Recently I was introduced to the world of BlockChain by a friend at work @ecryptolee (Co-Author). I’m now about 3 months into studying the topic and one thing continuously remains true. This truth is that many people have dubbed this technology useless. However one simple trend existed amongst almost every single one of the individuals that made these accusations. They had done very little research into the topic and possessed hardly even a surface level understanding of the technology.
Before I start let’s make it clear that the explosion of crypto currencies that has come out of this space is alarming and in my personal opinion completely unnecessary. In the world of crypto currencies I’m heavily focused on the coins that from my own research I see potential for future realized value. The 4 I like currently are Bitcoin, Ethereum, Litecoin, and Monero. More specifically I’m primarily looking into securing the coins, wallets, and exchanges.
I’ve accumulated resources while on this journey which I can assure you is a bit tricky when almost anything you lookup returns pages of crypto currency OMG articles. My challenge to you is to at least do a bit of research before completely hating this technology. I would like to have at least one argument with someone where they have a sound technical reason why they think BlockChain sucks so much.
Just the core idea of what a BlockChain is obviously confuses people because the explanations I hear are downright awful and misinformed. If you are going to tell me how much you hate BlockChain I at least expect you to have a basic understanding. Let’s start by helping you gain a fundamental understanding of BlockChain:
If you are interested in jumping right into the development of BlockChain a few resources gave me insight into how the code was structured. Most BlockChains can have cores built in multiples languages. If you want to learn the technical break downs of how it works read these so you can argue with me about the deeper elements of BlockChain:
Bitcoin was the first decentralized use of BlockChain. Understanding the fundamentals behind it is the first step towards understanding what it is. First thing you’re going to want to do is get a baseline understanding of the technology. After you complete this you will have all the knowledge necessary to argue with all the Bitcoin lovers and let them know how you feel.
A great place to start is with the following book:
After you get the fundamentals down it’s a good idea to catch up on everything that has happened. Most coins have websites with additional information. They are also open source so you can freely review the code. I can guarantee you not one person I have argued with has done this. Most of them even have full white papers which break down the initial reason for creation and other technical details.
You can use the following resources to get a baseline understanding of Bitcoin:
To jump into the development of Bitcoin here are some resources that helped me understand its core implementation:
So my first question was is Bitcoin secure? It’s holding value how do we know the code is secure. People ask questions about the code base frequently and thankfully Dan Guido has done some research in this space:
- Bitcoin Fuzzers – These fuzzers hav been added to the Bitcoin repo
The Bitcoin Github also provides a test harness for fuzz testing which can be used with AFL:
Litecoin is a fork of Bitcoin which was created because they believed they could make a faster version of the coin. Thus far they have succeeded to some degree at this and will release LitePay in the near future. This is a company that will use the Litecoin network to transfer funds.
You can use the following resources to get a baseline understanding of Litecoin:
Ethereum took a different approach to all of this and decided to make a network that would run decentralized applications called Smart Contracts. Ethereum has had their share of security issues. I will discuss those issues in the Smart Contracts section.
You can use the following resources to get a baseline understanding of Ethereum:
I thought that I should at least mention one privacy coin. The idea behind a privacy coin is that the transactions on the BlockChain are private. Privacy coins hope to solve some of the issues associated with completely public BlockChains.
You can use the following resources to get a baseline understanding of Monero:
Smart Contracts put simply is the idea that you can write a piece of code with rules baked into it that will make decisions. The purpose being that once compiled and deployed to the network it cannot be changed. All outcomes are based on the code that runs. This is both innovative and scary because a lot of security issues have been discovered around Smart Contracts.
When digging deeper into BlockChain security I found the following research and tool development:
- Oyente – An Analysis Tool for Smart Contracts – Melon Project
- A Brief History of Smart Contracts – Trail of Bits
- Automated Bug Finding for Block Chain – Trail of Bits
- Echidna Smart Fuzzer for Ethereum – Trail of Bits
- Mythril – Security analysis tool for Ethereum smart contracts – ConsenSys
- Porosity A Decompiler For Blockchain Based Smart Contracts Bytecode – Matt Suiche
- Ethereum $53M DAO HACK – Bad Code Explained – Programmer explains – Ivan on Tech
I was happy to find out that many of the exchanges had bug bounty programs. This was a strong indicator that they took security very serious as you should when handling high volumes of money, bank account info, and a storage of value.
When exploring this bug bounty program I found a protocol called FIX that I’m definitely going to invest some time into researching. It is a widely used by many crypto currency exchanges as well as normal stock exchanges. SecForce has done research in this space and created a fuzzer for this protocol:
Wallets are used to store the private keys necessary to prove you are the owner of a crypto asset. There are both hardware and software wallets. For the purpose of storing private keys most would agree hardware wallets add a layer of security. Paper wallets can also be created completely offline and stored safely. Securely storing your crypto assets is a topic that without a doubt needs more security awareness surrounding it. These are just my initial thoughts and resources.
To get a core understanding of how wallets work you can review these resources:
The first hardware wallets to catch my attention due to their popularity was Trezor and Ledger Nano S. I will probably do a whole write up on the comparison of these 2 in regards to security in the future. Currently I believe from my research that the Ledger Nano S is more secure.
here is my preliminary review of the 2 most popular hardware wallets:
- STM32F205 [A common ARM Cortex M3]
- Not considered a secure MCU and carries no common criteria certification
- Security Page [Features, Bug Bounty, Incident]
- Security Threats FAQ
- Fixing physical memory access issue:
- Glitching device to gain access to private keys:
- Possible key extraction with oscilloscope:
Hardware: Ledger Nano S
- STM32F042K [Main controller]
- ST31H320 [Secondary secure controller]
- Bank grade secure enclave for private key storage
- EAL5+ common criteria certified
- Stores device key to protect the software from being tampered
- Even if memory was dumped from the Ledger this would not affect the secure storage
- Ledger Bug Bounty Program
- MITM attack risk
- Second Hand purchases
- Breaking the Ledger Security Model
- Ledger 2018 CTF(Capture the Flag)
Mining is using either a CPU or GPU to run a computation to discover a piece of the next Block in the chain which proves that you solved it. In some cases like Bitcoin to make significant progress you need proprietary hardware called ASIC miners. This results in issuing the crypto currency available in that next block to the person who submitted the solve. This is put extremely simply just for an initial introduction but most of these verifications are either Proof of Work or Proof of Stake.
To learn more about how mining works you can review the project below:
BlockChain != Crypto Currency
I just wanted to make one additional note that BlockChain technologies are not exclusively used for crypto. There are a wide variety of use cases including supply chain management, identity management, and tracking of documents and other transactions.
Here is a list a few projects that use BlockChain for other things other than crypto:
The first thing I learned from this research is that the technologies used to implement BlockChain, run exchanges, and create wallets was not that obscure. Research quickly led me into familiar territory. My goal is simply to start educating people so that they can make informed decision about BlockChain and the surrounding technologies. With a little more information at least you can have a more educated argument with people around you. Or worse case scenarios you get sucked in like me and might actually like this stuff. However you will never know if you let somebody else tell you how much to hate it.