BLOCKCHAIN TECHNOLOGY
Blockchain is a distributed, append-only ledger that records transactions across many computers (nodes) so that records are:
- Decentralized – no single owner
- Immutable – very hard to alter
- Transparent – verifiable by participants
- Cryptographically secured
Each block contains:
- Transaction data
- A timestamp
- A cryptographic hash of the previous block
This chaining makes tampering extremely difficult: changing any block changes its hash, which invalidates the link stored in every later block, so an attacker must rewrite the entire tail of the chain (and, on a real network, redo the proof of work or re-collect validator signatures for each rewritten block). Blockchain was introduced to solve trust problems in digital transactions. Blockchain technology is transforming finance and creating new digital assets, while quantum computing, which threatens the public-key signature schemes these ledgers rely on, is on the horizon.
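The hash-chain property above, as an added worked example (not code from the original page): a minimal chain is built over constructed sample transactions, then tampered with in three ways. The block layout, field names and the sample transactions are assumptions for the demo; only the chaining principle is taken from the text.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64

# Constructed sample batches of transactions (not real chain data).
SAMPLE_BATCHES = [
    [{"from": "coinbase", "to": "alice", "amount": 50}],
    [{"from": "alice", "to": "bob", "amount": 20}],
    [{"from": "bob", "to": "carol", "amount": 5}, {"from": "alice", "to": "dave", "amount": 1}],
]


def block_hash(block):
    """SHA-256 over the block's canonical JSON header (every field except the stored hash)."""
    header = {k: block[k] for k in ("index", "timestamp", "transactions", "prev_hash")}
    encoded = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def build_chain(batches, start_time=1_700_000_000, block_interval=600):
    """Append one block per batch, linking each block to the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = {"index": i, "timestamp": start_time + i * block_interval,
                 "transactions": txs, "prev_hash": prev}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, index of the first bad block)."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return False, block["index"]
        prev = block["hash"]
    return True, None


def tamper(chain, index, new_amount):
    """Copy the chain and alter one transaction in block `index` without rehashing anything."""
    forged = copy.deepcopy(chain)
    forged[index]["transactions"][0]["amount"] = new_amount
    return forged


def rewrite_tail(chain, index):
    """Recompute the hash of block `index` and of every later block so the links hold again.
    This is the work an attacker must redo; on a live network each rehash also means redoing
    proof of work (or re-collecting validator signatures), which is what makes it impractical."""
    rewritten = copy.deepcopy(chain)
    prev = rewritten[index - 1]["hash"] if index > 0 else GENESIS_PREV
    for block in rewritten[index:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block)
        prev = block["hash"]
    return rewritten


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("original:", verify_chain(chain))
    forged = tamper(chain, 1, 999)
    print("tampered, nothing rehashed:", verify_chain(forged))
    forged[1]["hash"] = block_hash(forged[1])
    print("tampered, block 1 rehashed:", verify_chain(forged))
    print("tampered, whole tail rewritten:", verify_chain(rewrite_tail(forged, 1)))
```

Verification fails at the edited block when nothing is rehashed, fails at the next block when only the edited block is rehashed, and passes only once every later block has been rewritten. That last case is why the hash chain alone is not the security guarantee: consensus (proof of work, proof of stake or a permissioned validator set) is what makes rewriting the tail expensive.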
Key drivers:
- Lack of trust in centralized systems: banks and intermediaries controlled transactions.
- Double-spending problem: preventing the same digital asset from being spent twice.
- 2008 financial crisis: led to interest in trustless, transparent financial systems.
Origin:
- Bitcoin (2008)
Created by Satoshi Nakamoto as a peer-to-peer electronic cash system without a central authority.
Some Public Blockchain Platforms
· Bitcoin (BTC) – peer-to-peer electronic cash system
· Ethereum (ETH) – programmable blockchain used for complex decentralized applications (DApps)
· Solana (SOL) – fast and scalable, used for high-throughput applications
· Litecoin (LTC) – an early alternative to Bitcoin, often used for faster, cheaper transactions
Key Characteristics of Public Blockchains
· Transparent – All transactions are publicly visible
· Decentralized – No single entity controls the network; agreement is reached through consensus mechanisms such as Proof of Work or Proof of Stake.
Some Private Blockchain Platforms
· Quorum – an Ethereum-based platform originally developed by JPMorgan to add privacy and permissioning for financial institutions.
· Hyperledger Fabric – used by Walmart to cut food-provenance tracing from days to seconds, improving food supply chain traceability.
· R3 Corda – focuses on privacy and enforceability for legal contracts.
Key Characteristics of Private Blockchains
· Permissioned Access – a network administrator controls access; only authorized participants may view data and validate transactions.
· Privacy and Confidentiality – transactions and data are only visible to authorized members.
· No Anonymity – users must be identified and verified.
Typically Used for:
· Supply Chain management
· Secure Data Sharing within trusted groups
· Inter-organizational record-keeping
Common Threats:
- Smart contract vulnerabilities
- Private key theft
- Network-level attacks
- Oracle manipulation
How to Secure Blockchain Systems
1. Secure Cryptographic Keys
- Keep private keys in hardware wallets or HSMs so they never leave tamper-resistant hardware
- Enforce multi-signature wallets
- Never store private keys in plain text
2. Secure Smart Contracts
- Perform code audits
- Use formal verification
- Avoid reentrancy and integer overflow bugs (checks-effects-interactions ordering; checked arithmetic, which Solidity enables by default from 0.8)
- Follow least-privilege principles
3. Protect Consensus & Network
- Decentralize validators
- Monitor for unusual mining or staking behavior
- Secure peer-to-peer networking (TLS, firewalls)
4. Prevent 51% & Sybil Attacks
- Increase decentralization
- Use PoS or permissioned consensus where appropriate
- Enforce identity verification in enterprise blockchains
5. Secure Oracles & External Data
- Use decentralized oracles (e.g., Chainlink)
- Validate multiple data sources
6. Governance & Monitoring
- Monitor transactions and smart contract behavior
- Implement emergency pause (circuit breakers)
- Log and audit all changes
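Step 5 (secure oracles and external data) is the one item in this list that reduces to a concrete algorithm, so here is an added example of a median-of-N price aggregator with freshness, outlier and round-to-round movement checks. This is illustrative code written for this page, not Chainlink's or any oracle network's implementation; the report format, thresholds and the five constructed feeds (one manipulated, one stale) are assumptions.

```python
from statistics import median

# Constructed oracle reports for one round (not real feed data).
NOW = 1_700_000_000
SAMPLE_REPORTS = [
    {"source": "A", "price": 2000.0, "timestamp": NOW - 5},
    {"source": "B", "price": 2004.0, "timestamp": NOW - 10},
    {"source": "C", "price": 2001.0, "timestamp": NOW - 8},
    {"source": "D", "price": 3500.0, "timestamp": NOW - 2},    # manipulated feed
    {"source": "E", "price": 1995.0, "timestamp": NOW - 200},  # stale feed
]


class OracleError(Exception):
    """Raised when the round cannot produce a price that is safe to act on."""


def aggregate_price(reports, now, max_age=60, max_deviation=0.05, min_sources=3,
                    last_price=None, max_move=0.20):
    """Return (price, rejected) where rejected maps source -> reason.

    1. Drop stale or non-positive reports.
    2. Take a provisional median and drop reports that deviate from it by more than
       max_deviation; a single manipulated feed cannot move the median on its own.
    3. Require min_sources survivors, then refuse to publish if the result moved more
       than max_move since the last accepted round (a circuit breaker, not a fix).
    """
    rejected, fresh = {}, []
    for r in reports:
        if now - r["timestamp"] > max_age:
            rejected[r["source"]] = "stale"
        elif r["price"] <= 0:
            rejected[r["source"]] = "non-positive"
        else:
            fresh.append(r)
    if len(fresh) < min_sources:
        raise OracleError(f"only {len(fresh)} fresh sources, need {min_sources}")

    provisional = median(r["price"] for r in fresh)
    accepted = []
    for r in fresh:
        if abs(r["price"] - provisional) / provisional > max_deviation:
            rejected[r["source"]] = "outlier"
        else:
            accepted.append(r["price"])
    if len(accepted) < min_sources:
        raise OracleError(f"only {len(accepted)} sources agree, need {min_sources}")

    price = median(accepted)
    if last_price is not None and abs(price - last_price) / last_price > max_move:
        raise OracleError(f"price moved {abs(price - last_price) / last_price:.0%} "
                          "since the last round; halting instead of trusting it")
    return price, rejected


if __name__ == "__main__":
    print(aggregate_price(SAMPLE_REPORTS, NOW))
```

The manipulated feed D is rejected as an outlier and the stale feed E is ignored, leaving a price agreed by A, B and C. The movement guard exists because a consumer that cannot tell a genuine crash from a manipulated round should pause rather than settle on the bad value; which of those it was is an incident-response question, not something the aggregator can decide.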
7. Blockchain Security vs Traditional Security
Traditional Systems | Blockchain Systems |
Central authority | Decentralized trust |
Editable databases | Immutable ledger |
Perimeter security | Cryptographic security |
Account-based auth | Key-based ownership |
1. The DAO Hack (2016)
What It Was
- The DAO was an Ethereum-based decentralized investment fund.
- It used smart contracts to manage and distribute funds.
- At the time, it held approximately $150 million worth of ETH.
How the Attack Worked
- The attacker exploited a reentrancy vulnerability in the smart contract.
- The withdrawal function sent ETH to the caller before zeroing the caller's recorded balance.
- The attacker repeatedly called the withdrawal function, draining funds in a loop.
Impact
- ~3.6 million ETH stolen (~$60M at the time).
- Led to a controversial hard fork of Ethereum.
- Ethereum split into Ethereum (ETH), which reversed the hack, and Ethereum Classic (ETC), which preserved immutability.
Security Lessons
- Smart contracts are immutable once deployed unless an upgrade mechanism was designed in; a bug cannot simply be hot-patched.
- Code audits and secure coding practices are critical.
- Reentrancy protection (checks-effects-interactions pattern) is essential.
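The reentrancy flaw in this case study and the "secure smart contracts" guidance earlier on the page describe the same bug and the same fix, so one added example covers both. It is a Python model written for this page (the DAO was Solidity; this is not its code): a vault whose withdraw function makes the external call before updating state, an attacker whose payment callback re-enters it, and the checks-effects-interactions version that zeroes the balance first. Amounts and the depositor names are constructed.

```python
class VulnerableVault:
    """Models the DAO-style bug: the external call happens before the balance is zeroed."""

    def __init__(self):
        self.balances = {}   # depositor -> credited balance
        self.eth = 0         # ETH actually held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)   # CHECK
        if amount == 0:
            return
        self.eth -= amount
        who.receive(amount)                  # INTERACTION: control passes to the caller's code
        self.balances[who] = 0               # EFFECT: too late, the callback already re-entered


class SafeVault(VulnerableVault):
    """Checks-effects-interactions: update state, then make the external call."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)   # CHECK
        if amount == 0:
            return
        self.balances[who] = 0               # EFFECT
        self.eth -= amount
        who.receive(amount)                  # INTERACTION: a re-entrant call now sees balance 0


class Attacker:
    """Depositor whose payment callback re-enters withdraw while the vault can still pay."""

    def __init__(self, vault, stake):
        self.vault, self.stake, self.stolen = vault, stake, 0

    def receive(self, amount):
        self.stolen += amount
        if self.vault.eth >= self.stake:
            self.vault.withdraw(self)        # re-entry, same recorded balance as before


def run_attack(vault_cls, honest_deposit=90, attacker_stake=10):
    """Fund a vault with an honest deposit plus the attacker's stake, then let the attacker
    withdraw once. Returns (ETH the attacker ended up with, ETH left in the vault)."""
    vault = vault_cls()
    vault.deposit("alice", honest_deposit)   # honest depositor who never withdraws in the demo
    attacker = Attacker(vault, attacker_stake)
    vault.deposit(attacker, attacker_stake)
    vault.withdraw(attacker)
    return attacker.stolen, vault.eth


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault))   # attacker drains everything
    print("safe:      ", run_attack(SafeVault))         # attacker gets only its own stake
```

With the vulnerable vault a single withdrawal of a 10 ETH stake loops until all 100 ETH are gone; with the safe ordering the re-entrant call finds a zero balance and the attacker receives only its own 10 ETH. In Solidity the same ordering is usually paired with a reentrancy guard (a mutex that reverts any nested call) as a second line of defence.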
2. Ronin Bridge Hack (2022)
What It Was
- Ronin is a sidechain used by the Axie Infinity game.
- It used a cross-chain bridge to move assets between Ethereum and Ronin.
How the Attack Worked
- Attackers compromised the private keys of validator nodes.
- Ronin required 5 of 9 validator signatures to approve withdrawals.
- Attackers gained control of 5 validators, authorizing fake withdrawals.
Impact
- ~$620M stolen (ETH + USDC).
- One of the largest crypto hacks in history.
Security Lessons
- Key management is critical.
- Bridges are high-value, high-risk targets.
- Validator centralization increases attack risk.
- Multi-signature alone is insufficient when the keys sit with one operator; it must be backed by strong operational security and genuinely independent signers.
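Two of the lessons above, "enforce multi-signature wallets" from the key-management guidance and "validator centralization increases attack risk" from this case, can be checked in code. The following is an added example written for this page, not Ronin's bridge logic: a threshold check that counts only distinct, valid signers, and a function that reports how many independent operators an attacker would actually have to compromise. The signature is an HMAC stand-in for ECDSA (an assumption so the example runs without extra libraries), and the nine validators, their secrets and the operator topology are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed validator set: ids v1..v9 with per-validator secrets (stand-in for ECDSA keys).
VALIDATOR_KEYS = {f"v{i}": f"secret-for-v{i}".encode() for i in range(1, 10)}
THRESHOLD = 5   # 5-of-9, the same threshold the page describes

# Constructed operator topology (not Ronin's): one operator runs five of the nine validators.
OPERATOR_OF = {"v1": "op-a", "v2": "op-a", "v3": "op-a", "v4": "op-a", "v5": "op-a",
               "v6": "op-b", "v7": "op-b", "v8": "op-c", "v9": "op-d"}


def sign(secret, message):
    """Demo stand-in for a validator signature: HMAC-SHA256 under the validator's secret."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def valid_signers(message, approvals, validator_keys):
    """Return the set of distinct validators whose approval of `message` verifies.
    Unknown signers, bad signatures and duplicate approvals are ignored, so a single
    key can never count more than once toward the threshold."""
    signers = set()
    for vid, sig in approvals:
        secret = validator_keys.get(vid)
        if secret is None or vid in signers:
            continue
        if hmac.compare_digest(sign(secret, message), sig):
            signers.add(vid)
    return signers


def withdrawal_authorized(message, approvals, validator_keys=VALIDATOR_KEYS, threshold=THRESHOLD):
    return len(valid_signers(message, approvals, validator_keys)) >= threshold


def min_operators_to_reach(threshold, operator_of):
    """Fewest distinct operators whose validators together meet the threshold.
    A result of 1 means the multi-signature collapses to one organization's opsec."""
    sizes = sorted(Counter(operator_of.values()).values(), reverse=True)
    covered = 0
    for n, size in enumerate(sizes, start=1):
        covered += size
        if covered >= threshold:
            return n
    return None   # the threshold cannot be reached at all


if __name__ == "__main__":
    msg = b"withdraw 1000 ETH to recipient-42"
    four = [(v, sign(VALIDATOR_KEYS[v], msg)) for v in ("v1", "v2", "v3", "v4")]
    print("4 signers:", withdrawal_authorized(msg, four))
    print("4 signers + duplicate:", withdrawal_authorized(msg, four + [four[0]]))
    print("5 signers:", withdrawal_authorized(msg, four + [("v5", sign(VALIDATOR_KEYS["v5"], msg))]))
    print("operators to compromise:", min_operators_to_reach(THRESHOLD, OPERATOR_OF))
```

The threshold check is correct in the narrow sense, yet with the constructed topology `min_operators_to_reach` returns 1: compromising a single operator's infrastructure yields five valid signatures, which is the shape of failure the Ronin case describes. A deployment review should run this kind of count against who actually holds the keys, not just against the nominal m-of-n.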
3. Poly Network Hack (2021)
What It Was
- Poly Network is a cross-chain interoperability protocol.
- It allows asset transfers across multiple blockchains.
How the Attack Worked
- A flaw in the cross-chain message verification logic let a crafted cross-chain message trigger privileged calls inside the protocol's own contracts.
- The attacker used it to call the function that sets the keys of the protocol's trusted signers (keepers), replacing them with attacker-controlled keys.
- With the signer set under their control, the attacker could authorize asset releases on every connected chain.
Impact
- ~$610M stolen across multiple chains.
- The attacker later returned most funds (self-described “white hat”).
Security Lessons
- Cross-chain logic is extremely complex.
- Authorization logic must be airtight.
- Smart contract ownership controls are a prime attack target.
Common Themes Across All Hacks
Theme | Explanation |
Smart contract flaws | Code bugs lead directly to financial loss |
Key compromise | Stolen keys bypass cryptography |
Centralization risk | Fewer validators = easier compromise |
Bridge risk | Bridges aggregate massive value |
No rollback | Recovery is difficult or controversial |
Blockchain removes trust in people — but increases trust in code and keys.
1. Public vs Private Blockchains
Public Blockchains
Definition:
Open, permissionless networks where anyone can read, write, and validate transactions.
Examples:
Bitcoin, Ethereum, Solana
Characteristics:
- Fully decentralized
- Anonymous or pseudonymous participants
- Transparent ledger
- Economic incentives (tokens)
Security Model:
- Cryptography + game theory
- Trust is minimized through consensus
- Attack resistance via decentralization
Pros:
- High censorship resistance
- Strong immutability
- No central point of failure
Cons:
- Lower transaction throughput
- Higher latency and fees
- Difficult governance
- Public data exposure
Private (Permissioned) Blockchains
Definition:
Restricted networks where participants are known and approved.
Examples:
Hyperledger Fabric, Corda, Quorum
Characteristics:
- Centralized or consortium governance
- Identity-based access control
- Limited transparency
- Faster performance
Security Model:
- Traditional enterprise security + cryptography
- Trust placed in organizations
Pros:
- High performance and scalability
- Regulatory compliance
- Easier governance and auditing
Cons:
- Reduced decentralization
- Greater insider threat risk
- Single points of failure are possible
Public vs Private Summary Table
Aspect | Public Blockchain | Private Blockchain |
Access | Open | Restricted |
Identity | Pseudonymous | Known identities |
Governance | Community-based | Organization-led |
Transparency | Fully public | Controlled |
Performance | Slower | Faster |
Trust Model | Trustless | Trust-based |
Compliance | Challenging | Easier |
2. Aligning Blockchain Security to NIST
NIST CSF (Core Functions)
Identify
- Asset inventory of nodes, smart contracts, and validators
- Risk assessment of bridges and consensus mechanisms
Protect
- Cryptographic key management (HSMs, multisig)
- Smart contract secure development lifecycle
- Identity management for permissioned nodes
Detect
- On-chain transaction monitoring
- Validator behavior monitoring
- Smart contract anomaly detection
Respond
- Incident response playbooks (key compromise, contract exploit)
- Emergency pause/circuit breakers
Recover
- Governance-led recovery processes
- Contract upgrades and redeployment
- Key rotation and validator replacement
NIST SP 800-53 Control Mapping (Examples)
Control Family | Blockchain Application |
IA (Identification & Authentication) | Validator identity, wallet auth |
SC (System & Communications Protection) | Secure P2P networking |
CM (Configuration Management) | Smart contract versioning |
CP (Contingency Planning) | Forks, failover nodes |
AU (Audit & Accountability) | Immutable transaction logs |
3. Aligning Blockchain Security to Zero Trust
Zero Trust Principle: Never trust, always verify
1. Identity-Centric Security
- Treat wallets, validators, nodes, and smart contracts as identities
- Strong authentication for validators
- Continuous verification of node behavior
2. Least Privilege
- Minimal smart contract permissions
- Role-based access for administrators
- Multi-signature approval for sensitive actions
3. Continuous Monitoring
- Monitor transactions, consensus participation, and gas usage
- Detect abnormal validator or contract behavior
- Alert on large or unusual fund movements
4. Micro-Segmentation
- Separate validator nodes, RPC endpoints, and admin systems
- Isolate bridges and high-value contracts
5. Assume Breach
- Design for key compromise scenarios
- Rapid validator rotation
- Emergency shutdown mechanisms
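The Detect function in the NIST mapping above and the continuous-monitoring and assume-breach items in this Zero Trust list describe the same detection logic, so one added example serves both. It is written for this page and is not any vendor's or project's monitoring code: a few rules run over a constructed event stream (transfers, contract calls, block signatures) and a pause decision that feeds an emergency circuit breaker. The event schema, the privileged function names, the thresholds and the known validator set are all assumptions.

```python
from collections import deque
from statistics import median

KNOWN_VALIDATORS = {f"v{i}" for i in range(1, 10)}   # constructed validator set
SIGN_THRESHOLD = 5                                    # signers expected on every block
BASELINE_WINDOW = 20                                  # recent transfers kept per contract
LARGE_MULTIPLIER = 10                                 # alert above 10x the recent median
# Assumed admin entry points; real contracts name theirs differently.
PRIVILEGED_FUNCTIONS = {"transferOwnership", "setKeepers", "upgradeTo", "unpause"}
PAUSE_ON = {"large_transfer", "privileged_call", "unknown_signer"}

# Constructed event stream (not real chain data), in on-chain order.
SAMPLE_EVENTS = [
    {"type": "transfer", "tx": "t1", "contract": "bridge", "amount": 10},
    {"type": "transfer", "tx": "t2", "contract": "bridge", "amount": 12},
    {"type": "transfer", "tx": "t3", "contract": "bridge", "amount": 9},
    {"type": "transfer", "tx": "t4", "contract": "bridge", "amount": 11},
    {"type": "transfer", "tx": "t5", "contract": "bridge", "amount": 10},
    {"type": "transfer", "tx": "t6", "contract": "bridge", "amount": 13},
    {"type": "transfer", "tx": "t7", "contract": "bridge", "amount": 5000},
    {"type": "call", "tx": "t8", "contract": "bridge", "function": "setKeepers", "caller": "addr-9"},
    {"type": "block", "height": 101, "signers": ["v1", "v2", "v3", "v4", "v5"]},
    {"type": "block", "height": 102, "signers": ["v1", "v2", "v3"]},
    {"type": "block", "height": 103, "signers": ["v1", "v2", "v3", "v4", "vX"]},
]


def detect(events, known_validators=KNOWN_VALIDATORS, sign_threshold=SIGN_THRESHOLD):
    """Run the rules over an ordered event stream; return a list of (rule, reference, detail).

    large_transfer    amount far above the contract's own recent median (needs 5 samples)
    privileged_call   any call to an admin entry point, whoever made it
    unknown_signer    a block signed by a key outside the known validator set
    low_participation fewer known validators signed a block than the threshold
    """
    alerts = []
    baseline = {}   # contract -> recent transfer amounts
    for ev in events:
        if ev["type"] == "transfer":
            hist = baseline.setdefault(ev["contract"], deque(maxlen=BASELINE_WINDOW))
            if len(hist) >= 5:
                typical = median(hist)
                if ev["amount"] > LARGE_MULTIPLIER * typical:
                    alerts.append(("large_transfer", ev["tx"],
                                   f"{ev['amount']} vs recent median {typical}"))
            hist.append(ev["amount"])
        elif ev["type"] == "call" and ev["function"] in PRIVILEGED_FUNCTIONS:
            alerts.append(("privileged_call", ev["tx"], f"{ev['function']} by {ev['caller']}"))
        elif ev["type"] == "block":
            signers = set(ev["signers"])
            unknown = signers - known_validators
            if unknown:
                alerts.append(("unknown_signer", ev["height"], ",".join(sorted(unknown))))
            known_count = len(signers & known_validators)
            if known_count < sign_threshold:
                alerts.append(("low_participation", ev["height"],
                               f"{known_count}/{sign_threshold} known signers"))
    return alerts


def should_pause(alerts):
    """Circuit-breaker decision: any rule in PAUSE_ON is treated as a possible key or
    contract compromise, so the pausable contracts are halted pending human review."""
    return any(rule in PAUSE_ON for rule, _, _ in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("pause:", should_pause(found))
```

Run over the constructed stream this raises a large-transfer alert for t7, a privileged-call alert for the keeper change in t8, and participation or unknown-signer alerts for blocks 102 and 103; the pause decision is true. The point of pausing on a privileged call rather than only on a large transfer is the Poly Network lesson: by the time funds move, the ownership change that enabled it has already happened.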
4. Public vs Private in Zero Trust Context
Zero Trust Area | Public Blockchain | Private Blockchain |
Identity | Wallet-based | PKI / IAM |
Trust Assumption | Trustless | Conditional trust |
Monitoring | Public analytics | Internal telemetry |
Enforcement | Protocol rules | Org policy + protocol |
Response | Governance | Admin control |
Blockchain security is not anti–Zero Trust — it is Zero Trust by design, but only when implemented correctly.