Page 51 - FIGI: Security Aspects of Distributed Ledger Technologies
P. 51

DLTs show great promise in use in the developing   enced developers, and third-party dependencies.
            world and financial inclusion context, from secure   These create an opportunity for design ‘bugs’ where
            disbursement  of  funds,  to  secure  and  transparent   although  the  functionality  works  as  intended, they
            access to assets and record; raising of funds using   can be abused by an attacker. These further allow
            crypto-based tokens; tracing of trade finance pay-  software bugs, which are software errors allow the
            ments for small farmers, to secure identities that   DLT – possibly a smart contract - enter an insecure
            can be used to access funds and credit. Especially   state, unintended by the designer or design. Securi-
            with a financial component to their use, security of   ty audits before deployment are critical to the safe
            DLTs and the tokens they enable is vital and neces-  functioning of DLTs. The DLT ecosystem also creates
            sary Altogether, this new ecosystem is known as ‘dis-  a rich attack source for directly stealing value – as
            tributed finance’ (DeFi), part of an emerging global   tokens - from ‘wallets’, often stored in exchanges that
            crypto-economy. They also provide opportunities    use basic security unrelated to the more robust DLT
            to innovators and may challenge the current role of   that spawned the tokens.
            trusted intermediaries that have positions of control   DLTs in the current state of development are also
            within a centralized hierarchy. 378                resource-intensive, and while some end-user com-
               Use of private keys to access DLTs is thought to   ponents can be run on feature phones and through
            keep data on a DL and the access thereto secure.   SMS, the backend running the DLT must be secure
            Some iterations have raised security concerns.     end-to-end, including uptime requirements for val-
                                                         379
            That is, while the still relatively young DLTs eco-  idation nodes required to implement consensus
            system matures and prototypes tested, there are    mechanisms in the chosen DLT design. This creates
            current and evolving concerns that will need to be   challenges, especially in developing countries where
            addressed in both developed and developing world   communications networks may not be robust or
            contexts. These range from confidentiality of data,   fast enough to allow nodes to be available for these
            user privacy, security of DLTs, legal and regulatory   purposes. The less nodes, the more a DLT could be
            issues, and fragmentation of the technology, as well   subject to attack. And while integration of Internet
            as the veracity of the data placed on a DLT.  Notably   of Things (IoT) devices with DLTs show great prom-
                                                 380
            though, while there do not appear to be major vul-  ise – especially in the agricultural value chain ecosys-
            nerabilities in the Bitcoin Blockchain and Ethereum   tem – these external devices acting as DLT oracles
            internal technologies, the technologies and imple-  are often insecure and thus create the opportunity
            mentation thereof invariably introduce vulnerabil-  for injection of incorrect data in a DLT that could set
            ities. For example, public DLTs allow any computer   off a chain of incorrect smart contract ‘transactions.’
            connected to the internet to join the network.  And   Policy makers may have a role in DLT deployments
                                                    381
            since transactions are verified through consensus   in developing and mandating principles – rather
            which is more problematic when the network size    than specific technologies or standards – that those
            is small because if a user gets control of 51% of the   involved in developing and implementing DLTs need
            participants in the network, they can have complete   to abide by. Security audits for example could be
            control of the outcomes.  Private DLTs on the other   mandatory, as well as 2FA methodologies if available
                                  382
            hand allow an operator to determine who can join   in a particular environment. As programs running on
            the network, who can submit transactions and who   DLTs, smart contracts may have security vulnerabili-
            can verify them.  This may introduce insider threats.   ties caused by bugs. Policymakers could boost their
                          383
            It is thus important for users, market participants and   use by creating rules and regulations in these prin-
            regulators to understand the specifics of the technol-  ciples - or in separate contract law provisions - that
            ogy and its risks when deciding on which DLT type   provide clear guidance on how, in case of smart con-
            to use. These are all part of operational risk in imple-  tract-related bugs, to navigate liability trees and on
            mentation of new technologies.                     how to assess damages. Data protection laws or reg-
               Further, the abundance of new DLT types – often   ulations could also protect data on DLTs by adopting
            called Layer 2  - that aim to improve on the initial ‘Lay-  best practices for securing and restricting access to
            er 1’ design using new features along with complex   data such as using 2FA and restricting access per-
            logic to implement them, introduce these vulnerabil-  missions.
            ities. This is exacerbated by the distributed nature of
            DLTs and the associated wide attack surface and in
            many cases, a rush to implement solutions that are
            not properly tested or are developed by inexperi-



                                                                   Security Aspects of Distributed Ledger Technologies  49
   46   47   48   49   50   51   52   53   54   55   56