Pentagon paper warns of major vulnerabilities in the Bitcoin blockchain

As the cryptocurrency industry continues to expand and becomes an increasingly attractive target for hackers, the Pentagon has commissioned a study that found some concerning vulnerabilities, detailed in the accompanying report.

The report, published on June 21 and titled “Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers,” found that “a subset of participants can garner excessive, centralized control over the entire system.”

The study, which focuses on Bitcoin (BTC) and Ethereum (ETH), was carried out by the security research firm Trail of Bits under the direction of the Pentagon’s Defense Advanced Research Projects Agency (DARPA).

According to the report:

“The number of entities sufficient to disrupt a blockchain is relatively low: four for Bitcoin, two for Ethereum, and less than a dozen for most PoS networks.”

60% of Bitcoin traffic goes through just 3 ISPs

Moreover, the report said that “of all Bitcoin traffic, 60% traverses just three ISPs,” referring to internet service providers. On top of that, “the vast majority of Bitcoin nodes appear to not participate in mining and node operators face no explicit penalty for dishonesty.”

As the analysts warn, “deploying a new node requires only one inexpensive cloud server instance – no specialized mining hardware is necessary.” This makes it possible to flood a blockchain’s consensus network with new, malicious nodes controlled by a single party, in what is called a Sybil attack.

Further problems include out-of-date and unencrypted protocols and software, all of which expose the network to attacks. As the report explains:

“The safety of a blockchain depends on the security of the software and protocols of its off-chain governance or consensus mechanisms.”

Careless mining pools

The report also discovered that all the mining pools its analysts tested “either assign a hard-coded password for all accounts or simply do not validate the password provided during authentication.”

As an example, the report used the practice of the global cryptocurrency mining pool ViaBTC of seemingly assigning the password ‘123’ to all of its accounts. Another mining firm, Poolin, “seems not to validate authentication credentials at all,” whereas Slushpool “explicitly instructs its users to ignore the password field.”

According to the available data, these three mining pools account for about 25% of the Bitcoin hashrate.
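To make the mining-pool finding concrete, here is an added example (written for this article, not code from Trail of Bits or from any pool it names) of a Stratum v1 `mining.authorize` handler. The `WeakPoolAuth` class models the two patterns the report describes, a hard-coded password shared by every account and credentials that are never checked; `PoolAuth` is the hardened form, storing a per-worker salted scrypt digest and comparing in constant time. Worker names, passwords and the JSON messages are constructed for the example.

```python
"""Worker authentication for a Stratum-style mining pool.

Added example: contrasts the weak patterns described in the DARPA/Trail of Bits
report with a hardened handler. Hypothetical pool code, not any real pool's.
"""
import hashlib
import hmac
import json
import os

# Stratum v1 clients authenticate with:
#   {"id": 1, "method": "mining.authorize", "params": [worker_name, password]}


class WeakPoolAuth:
    """Models the two failure modes the report found in tested pools."""

    def __init__(self, mode: str) -> None:
        if mode not in ("hardcoded", "ignore"):
            raise ValueError("mode must be 'hardcoded' or 'ignore'")
        self.mode = mode

    def authorize(self, worker: str, password: str) -> bool:
        if self.mode == "hardcoded":
            return password == "123"  # one shared password for every account
        return True  # "ignore": the password is never validated at all


class PoolAuth:
    """Hardened handler: per-worker salted scrypt digests, constant-time compare."""

    _N, _R, _P = 2**14, 8, 1  # scrypt cost; 16 MiB per hash, fits hashlib defaults

    def __init__(self) -> None:
        self._workers: dict[str, tuple[bytes, bytes]] = {}

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt,
                              n=self._N, r=self._R, p=self._P)

    def register(self, worker: str, password: str) -> None:
        salt = os.urandom(16)
        self._workers[worker] = (salt, self._digest(password, salt))

    def authorize(self, worker: str, password: str) -> bool:
        record = self._workers.get(worker)
        if record is None:
            # Hash anyway so an unknown worker name costs the same time as a
            # known one; otherwise timing reveals which names exist.
            self._digest(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(self._digest(password, salt), stored)


def handle_stratum_message(auth, raw: str) -> dict:
    """Dispatch one JSON-RPC line; only mining.authorize is handled here."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return {"id": None, "result": None, "error": [20, "Malformed request", None]}
    if msg.get("method") != "mining.authorize":
        return {"id": msg.get("id"), "result": None,
                "error": [20, "Unsupported method", None]}
    params = msg.get("params") or []
    # Reject anything but exactly two strings; never fall through to "accept".
    if len(params) != 2 or not all(isinstance(p, str) for p in params):
        return {"id": msg.get("id"), "result": None,
                "error": [20, "Bad params", None]}
    worker, password = params
    ok = auth.authorize(worker, password)
    # Error tuple shape follows the usual Stratum v1 [code, message, data] form.
    return {"id": msg.get("id"), "result": ok,
            "error": None if ok else [24, "Unauthorized worker", None]}


if __name__ == "__main__":
    pool = PoolAuth()
    pool.register("alice.rig1", "correct-horse-battery")
    for line in ('{"id":1,"method":"mining.authorize","params":["alice.rig1","123"]}',
                 '{"id":2,"method":"mining.authorize","params":["alice.rig1","correct-horse-battery"]}'):
        print(handle_stratum_message(pool, line))
```

The point of the contrast is the default: the weak handlers return `True` on any path that is not explicitly rejected, whereas the hardened one rejects on every path except a verified digest match, so a missing or malformed password can never be mistaken for a valid one.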

Cybersecurity researchers often warn of crypto-related weaknesses that can lead to incidents such as the one Finbold reported in mid-April, in which an attacker stole a person’s entire collection of cryptocurrencies and non-fungible tokens (NFTs), worth over $650,000, from their MetaMask wallet.
