Photo of Terence Eden. He has a beard and is smiling.

Certified Blockchain Professional - Module 15: Security in Blockchain

· 450 words

As previously discussed, I'm doing the Certified Blockchain Professional course. It is self-directed learning, so I'm going through it at my own pace. In order to consolidate my learning, and help organise my thoughts, I'm blogging about my reflections on each module.

These are mostly notes to myself - but I hope if you find something interesting (or incorrect) that you'll leave a comment.

Regulatory frameworks need to be followed by businesses. There is a cost for compliance. Need to ensure that their blockchains are secure and suitable for enterprise use.

Blockchain isn't an application; it is a network.

Contracts and transactions need to be audited.

Can't store personal data on chain. What if transaction data is "leaked" - who is responsible? The whole network?

Do financial institutions want their transactions viewable by a 3rd party?

Having a shared AML / KYC database would reduce costs & duplication. But a single wrong entry would worm its way into all systems.

There are some practical attacks - including double-spending and majority attacks.

Smart Contract security if a difficult problem. Formal verification of the code might be possible. Lots of bugs in smart contracts - often leading to catastrophic results & theft. But code is law, so you're out of luck. There's no court to argue in front of.

Timestamp and block ordering manipulation is possible, as is call stack depth limits.

Reentrancy bugs allow a function to be called before it has finished - which can lead to multiple withdrawals.

And, of course, the standard programming bugs.

End-point security. How do users ensure the security of their private keys?

Privacy - all transactions are public, so possible to build a "social graph" of users and the flow of money. Can be disrupted with "mixing protocols" - because money is fungible (!!) a shared wallet can take in coins from multiple parties and redistribute them.

"Coloured Coins" - attaching metadata to coin which could represent an asset. Allows for the tracking of specific coins. Can be used to record assets like share certificates and voting rights.

Assignment

Read the paper “Securify: Practical Security Analysis of Smart Contracts

Answer the following questions:

  • What is the main challenge required to be addressed in order to build a smart contract security analyser?
    • Smart contracts are Turing Complete.
    • Reports may contain many distracting false alarms.
    • May rely on spotting "common" bugs and fail to catch esoteric ones.
    • May take a long time to analyse code.
    • May take a lot of memory to analyse code.

Share this post on…

  • Mastodon
  • Facebook
  • LinkedIn
  • BlueSky
  • Threads
  • Reddit
  • HackerNews
  • Lobsters
  • WhatsApp
  • Telegram

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">