Digital Risks in Permissioned Blockchains

Published in

UX Collective

9 min readJun 9, 2022

A few weeks ago news spread claiming that the LV group had hacked into a blockchain connected to Brazil’s Central Bank. The supposed target of the data leak was a decentralized identity solution created by CPqD and chosen by the Central Bank to become part of its forthcoming CBDC, the Real Digital.

Screenshot of the leak announcement on LV Blog — Screenshot of the leak announcement — source: LV Blog

A note published on May 02 on CPqD’s page stated that in reality no client solution had been compromised. Still according to the note:

“the blockchain-based decentralized digital identity solution developed [by CPqD] […] places the control of personal data in the hands of the users themselves, precisely to avoid situations of leakage or access to sensitive information by unauthorized persons”

Regardless of the details of this particular attack, the interest created by the news provides a good opportunity to explore the types of risks and vulnerabilities affecting permissioned blockchains such as the one soon to be used by Brazil’s Central Bank for its decentralized identity solution. To understand these risks, we first need to define some concepts and make some important distinctions between types of blockchains.

Permissionless and permissioned blockchains

In its most general sense, “blockchain” refers to a set of blocks of information concatenated in a series or chain (hence the name). There are different ways to categorize blockchains, but a first important division is between permissionless and permissioned blockchains:

Permissionless blockchains allow any user to pseudonymously join as a “node” of the network with unrestricted rights.
Permissioned blockchains, on the other hand, restrict access only to vetted users and can also restrict the rights of each node within the network. In addition, the identities of the users in a permissioned blockchain are generally known to the other users of that blockchain.

Permissionless blockchains tend to be more secure than permissioned ones, since there are a large number of nodes validating transactions, making it harder for bad actors to collude on the network. But the cost of security is the long transaction processing times. Permissioned blockchains, on the other hand, tend to be more efficient, but centralization makes the system more prone to vulnerabilities.

As a rule, the fewer nodes there are on a blockchain, the easier it is for bad actors to collude. Therefore, permissioned blockchain administrators should ensure that nodes that add and verify blocks are highly trustworthy.

Public Blockchains

Public blockchains are paradigmatic cases of permissionless blockchains.

Being decentralized, public blockchains allow any (natural or legal) person to become a node of the network with equal rights of access, creation and validation of data blocks. These blocks constitute a ledger distributed among all peers in the network, which can be accessed by anyone with internet access.

Well-known examples of public blockchains are the Bitcoin and Ethereum networks.

For a record to be added to a block in a public blockchain it must be validated through a cryptographic procedure that ensures data integrity. And for a new block to be added to the chain, the public blockchain protocol requires additional proof, called a consensus mechanism.

The best-known consensus mechanism is the proof-of-work, in which nodes called miners compete to solve a mathematical puzzle that requires great computing power in exchange for a reward. Once the block has been mined this information is transmitted and verified by all other nodes in the network, and only after this whole process is finished the block is added to the chain, changing the state of the blockchain.

Illustration of the path for a transaction to get into the public blockchain — How does a transaction get into the public blockchain — source: Euromoney Learning

Given this intricate mechanism for creating and adding blocks, it is extremely difficult (although not impossible) to alter the information contained in the ledger of a public blockchain. This is why it tends to be more secure, especially if it has a large number of nodes operating.

(I have described in much more detail the operation and security risks affecting public blockchains in the ebook Digital Risks in Blockchain and Web3, which is available for free download here.)

Private Blockchains

Private blockchains, on the other hand, are permissioned blockchains controlled by a single organization that restricts participation in the network.

The access mechanism to a private blockchain may vary depending on the implementation, but usually there is a central authority responsible for issuing licenses to participate in the network. This authority may or may not grant equal rights to participating nodes, but in any case only authorized entities will have access to the records contained in the ledger.

As private blockchains usually have a restricted number of participants, and as the consensus mechanism is more centralized, they are able to process a larger number of transactions in less time compared to a public blockchain.

However, since records cannot be independently verified, their integrity will depend solely on the credibility of the participants — meaning that they need to trust each other.

Furthermore, unlike records in public blockchains (which are for all practical purposes immutable), the operator of a private blockchain has the right to undo, edit, or delete entries in the ledger at any time.

An example of private blockchain is the network used by Walmart (based on Hyperledger Fabric) to track the provenance of its products.

Consortium blockchains

Also known as “federated blockchains”, these are permissioned blockchains governed by a group of organizations, rather than by a single entity, as in the case of a private blockchain.

Because they enjoy more decentralization than private blockchains, consortium blockchains can achieve higher levels of security.

Consortium blockchains are particularly appropriate for corporate environments where a set of companies need to share information, but without necessarily having unrestricted trust between participants.

Banks and financial institutions are among the top users of consortium blockchains, as these can offer faster and more scalable solutions, as well as more privacy for transactions, when compared to public blockchains.

One consortium blockchain solution that is quite popular in the financial services industry is Corda, developed by enterprise software company R3.

FinID — the decentralized digital identity system selected by Brazil’s Central Bank for its CBDC project — is a solution created by CPqD in partnership with R3. This solution will use electronic credentials issued by different participating agents in a permissioned blockchain integrated to the Corda platform, allowing customers to have control over their data and facilitating access to contracting financial services.

