Is blockchain 100 percent safe? Can the bitcoin transaction be trustful?

[FuninUSA]

Some people say, blockchain technology ensures the safer way of transaction and may, at last, replace the current bank systems. Their opinions are based on the idea that, blockchain assigns transactions or smart contracts to an immutable ledger, verifiable by multiple parties.

However, recently, several Chinese students published a paper calling out some vulnerabilities that may subject blockchain entries to inefficiencies, hacking and other criminal activity. I'm worried that the immature blockchain technology will negatively influence my invest in bitcoin. 

The key known risk factors are listed below:

-Blockchain efficiency: For starters, the efficiency of blockchains themselves may become overloaded with complex consensus mechanisms and invalid data. Most popular consensus mechanism used in blockchain is Proof of Work, which the researchers call a "waste of computing resources.” In addition, blockchains will produce a lot of data -- block information, transaction data, contract bytecode -- that may be outdated and useless. Thus, An efficient data cleanup and detection mechanism is desired to improve the execution efficiency of blockchain systems.

-Private key security: The user's private key is regarded as the identity and security credential when using blockchain. It’s generated and maintained by the user instead of third-party agencies. An attacker could "recover the user's private key because it does not generate enough randomness during the signature process. Since the blockchain is not dependent on any centralized third-party trusted institutions, if the user's private key is stolen, it is difficult to track the criminal's behaviors and recover the modified blockchain information.

- Frequent criminal activities with Bitcoin include ransomware, underground markets and money laundering. Through some third-party trading platforms that support Bitcoin, users can buy or sell any product.Since this process is anonymous, it is hard to track user behaviors, let alone subject to legal sanctions.

-Transaction privacy leakage: Unfortunately, the privacy protection measures in blockchain are not very robust. Criminal smart contracts can facilitate the leakage of confidential information, theft of cryptographic keys, and various real-world crimes (e.g.,murder, arson, terrorism, etc.)

These are all important factors which should be included when considering to join the blockchain and cryptocurrency investment. ( the full 9 risk factors can be seen in FuninUSA)

The technology of blockchain is still very immature at this moment. I wonder, if these problems could finally be solved. Will bitcoin gradually accepted by the majority of people and be used as a method of payment? Also, once the blockchain technology is mature enough, will the bitcoin disappear? Hoping to hear your idea! 

[ps:students are Xiaoqi Li, Peng Jiang and Xiapu Luo (all with Hong Kong Polytechnic University), Ting Chen (University of Electronic Science and Technology of China), and Qiaoyan Wen (Beijing University)]

[1714106121]

1714106121

[1714106121]

1714106121

[1714106121]

1714106121

[1714106121]

1714106121

[1714106121]

1714106121

[1714106121]

1714106121

[akes2090]

To answer your question: blockchains are safe - but not 100% safe.

Examples to substantiate this are:
1. A poorly coded smart contract that is not audited.
2. Consensus algorithms (PoS, PoE, BZF etc...) which have the potential of being manipulated.
3. The current battle between DLT security v.s. quantum computing.

Everything that is made by man can be broken by man (given sufficient time and resources).
Having made such an assertion though - I would also say that based on the advanced foundation of cryptography, it does eliminate a large percentage of hackers who do not have sufficient knowledge.

[buwaytress]

To answer your question: blockchains are safe - but not 100% safe.

Examples to substantiate this are:
1. A poorly coded smart contract that is not audited.
2. Consensus algorithms (PoS, PoE, BZF etc...) which have the potential of being manipulated.
3. The current battle between DLT security v.s. quantum computing.

Everything that is made by man can be broken by man (given sufficient time and resources).
Having made such an assertion though - I would also say that based on the advanced foundation of cryptography, it does eliminate a large percentage of hackers who do not have sufficient knowledge.

I like that quote, not sure who said it, but yes, given sufficient time and resources, I believe that any task can be completed, any solution found. Asimov's "The Last Question" illustrates that perfectly, I think.

And it is this belief that means nothing is 100% safe. But it is also this belief that means that for the current and foreseaable time, Bitcoin is virtually safe to use, as no one will have or want to spend the time and resources to "break Bitcoin". It's not impossible, just thoroughly unfeasible.

[chocolaty]

Everything that is made by man can be broken by man (given sufficient time and resources).
Having made such an assertion though - I would also say that based on the advanced foundation of cryptography, it does eliminate a large percentage of hackers who do not have sufficient knowledge.

I definitely agree to this. Blockchain is man-made. Human cannot make anything 100% perfect, with no errors and undestructible. Blockchain only helps in reducing the number of mediocre hackers which leaves the veteran hackers. They are the one that can suffice the hacking of blockchains.

[AdolfinWolf]

Blockchain only helps in reducing the number of mediocre hackers which leaves the veteran hackers. They are the one that can suffice the hacking of blockchains.

*sigh*, how exactly would you hack a distributed/decentralized ledger?

