Page 51 - FIGI: Security Aspects of Distributed Ledger Technologies
DLTs show great promise in use in the developing world and financial inclusion context, from secure disbursement of funds, to secure and transparent access to assets and records; raising of funds using crypto-based tokens; tracing of trade finance payments for small farmers, to secure identities that can be used to access funds and credit. Especially with a financial component to their use, security of DLTs and the tokens they enable is vital and necessary. Altogether, this new ecosystem is known as 'distributed finance' (DeFi), part of an emerging global crypto-economy. They also provide opportunities to innovators and may challenge the current role of trusted intermediaries that have positions of control within a centralized hierarchy.[378]

Use of private keys to access DLTs is thought to keep data on a DL and the access thereto secure. Some iterations have raised security concerns.[379] That is, while the still relatively young DLT ecosystem matures and prototypes are tested, there are current and evolving concerns that will need to be addressed in both developed and developing world contexts. These range from confidentiality of data, user privacy, security of DLTs, legal and regulatory issues, and fragmentation of the technology, as well as the veracity of the data placed on a DLT.[380] Notably though, while there do not appear to be major vulnerabilities in the Bitcoin Blockchain and Ethereum internal technologies, the technologies and implementation thereof invariably introduce vulnerabilities. For example, public DLTs allow any computer connected to the internet to join the network.[381] And since transactions are verified through consensus, this is more problematic when the network size is small, because if a user gets control of 51% of the participants in the network, they can have complete control of the outcomes.[382] Private DLTs, on the other hand, allow an operator to determine who can join the network, who can submit transactions and who can verify them. This may introduce insider threats.[383] It is thus important for users, market participants and regulators to understand the specifics of the technology and its risks when deciding on which DLT type to use. These are all part of operational risk in implementation of new technologies.

Further, the abundance of new DLT types – often called Layer 2 – that aim to improve on the initial 'Layer 1' design using new features, along with complex logic to implement them, introduce these vulnerabilities. This is exacerbated by the distributed nature of DLTs and the associated wide attack surface and, in many cases, a rush to implement solutions that are not properly tested or are developed by inexperienced developers, and third-party dependencies. These create an opportunity for design 'bugs' where, although the functionality works as intended, it can be abused by an attacker. These further allow software bugs, which are software errors that allow the DLT – possibly a smart contract – to enter an insecure state, unintended by the designer or design. Security audits before deployment are critical to the safe functioning of DLTs. The DLT ecosystem also creates a rich attack source for directly stealing value – as tokens – from 'wallets', often stored in exchanges that use basic security unrelated to the more robust DLT that spawned the tokens.

DLTs in the current state of development are also resource-intensive, and while some end-user components can be run on feature phones and through SMS, the backend running the DLT must be secure end-to-end, including uptime requirements for validation nodes required to implement consensus mechanisms in the chosen DLT design. This creates challenges, especially in developing countries where communications networks may not be robust or fast enough to allow nodes to be available for these purposes. The fewer nodes, the more a DLT could be subject to attack. And while integration of Internet of Things (IoT) devices with DLTs shows great promise – especially in the agricultural value chain ecosystem – these external devices acting as DLT oracles are often insecure and thus create the opportunity for injection of incorrect data in a DLT that could set off a chain of incorrect smart contract 'transactions.'

Policy makers may have a role in DLT deployments in developing and mandating principles – rather than specific technologies or standards – that those involved in developing and implementing DLTs need to abide by. Security audits, for example, could be mandatory, as well as 2FA methodologies if available in a particular environment. As programs running on DLTs, smart contracts may have security vulnerabilities caused by bugs. Policymakers could boost their use by creating rules and regulations in these principles – or in separate contract law provisions – that provide clear guidance on how, in case of smart contract-related bugs, to navigate liability trees and on how to assess damages. Data protection laws or regulations could also protect data on DLTs by adopting best practices for securing and restricting access to data, such as using 2FA and restricting access permissions.
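The points above about majority control and small networks can be quantified for a proof-of-work ledger. The following is an added example, not part of the report: it uses the attacker catch-up probability from the Bitcoin whitepaper (Nakamoto, 2008, section 11) and assumes the attacker's share q is a share of block-producing power rather than a count of participants; the function names and the power figures are illustrative.

```python
import math

def attacker_share(attacker_power: float, honest_power: float) -> float:
    """Fraction of total block-producing power held by the attacker."""
    if attacker_power < 0 or honest_power < 0 or attacker_power + honest_power == 0:
        raise ValueError("power values must be non-negative and not both zero")
    return attacker_power / (attacker_power + honest_power)

def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker with share q ever overtakes the honest
    chain and rewrites a transaction buried under z confirmations."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0                      # majority attacker always catches up
    ratio = q / p
    lam = z * ratio                     # expected attacker progress (Poisson mean)
    poisson = math.exp(-lam)            # P(attacker mined k blocks), k = 0
    total = 1.0
    for k in range(z + 1):
        total -= poisson * (1.0 - ratio ** (z - k))
        poisson *= lam / (k + 1)        # step the Poisson term to k + 1
    return max(total, 0.0)

def confirmations_for_risk(q: float, max_risk: float, limit: int = 500):
    """Smallest z with rewrite probability below max_risk, or None if no
    z up to `limit` achieves it (always None once q >= 0.5)."""
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None

if __name__ == "__main__":
    # Constructed scenario: attacker power stays at 10 units while the
    # honest network shrinks, as when validation nodes drop offline.
    for honest in (90, 40, 10, 9):
        q = attacker_share(10, honest)
        z = confirmations_for_risk(q, 0.001)
        print(f"honest={honest:3d} share={q:.3f} "
              f"P(rewrite | 6 conf)={catch_up_probability(q, 6):.7f} "
              f"confirmations for <0.1% risk={z}")
```

Below half of the network's power, waiting for more confirmations drives the rewrite risk down; at or above half, no number of confirmations helps, which is why a shrinking set of honest nodes matters.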