Standard: https://cryptoconsortium.github.io/CCSS/

2 domains, covering 10 aspects

Cryptographic Asset Management

Key/seed generation
Wallet creation
Key storage
Key usage
Key compromise protocol
Keyholder grant/revoke policies & procedures


Operations

Security audits/pentests
Data sanitization policy
Proof of reserve
Audit logs


Example Cryptocurrency Security Standard scorecard
Smart contract analysis tools


Porosity

Decompiles EVM bytecode into readable Solidity-syntax contracts.
Also has a disassembler.
https://github.com/comaeio/porosity


evmdis

EVM disassembler.
https://github.com/arachnid/evmdis


Securify

Automatic analysis tool for EVM bytecode and Solidity source code.
Can point it to a smart contract address for automatic analysis as well.
Still in beta, but will likely be a commercial product.
http://securify.ch/


Oyente

Source code analysis for Solidity smart contracts.
https://github.com/melonproject/oyente


Dr. Y's Ethereum Contract Analyzer

High-level analysis of remote smart contracts (bytecode)
http://dry.yoichihirai.com/


Other resources


Global Cryptocurrency Benchmarking Study 2017 (PDF): https://www.jbs.cam.ac.uk/fileadmin/user_upload/research/centres/alternative-finance/downloads/2017-global-cryptocurrency-benchmarking-study.pdf