A survey on blockchain cybersecurity vulnerabilities and possible countermeasures
Huru Hasanova
Department of Computer and Information Science, Korea University, Sejong, Republic of Korea
Ui-jun Baek
Department of Computer and Information Science, Korea University, Sejong, Republic of Korea
Mu-gon Shin
Department of Computer and Information Science, Korea University, Sejong, Republic of Korea
Kyunghee Cho
Department of Computer and Information Science, Korea University, Sejong, Republic of Korea
Corresponding Author
Myung-Sup Kim
Department of Computer and Information Science, Korea University, Sejong, Republic of Korea
Correspondence
Myung-Sup Kim, Department of Computer and Information Science, Korea University, Sejong, Republic of Korea.
Email: [email protected]
Summary
Blockchain technology has attracted considerable attention owing to its wide range of potential applications. It first appeared as a cryptocurrency, called Bitcoin, but has since been used in many other business and nonbusiness applications. Unlike most existing systems that are based on centralized frameworks, this new technology utilizes peer-to-peer networks and distributed systems, which include blockchain registers to store transactions. Its structure is designed as a digital log file and stored as a series of linked groups, called blocks. Each individual block is locked cryptographically with the previous block. Once a block has been added, it cannot be altered. Many security experts speculate that the inherent cryptographic nature of the blockchain system is sufficient to withstand constant hacking and security threats. However, previous studies on the security and privacy of blockchain technology have shown that many applications have fallen victim to successful cyberattacks. Owing to the increasing demand for cryptocurrency and its current security challenges, previous studies have not focused on blockchain technology cybersecurity vulnerabilities extensively. Here, our study extends the previous studies on vulnerabilities and investigates the types of potential attacks. Our study then provides further direction to highlight possible countermeasures against the cybersecurity vulnerabilities of blockchain technology.