The report said that in addition to 51 percent attacks, there is a whole new level of blockchain security weaknesses whose implications researchers are just beginning to explore. Coincidentally, Ethereum Classic—specifically, the story behind its origin—is a good starting point for understanding them, too, it said.

Companies are creating ways to avert hacking threats, the report said. It points to AnChain.ai as one of several recent startups created to address blockchain hacking. It uses artificial intelligence to monitor transactions and detect suspicious activity, and it can scan smart-contract code for known vulnerabilities.

It also noted that other companies, including Tsankov’s ChainSecurity, are developing auditing services based on an established computer science technique called formal verification. The goal is to prove mathematically that a contract’s code will actually do what its creators intended. These auditing tools, which have begun to emerge in the past year or so, have allowed smart-contract creators to eliminate many of the bugs that had been “low-hanging fruit,” said Tsankov. But the process can be expensive and time-consuming.

The report added that it may also be possible to use additional smart contracts to set up blockchain-based “bug bounties.” These would encourage people to report flaws in return for a cryptocurrency reward, noted Philip Daian, a researcher at Cornell University’s Initiative for Cryptocurrencies and Contracts.

But making sure code is clean will only go so far, he said. “A blockchain, after all, is a complex economic system that depends on the unpredictable behavior of humans, and people will always be angling for new ways to game it,” Daian said. He and his colleagues have shown how attackers have already figured out how to profit by gaming popular Ethereum smart contracts, for instance.

In short, the report noted that while blockchain technology has long been touted for its security, under certain conditions it can be quite vulnerable. It pointed out that sometimes shoddy execution or unintentional software bugs can be blamed. Other times it’s more of a gray area—the complicated result of interactions between the code, the economics of the blockchain and human greed. That’s been known in theory since the technology’s beginning, the report said.

But with all the blockchains out there, we are learning what it actually means—often the hard way, the report added.
