Blockchain security combines two complex terms; careful observation and dynamic analysis are required to gain an in-depth understanding of these words and how they relate to Proof-of-Work (PoW) in the crypto space.
BLOCKCHAIN: This term can be traced to the early 80s, when the cryptographer David Chaum first proposed a blockchain-like protocol in his treatise "Computer Systems Established, Maintained, and Trusted by Mutually Suspicious Groups". In the early 90s, Stuart Haber and W. Scott Stornetta, both scientists, worked on document timestamp security. In 1992 Haber, Stornetta, and Dave Bayer incorporated Merkle trees into the design, which improved its efficiency by allowing several document certificates to be collected into one block.
Modern day blockchain history: The modern blockchain can be traced to a group of individuals called Satoshi Nakamoto, in 2008. Nakamoto improved the design in a very unique way, using a Hashcash-like method to timestamp blocks without requiring them to be signed by a trusted party. He also introduced a difficulty parameter to stabilize the rate at which blocks are added to the chain.
Nakamoto could be seen as the genesis of Bitcoin. With mass adoption from 2014 to 2020, the Bitcoin blockchain file size, containing records of all transactions that have occurred on the network, exceeded 200 GB.
The literal term security can be defined as the state of being free from danger or threat. As in all other processes of life, threat and security are key.
Blockchain security is about understanding blockchain network risks and managing them. According to Kurt Seifried, Chief Blockchain Officer, Director of Special Projects, CSA, weaknesses are introduced into software by developers, which results in vulnerabilities in that software; attackers exploit these vulnerabilities to gain access to their advantage.
There is no comprehensive public list of blockchain weaknesses, but most organizations have ventured into it: the US Government Department of Homeland Security sponsors one such effort, the Common Weakness Enumeration (CWE) database, and there is a Solidity-focused Smart Contract Weakness Classification and Test Cases available from the SWC.
Why is it important to list out the weaknesses of blockchain?
According to the popular crypto quote: "If you attack and compromise a database you need to take that data and then sell it to monetize your attack. If you compromise a web server you need to install some malware to harvest credit card details, and then monetize that data by selling it. But if you steal crypto currency? That’s literally money in the attacker's wallet."
Attacks rely on a vulnerability being present so that they can exploit it. These vulnerabilities are implemented in software (web services, smart contracts, the underlying blockchain system, etc.) and can be any number of weaknesses such as logic bugs, reentrancy issues, integer overflows and so on. The good news: law enforcement is getting better at tracing these transactions and following the money. The bad news: the blockchain industry is not very mature when it comes to identifying vulnerabilities and weaknesses.
A list of weaknesses is important for:
- Helping crypto developers build on existing frameworks in crypto development.
- Helping developers choose between using a public database and building their own data set; most security scanning tools use the CWE database as their baseline for the security flaws they try to detect and offer guidance on remediating.
- Helping to study existing problems for better development.
Although there is not much accounting of blockchain weaknesses, the Cloud Security Alliance (CSA) is a community that claims to be researching this issue, with a current rough list of almost 200 weaknesses that apply to blockchain and smart contracts, about half of which are not in any other public database of weaknesses.
According to the community, the goal is to make the list of weaknesses more detailed and comprehensive, and to encourage other public databases (such as CWE or the SWC Registry) to include them so that ultimately automated tools will include support for them, making it easier for developers and end users to find, understand and fix vulnerabilities, because attackers find and exploit them. Some of the listed blockchain weaknesses include:
| Name of Weakness | Alternative | Description |
|---|---|---|
| Account Hijacking | | |
| RPC API Exposure | | If an API is improperly exposed an attacker can attack it |
| Artificial Difficulty Increases | | |
| Balance Attack | | |
| Bitcoin lightning - Eclipse Attack Time Dilation | | |
| Bitcoin lightning - flood and loot | | |
| Bitcoin lightning - pinning | | |
| Bitcoin lightning - spamming payment micropayments | | |
| Block Forger DoS | | |
| Block Mining Finney Attack | | |
| Block Mining Race Attack | | A variation on the Finney attack |
| Block Mining Timejack Attack | | By isolating a node the time signal can be manipulated getting the victim out of synchronization |
| Block Reordering Attack | | Certain cryptographic operations (such as using CBC or ECB incorrectly) allow blocks to be re-ordered and the results will still decrypt properly |
| Blockchain Ingestion | | |
| Blockchain Network Lacks Hash Capacity | | The Blockchain/DLT network lacks hashing capacity, an attacker can rent sufficient hashing power to execute a 51% Attack |
| Blockchain Network Partitioning Attack | Partition Routing Attack | |
| Blockchain Peer flooding Attack | Unlimited node creation | By creating a large number of fake peers in a network (peer to peer or otherwise) an attacker can cause real nodes to slow down or become non responsive as they attempt to connect to the newly announced peers. |
| Blockchain Peer flooding Attack Slowloris variant | | By creating a large number of slow peers (real systems that respond very slowly to network requests) in a network an attacker can cause real nodes to slow down or become non responsive as they attempt to connect to the newly announced peers. Unlike fake peers that do not exist these slowloris peers are real but communicate slowly enough to hold sockets and resources open for minutes or hours. |
| Blockchain reorganization attack | Alternative history attack, history rewrite attack | Also referred to as an alternative history attack |
| Blockchain Weak Sources of Randomness | | |
| Consensus 34% Attack | | 34% Attack against BFT network, a specific instance of Consensus Majority Attack |
| Consensus 51% Attack | | 51% Attack against DLT network, a specific instance of Consensus Majority Attack |
| Consensus Attack | | Consensus Attacks against the consensus protocol and system in use can take many forms and are not limited to gaining control of the consensus mechanism but can also be used to slow down consensus for example |
| Consensus Attack against PoS | | |
| Consensus Attack against PoW | | |
| Consensus Delay Attack | | Consensus Delay Attacks can allow malicious miners to gain time in order to execute other attacks |
| Consensus Majority Attack | | Consensus Majority Attackers can try to gain a consensus majority in order to control the contents of the Blockchain |
| Credential Stuffing | | Attackers use spilled or otherwise leaked credentials and account names to try name/password combinations with a higher likelihood of success against services requiring authentication |
| Cryptomining | Cryptojacking | Cryptomining (also known as Cryptojacking) involves an attacker using a victim's compute resources to mine crypto currencies, this can range from using malware to stolen credentials to gain access to systems |
| Cryptomining Malware | Cryptojacking Malware | |
| Data corruption | | |
| Dictionary Attack | | Attackers use dictionaries of known passwords, a subset of brute force attacks, this can be used against services requiring login, or against cryptographically protected data requiring a password or passphrase to access it such as a wallet |
| Distributed-Denial-of-Service Attack | DDoS Attack | |
| DNS Attacks | | |
| DoS against Ethereum 2.0 validator to trigger penalty for being offline | | |
| Double Spending Attack | | |
| Download of Data Without Integrity Check | | |
| Dusting attack | | |
| Eclipse Attack | | |
| EOS RAM Vulnerability | | |
| ERC20 token transfer to self token address (and possibly other tokens) | | When sending ERC-20 (and possibly other types) tokens to a contract it is possible to send them to the contract itself resulting in the tokens becoming "stuck". Two defenses to prevent this are possible 1) add a check to prevent this, which costs gas, 2) Have wallets/other software check for and prevent this, 3) set the token balance of the contract to infinity so an integer overflow occurs if it tries to transfer tokens to itself (please note this may have other unintended consequences) |
| Ethereum Solidity prior to 0.5.0 view promise not enforced | | Ethereum Solidity prior to 0.5.0 did not enforce the view promise |
| Evil Maid attack | | The evil maid attack is generally accepted as a situation where someone has temporary access to your hardware (e.g. a hotel maid) for several minutes or hours, and does not want to leave evidence of tampering if possible. |
| Failure to Update | | Failure to update software with known security vulnerabilities can result in known vulnerabilities being present and exploited |
| Consensus Termination | | |
| Flash Loans | Flash Loan Attacks | |
| Flawed Blockchain Network Design | | |
| Fork-after-withhold Attack | | |
All information was gotten from collective research.
PROOF OF WORK (PoW)
Proof of work (PoW) is a form of cryptographic zero-knowledge proof in which one party (the prover) proves to others (the verifiers) that a certain amount of a specific computational effort has been expended. Verifiers can subsequently confirm this expenditure with minimal effort on their part.
The proof of work (PoW) consensus mechanism is the most widely deployed consensus mechanism in existing blockchains. PoW was introduced by Bitcoin and assumes that each peer votes with his “computing power” by solving proof of work instances and constructing the appropriate blocks. PoW-powered blockchains currently account for more than 90% of the total market capitalization of existing digital currencies. Proof-of-Work is designed to remove the profit from spam. As adopted to prevent e-mail spam, Proof-of-Work comprises a set of proposals. Different proposals require that email senders make fungible payments, perform a resource-intensive computation, perform a series of memory operations, or post a bond before sending each message.
The concept was propounded by Cynthia Dwork and Moni Naor in the early 90s as a way to deter denial-of-service attacks and other service abuses such as spam on a network by requiring some work from a service requester, usually meaning processing time by a computer.
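The prover/verifier asymmetry described above, together with the difficulty parameter Nakamoto introduced, shown as an added example that is not part of the original article: a Hashcash-style nonce search over SHA-256. The header bytes, the function names and the one-bit `retarget` rule are assumptions made for illustration; Bitcoin's real retargeting formula differs.

```python
import hashlib

MAX_TARGET = 1 << 256  # SHA-256 digests are integers below 2**256


def digest_int(header: bytes, nonce: int) -> int:
    """Double SHA-256 of header||nonce, read as a big-endian integer."""
    data = header + nonce.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")


def prove(header: bytes, difficulty_bits: int) -> tuple[int, int]:
    """Prover: search nonces until the digest falls below the target.
    Returns (nonce, hashes_tried); expected work is about 2**difficulty_bits hashes."""
    target = MAX_TARGET >> difficulty_bits
    nonce = 0
    while digest_int(header, nonce) >= target:
        nonce += 1
    return nonce, nonce + 1


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verifier: one hash evaluation, however long the prover's search took."""
    return digest_int(header, nonce) < (MAX_TARGET >> difficulty_bits)


def retarget(difficulty_bits: int, observed_seconds: float, target_seconds: float) -> int:
    """Toy difficulty rule (an assumption, not Bitcoin's formula): add one bit
    when blocks arrive more than twice as fast as intended, remove one bit
    when they arrive more than twice as slowly."""
    if observed_seconds < target_seconds / 2:
        return difficulty_bits + 1
    if observed_seconds > target_seconds * 2:
        return max(1, difficulty_bits - 1)
    return difficulty_bits


if __name__ == "__main__":
    header = b"prev_hash|merkle_root|timestamp"  # constructed sample header
    nonce, tried = prove(header, 16)
    print(f"nonce={nonce} found after {tried} hashes; verify -> {verify(header, nonce, 16)}")
    print("tampered header verifies:", verify(header + b"x", nonce, 16))
```

Each extra difficulty bit doubles the prover's expected search, while the verifier's cost stays at one hash; changing any byte of the header invalidates the nonce, which is why rewriting a block means redoing its work.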
Advantages of Proof of Work (PoW)
The advantages cut across:
- Proof of work models make blockchain networks more difficult and costly to attack.
- Proof of work models reward miners with both a block reward and a share of transaction fees.
- Proof of work models often result in more decentralized networks.
Disadvantages of Proof of Work (PoW)
- Proof of work models require access to significant (and increasing) computational power, much of which is wasted each time an equation is solved.
- Proof of work models demand excessive energy consumption, leading to increased costs and environmental impacts.
- Proof of work models result in long-term disincentives to mining as newly minted cryptocurrencies near the cap.
Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital currencies. In relation to blockchain security, the checks and routine rigor required to implement the process make it virtually impossible to trick the system, giving individuals the opportunity to grow on the grounds of involvement, specialization and commitment.