Select your country

Not finding what you are looking for, select your country from our regional selector:

Søk

Blockchain Security: Received idea or established fact?

Smart contracts, tokenization, or even digital asset management, more and more companies are investing in innovative blockchain projects attracted by the promises of the latter. Behind this multiplication of uses of a still new technology, the question of cybersecurity necessarily arises.

If blockchain is often perceived as synonymous with inviolability and foolproof security, the reality behind this image of a digital fortress is much more complex than it seems.

In this context, several questions arise. What are the promises and uses behind blockchain? Is technology really tamper-proof? What are the attack surfaces and how to protect yourself? What are the regulatory considerations? 

Blockchain, a booming technology with real cybersecurity challenges

Based on the principles of decentralization, transparency, and security, blockchain allows the creation of a distributed ledger, where transactions are recorded in an immutable manner that can be verified by everyone. For companies, this capacity for decentralization allows the development of new products and services on the web while limiting the need for intermediaries, as Benjamin Thomas, Security Consultant at Orange Cyberdefense, points out:

It is a technology for storing, sharing information, and running applications. A parallel can be drawn between Blockchain and the Cloud because we can store information there and run applications in the same way. The advantage of using Blockchain is to limit the need for intermediaries and to benefit from the transparency and availability characteristics of this technology. In a world where everything tends to centralize around GAFAM, Blockchain is moving against the tide. We can already find all the traditional Web services there, but without a central authority.

A reduction in the use of a third party that finds its interest in a supply context chain, as the expert explains: “If we consider several companies which each intervene at a given moment in the supply chain, the blockchain will make it possible to have a global infrastructure of all these entities which does not depend on a single company and therefore which is neutral.

A use that is already at work in the food sector where companies like Carrefour are already using blockchain to strengthen the traceability of products in the supply chain and ensure transparency on the origin and quality of food.

The potential of this technology does not stop there with the development of applications such as smart contracts, which automate agreements and transactions in a secure manner. We are observing the emergence of tokenization services such as the Winedex platform which uses blockchain for the tokenization of wine, offering a new form of investment and exchange of digital assets. The Blockchain then acts as a “world computer” on which anyone can deploy or use an application, and where the conditions of execution of this application can be verified by all participants.

Regarding the uses of blockchain relating to digital assets, regulations are evolving. Regulatory bodies such as the Financial Markets Authority (AMF) require companies working with digital assets to register as PSANs (digital asset service providers). At the European level, the MiCA ( Market in Crypto Assets) regulation published in 2023 aims to establish a framework for crypto-assets.

It must be said that the market is booming. According to 21.co, a company specializing in digital asset management, the value of tokenized assets on public blockchains stands at $118.57 billion. For the consulting firm Roland Berger, the tokenization market could reach $10,000 billion in 2030.

Alongside this enthusiasm, a new issue is emerging, that of cybersecurity in blockchain environments. The numbers speak for themselves. According to a report from the company Chainalysis, which specializes in blockchain data analysis, security flaws in the systems led to losses of more than 3.8 billion euros in 2022.

Attack surface and blockchain: a still vague concept

If the concept of attack surface is known in the fields of Information Technology (IT) and Operational Technology (OT), the notion of attack surface in the field of blockchain remains a still vague concept for a majority of professionals.

Vulnerabilities inherent to the blockchain

One of the most well-known vulnerabilities is the commonly known 51% attack. The 51% attack is a theoretical threat in the field of blockchain which concerns systems using the so-called proof of work mechanism, such as Bitcoin and other blockchains. This attack occurs when an individual or group acquires more than 50% of the computing power of the blockchain network. With this majority, the attacker can manipulate the transaction register and thus validate or invalidate it. Blockchain security relies on decentralization. By controlling more than half of the computing power, the attacker centralizes control and can make unilateral decisions regarding transactions.

Although this attack has become less common on public blockchains due to their large computing power and the advent of new consensus algorithms like "Proof of Stake "which now dominate the market, this is not the case. private or permissioned blockchains, for which the transaction validation algorithm is more easily vulnerable to localized intrusions. As Benjamin Thomas points out:

In a private blockchain, only the company or servers authorized by a company can contribute to the security of the network decentralization. By definition, these are much easier targets for cyberattackers since there are only a few stations to compromise to recover the majority of the network's computing power.

Note that blockchains are also vulnerable to denial of service (DDoS) attacks. As the blockchain is hosted on a set of decentralized servers, if some or all of the servers are saturated, the overall capacity of the blockchain will be affected, leading to delays or even unavailability. Furthermore, if a participant in the network, whether public or private, wishes to spam transactions to the point of causing their unavailability, they can theoretically achieve this.

Smart contracts

Like any program, smart contracts are likely to present classic vulnerabilities linked to the programming stage. A common flaw is reentrancy, a defect caused by poor checking or inappropriate placement of conditions in the code.

