Blockchain has created new economies based on cheaper and faster transaction record keeping. But can it survive the audit of cybersecurity folk?
Back in 2009, the first generation of blockchain technology promised value via its use as a ledger for cryptocurrency transactions. The usual work allotted to bankers and payment processors in incumbent financial systems to maintain ledgers and process transactions – along with their fees – shifted into the hands of a wider group of peers within blockchain.
Anyone with enough computer resources to add transactions to the ledger of a blockchain in a process called cryptomining could be a miner. These miners, just like payment processors, got their cut – but in cryptocurrency. As long as the fees provide enough revenue to compensate miners for their costs, transactions keep on being processed.
Ultimately, the economic value derived from blockchain is made possible because of how it harnesses computer processing power along with a transparent and trustworthy design for the blockchain ledger in order to make transactions cheaper, faster and just as trusted as those handled by incumbent financial systems. People have been buying and selling in these new, digital economies ever since.
In 2015, one blockchain, Ethereum, popularized a new way of creating economic value – smart contracts. The idea was simple. Write a computer program – a smart contract – that can record transactions into a ledger and automatically trigger other transactions when predefined conditions have been fulfilled.
With smart contracts, the advantages of cheaper and faster transactions became available for a broader range of applications. Transactions were no longer just for the buying and selling of cryptocurrencies, but also for the recording of supply chain events, invoicing and payments. Captivated by the prospect of better efficiencies and cost savings, enterprises joined blockchain consortia and kicked off pilots that experimented with smart contracts.
Enterprise blockchain creating new value via smart contracts
A few years on, in 2020, giants in the retail and grocery industries like Walmart Canada have deployed blockchain-based solutions. With the help of DLT Labs, a Canadian financial technology startup, Walmart Canada now shares with carrier partners a blockchain ledger that promises to cut down on invoice disputes with carriers. So far, the share of issue-ridden invoices has been slashed from up to 70% to less than 2% – a game changer for speeding up invoice and payments processing.
In the oil and gas industry, two ongoing blockchain projects are VAKT and Komgo. VAKT aims to lower administrative costs and speed up processes involved in trading by using Quorum blockchain technology. Energy firms BP, Shell and Equinor, and trading companies Gunvor and Mercuria, are the first participants. Similarly, the crude oil trading company SOCAR Trading turned to Komgo’s blockchain platform, which is also built on Quorum.
The spectrum of interesting blockchain projects includes those aiming to offer better rates for invoice factoring, speeding up the filing of bills of lading, cutting the cost and time to process cross-border payments, and improving the processing of (re)insurance contracts.
Hacking blockchain’s trust?
The trust offered by blockchain technology lies in its guarantee that, for all members in the network, the record of transactions is the indisputable source of truth. Since there is no possibility for changing transactions once they are entered into the ledger, how a blockchain verifies transactions before they get permanently recorded becomes the crucial piece for security.
One way of breaking that trust would be when one participant or group increases its share of power – mining power or otherwise – in the network beyond a pre-agreed threshold. For blockchains like Bitcoin that threshold is 50%, or for Tangle 33%. A group that exceeds a certain share of power can gain a monopoly on truth and break the trust built into the system.
Another danger – as for all computer systems – is cybercriminals stealing the private keys of participants in the blockchain in order to impersonate them and make unauthorized transactions. Private keys are normally stored in digital wallets. The dangers are the same for a personal wallet, a company wallet, or a trade exchange’s wallet, and attention should be paid to best security practice for all parties handling one.
While cheap and fast transactions make blockchain more valuable as a tool, they should not be pursued at the expense of security and trust.
Hacking smart contracts?
Perhaps the most infamous hack happened in 2016 when the Decentralized Autonomous Organization (DAO) lost nearly 3.7 million Ethereum tokens ($250 million USD) from a wallet connected to a smart contract built on the Ethereum blockchain. A hacker exploited a bad piece of logic within the smart contract that allowed repeatedly interrupting one withdrawal request with another without subtracting the initially requested amount. Effectively, this allowed repeated withdrawals of the same funds.
The majority of the community participating in Ethereum voted to “rewrite” the ledger and return the lost funds – creating a hard fork of the blockchain to do so. Those who opposed the hard fork and preferred to stay with the original timeline in which the DAO hack happened are now part of the renamed “Ethereum Classic.”
Other known smart contract hacks exploited vulnerabilities in shared libraries that were used by smart contracts or that had integer underflow coding flaws.
Recommendations for secure smart contract development
Clearly, the design of smart contracts remains a critical security point, as blockchain pilots continue to explore enterprise-scale applications that aim to enhance supply chains, payments, and documents processing. Here are some recommendations to improve smart contract security:
- Hire a third party to conduct a comprehensive blockchain application security audit. Having fresh pairs of eyes to review code or strenuously test new applications can detect oversights.
- Consider using smart contract code analysis tools to discover vulnerabilities.
- Use active monitoring and defense tools that work in real time to search smart contract transaction logs or receipts for suspicious behavior.
- Make sure encryption is properly implemented in applications so that sensitive data like login credentials are not exposed.
- Properly authenticate any parties that are participating in smart contracts or conducting transactions in a blockchain.
- Implement a multifactor authentication solution like the ESET Secure Authentication software development kit (SDK) to further protect the private keys of blockchain participants.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.