Blockchains Vulnerable to Centralised Control, DARPA Report Finds

Blockchains Vulnerable to Centralised Control, DARPA Report Finds
Photo: Dan Kitwood, Getty Images

Researchers at the gonzo Pentagon research agency responsible for introducing the world to stealth bombers, insect-sized surveillance drones, and the internet itself have some reservations about the blockchain technology underpinning Web3.

A newly released report commissioned by the Defence Advanced Research Project (DARPA) titled “Are Blockchains Decentralized?” found key vulnerabilities potentially capable of jeopardizing blockchain tech’s supposed “decentralized” ethos.

The report, conducted in partnership with the research firm Trail of Bits, specifically points to a handful of, “unintended centralities,” that the authors argue can potentially concentrate blockchain power in the hands of a few select individuals or groups. Those unintended centralities range from powerful new cryptocurrency miners and outdated computers vulnerable to attacks, to a select cohort of internet service providers responsible for handling Bitcoin traffic.

The authors notably don’t discover exploits or weaknesses of blockchain’s lauded cryptography (those are actually described as “quite robust” — at least until quantum computing becomes a great reality). Instead, they dig up issues by “subverting the properties of a blockchain’s implementations.”

“We believe the risks inherent in blockchains and cryptocurrencies have been poorly described and are often ignored — or even mocked — by those seeking to cash in on this decade’s gold rush,” the authors said in a statement.

DARPA reportedly engaged Trail of Bits over the course of the past year and asked the firm to examine the fundamental properties in blockchains and potential security risks associated with them. The timing of the report’s release comes amid a historic haemorrhaging of value in Bitcoin and other cryptocurrencies that’s left many in the space rattled.

Nearly two-thirds (60%) of all Bitcoin traffic travelled through just three ISPs over at least the past five years, according to the report. Additionally, around half of all Bitcoin, traffic was reportedly routed through Tor. If so inclined, Trail of Bits CEO Dan Guido said in an interview with NPR, those providers could potentially possess the ability to “rewrite history” by restricting certain transactions and preventing Bitcoin from changing hands altogether.

“Let’s say somebody with great top-down control of the internet in their country starts to interfere with that network,” Guido said. “By slowing down or stopping legitimate blockchain traffic, an attacker could become the ‘majority’ voice in the consensus of what’s written to a blockchain at that moment.”

Then there’s the issue of outdated software. According to the report, around 21% of Bitcoin nodes are running an old version of a Bitcoin core client that’s vulnerable to attacks. Trail of Bits says “overt software changes” can actually modify the state of a blockchain which in turn makes the developers of blockchain software a centralised point of trust in the system uniquely vulnerable to attacks.

“This choice is not simply about the convenience of delegating management to a third party; it is about whether one trusts a centralised third party versus one’s own security hygiene and the developers of one’s non-custodial wallet,” the authors write.

The DARPA-commissioned report’s warnings around unintended crypto centralization partly echoes recent claims voiced by prominent Web3 naysayers. Possibly the biggest name in the “Web3 isn’t what you think it is” crowd is Block CEO and former Twitter king Jack Dorsey. Dorsey has spoken critically of venture capitalists’ involvement in Web3 companies even going as far as to call the supposed new era of the internet, “ultimately a centralised entity with a different label.”

Signal founder Moxie Marlinspike has similarly spoken out against what he sees as weaknesses in Web3 infrastructure that are in effect acting to centralize a supposedly decentralized system.

“Once a distributed ecosystem centralizes around a platform for convenience, it becomes the worst of both worlds: centralised control, but still distributed enough to become mired in time,” Marlinspike wrote in a widely circulated essay earlier this year. “I can build my own NFT marketplace, but it doesn’t offer any additional control if OpenSea mediates the view of all NFTs in the wallets people use (and every other app in the ecosystem).” For his part, Dorsey’s actually already moving on to what he views as a more decentralized “Web5,” era, somehow skipping the Web4 jargon altogether

Still, Web3 believers like Swan co-founder Yan Pritzker aren’t necessarily sold on the criticisms outlined in the recent DARPA-backed report. Speaking with NPR, Pritzker saw the possibility of attacks laid out in the report as mostly “theoretical” and called into question the report’s backing by a major, inherently centralised, government agency.

“They’re basically doing endgame research,” Pritzker told NPR “Their game is, ‘how do we get better control of the currency,’ and ‘how do we build better systems for our control of the currency’.” Of course, even a theoretical strategy for a government to control cryptocurrency would undermine the promise of blockchain tech that proponents have spent years pushing.