The best you can probably do is either try to crack people's private keys, ( which is currently, unless you have some sort of quantum computer, impossible), or you could "stop" the blockchain from functioning correctly with a 51% attack, which costs alot of money rather than "hacking" skills.

I'm curious, In what way could the current chain be "hacked"?

[iram1011]

-Private key security: The user's private key is regarded as the identity and security credential when using blockchain. It’s generated and maintained by the user instead of third-party agencies. An attacker could "recover the user's private key because it does not generate enough randomness during the signature process. Since the blockchain is not dependent on any centralized third-party trusted institutions, if the user's private key is stolen, it is difficult to track the criminal's behaviors and recover the modified blockchain information.

Many security experts wonder if SHA-256, which contains the same mathematical weaknesses as its shorter, very much related SHA-1 precedent, is a concern for bitcoin and blockchain (both usually use SHA-256). The answer is not right now. SHA-256 is strong enough for the foreseeable future. More importantly, since most of the world’s financial transactions and HTTPS transactions are protected by SHA-256, when someone breaks it, we’ll have far bigger things to worry about than just bitcoin and blockchains.

[bob123]

-Private key security: The user's private key is regarded as the identity and security credential when using blockchain. It’s generated and maintained by the user instead of third-party agencies. An attacker could "recover the user's private key because it does not generate enough randomness during the signature process. Since the blockchain is not dependent on any centralized third-party trusted institutions, if the user's private key is stolen, it is difficult to track the criminal's behaviors and recover the modified blockchain information.

Many security experts wonder if SHA-256, which contains the same mathematical weaknesses as its shorter, very much related SHA-1 precedent, is a concern for bitcoin and blockchain (both usually use SHA-256). The answer is not right now. SHA-256 is strong enough for the foreseeable future. More importantly, since most of the world’s financial transactions and HTTPS transactions are protected by SHA-256, when someone breaks it, we’ll have far bigger things to worry about than just bitcoin and blockchains.

The 'security' of private keys is not only dependent on the hash function used.
The algorithm used to generate the public key from the private key is the ECDSA [1].

Nonetheless both, SHA-256 and ECDSA, are regarded as safe to use.

Up to today there hasn't been found a single SHA-256 collision.


[1] https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

[detector]

Japanese exchange got hack eventhough they are using advance security.

How about blockchain ?
If there is an opportunity for hacker to hack the blockchain, it may happen so prepare for not just keep your all crypto asset in 1 place !

[AdolfinWolf]

Japanese exchange got hack eventhough they are using advance security.

How about blockchain ?
If there is an opportunity for hacker to hack the blockchain, it may happen so prepare for not just keep your all crypto asset in 1 place !

An exchange ( which is usually a centralized asset/entity) is really not comparable to the "bitcoin" blockchain as a whole.

If there is an opportunity for hacker to hack the blockchain, it may happen so prepare for not just keep your all crypto asset in 1 place !

I don't see how an exchange having problems with their own security is a threat to the blockchain as a whole, you either don't understand the cryptographical proof ( or lack thereof) bitcoin private keys have,  or you haven't read what this thread is about at all..

[akes2090]

I think we are running off at a tangent here.

Whilst I agree that the DLT itself cannot be "hacked" we have to understand that it can be exploited:

1) Most major blockchains are open source and are developed using open source software/libraries. So although the DLT itself may be considered "secure", a vulnerability exposed by one or more of its core open source dependencies can infer that it is exploitable. A good example of this is the Heartbleed bug.

2) Possibly, the most significant are social engineering methods. We see it every day here: Someone's P.C gets infected by malware and suddenly the wallet.dat disappears or perhaps background monitoring malware replacing  payment addresses, MITM attacks etc...     

[buwaytress]

I think we are running off at a tangent here.

Whilst I agree that the DLT itself cannot be "hacked" we have to understand that it can be exploited:

1) Most major blockchains are open source and are developed using open source software/libraries. So although the DLT itself may be considered "secure", a vulnerability exposed by one or more of its core open source dependencies can infer that it is exploitable. A good example of this is the Heartbleed bug.

2) Possibly, the most significant are social engineering methods. We see it every day here: Someone's P.C gets infected by malware and suddenly the wallet.dat disappears or perhaps background monitoring malware replacing  payment addresses, MITM attacks etc...     

Not sure it's off tangent, if you take the entire question at face value, all responses have been relevant. 100% does not exist. Trust in an entity is not even in the equation so yes, in that sense, you can trust the math behind Bitcoin.

Social engineering is still the most efficient way to hack any security system, that much I'd agree. But even all the instances you mentioned don't expose any engineering flaw of the technology... no code was exploited, only humans were.

[akes2090]

I think we are running off at a tangent here.

Whilst I agree that the DLT itself cannot be "hacked" we have to understand that it can be exploited:

1) Most major blockchains are open source and are developed using open source software/libraries. So although the DLT itself may be considered "secure", a vulnerability exposed by one or more of its core open source dependencies can infer that it is exploitable. A good example of this is the Heartbleed bug.

2) Possibly, the most significant are social engineering methods. We see it every day here: Someone's P.C gets infected by malware and suddenly the wallet.dat disappears or perhaps background monitoring malware replacing  payment addresses, MITM attacks etc...     

Not sure it's off tangent, if you take the entire question at face value, all responses have been relevant. 100% does not exist. Trust in an entity is not even in the equation so yes, in that sense, you can trust the math behind Bitcoin.

Social engineering is still the most efficient way to hack any security system, that much I'd agree. But even all the instances you mentioned don't expose any engineering flaw of the technology... no code was exploited, only humans were.

The converse applies also: humans can only be exploited if the technology allows such to occur. Of course no system is perfect.

In any case it's irrelevant now as I see the OP has changed his/her/their subject to read "...Can the bitcoin transaction be trustful?"

[Ray55]

No online  transactions are 100% safe. It's only up to you how to maintain your  account.

[bob123]

No online  transactions are 100% safe. It's only up to you how to maintain your  account.

Did you even read the thread/OP?

Bitcoin doesn't have anything like 'accounts'.
There are private-/public keypairs with UTXO's.

The whole sense of bitcoin is to generate a trustless (financial) system.
After a certain amount of confirmation a transaction can safely be considered as approved and therefore.
Theoretically, of course, there is no 100% security/safety. But a transaction with 60 confirmations does have a chance of 0.18% to being 'reversed' with an attacker controlling 40%(!) of the networks hashrate.

The bitcoin whitepaper includes calculations on how safe those transactions are. There is a formula and even an implemented version in C:

Code:

#include <math.h>
double AttackerSuccessProbability(double q, int z)
{
    double p = 1.0 - q;
    double lambda = z * (q / p);
    double sum = 1.0;
    int i, k;
    for (k = 0; k <= z; k++)
    {
        double poisson = exp(-lambda);
        for (i = 1; i <= k; i++)
            poisson *= lambda / i;
        sum -= poisson * (1 - pow(q / p, z - k));
    }
    return sum;
}

with q = hashrate of attacker in %
and z = amount of confirmations

Source: https://bitcoin.org/bitcoin.pdf (S. 7)

You can even calculate the probability here: https://people.xiph.org/~greg/attack_success.html

[HeRetiK]

-Blockchain efficiency: For starters, the efficiency of blockchains themselves may become overloaded with complex consensus mechanisms and invalid data. Most popular consensus mechanism used in blockchain is Proof of Work, which the researchers call a "waste of computing resources.” In addition, blockchains will produce a lot of data -- block information, transaction data, contract bytecode -- that may be outdated and useless. Thus, An efficient data cleanup and detection mechanism is desired to improve the execution efficiency of blockchain systems.

What they call a "waste of computing resources" is what makes blockchains secure in the first place. You want the data to be hard to compute, otherwise it would be easy to manipulate.

You see something similar when hashing user passwords for your database -- using "wasteful", ie. slow hashing algorithms is part of a proper security model, since you don't want an adversary to brute force through your user's passwords all that easily in case of a data breach.

-Private key security: The user's private key is regarded as the identity and security credential when using blockchain. It’s generated and maintained by the user instead of third-party agencies. An attacker could "recover the user's private key because it does not generate enough randomness during the signature process. Since the blockchain is not dependent on any centralized third-party trusted institutions, if the user's private key is stolen, it is difficult to track the criminal's behaviors and recover the modified blockchain information.

This reads like they are trying to make a case for private key generation through third party agencies. While bad RNGs have proven problematic in the past, you have no guarantuee that a third party would fare any better.

If anything, leaving private key handling and signatures to "trusted institutions" has proven to be a systemic risk time and time again:

http://wiki.cacert.org/Risk/History

- Frequent criminal activities with Bitcoin include ransomware, underground markets and money laundering. Through some third-party trading platforms that support Bitcoin, users can buy or sell any product.Since this process is anonymous, it is hard to track user behaviors, let alone subject to legal sanctions.

That one has nothing to do with blockchain security.

-Transaction privacy leakage: Unfortunately, the privacy protection measures in blockchain are not very robust. Criminal smart contracts can facilitate the leakage of confidential information, theft of cryptographic keys, and various real-world crimes (e.g.,murder, arson, terrorism, etc.)

Both the privacy aspect and the security of smart contracts is cryptocurrency dependent and can't be generalized.

And which criminal smart contracts are facilitating murder, arson and terrorism? Has the IS been running an ICO that I missed?

This point also seems weirdly at odds with the prior statement. Either "it is hard to track user behaviours" or "the privacy protection measures [...] are not very robust". It can't be both.


Got a link to the paper? I assume there is more depth to their line of argument. Right now it seems rather shallow.