Skip to content

Pentagon paper warns of major vulnerabilities in the Bitcoin blockchain

Pentagon paper warns of major vulnerabilities in the Bitcoin blockchain

As the cryptocurrency industry continues to expand and becomes an increasingly attractive target to hackers, the Pentagon has commissioned a study that has discovered some concerning vulnerabilities, detailed in an accompanying report.

Indeed, the report, published on June 21 and titled “Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers,” has discovered that “a subset of participants can garner excessive, centralized control over the entire system.”

The study, which focuses on Bitcoin (BTC) and Ethereum (ETH), was carried out by the security research firm Trail of Bits under the direction of the Pentagon’s Defense Advanced Research Projects Agency (DARPA).

According to the report:

“The number of entities sufficient to disrupt a blockchain is relatively low: four for Bitcoin, two for Ethereum, and less than a dozen for most PoS networks.” 

60% of Bitcoin traffic goes through just 3 ISPs

Moreover, the report said that “of all Bitcoin traffic, 60% traverses just three ISPs,” referring to internet service providers. On top of that, “the vast majority of Bitcoin nodes appear to not participate in mining and node operators face no explicit penalty for dishonesty.”

As the analysts warn, “deploying a new node requires only one inexpensive cloud server instance – no specialized mining hardware is necessary.” This allows for the possibility of flooding a blockchain’s consensus network with new, malicious nodes controlled by a single party in what is called a Sybil attack.

Further problems include out-of-date and unencrypted protocols and software, all of which expose the network to attacks. As the report explains:

“The safety of a blockchain depends on the security of the software and protocols of its off-chain governance or consensus mechanisms.”

Careless mining pools

The report also discovered that all the mining pools its analysts tested “either assign a hard-coded password for all accounts or simply do not validate the password provided during authentication.”

As an example, the report used the practice of the global cryptocurrency mining pool ViaBTC of seemingly assigning the password ‘123’ to all of its accounts. Another mining firm, Poolin, “seems not to validate authentication credentials at all,” whereas Slushpool “explicitly instructs its users to ignore the password field.”

According to the available data, these three mining pools account for about 25% of the Bitcoin hashrate.

Cybersecurity researchers often warn of potential crypto-related weaknesses that can lead to incidents such as the one that Finbold reported in mid-April, in which an attacker managed to steal a person’s entire collection of cryptos and non-fungible tokens (NFTs) worth over $650,000 from their MetaMask crypto wallet.

Best Crypto Exchange for Intermediate Traders and Investors

  • Invest in cryptocurrencies and 3,000+ other assets including stocks and precious metals.

  • 0% commission on stocks - buy in bulk or just a fraction from as little as $10. Other fees apply. For more information, visit etoro.com/trading/fees.

  • Copy top-performing traders in real time, automatically.

  • eToro USA is registered with FINRA for securities trading.

30+ million Users
Securities trading offered by eToro USA Securities, Inc. (“the BD”), member of FINRA and SIPC. Cryptocurrency offered by eToro USA LLC (“the MSB”) (NMLS: 1769299) and is not FDIC or SIPC insured. Investing involves risk, and content is provided for educational purposes only, does not imply a recommendation, and is not a guarantee of future performance. Finbold.com is not an affiliate and may be compensated if you access certain products or services offered by the MSB and/or the BD

Read Next:

Finance Digest

By subscribing you agree with Finbold T&C’s & Privacy Policy

Related posts

Sign Up

or

By submitting my information, I agree to the Privacy Policy and Terms of Service.

Already have an account?

Services

IMPORTANT NOTICE

Finbold is a news and information website. This Site may contain sponsored content, advertisements, and third-party materials, for which Finbold expressly disclaims any liability.

RISK WARNING: Cryptocurrencies are high-risk investments and you should not expect to be protected if something goes wrong. Don’t invest unless you’re prepared to lose all the money you invest. (Click here to learn more about cryptocurrency risks.)

By accessing this Site, you acknowledge that you understand these risks and that Finbold bears no responsibility for any losses, damages, or consequences resulting from your use of the Site or reliance on its content. Click here to learn more.