March 23rd, 2021
The blockchain ecosystem is tightly intertwined with the web. Many blockchain-related applications (such as cryptocurrency exchanges, DApps, etc.) have websites, and attacks against these sites are often reported as blockchain hacks and proof that the blockchain is not as secure as many claim.
However, blockchain security is not the same as web security. Understanding the line between the blockchain and the web (and their relative security protections) is essential to understanding and evaluating blockchain-based applications.
Blockchain and the web are very similar. In fact, all but one of the current OWASP top ten list of web application vulnerabilities also apply to the blockchain.
However, the blockchain and the web differ in several significant ways. These differences have a dramatic impact on their security.
Blockchain-based solutions and smart contracts are hosted on very different infrastructure than websites. All data hosted on the blockchain is stored on the distributed and decentralized digital ledger. Websites, on the other hand, are hosted on centralized webservers.
These infrastructure differences make blockchain and web security very different. On the one hand, the design of the blockchain provides it with the advantages of anti-censorship and resiliency. On the other, the web’s centralization makes it easier to correct and update to patch a vulnerability or remediate a website cyberattack.
The blockchain and the web approach user authentication and access control in different ways.
One of the most common types of blockchain-related websites, online wallets, is designed to replace blockchain’s authentication mechanism with a web-based one.
On the blockchain, all authentication and access control is performed via public key cryptography. A user has a private key that they use to authorize transactions, and the corresponding public key is used to verify them. As long as the private key remains secure, only the legitimate owner of an account can perform transactions using it.
Websites can use a variety of different authentication mechanisms, but the most common is a password potentially backed up with two-factor authentication (2FA). Password security is notoriously poor, and the security of 2FA depends on the particular implementation. SMS-based 2FA – the most commonly used type – can be defeated via SMS interception, SIM swapping, phishing, and other attacks.
The decision to hand over private keys to websites is the most common source of hacks in the blockchain ecosystem. Website authentication is much more breakable, and attackers take advantage of this to gain access to the blockchain users that have entrusted their account security to these sites.
The World Wide Web was invented in 1989. The first blockchain (Bitcoin) was launched in 2009, and smart contract platforms came along even more recently.
The difference in age between the web and the blockchain has a significant impact on their relative security. Web developers are more familiar with their languages and the infrastructure than blockchain developers, and the web has received more security inspection than many blockchain platforms. As a result, when working on the blockchain, developers are much more likely to make mistakes that undermine the security of their systems and put users at risk.
The security of the blockchain and the web can be very different. However, they are both part of the blockchain ecosystem, and an effective blockchain security strategy should include both of them.
When designing or evaluating a blockchain-based solution, it is important to go further than a smart contract audit. Halborn offers in-depth, comprehensive security audits of blockchain-based solutions. Reach out to us at firstname.lastname@example.org for a consultation.