Risk management in blockchain implementations

Do you need a blockchain? And if so, what kind?

Trail of Bits has released a blockchain technology operational risk assessment report. As more companies consider the innovative advantages of blockchain and distributed ledger technologies (DLT) in general, executives must decide whether and how to adopt them. Organizations adopting these systems must understand and mitigate the risks associated with operating a blockchain services organization, managing crypto wallets and keys, reliance on third-party API providers, and many other related issues. This report is intended to provide decision makers with the necessary context to assess these risks and plan to mitigate them.

In the report, we cover the current state, use cases, and shortcomings of blockchains. We examine common pitfalls, flaws, and vulnerabilities that we have observed as leaders in the field of blockchain evaluation, security tools, and formal verification.

Blockchains have significantly different restrictions, security properties, and resource requirements than traditional data storage alternatives. The diversity of blockchain types and characteristics can make it difficult to decide whether a blockchain is an appropriate technical solution to a given problem and, if so, which type of blockchain to use. To help readers make such decisions, the report contains written and graphical resources, including a decision tree, comparison tables, and a risk/impact matrix.

Should you use a blockchain?

Figure: Trail of Bits decision tree for evaluating the operational risks of blockchains

Goldman Sachs partnered with Trail of Bits in 2018 to create a cryptocurrency risk framework. This report applies and updates some of the results of that study. It also includes information included in a project Trail of Bits completed for the Defense Advanced Research Projects Agency (DARPA) to examine the fundamental properties of blockchains and the cybersecurity risks associated with them.

Key ideas

Here are some of the key insights from our research:

  • Proof-of-work technology and its risks are relatively well understood compared to newer consensus mechanisms such as proof-of-stake, proof-of-authority, and proof-of-burn.
  • The main risk is “the storage problem”. It is not the storage of cryptocurrencies, but the storage of the cryptographic private keys that control the ownership of an address (account). Disclosure of, or even momentary loss of control over, those keys may result in the complete and immediate loss of all funds at that address.
    • Specialized key storage hardware, whether it’s a hardware security module (HSM) or a hardware wallet, is an effective security control when designed and used correctly, but current hardware solutions are less than perfect.
    • The compartmentalization of funds and multisignature wallets are also effective security controls and complement the use of HSMs.
  • Security breaches or outages in third-party API providers are a secondary risk, which is best mitigated through contingency planning.
  • Centralization of mining power is a systemic risk whose impact is less clear but important to monitor; it represents a potential for blockchain manipulation and thus currency manipulation.
  • Most blockchain software, while open source, has not been formally evaluated by reputable application security teams. Commission regular security reviews to assess blockchain software for traditional vulnerabilities. Use network segmentation to prevent blockchain software from being exposed to potentially exploitable vulnerabilities.
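The two key-storage controls named above, compartmentalization of funds and multisignature wallets, can be shown in a small authorization policy. The Go program below is an added example written for this page; it is not code from the report or from Trail of Bits. It models a "hot" compartment with its own per-transfer limit and a 2-of-3 ed25519 signing policy, then shows that a single compromised key cannot move funds and that an over-limit transfer is refused before signatures are even counted. The wallet name, amounts, recipient address and the in-process key generation are all constructed for the demo (in a real deployment the private keys would live in an HSM or hardware wallet, and the policy would be enforced on-chain or by a custody service rather than in a local struct).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Wallet is one compartment of funds. It has its own authorised signers,
// its own M-of-N threshold and a ceiling on any single transfer, so that
// losing control of this compartment's keys cannot drain other compartments.
type Wallet struct {
	Name      string
	Signers   []ed25519.PublicKey // the N authorised public keys
	Threshold int                 // M distinct signatures required
	Balance   uint64
	Limit     uint64 // maximum single transfer out of this compartment
}

// Transfer is the request that signers must approve.
type Transfer struct {
	Wallet string
	Amount uint64
	To     string
}

// message is the canonical byte string every signer signs.
func (t Transfer) message() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", t.Wallet, t.Amount, t.To))
}

// Authorize applies the compartment policy first, then counts valid
// signatures from distinct authorised signers (sigs is keyed by signer
// index so the same key cannot be counted twice). Funds move only when
// the threshold is met.
func (w *Wallet) Authorize(t Transfer, sigs map[int][]byte) error {
	if t.Wallet != w.Name {
		return errors.New("transfer addressed to another compartment")
	}
	if t.Amount > w.Balance {
		return errors.New("insufficient balance")
	}
	if t.Amount > w.Limit {
		return errors.New("amount exceeds compartment limit")
	}
	msg := t.message()
	valid := 0
	for idx, sig := range sigs {
		if idx < 0 || idx >= len(w.Signers) {
			continue // unknown signer index is ignored, never counted
		}
		if ed25519.Verify(w.Signers[idx], msg, sig) {
			valid++
		}
	}
	if valid < w.Threshold {
		return fmt.Errorf("only %d of %d required signatures present", valid, w.Threshold)
	}
	w.Balance -= t.Amount
	return nil
}

// NewSigners generates n ed25519 key pairs in-process. This is a constructed
// stand-in for keys that would normally be held in an HSM or hardware wallet.
func NewSigners(n int) ([]ed25519.PublicKey, []ed25519.PrivateKey) {
	pubs := make([]ed25519.PublicKey, n)
	privs := make([]ed25519.PrivateKey, n)
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs[i], privs[i] = pub, priv
	}
	return pubs, privs
}

// ScenarioResult records the outcome of the three constructed attempts.
type ScenarioResult struct {
	OneSig    error  // one compromised key only: expected to fail
	TwoSig    error  // two of three keys: expected to succeed
	OverLimit error  // above the compartment limit: expected to fail
	Balance   uint64 // balance left in the hot compartment
}

// RunScenario builds a 2-of-3 hot wallet with constructed values and runs
// the three attempts described in the lead-in.
func RunScenario() ScenarioResult {
	pubs, privs := NewSigners(3)
	hot := &Wallet{Name: "hot", Signers: pubs, Threshold: 2, Balance: 1000, Limit: 250}

	tx := Transfer{Wallet: "hot", Amount: 200, To: "constructed-recipient-address"}
	msg := tx.message()
	var r ScenarioResult
	r.OneSig = hot.Authorize(tx, map[int][]byte{0: ed25519.Sign(privs[0], msg)})
	r.TwoSig = hot.Authorize(tx, map[int][]byte{
		0: ed25519.Sign(privs[0], msg),
		2: ed25519.Sign(privs[2], msg),
	})

	big := Transfer{Wallet: "hot", Amount: 300, To: "constructed-recipient-address"}
	bmsg := big.message()
	r.OverLimit = hot.Authorize(big, map[int][]byte{
		0: ed25519.Sign(privs[0], bmsg),
		1: ed25519.Sign(privs[1], bmsg),
	})
	r.Balance = hot.Balance
	return r
}

func main() {
	r := RunScenario()
	fmt.Println("one signature:", r.OneSig)
	fmt.Println("two signatures:", r.TwoSig)
	fmt.Println("over limit:", r.OverLimit)
	fmt.Println("hot balance:", r.Balance)
}
```

The ordering inside Authorize is deliberate: the compartment limit is checked before any signature is verified, so a quorum of signers cannot override the ceiling, and the map keyed by signer index means that replaying one signer's signature under several entries still counts as a single approval.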

We hope that this report can be used as a community resource to inform and encourage organizations seeking blockchain strategies to do so effectively and safely.

This research was conducted by Trail of Bits based on work supported by DARPA under Contract No. HR001120C0084 (Distribution Statement A, Approved for Publication: Unlimited Distribution). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.

*** This is a syndicated Security Bloggers Network blog from BitTrack Blog written by Trail of Bits. Read the original post at: https://blog.trailofbits.com/2022/06/24/managing-risk-in-blockchain-deployments/