Do you need a blockchain? And if so, what kind?
Trail of Bits has published an operational risk assessment report on blockchain technology. As more enterprises consider the innovative benefits of blockchains and, more generally, distributed ledger technologies (DLT), executives must decide if and how to adopt them. Organizations adopting these systems must understand and mitigate the risks associated with operating a blockchain service organization, managing crypto wallets and keys, relying on external API providers, and many other related topics. This report aims to provide decision-makers with the context needed to assess these risks and plan for their mitigation.
In the report, we cover the current state, use cases, and gaps of blockchains. We examine common pitfalls, failures, and vulnerabilities that we have observed as leaders in the field of blockchain assessment, security tools, and formal verification.
Blockchains have very different constraints, security properties, and resource requirements from traditional data storage alternatives. The diversity of blockchain types and functionalities can make it difficult to decide whether a blockchain is an appropriate technical solution for a given problem, and if so, which type of blockchain to use. To help readers make such decisions, the report contains written and graphical resources, including a decision tree, comparison charts, and a risk/impact matrix.
Goldman Sachs partnered with Trail of Bits in 2018 to create a cryptocurrency risk framework. This report applies and updates some of the results of that study. It also draws on a project that Trail of Bits carried out for the Defense Advanced Research Projects Agency (DARPA) to examine the fundamental properties of blockchains and the cybersecurity risks associated with them.
Here are some of the key findings from our research:
- Proof-of-work technology and its risks are relatively well understood compared to newer consensus mechanisms like proof-of-stake, proof-of-authority, and proof-of-burn.
- The main risk is “the storage problem.” It is not the storage of cryptocurrency itself, but rather the storage of the cryptographic private keys that control ownership of an address (account). Disclosure, or even momentary loss of control, of those keys may result in the complete and immediate loss of funds from that address.
- Specialized key storage hardware, whether a hardware security module (HSM) or a hardware wallet, is an effective security control when designed and used correctly, but current hardware solutions are far from perfect.
- Fund compartmentalization and multisignature wallets are also effective security controls and complement the use of HSMs.
- Security vulnerabilities or outages at third-party API providers are a secondary risk, which is best mitigated by contingency planning.
- The centralization of mining power is a systemic risk whose impact is less clear but important to monitor; it represents the potential for blockchain manipulation and, therefore, currency manipulation.
- Most blockchain software, although open source, has not been formally evaluated by reputable application security teams. Order regular security reviews to assess traditional software vulnerabilities in blockchain components. Use network segmentation to limit the exposure of blockchain software that may contain exploitable vulnerabilities.
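The second, third and fourth findings above describe controls at the level of policy: a single exposed private key should not be enough to move funds (multisignature), and no single wallet should hold enough to make one compromise catastrophic (compartmentalization). The following Go program is an added illustration of both controls together; it is not code from the report or from Trail of Bits. It assumes a constructed canonical spend message format (`spend|dest|amount`), ed25519 signatures from Go's standard library, and a hypothetical `Compartment` type whose quorum, balance and per-spend cap are checked before any debit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Compartment is one wallet with its own signer set, quorum and per-spend cap.
type Compartment struct {
	Signers  []ed25519.PublicKey
	Quorum   int    // distinct valid signatures required (M of len(Signers))
	Balance  uint64
	MaxSpend uint64 // per-spend cap bounds the loss if this compartment's keys leak
}

// SpendMsg is the constructed canonical byte string every co-signer signs.
func SpendMsg(dest string, amount uint64) []byte {
	return []byte(fmt.Sprintf("spend|%s|%d", dest, amount))
}

// Authorize debits the compartment only if cap, balance and quorum are all met.
// approvals maps signer index to signature, so a key counts at most once.
func (c *Compartment) Authorize(dest string, amount uint64, approvals map[int][]byte) error {
	if amount > c.MaxSpend || amount > c.Balance {
		return fmt.Errorf("amount %d exceeds cap %d or balance %d", amount, c.MaxSpend, c.Balance)
	}
	msg, valid := SpendMsg(dest, amount), 0
	for idx, sig := range approvals {
		if idx >= 0 && idx < len(c.Signers) && ed25519.Verify(c.Signers[idx], msg, sig) {
			valid++ // unknown indices and bad signatures simply do not count
		}
	}
	if valid < c.Quorum {
		return fmt.Errorf("only %d of %d required valid signers", valid, c.Quorum)
	}
	c.Balance -= amount
	return nil
}

// NewCompartment generates n demo keypairs in one process; in production each
// private half would live in its own HSM or hardware wallet.
func NewCompartment(n, quorum int, balance, limit uint64) (*Compartment, []ed25519.PrivateKey) {
	c := &Compartment{Quorum: quorum, Balance: balance, MaxSpend: limit}
	privs := make([]ed25519.PrivateKey, 0, n)
	for i := 0; i < n; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		c.Signers, privs = append(c.Signers, pub), append(privs, priv)
	}
	return c, privs
}
```

Because the destination and amount are bound into the signed message, approvals collected for one spend cannot be replayed to authorize a different one, and a spend above the compartment cap is refused even with a full quorum.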
We hope this report can be used as a community resource to inform and encourage organizations pursuing blockchain strategies to do so effectively and securely.
This research was conducted by Trail of Bits based on work supported by DARPA under Contract No. HR001120C0084 (Distribution Statement A, Approved for Public Release: Distribution Unlimited). Any opinions, findings, and conclusions or recommendations expressed herein are those of the authors and do not necessarily reflect the views of the United States Government or DARPA.
This is a syndicated post from the Trail of Bits Blog (Security Bloggers Network), written by Trail of Bits. Read the original post at: https://blog.trailofbits.com/2022/06/24/managing-risk-in-blockchain-deployments/