The need for a blockchain security framework

Since recent hacks question blockchain security – it is a good idea to discuss what blockchain security actually is. This points beyond the normal computer security issues for the server running the blockchain program or the desktop computer running the blockchain wallet.

There are hundreds of altcoins and other blockchains so let’s use Bitcoin and Ethereum as proxies for security for some of the unique blockchain issues.

1) Securing the private key

All blockchains use either tokens (coins) or wallets (Ethereum) to store value – which is what theft is mostly after. (considering blockchains are open source – noone is trying to steal or hack the code…)

There is not much new about securing the private keys except the financial consequences. Blockchain private keys are like passwords or keys to digital certificates. If you lose the key – you lose control of the asset. Whether that is coin, email or server root.

Since the bounty is much higher for stealing private keys (billions between the top 5 altcoins) it is very important to secure the keys.

Apart from a small amount for daily spend (bitcoin) or fuel for daily processing needs (Ethereum) – all value tokens should be in cold storage, offline and secured with tamper proof devices like Trezor, Ledger, etc.

2) Software Code Security

It is well understood that the more sophisticated the programming language available (Bitcoin low vs Ethereum high) the more likely that poorly written code will leave value open to exploit.

3) Consensus security

The highest level security breach in decentralized systems is the subversion of the node network or consensus mechanism. Malicous actors need to accumulate significant financial resources to take over decentralized networks but theoretically it can be done.

4) Fiduciary security

Handing over private keys to a 3rd party like a coin exchange is the same as giving your cash or passwords to strangers. Until laws catch up it is unclear what recourse you have in case of loss or theft by those trusted agents. The security issue at hand is one attempt to mitigate trust – splitting the access key (multisig). Most implementations require 2 out of 3 signatures for transactions to go through and those 2 are held by strangers. Until those parties provide legal protection and recourse – the 2 of 3 security is insufficient.

Leave a Comment