Imagine that you are a cryptocurrency expert who knows a great deal about the blockchain ecosystem. A man who does his transactions through a bank asks you about Bitcoin and Ether. You are fascinated to tell him the benefits of using them: there is no taxation, because the technology is not owned by a state, and it is easy to use and also quite secure. You also tell him that he needs a crypto wallet for this whole process, which stores the private and public keys for his transactions. Then he asks these questions: “Is my wallet safe?”, “Is it unreachable for others?”, “Is it possible to steal the keys from my wallet?”, “What happens if it is?”. Here comes the issue. The answer regarding safety is, well, it depends.
To explain this, probably the best is to remind the reader of the recent wallet freezing connected with Ethereum and Parity. In July this year hackers stole $31M of Ether. They found a bug in the developer code that let them set themselves as the owners of the wallets. The loss was “only” $31M, because a group of so-called white hats found out about the cheeky theft, basically hacked the other affected wallets themselves and then restored the money to the owners after the breach. Unbelievable story, right? But we could say this was a human mistake, not a security standard left unfulfilled by the cryptographic methods or the technology used. A few months later another thing happened.
At that time our company, CCLab, which is an accredited Common Criteria evaluation laboratory, seriously considered the opportunity of somehow recommending security standards or best practices for applications connected to blockchain, including the apps that give users access to their cryptographic keys. Then the articles came out: 151 wallets were frozen, and even the founder of Ether couldn’t suggest a proper solution. He was shocked, as were others. According to certain sources the frozen value is more than $150M. This is incredibly more than the loss in July. So what happened?
After the breach in July, Parity deployed a new version of the wallets, but other vulnerabilities were left in it. The hack happened only with these restored wallets. The hacker found a library contract that held the smart-contract code shared by several Ether users’ wallets. He somehow found out that the library itself could be initialized as a wallet, and he claimed owner rights for it. He tried to withdraw the funds and then disappear with his loot. That is why the wallets are frozen, but what is extremely shocking is that another 573 wallets are affected by the breach. The users are of course worried now about the security measures taken by the Parity team. To be honest, it is understandable. Regarding the solution, hard-forking seems to be the only way currently. But not everybody is convinced that it is the best way, as an earlier one did bigger damage in the Ethereum ecosystem by splitting it into two networks.
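The pattern the paragraph describes, as an added example constructed for this article (not Parity's own code): a shared wallet library whose initializer anyone can run directly on the library, next to a hardened version that initializes its own storage at deployment and makes initialization a one-time step. Solidity 0.8 syntax, a single owner instead of a multisig, and the contract and function names are my assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration (not Parity's code) of a wallet "library" whose code
// thin proxy wallets run via delegatecall, so state lives in each proxy's storage.
contract VulnerableWalletLibrary {
    address public owner;

    // Meant to run once per proxy wallet right after deployment. Nothing marks
    // the library's own storage as initialized, so this function can also be
    // called directly on the library, and the first caller becomes its owner:
    // the "library initialized as a wallet" situation described above.
    function initWallet(address _owner) external {
        owner = _owner;
    }

    function withdraw(address payable _to, uint256 _amount) external {
        require(msg.sender == owner, "not owner");
        _to.transfer(_amount);
    }
}

// Hardened version: initialization is a one-time step, and the library's own
// storage is initialized at deployment, so a direct initWallet call on it reverts.
contract HardenedWalletLibrary {
    address public owner;
    bool private initialized;

    constructor() {
        initialized = true; // the library itself is never a usable wallet
    }

    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    // Still works once per proxy: a fresh proxy's storage has initialized == false.
    function initWallet(address _owner) external onlyUninitialized {
        require(_owner != address(0), "zero owner");
        initialized = true;
        owner = _owner;
    }

    function withdraw(address payable _to, uint256 _amount) external {
        require(msg.sender == owner, "not owner");
        _to.transfer(_amount);
    }
}
```

A deployment check worth automating: after deploying any delegatecall-backed library, call its initializer once from an unprivileged account and confirm the call reverts.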
So, back to our man’s question: “Is my wallet safe and unreachable for others?”. Probably now you would say “no” instead of “it depends”. Actually, when I browsed the internet for some basic information about crypto wallets, I found a page that explains it to laypeople pretty well too. It points out that no matter what kind of wallet you use, desktop or online, taking extra security measures and being cautious can save your assets. Really good point! We need extra security measures. That is the statement I wanted to reach. The extra security.
However, I kept the most acute problem until now. What happens after the loss? What happens when a third party has exploited your wallet and you could not do anything; it could not be restored. What is next? Well, probably nothing. Most wallets operate free of any charge. This is the case with Ether’s Parity wallet too. The developers of this multi-signature wallet indicate that it is free of charge on an open-source basis. This means that the code is public, so you could create your own wallet too, but Parity offers safer and more organized use and coordination of Ether and your transactions.
Of course, another loss arose. After the hard fork and the freezing of several wallets, a bug was left in the smart contract. A developer accidentally got access to several wallets through this mistake, and while he tried to restore them to the original owners he deleted the contents of the wallets. So $300M disappeared. Any compensation from the developers because of the bug? No, nothing. As I mentioned, they are free of charge. So what could a user do? What could anybody do to compensate the loss at least to some extent?
Well, in the U.S. there is a kind of guarantee, but not from the developers of the cryptocurrency wallets. It is from the state! The U.S. recognized Bitcoin as a legal opportunity and way to pay and make transactions. But it is not handled as a real currency. It is property, and it is taxed after transactions according to agreed terms and value. By taxing the cryptocurrency the state offers an opportunity to restore a percentage of the loss in some cases (e.g. gross negligence, willful misconduct, fraud etc.). But this system is not perfect either. It does not offer the compensation that is needed. Still, this is at least a partial solution to the problem.
Several other problems come to mind reading these lines of mine. What happens if a cryptocurrency user suffers a huge loss and his or her government does not guarantee any kind of help or compensation? This is actually a common situation, because cryptocurrency transactions are widespread but they are not recognized as a legal possibility in transactions. However, even if they are recognized, the state needs to tax them to provide any kind of financial base to cover emerging losses in the future. But how long will this take? Can we wait until most countries’ legal systems recognize cryptocurrencies this way? Probably not. This is my last reason to argue that some kind of international regulation is needed to cope with this situation, which is changing at incredible speed day after day.
All in all, we can conclude that blockchain has the power to reshape the IT world. The technology is developing on a very large scale. Vulnerability breaches have already happened, and in the future the best strategy is to prevent these attacks. It is not the blockchain technology that has weaknesses, but the systems through which developers and users deal with it. Open source code itself is not the solution to the security challenges. A responsible wallet developer invests in the security of its clients and the security of its business. Using security-by-design techniques and third-party vulnerability and penetration testing are good investments. Well, at least this is what CCLab considers doing.
Customer Success Manager at CCLab Kft.
Qureshi, H. (2017, July 16). A hacker stole $31M of Ether — how it happened, and what it means for Ethereum [Article].
Cointelegraph (2017, November 13). Parity Multisig Wallet Hacked, or How Come? [Article].
Mix (2017, November 8). Ethereum founder remains silent on wallet bug that froze $250+ million of Ether [Article].
O’Leary, R. (2017, November 8). Ethereum Security Lead: Hard Fork Required to Release Frozen Parity Funds [Article].
Rosic, A. (2017, January). Cryptocurrency Wallet Guide: A Step-By-Step Tutorial [Blog post].
Hern, A. (2018, November 8). ‘$300m in cryptocurrency’ accidentally lost forever due to bug [Article].
Choy, W. and Teng, P. (2017, December 22). When Smart Contracts are Outsmarted: The Parity Wallet “Freeze” and Software Liability in the Internet of Value [Article].
Bergman, A. (2018, January 3). What You Should Know About Taxation Of Cryptocurrencies [Article].
Krimminger, M. (2017, May 26). Bitcoin, Blockchain & the Regulatory Dynamic [Paper].
Deloitte Team: Piscini, E., Dalton, D. and Kehoe, L. (2017). Blockchain & Cyber Security. Let’s Discuss [Whitepaper].
I. and Liao, T. (2017, January 12). A Survey of Blockchain Security Issues and Challenges [Paper].