Jean-Philippe Aumasson, Head of Security at Taurus Group SA, gave the keynote lecture at the Balkan Computer Congress (BalCCon) on September 14. In his talk entitled “Blockchain Security!” he elaborated on the question “Are blockchain secure?” by reviewing some of the most critical security issues ever found in blockchain applications, as well as vulnerabilities he discovered as a researcher and while working on Taurus products. Below we summarize the key messages from this talk (Taurus_BalCCon_2018).
- Most attacks aim to make money, be it by stealing seeds or private keys through phishing or exploiting a vulnerability in the system to create tokens out of thin air.
- Bitcoin and Ethereum have a good track record, with no major impactful vulnerability ever found in their core software. This is remarkable given the high level of complexity of these systems.
- Smart contracts are hard, because minor bugs can have dramatic consequences, as observed in the DAO incident. A smart contract is essentially code that runs on top of a blockchain platform (typically Ethereum), and as such can be insecure even if the underlying platform is secure.
- Experimental designs can fail, as demonstrated by, for example, by the address derivation scheme of Lisk or the custom consensus protocol of Verge. Innovating is generally good, but sometimes the technology is clearly not mature enough to be deployed in production systems supporting $100Ms worth of assets.
- Software is often immature, with many critical software components including or depending on fragile and underanalyzed code. The risk is amplified by the high complexity of many blockchain protocols, and by the reuse of certain components across multiple projects.
With more and more blockchain platforms being created, and more code being written for ever more complex protocols, we believe that many bugs are yet to be found. We therefore recommend to all developers of blockchain applications to pay particular attention to the third-party software they use (and their respective dependencies), as well as to the software they write (security audits can help).