Shocking Discoveries about Blockchain Bitcoin and Ethereum Network-Level Vulnerabilities

We live on a planet where new technology seems to be working against the vast majority of humans living on this planet, rather than helping us to live better. This is sometimes called “singularity”, and Tristan Harris, a former Google ethics guru has now joined a public crusade so that tech companies “stop exploiting our weaknesses” and trying to abuse our confidence, and Yuval-Noah Harari says that we are now being hacked.

However for an engineer or for a scientist, this is not business as usual, these problems actually seem solvable. Potentially decentralization and democracy, freedom of speech and quality journalism, liability lawyers, market regulators and consumer rights advocates, law enforcement, benevolent academics and even tech companies themselves trying to make a difference and playing the long game not trying to cheat all the time, can possibly solve these problems. At least we have been trying. We have not run out of options.

Bitcoin and blockchain technologies have been developed precisely because we deeply mistrust our institutions, banks and governments, and we are now experimenting with alternative ways of doing things. This movement is not over. In particular the role of the private sector is increasing: bitcoin is in many ways private money, and a private system belonging to a group of oligarchs. At the same time the blockchain world has been nurturing a dreamer world of building a new economy with a fresh start: where money is created by the people, and where the wisdom of crowds leads to new types of outcomes, which benefits potentially all the people who dare to participate in it.

Sadly, the tech establishment is not helping, in bitcoin and everywhere else. A vast majority of tech developers have no sense whatsoever of social responsibility. They are sometimes not even trying to make things which actually work, or which are fit for purpose, or they fail to do so in spectacular ways. Deeply entrenched in the tech developer oligarchies, and equally bad at universities, and even worse in the mass and also pretty bad at say armed forces or government agencies, is an anarchic business and personal life disruption ideology. The technology is pushed on people who live on this planet in very crude dystopian forms driven by the desire to create a machine economy driven by the desire to influence and abuse the human element.

Not only that our technology as of today fundamentally lacks network neutrality, as much as it a lacks a positive or ethical purpose: it also does not fulfill the basic role of enabling of business or any other activity, it works primarily for the benefit of the sick, the corrupted, the incompetent. All this gets even more ugly when a lot of money is at stake. You are not happy with governments and bankers, here is what you get.

The Sick and The Ugly: Current Blockchain Networks

A new report written on explicit order from US government DARPA agency tells us some inconvenient truths about current Blockchain, Bitcoin and Ethereum world. It is written very much from the perspective of securing a distributed system… which is the main thing these networks are. The discoveries are “shocking”:

In particular we read that:

  • every widely used blockchain has a privileged set of entities […] to potentially change past transactions […]
  • we use […] outdated and unencrypted software and blockchain protocols. […]
  • it only takes four entities to disrupt Bitcoin and only two to disrupt Ethereum.
  • Bitcoin traffic is unencrypted […] any third party on the network route between nodes (e.g., ISPs, Wi-Fi access point operators, or governments) can observe and choose to drop any messages they wish;
  • 60% of all Bitcoin traffic moves through just three ISPs.
  • vast majority of Bitcoin nodes appear to not participate in mining […] and […] do not meaningfully contribute to the health of the network […] node operators face no explicit penalty for dishonesty
  • There is strong evidence that “a dense subnetwork of public nodes is largely responsible for reaching consensus and communicating with miners”.
  • One attacker gained control of up to 40% of Tor exit nodes and used them to rewrite Bitcoin traffic
  • 21% of Bitcoin nodes are running an older version of the Bitcoin Core client, known to be vulnerable
  • nodes have an out-of-date or incorrect view of the network which lowers hashrate necessary to execute a 51% attack.
  • 1 million of miners are being let down by the industry incumbents and are badly exposed:
    • Stratum protocol for mining pools Stratum, is unencrypted and unauthenticated.
    • ViaBTC a major mining pool assigns the password “123” to its accounts, Pooling, another mining organization, does not even check credentials, and Slushpool which has mined more than 1.2 million Bitcoin since 2010 instructs users to ignore the password field. These three combined account for 25% of the Bitcoin hash rate.
    • And they forgot to tell us… how many people ordered miners which were never delivered, or paid for rental of miners they do not control, undermining the very principles of a decentralized cooperative peer to peer network. Then how bitcoin miner abnormal and secretive supply chains with entry barriers have facilitated both a super-centralized network working only for the super rich, and how smaller investors have been locked out, and how all these have facilitated a massive worldwide criminal activity.

About the Authors

Trail of Bits based in NY, have an impressive pedigree: They have tens of academic publications on applied crypto, SW exploits, linux kernel etc. They operate “a center of excellence for blockchain security”. Notable projects include audits of Algorand, Bitcoin SV, Chainlink, Compound, Cosmos, Ethereum 2.0, MakerDAO, Matic, Polkadot, Solana, Uniswap, Web3, and Zcash.

Remark: This is serious work and in many ways, a result of years of work. Very different compared to the letter written by Bruce Schneier and 1500 computer scientists which is full of strong opinions and unsubstantiated claims, but fundamentally there is no technical, crypto or cybersecurity content of any sort, no attempt to study or examine these problems. Shame on you Mr. Schneier! An applied cryptography expert who has given up on… applied cryptography some 20 years ago to become a celebrity.

Leave a Reply

Your email address will not be published.