As the cryptocurrency industry continues to expand and becomes an increasingly attractive target to hackers, the Pentagon has commissioned a study that has discovered some concerning vulnerabilities, detailed in an accompanying report.
Indeed, the report, published on June 21 and titled “Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers,” has discovered that “a subset of participants can garner excessive, centralized control over the entire system.”
The study, which focuses on Bitcoin (BTC) and Ethereum (ETH), was carried out by the security research firm Trail of Bits under the direction of the Pentagon’s Defense Advanced Research Projects Agency (DARPA).
According to the report:
“The number of entities sufficient to disrupt a blockchain is relatively low: four for Bitcoin, two for Ethereum, and less than a dozen for most PoS networks.”
Moreover, the report said that “of all Bitcoin traffic, 60% traverses just three ISPs,” referring to internet service providers. On top of that, “the vast majority of Bitcoin nodes appear to not participate in mining and node operators face no explicit penalty for dishonesty.”
As the analysts warn, “deploying a new node requires only one inexpensive cloud server instance – no specialized mining hardware is necessary.” This allows for the possibility of flooding a blockchain’s consensus network with new, malicious nodes controlled by a single party in what is called a Sybil attack.
Further problems include out-of-date and unencrypted protocols and software, all of which expose the network to attacks. As the report explains:
“The safety of a blockchain depends on the security of the software and protocols of its off-chain governance or consensus mechanisms.”
The report also discovered that all the mining pools its analysts tested “either assign a hard-coded password for all accounts or simply do not validate the password provided during authentication.”
As an example, the report used the practice of the global cryptocurrency mining pool ViaBTC of seemingly assigning the password ‘123’ to all of its accounts. Another mining firm, Poolin, “seems not to validate authentication credentials at all,” whereas Slushpool “explicitly instructs its users to ignore the password field.”
According to the available data, these three mining pools account for about 25% of the Bitcoin hashrate.
Cybersecurity researchers often warn of potential crypto-related weaknesses that can lead to incidents such as the one that Finbold reported in mid-April, in which an attacker managed to steal a person’s entire collection of cryptos and non-fungible tokens (NFTs) worth over $650,000 from their MetaMask crypto wallet.