- A report from the Pentagon’s research arm DARPA shows that Bitcoin nodes and traffic are concentrated in the hands of a few.
- It also shows that mining pools control a huge share of the BTC hashrate while having very few security measures on their end.
The Pentagon, the headquarters of the United States Department of Defense, has shared some glaring details about the vulnerabilities of blockchain decentralization. A recent report commissioned by it shows that blockchain is not as decentralized as claimed, and is also vulnerable to external attacks because it runs on outdated software.
The Pentagon published the report “Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers” earlier this week. The report states that a small subset of participants can exert excessive and centralized control over a blockchain network. These findings could be a major cause for concern across multiple sectors, including fintech, security, the crypto industry, and big tech.
The Pentagon’s research arm, the Defense Advanced Research Projects Agency (DARPA), conducted this blockchain investigation together with the security research firm Trail of Bits. The two organizations focused specifically on the top two cryptocurrencies, Bitcoin (BTC) and Ethereum (ETH).
Trail of Bits shares some concerning and eye-popping details about the two blockchains. It said that it would take only four entities to disrupt the Bitcoin network, and two in the case of Ethereum. Furthermore, it added that 60 percent of all Bitcoin traffic moves through just three ISPs. The firm also identified outdated and unencrypted software and blockchain protocols.
The DARPA report adds more concern to an already depressed crypto market. Investors are still recovering from the Terra ecosystem collapse and several insolvencies in the market.
The underlying blockchain security and challenges
In the report, Trail of Bits explains some of the underlying blockchain security challenges. It adds: “The safety of a blockchain depends on the security of the software and protocols of its off-chain governance or consensus mechanisms”.
Researchers at Trail of Bits opened multiple accounts with mining pools to study their code, and found some shocking details about their operations. A stark revelation is that the global mining pool ViaBTC assigns the password “123” to its accounts. Another pool, Poolin, doesn’t validate credentials at all. Slush Pool, which has mined over 1 million Bitcoin over the last decade, asks users to ignore passwords. Together, these three mining pools contribute 25 percent of Bitcoin’s hash power, which is concerning.
Trail of Bits further warns that Bitcoin nodes can be spun up easily on inexpensive cloud servers. This could enable a Sybil attack, in which the network is flooded with attacker-controlled nodes. That in turn could enable an eclipse attack, in which bad actors isolate a victim node from the rest of the network and deny it access to honest peers.
Trail of Bits also presented evidence of a Sybil attack linked to a malicious actor, likely based in Russia. This attacker gained access to 40 percent of the Tor exit nodes and used them to rewrite Bitcoin traffic.
Furthermore, the report notes that all nodes should run the latest software version, but that is not the case in practice: Trail of Bits says 21 percent of Bitcoin nodes are running an older version of the Bitcoin Core client.
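The three network-level findings above (traffic concentration in a few ISPs, eclipse exposure through cheap look-alike nodes, and outdated clients) are things a node operator can measure from their own peer table. The following is an added example, not code from the report or from Trail of Bits: it takes the `addr` and `subver` fields that `bitcoin-cli getpeerinfo` reports, and computes the share of peers on outdated Bitcoin Core versions, the share of peers routed through the top few ASNs, and whether one /16 netgroup dominates the peer set. The sample peer list, the prefix-to-ASN table and the "latest version" constant are constructed assumptions; in practice the ASN lookup would come from a BGP or whois dataset.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample: the addr/subver fields of a getpeerinfo result.
# Addresses are from documentation/benchmark ranges and are made up.
SAMPLE_PEERS: List[Dict[str, str]] = [
    {"addr": "203.0.113.10:8333", "subver": "/Satoshi:23.0.0/"},
    {"addr": "203.0.113.11:8333", "subver": "/Satoshi:22.0.0/"},
    {"addr": "203.0.113.12:8333", "subver": "/Satoshi:23.0.0/"},
    {"addr": "203.0.113.13:8333", "subver": "/Satoshi:0.21.1/"},
    {"addr": "203.0.113.14:8333", "subver": "/Satoshi:23.0.0(@example)/"},
    {"addr": "203.0.113.15:8333", "subver": "/Satoshi:23.0.0/"},
    {"addr": "203.0.113.16:8333", "subver": "/Satoshi:23.0.0/"},
    {"addr": "198.51.100.5:8333", "subver": "/Satoshi:23.0.0/"},
    {"addr": "198.51.100.6:8333", "subver": "/Satoshi:23.0.0/"},
    {"addr": "192.0.2.7:8333", "subver": "/Satoshi:23.0.0/"},
    {"addr": "192.0.2.8:8333", "subver": "/Satoshi:22.0.0/"},
    {"addr": "192.0.2.9:8333", "subver": "/bitcoinj:0.15/"},    # non-Core client
    {"addr": "198.18.0.5:8333", "subver": "/Satoshi:23.0.0/"},  # prefix not in table
]

# Hypothetical prefix -> ASN table standing in for a real routing dataset.
ASN_TABLE: Dict[str, int] = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "192.0.2.0/24": 64502,
}

# Assumption: the Bitcoin Core release the operator treats as current.
LATEST_VERSION: Tuple[int, int, int] = (23, 0, 0)

SATOSHI_RE = re.compile(r"/Satoshi:(\d+)\.(\d+)(?:\.(\d+))?")


def parse_subver(subver: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Bitcoin Core user agent string.
    Returns None for other clients, so they are never miscounted as outdated."""
    m = SATOSHI_RE.search(subver)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def peer_ip(addr: str):
    """Strip the port from 'ip:port' or '[ipv6]:port'."""
    if addr.startswith("["):
        return ip_address(addr[1:addr.index("]")])
    return ip_address(addr.rsplit(":", 1)[0])


def lookup_asn(addr: str) -> Optional[int]:
    """Longest-prefix-free lookup in the small hypothetical ASN table."""
    ip = peer_ip(addr)
    for prefix, asn in ASN_TABLE.items():
        if ip in ip_network(prefix):
            return asn
    return None


def netgroup(addr: str) -> str:
    """/16 for IPv4 and /32 for IPv6, the granularity at which Bitcoin Core
    buckets peer addresses (assumption: we mirror that rule here)."""
    ip = peer_ip(addr)
    bits = 16 if ip.version == 4 else 32
    return str(ip_network(f"{ip}/{bits}", strict=False))


def outdated_share(peers: List[Dict[str, str]]) -> float:
    """Fraction of peers running a Bitcoin Core version older than LATEST_VERSION."""
    if not peers:
        return 0.0
    outdated = sum(
        1 for p in peers
        if (v := parse_subver(p["subver"])) is not None and v < LATEST_VERSION
    )
    return outdated / len(peers)


def top_asn_share(peers: List[Dict[str, str]], n: int = 3) -> float:
    """Fraction of peers reached through the n most common ASNs (cf. the
    report's '60 percent of traffic through three ISPs' figure)."""
    if not peers:
        return 0.0
    counts = Counter(lookup_asn(p["addr"]) for p in peers)
    counts.pop(None, None)  # unknown origin is not a concentration signal
    return sum(c for _, c in counts.most_common(n)) / len(peers)


def eclipse_risk(peers: List[Dict[str, str]], max_share: float = 0.5) -> Tuple[bool, str, float]:
    """Flag a peer set in which a single netgroup exceeds max_share: cheap nodes
    from one hosting range crowding the table is the eclipse precondition."""
    if not peers:
        return (False, "", 0.0)
    counts = Counter(netgroup(p["addr"]) for p in peers)
    group, count = counts.most_common(1)[0]
    share = count / len(peers)
    return (share > max_share, group, share)


if __name__ == "__main__":
    risky, group, share = eclipse_risk(SAMPLE_PEERS)
    print(f"outdated Core peers: {outdated_share(SAMPLE_PEERS):.0%}")
    print(f"peers via top 3 ASNs: {top_asn_share(SAMPLE_PEERS):.0%}")
    print(f"dominant netgroup {group}: {share:.0%} (eclipse risk: {risky})")
```

Run against a live node by replacing `SAMPLE_PEERS` with the parsed JSON of `bitcoin-cli getpeerinfo`; a high `top_asn_share` or a single dominant netgroup is a cue to add manually chosen outbound peers from other networks rather than relying on whatever addresses arrived unsolicited.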
Warning to big tech amid the Web3 revolution
Several mainstream technology companies have been tapping into blockchain as a new source of income. Even some of the Big Tech companies, Google, Amazon, Microsoft, and Alphabet, are investing heavily in blockchain, notes the DARPA report.
At the same time, there is a growing craze for the Web 3.0 revolution. As the Big Tech companies continue their blockchain development, Joshua Baron, a DARPA program manager, warns:
The report demonstrates the continued need for careful review when assessing new technologies, such as blockchains, as they proliferate in our society and economy. We should not take any promise of security on face value and anyone using blockchains for matters of high importance must think through the associated vulnerabilities.