Hybrid blockchains

Hybrid blockchains are controlled by a single organization, but with an additional layer of oversight enabled by a public blockchain, which is required to perform certain transaction validations.

One example of a hybrid blockchain is IBM Food Trust, developed to improve efficiency across the food supply chain.

Diagram distinguishing 3 types of blockchains: Permissionless, Permissioned and Hybrid — Types of blockchains — source: Foley & Lardner LLP

Risks of permissioned blockchains

With fewer participants and more centralization, the risks increase that a cybercriminal can take control of a blockchain by manipulating its records or corrupting the system. This makes permissioned blockchains more vulnerable targets for attacks that take advantage of the fact that we administrators can be single points of failure.

This type of failure can occur either due to configuration problems caused inadvertently by administrators or by intentional manipulation of these settings for personal gain, either by authorized users of the system or by attackers who obtain the necessary credentials.

In addition, permissioned blockchains usually rely on external systems that can also be compromised — in particular the database systems used to store the state of the blockchain.

Following a classification proposed by Pavithran and Angeles (2021), we can divide attacks on permissioned blockchains into four types: physical attacks, blockchain layer attacks, network attacks, and malware attacks.

Physical attacks

Physical attacks are those that target hardware, software, network, and data through physical actions and events.

For example, if a malicious attacker gains access to the network, they can inject a fake device that can perform transactions and flood the network, or participate in the consensus process. Attackers can also enter the network by spoofing the identity of legitimate devices, such as MAC or IP addresses, or by obtaining the private keys of authorized users.

Attacks on the blockchain layer

Even if the nodes participating in the consensus are predetermined in permissioned blockchains, because multiple entities are involved in the process, there is a chance that some of them could become malicious. A poorly designed consensus mechanism or one with vulnerabilities can allow fake transactions to be accepted and stored in the blockchain. Examples of such attacks include the following:

Eclipse attacks: In this attack, attackers isolate nodes on a blockchain network, preventing them from communicating with other peers. This also enables adversary nodes to join and attack the network.
Block discard attack: In this attack, a malicious node discards the block generated by the winning mining node and propagates a fake block to the blockchain.
Block retention attack: In this attack, the winning mining node is prevented from publishing a block, causing the transactions contained in it to be discarded. Another form of this attack occurs when two mining pools intentionally try to fork the blockchain to create a network partition.

Attacks on the network

Network attacks are the unauthorized access to digital assets on a network of interconnected devices.

DDoS attack: A distributed denial-of-service attack on nodes participating in the consensus process can disrupt it and slow the system down. Mempool flooding is a form of DDoS attack where the attacker floods the memory pool with unconfirmed transactions.
Transaction privacy leakage: Because user behavior on blockchains is traceable, measures must be taken to ensure transaction privacy. However, potential leakage of sensitive information, such as cryptographic keys, can still occur.
Border Gateway Protocol (BGP) hijacking: BGP is used to share routing information within a network, specifying how IP packets are forwarded to their destinations. An attacker can intercept the blockchain network by manipulating BGP, changing the routing data in their favor.
DNS attacks: When a node joins the network, the DNS system will be used to discover active peers. If a malicious attacker is identified and is able to poison the DNS cache, a fake network can be created.

Malware attacks

Malware is malicious software designed to secretly access or damage an information system without prior consent.

Some of the possible malware attacks on blockchains would involve injecting malicious code into transaction blocks, or exploiting vulnerabilities in smart contracts, allowing the attacker to gain access to the network or to create fake transactions.

In addition to these attacks, users of permissioned blockchains can also fall victim to credential stealers and clippers, which can now collect private keys to wallets with access to the network. If one of these keys is tied to a privileged account, the network is compromised.

Conclusion

Permissioned blockchains offer flexible and efficient solutions especially in corporate environments, in which there is not necessarily total trust between network participants, requiring greater access and participation controls. But as with any application, the security of the system depends on a number of conditions related to the broader deployment environment. Compared to consolidated public blockchains, the greater centralization and limited number of nodes in permissioned blockchains makes them more vulnerable targets to attacks that exploit single points of failure. In this sense, security measures involving user access and blockchain interfaces should be doubled in order to prevent malicious users or attackers from injecting malicious code, executing transactions, or interfering with consensus mechanisms.

References

A. Davenport, S. Shetty and X. Liang, “Attack Surface Analysis of Permissioned Blockchain Platforms for Smart Cities,” 2018 IEEE International Smart Cities Conference (ISC2), 2018, pp. 1–6, doi: 10.1109/ISC2.2018.8656983.
B. Putz and G. Pernul, “Detecting Blockchain Security Threats,” 2020 IEEE International Conference on Blockchain (Blockchain), 2020, pp. 313–320, doi: 10.1109/Blockchain50366.2020.00046.
D. Pavithran, E. Angeles, C. Shibu and M. Shaikh, “Attacks on Permissioned Blockchain for IoT,” 2021 4th International Conference on Signal Processing and Information Security (ICSPIS), 2021, pp. 25–28, doi: 10.1109/ICSPIS53734.2021.9652429.
LIFT Challenge Real Digital seleciona 9 projetos
Types of Blockchain: Public, Private, or Something in Between | Blogs | Manufacturing Industry Advisor