Securing Your Blockchain
Let’s begin with what a blockchain is. A blockchain is a distributed ledger technology that consists of growing lists of blocks that are securely linked together using encryptions. Blockchain has made it possible for Bitcoin and other decentralized finance (Defi) tools, Decentralized Autonomous Organizations (DAOs) and Non-Fungible Tokens (NFTs) to work. One of the key selling points of a blockchain is that the data on the blockchain is decentralized, immutable and secured with cryptography. These points help prevent tampering and fraud, however, blockchains are still not 100% secure.
What are some Security risks in Blockchains?
Since 2009, blockchains have become a mainstream topic. Many use cases for blockchains were studied and developed. The main use case for blockchains seems to be in Decentralized Finance. This has made blockchain a target for many hackers and has led to loss in the billions of dollars.
Here are some ways blockchains have been attacked in the past:
1. Code Exploitation
The smart contract is a computer program or transaction protocol that is intended to automatically execute, control or document events on the blockchain. A smart contract is difficult to change on the blockchain once it is coded, therefore applications that use smart contracts need to be developed with a different approach than normal applications. Think of an aerospace engineer and an airplane. It is important to ensure that everything is safe or the consequences can be catastrophic.
In the first quarter of 2022 the Defi industry lost over $1.6 Billion due to code exploits. One DAO was robbed out of more than $60 million worth of Ether due to code exploits. Many of these exploits were done on simple coding errors, incorrect calculations or inefficient contract logic.
2. Stolen Keys
When we’re talking about keys, we mean your public and private keys. Your public key can be shared with another user for receiving funds and shows the address of your wallet. Your private key serves as your password to access your own information on the blockchain. This key should not be shared, hence the word private. If anyone gets your private key, they can drain everything you have.
Over $73 Million worth of bitcoin was stolen from the crypto exchange Bitfinex, likely due to stolen private keys. Private keys can be stolen by use of hacks, phishing scams or even embezzled by corrupt custodians.
3. Cyber-attacks on individual nodes
Centralized exchanges are crypto exchange platforms that act as intermediaries between buyers and sellers of digital assets. In order to do this work, they need to hire employees. Employees means work spaces. A hacker needs to infiltrate only one node of that crypto exchanges network in order to cause damage.
The crypto exchange Bithumb, was hacked, had 30,000 of its user’s data compromised and got $870,000 worth of bitcoin stolen through the use of one employee’s computer.
This all shows that best cyber security practices need to be employed at all times, even on an inherently ‘safe’ system.
When determining the security of a blockchain, it is important to consider the type of blockchain we are looking at. There are four types of blockchains that can determine the privileges of participants and the type of data that can be accessed. The privileges and data are key factors in any blockchain attack. We have already done an article on the types of blockchains you may come across, which you can check out for more context.
Here are some best practices for securing your blockchain:
1. Adopt best practices when developing smart contracts
Smart contracts are one of the cores of the blockchain system. When designing a smart contract, it is important to use best coding practices, think out your logic carefully and double check your calculations. Doing this at the beginning ensures that changes aren’t necessary. Once a smart contract is created, it is difficult to rework it as it is coded to the blockchain.
2. Define and enforce appropriate endorsement policies
The endorsement policy specifies a set of peers on the channel that must execute chaincode and endorse the execution results in order for a transaction to be valid. These policies should be scoped at two levels: the smart contract level and for every single entry. The endorsement policy should also be encoded into a smart contract for added security.
3. Adopt identity and access controls
Ensuring that the right individuals have appropriate access is important for security. Methods should be in place for on-boarding individuals so that they can be identified throughout their tenure. Equally, proper off-boarding policies should be enforced to prevent malicious intent such as data leaking. Audits and logs can also be used to track individual operations and help identify malicious intent. Authentication, verification and authorization of individuals can be vetted through the use of OAUTH, OIDC, and SAML2 tokens.
4. Communicate over secure networks
The network used to access the blockchain should be secure and properly configured to prevent unauthorized access. This includes using firewalls to block potential threats, enabling secure protocols such as SSL/TLS, and regularly updating the network to fix any vulnerabilities. It is also a good idea to use a virtual private network (VPN) when accessing the blockchain from a public or unsecured network, as this can help protect your data from being intercepted by hackers.
5. Mandate Multifactor Authentication
Two-factor authentication requires users to provide a second form of authentication, such as a one-time code sent to their phone, in addition to their password. This makes it much harder for hackers to gain access to the blockchain, even if they manage to guess or steal a password. Two-factor authentication adds an extra layer of security. There are various methods of 2FA available, such as SMS, email, and authenticator apps, which offer different levels of security. It is a good idea to choose a 2FA method that is convenient for you but also provides a high level of security.
6. Use strong cryptographic key/certificate management
Use a strong and reliable key management solution to manage the number of keys used in the blockchain solution, including blockchain identity keys, internal TLS certificates, external TLS certificates, and domain certificates.
7. Perform full-scope penetration testing and vulnerability assessment
Be sure to perform full-scope penetration testing at every phase of solution deployment. It’s important to perform vulnerability assessments at the individual organization component level and for the overall system in order to ensure all issues are addressed.
8. Use hardware wallets
Hardware wallets, such as a USB drive, can be used to store private keys offline and away from potential hackers. Private keys are used to sign and verify transactions on the blockchain, and it is important to keep them secure to prevent unauthorized access to the blockchain. Hardware wallets offer a high level of security, as they are not connected to the internet.
It is important for users of blockchains to be aware of the security risks around and exploits of many blockchains. This can help them understand what are the best practices they can employ when navigating the space. Securing your sensitive information like your private key, employing multi factor authentication and using secure networks are some of the basic rules of cyber security. As more possibilities with blockchain technology are uncovered, so will new vulnerabilities and security practices will be updated accordingly.
Looking to launch a new product? Unpluggd Digital provides services in SaaS and Blockchain development and we LOVE building awesome ideas.
Reach out to set up a chat so we can get to work on your next project.