In practice, this type of vulnerability manifests itself when a smart contract allows a user to perform a function, such as transferring funds, before confirming whether this action is authorized. If the verification is performed after the function is executed, an attacker can abuse this flaw to repeat the action multiple times, thereby fraudulently exfiltrating funds or resources.

The best illustration of this modus operandi is the Fei Protocol incident in April 2022 which allowed its author to divert nearly 80 million dollars in tokens by exploiting a reentrancy vulnerability.

Another common scenario is smart contract compromises involving an absence or poor management of access controls. "In a program, there are different functions, some designed to be performed exclusively by an administrator. However, sometimes developers fail to implement the necessary restriction, thereby allowing these functions to be used by an unauthorized person.", explains Benjamin Thomas.

Finally and as with any development, the programming languages used in blockchain development can be a significant source of vulnerabilities. This was the case with the Curve Finance application, which suffered from a flaw in the Vyper programming language, allowing cybercriminals to embezzle nearly 73 million dollars. This phenomenon largely explained by the recent nature of these languages which are more conducive to the appearance of zero-day flaws.

The interface

Decentralized applications use the same web interface development frameworks (React, Angular, Vue.js) as traditional applications, as Benjamin Thomas points out:

Beyond the back-end infrastructure, the interface is also a point of vulnerability. For example, a cybercriminal can divert website traffic from a decentralized application to redirect it to its own application.

This is notably what happened to the Balancer application, a victim of a DNS hijacking which led to the theft of $238,000 in crypto-currency assets.

Likewise, traditional phishing techniques, such as sending fraudulent emails to obtain user credentials, remain a serious threat. Users could be tricked into entering their information on counterfeit websites or interfaces, leading to the loss of their digital assets.

Data sources

Regarding data sources, the “Oracle Problem” refers to a vulnerability in smart contracts. Smart contracts, by nature, can only interact with other elements within the blockchain. To retrieve information, they must rely on “oracles”, intermediaries who serve as a bridge between the blockchain and the outside world. In this scenario, the danger arises when these oracles are compromised, providing false or manipulated data to smart contracts.

DeFi protocols lost approximately $403.2 million following 41 oracle manipulation attacks, according to Chainalysis. These attacks can directly target oracles by compromising them so that they send erroneous data or exploiting weaknesses in their design, such as a lack of reliability or updating of data. Once this incorrect information is entered into the blockchain, it remains there permanently, potentially affecting all operations that rely on this data. A situation that calls into question the reliability and security of blockchain applications.

Digital wallets

Regarding digital wallets, there are also vulnerabilities linked to private keys. Like a traditional password, a private key allows authentication. Thus the user can carry out transactions in digital assets and justify the possession of their funds.

If this mechanism seems complex, it introduces a major flaw: if a cyberattacker manages to appropriate this key, he could then access all of the digital assets in the wallet. For added protection, businesses can use an HSM (Hardware Security Module) which adds an extra layer of protection. This physical equipment acts as a digital safe and allows private keys to be generated, stored and protected.

Orange Cyberdefense supports you in securing your blockchain project

Security by design approach

Orange Cyberdefense offers a complete range of services to support blockchain projects, emphasizing security from the design phase, this is called " security by design". This step involves close collaboration with clients from the start of their blockchain projects to integrate security milestones into the project development. In addition to design support, Orange Cyberdefense offers auditing services for smart contracts, Blockchain protocols, and private key management to ensure compliance with security requirements and best practices. An expertise that also covers support for compliance with regulations, such as PSAN.

Expertise on topics related to blockchain

Orange Cyberdefense can also intervene in forensic analysis and on-chain analysis. The first is to examine the traces of an attack, determining the path taken by the attacker and the vulnerabilities exploited. Through in-depth analysis, Orange Cyberdefense experts can precisely identify the tactics, techniques, and procedures used by the attacker.

As for on-chain analysis, Orange Cyberdefense uses a vast database containing information from numerous digital asset portfolios associated with cybercriminals or potential attackers. A resource that allows experts to trace and track transactions, helping victimized businesses, including their competitors, locate stolen funds in collaboration with authorities.

Recognized certifications

As a qualified partner, Orange Cyberdefense is one of the only companies that has certifications for supporting blockchain projects with a PASSI qualification (information systems security audit provider) for PSAN compliance. Orange Cyberdefense also has PDIS (security incident detection service provider) and PRIS (security incident response service provider) qualifications.

In essence

The image of blockchain as a tamper-proof technology clashes with a more nuanced and complex reality. Although it offers undeniable advantages in terms of decentralization, transparency, and growth opportunity, security remains a major challenge.

This is why Orange Cyberdefense stands out in the cybersecurity sector with its complete and integrated offering, covering all aspects of blockchain security. A 360-degree approach that goes beyond the simple audit of smart contracts or blockchain technology. Our approach encompasses securing the entire technological ecosystem, ensuring complete protection.

Incident Response Hotline

Står du overfor en cyberhendelse akkurat nå?

 

Kontakt vår globale 24/7/365 tjeneste incident response hotline.