It is crucial that before being implemented these applications are checked and audited several times so as to guarantee that they will not have unexpected behaviour or contain any flaws.
What are the blockchain’s security risks?
M.H. It must first be stressed that concerning the exchange protocol itself, the blockchain is extremely secure. Especially on Bitcoin and on Ethereum, because the mining system means that it is very difficult to go back on data that has been written into the blockchain. Indeed, it is necessary to use a very high computing power to do this, and the cost of this is high. So, there is no risk concerning the security of data anchored or saved in the blockchain; they are unalterable. What’s more, as miners are paid to validate transactions and thus make the blockchain work correctly, they are the guardians of its integrity. This being said, there are risks; the main ones are on two levels: at the application level and at the user level.
What are the application risks?
M.H. They are linked to the automatic execution of smart contracts. Once rolled out on the blockchain, according to the principle of inalterability of the code, they can no longer be modified. It is therefore crucial that before being implemented, these applications are checked and audited several times by independent experts or by organising “bug bounty” campaigns (programmes asking developers from across the world to bug test before the implementation of applications), so as to guarantee that they will not have unexpected behaviour or contain any flaws.
What’s it all about?
M.H. In May 2016, investment fund The DAO (Decentralized Autonomous Organisation), whose rules were governed by smart contracts, raised 150 million dollars from Ethereum users, who could vote on projects to award them financing or not. One month later, a hacker exploited a “reentrancy” flaw in one of the smart contracts that the organisation was using. The hacker siphoned off 3 million Ethers (50 million dollars) outside of the organisation to inject them into another smart contract over which they had control. Contradicting the main rules of blockchains, the organisation’s developers decided to correct the consequences of the piracy by creating a “fork” (duplication with creation of a new chain) of the blockchain. This major catastrophic event brought to the attention of the entire community the need to secure the computer code of smart contracts.
What are the risks linked to users?
M.H. These risks are linked to cryptocurrency leaks or theft. Some users create portfolios on non-secure exchange platforms from where their private keys can be retrieved. The pirates then take over ownership of the accounts and issue cryptocurrencies in an uncontrolled and unauthorised manner. To avoid these risks, it is thus necessary to store the tokens on secure sites and to generate private keys from computers that are not connected to the internet, and from standard libraries.
Are there other kinds of risk?
M.H. There is another application risk that falls within piracy: the 51% attack. It is a hack of the blockchain by a member who takes over 51% of the mining hashrate and creates a parallel chain. This chain having a higher computing power than the original chain, the owners of the remaining 49% join it. In this way the pirate can perform transactions in order to credit himself with tokens on both chains; this is called “double spending”. However, on Bitcoin and Ethereum, it is nearly impossible to carry out this type of attack as it requires high computing power and is therefore very costly to implement. The fewer miners the pirate has, the less computing power there is, and the higher the risk is of a 51% attack being able to take place.
What are the upcoming evolutions in terms of blockchain security?
M.H. On the one hand, with experience, the members of developer communities will develop smart contracts that resist flaws better and better. And on the other hand, when businesses recognise all the benefits of deploying public blockchains, they may no longer wish to risk losing millions as in the case of The DAO; they will then make the rules and practices more flexible, in particular that of the inalterability of the data.