

Risk Management in Blockchain Deployments

Do you need a blockchain? And if so, what kind?

Trail of Bits has published an operational risk assessment report on blockchain technology. As more enterprises consider the innovative benefits of blockchains and, more generally, distributed ledger technologies (DLT), executives must decide if and how to adopt them. Organizations adopting these systems must understand and mitigate the risks associated with operating a blockchain service organization, managing crypto wallets and keys, relying on external API providers, and many other related topics. This report aims to provide decision-makers with the context needed to assess these risks and plan for their mitigation.


In the report, we cover the current state, use cases, and gaps of blockchains. We examine common pitfalls, failures, and vulnerabilities that we have observed as leaders in the field of blockchain assessment, security tools, and formal verification.

Blockchains have very different constraints, security properties, and resource requirements from traditional data storage alternatives. The diversity of blockchain types and functionalities can make it difficult to decide whether a blockchain is an appropriate technical solution for a given problem, and if so, which type of blockchain to use. To help readers make such decisions, the report contains written and graphical resources, including a decision tree, comparison charts, and a risk/impact matrix.

A decision tree of the Trail of Bits operational risk assessment on blockchains

Goldman Sachs partnered with Trail of Bits in 2018 to create a cryptocurrency risk framework. This report applies and updates some of the results of that study. It also incorporates findings from a project that Trail of Bits carried out for the Defense Advanced Research Projects Agency (DARPA) to examine the fundamental properties of blockchains and the cybersecurity risks associated with them.

Key ideas

Here are some of the key findings from our research:

  • Proof-of-work technology and its risks are relatively well understood compared to newer consensus mechanisms like proof-of-stake, proof-of-authority, and proof-of-burn.
  • The main risk is “the storage problem”. It is not the storage of cryptocurrency, but rather the storage of the cryptographic private keys that control ownership of an address (account). Disclosure, or even the momentary loss of control, of the keys may result in the complete and immediate loss of funds from that address.
    • Specialized key storage hardware, whether a hardware security module (HSM) or a hardware wallet, is an effective security control when designed and used correctly, but current hardware solutions are far from perfect.
    • Fund compartmentalization and multisignature wallets are also effective security controls and complement the use of HSMs.
  • Security vulnerabilities or outages at third-party API providers are a secondary risk, which is best mitigated by contingency planning.
  • The centralization of mining power is a systemic risk whose impact is less clear but important to monitor; this represents potential for blockchain manipulation and, therefore, currency manipulation.
  • Most blockchain software, although open source, has not been formally evaluated by reputable application security teams. Order regular security reviews to assess traditional blockchain software vulnerabilities. Use network segmentation to prevent blockchain software from being exposed to potentially exploitable vulnerabilities.
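The key-storage findings above can be made concrete by modelling custody designs and asking two questions for each: how much can an attacker drain after some keys are disclosed, and how much becomes unreachable after some keys are lost. The following Python is an added example written for this page, not code from the Trail of Bits report; the wallet names, key identifiers and balances are constructed, and no real signature scheme is involved, only the m-of-n policy logic.

```python
"""Added example (not from the Trail of Bits report): a model of the
"storage problem" that compares custody designs by the funds an attacker can
drain after compromising keys (disclosure) and the funds the owner can no
longer move after losing keys (loss of control).

Wallet names, key identifiers and balances are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Wallet:
    """A wallet whose funds move only with `threshold` of the `keys` signatures."""
    name: str
    keys: FrozenSet[str]      # identifiers of the private keys in the policy
    threshold: int            # m in an m-of-n multisignature policy
    balance: int              # in smallest units (constructed values)

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= len(self.keys):
            raise ValueError(f"{self.name}: threshold must be in 1..{len(self.keys)}")


def stealable(wallets: List[Wallet], compromised: FrozenSet[str]) -> int:
    """Funds an attacker holding the `compromised` keys can sign away."""
    return sum(w.balance for w in wallets
               if len(w.keys & compromised) >= w.threshold)


def locked(wallets: List[Wallet], lost: FrozenSet[str]) -> int:
    """Funds the owner can no longer move because too few keys remain."""
    return sum(w.balance for w in wallets
               if len(w.keys - lost) < w.threshold)


# Three custody designs holding the same 1,000,000 units (constructed).
SINGLE_HOT = [Wallet("hot", frozenset({"k1"}), 1, 1_000_000)]

# Single-key control, but split across four independent wallets.
COMPARTMENTALIZED = [
    Wallet(f"comp{i}", frozenset({f"k{i}"}), 1, 250_000) for i in range(1, 5)
]

# 2-of-3 multisignature per compartment, each key held on a separate HSM.
MULTISIG_COMPARTMENTALIZED = [
    Wallet("ms1", frozenset({"hsmA", "hsmB", "hsmC"}), 2, 500_000),
    Wallet("ms2", frozenset({"hsmD", "hsmE", "hsmF"}), 2, 500_000),
]


def compare(compromised: FrozenSet[str]) -> Dict[str, int]:
    """Funds drainable from each design when the `compromised` keys are disclosed."""
    return {
        "single_hot": stealable(SINGLE_HOT, compromised),
        "compartmentalized": stealable(COMPARTMENTALIZED, compromised),
        "multisig_compartmentalized": stealable(MULTISIG_COMPARTMENTALIZED, compromised),
    }


if __name__ == "__main__":
    print(compare(frozenset({"k1"})))        # one single-control key disclosed
    print(compare(frozenset({"hsmA"})))      # one HSM key disclosed: nothing drainable
    print(locked(MULTISIG_COMPARTMENTALIZED, frozenset({"hsmA"})))          # one key lost
    print(locked(MULTISIG_COMPARTMENTALIZED, frozenset({"hsmA", "hsmB"})))  # two keys lost
```

Running the comparison shows the trade-off the findings describe: disclosure of a single key drains the whole single-wallet design, a quarter of the compartmentalized one and nothing from the multisignature one, while the multisignature threshold also means that losing two of a compartment's three keys locks that compartment's funds. Choosing m and n is therefore a balance between theft and loss-of-control risk, which is why the report pairs HSMs with compartmentalization and multisignature policies rather than relying on any one control.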

We hope this report can be used as a community resource to inform and encourage organizations pursuing blockchain strategies to do so effectively and securely.

This research was conducted by Trail of Bits based on work supported by DARPA under Contract No. HR001120C0084 (Distribution Statement A, Approved for Public Release: Distribution Unlimited). Any opinions, findings, and conclusions or recommendations expressed herein are those of the authors and do not necessarily reflect the views of the United States Government or DARPA.

This is a Security Bloggers Network syndicated blog from the Trail of Bits Blog, written by Trail of Bits. Read the original post at:
