Cryptocurrency tech's security weaknesses could compromise how it runs: DARPA

A new analysis commissioned by DARPA quantifies how the decentralized tech that runs the currency system could be compromised.

Cryptocurrency tech is vulnerable to tampering, a DARPA analysis finds

LEILA FADEL, HOST:

Cryptocurrencies are having a bad year. The price of Bitcoin has slid almost 70% since its peak last November, while some of the more innovative versions of virtual money have tanked altogether. Now there's a new reason for worry. A government-commissioned report comes out today which raises questions about the technology behind cryptocurrencies and how secure it is from tampering. NPR's Martin Kaste reports.

MARTIN KASTE, BYLINE: Cryptocurrency is more than just an investment; it's an ideology. It's the belief that nobody should be in charge of how money works: no company, no central bank, no government. Here's the emcee warming up the crowd at the Bitcoin 2022 conference in Miami back in April.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED PERSON: One, two, three, freedom. Again, freedom. One more time, freedom.

KASTE: This freedom is built on decentralization. You see, what you need to understand about cryptocurrencies is that the transactions - who bought a Bitcoin, who sold one - all of that is tracked on blockchains. And those are just ledgers, publicly visible lists of transactions replicated on computers around the world, too decentralized for anybody to tamper with in theory.

DAN GUIDO: It's been taken for granted that blockchains are immutable and decentralized because the community says so.

KASTE: That's Dan Guido, CEO of Trail of Bits, a software security research and development firm that just released a new report about this. The paper asks a fundamental question.

GUIDO: Are there certain parties that control overwhelming percentages of the network? And the answer is, overwhelmingly, yes.

KASTE: The report focuses on places on these blockchain networks where the traffic has become concentrated, like traffic bottlenecked on a freeway. And it shows how someone could use those bottlenecks to take over the blockchain process, say, to stop someone from getting paid or just to make an asset disappear. This is usually called a 51% attack because you're trying to take over most of the network. But Guido's team has found that you'd really need only 49%, and because of those bottlenecks, sometimes even less.

GUIDO: Let's say somebody with great top-down control of the internet in their country starts to interfere with that network, we can actually start bringing that 49% down to 40%, to 35%. And these sorts of margins of safety get whittled away.

KASTE: You could see a scenario in which, say, Russia used this approach to block crypto donations to Ukraine. And that's where you start to see the strategic importance of all this and why this report was commissioned by the Defense Advanced Research Projects Agency - known as DARPA.

JOSH BARON: So one of the missions for DARPA is preventing technological surprise.

KASTE: Josh Baron is a program manager with the agency. He says the report gathers in one place existing research into the vulnerabilities. And he says some of the details are, quote, "eyebrow-raising."

BARON: So for example, the idea that 21% of Bitcoin nodes are running an old version of the Bitcoin core client that's known to be vulnerable.

KASTE: Just to explain that for a second, what he's talking about there is that 21% of those Bitcoin nodes are running software with a known flaw. So they could all be hacked the same way.

BARON: So like, you're already worried about 51%. And now I'm telling you that 21% are just out there for the taking, as it were, right? That's not great.

KASTE: He sees this report as a guide for fixing vulnerabilities as blockchain networks become more important. But the government isn't going to impose those fixes because it can't. Crypto is decentralized. You need a consensus in that loose community of people who help to run these networks. And right now, this centralization doesn't seem to be much of a concern. Big crypto companies such as Coinbase are more focused right now on the volatility of prices. They declined to comment about the report to NPR. But at a smaller Bitcoin services company called swan.com, co-founder Yan Pritzker called these dangers theoretical.

YAN PRITZKER: If this kind of attack is possible, why hasn't it happened, right? So I think the proof is in the pudding a little bit. In real-world conditions, these things don't happen.

KASTE: Pritzker agrees with the report on one point. There is more centralization in some of the newer forms of cryptocurrency, especially those that use a different kind of blockchain system called proof-of-stake, which uses less power. He's confident in the older, more energy-intensive system used by Bitcoin.

PRITZKER: Whatever you do in the short run to damage Bitcoin - like, let's say you were actually able to stop Bitcoin from producing blocks for even, like, a day. If you end that attack, the coin will go back to normal. And then all you've done is you've just proven that it's impossible to attack.

KASTE: This comes down to a debate over whether people investing, say, their retirement funds should consider cryptocurrencies to be a proven technology. At Trail of Bits, Dan Guido says he's not anti-blockchain. He thinks they have a lot of promise. But to him, this kind of virtual money is still a prototype.

GUIDO: Everybody needs to know kind of what they're buying, what they're buying into, what they're going to trust. And there's a lot here that you should not trust, at least not today.

KASTE: Martin Kaste, NPR News.

Copyright © 2022 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.