Last week, Mark Mobius of Mobius Capital Partners appeared on CNBC, stating that blockchain is not unbreakable, going against much of the consensus. Speaking about cryptocurrencies and their perceived value, Mobius concluded that people’s faith in the underlying technology is what makes them valuable.
“I believe blockchain is a very high-risk situation,“ he said. “A lot of people say, ‘blockchain can’t be broken into.’ No, it can be. Anything that’s created by man can be broken into. And it could create a big crisis.”
While blockchain as a concept can be considered safe, blockchain as a real-world application is less so. MIT’s Stuart Madnick wrote a piece in the Wall Street Journal in June outlining this problem. He is one of the researchers looking into 72 cases of blockchain security breaches, costing firms up to $600 million.
Madnick mentioned the notorious Ethereum hack in 2016, where a hacker noticed a flaw in the open-source code of a smart contract for the DAO project. The transparency of the blockchain programming allowed the attacker to find the bug before anyone else. They were able to exploit the smart contract bug to send funds to their own account, siphoning off over $100 million of Ether.
As a public blockchain, the programming code, along with the ledger of transactions is usually visible to anyone. This means that small coding oversights like the DAO’s could cost the company millions. In that sense, Mobius is right to think it’s “high-risk”.
For example, 51% attacks are on the rise, according to Sia founder David Vorick. These attacks ‘take over’ blockchains by controlling more than 50% of the validating nodes. So, an intruder could validate their fraudulent transactions.
Such attacks can occur when node control is public and based on how much processing power a user contributes, like in Bitcoin. In private permissioned blockchains, this risk is less relevant.
However, attacks don’t just affect the blockchains themselves. Companies running cryptocurrency exchanges or wallets are perhaps the most vulnerable because these ‘crypto hacks’ often have little to do with blockchain. Exchanges tend to look after private keys on behalf of currency owners. But they do so in a centralized manner and hence are vulnerable to hacking.
As we outlined last year, security vulnerabilities in the coding of these wallets or exchanges can lead to successful hacks.
Two weeks ago, a group of researchers published 44 types of security vulnerabilities of Ethereum when used for applications. Most of these are to do with the building of applications and smart contracts.
Programming bugs affect both public and private blockchains. While, say, a private blockchain used in enterprise might seem safe, there is potential for risk. Smart contract flaws still have the potential to cost money, unless all consortium members agree to a fix.
Identity and access are one of the biggest areas of vulnerability for private chains. If a bad actor manages to get access to one of the participant’s credentials they can execute transactions.
The way transactions are notarized for private blockchains tends to be far more centralized compared to public blockchains. The smaller the number of targets to hack, the bigger the risk. Similarly, some current blockchain interoperability solutions use centralized nodes. These nodes become an attractive target for attackers.
Hence, there is a reliance on network security, cryptographic protocols, and sometimes hardware security. These may all have vulnerabilities.
From time to time massive vulnerabilities hit the headlines such as the notorious Heartbleed bug which left OpenSSL’s protocols vulnerable to attack. OpenSSL is used for most online ecommerce and banking transactions. Last year Intel’s secure enclaves were shown to be vulnerable. Secure enclaves are used to separate special data like security keys and are widely used in blockchain applications, as are hardware security modules.
Mark Mobius was probably not thinking about all these security issues when asked if cryptocurrencies have inherent value. But his take, that “[a]nything that’s created by man can be broken into”, is not that far from the truth.