3 June 2018
Blockchain technology is a digital platform for applications where seamless traceability and full transparency is required.
For example, in pharmaceutical industry blockchain could give full traceability of drugs across the entire supply chain up to the patients.
Another interesting application is mobile voting. From the Brookings publication “How blockchain could improve election transparency” (1) on the use of blockchain for internet voting in the West Virginia primaries in May this year we learn that “all data of the election process can be recorded on a publicly verifiable ledger while maintaining the anonymity of voters, with results available instantly”.
This sounds very promising.
Unfortunately, every software has bugs. On May 28th, 2018 Swati Khandelwal reported in “The Hacker News” about a remote code execution (RCE) vulnerability in the blockchain-based EOS smart contract system (2).
If an attacker exploits this RCE he could destroy the integrity of the entire system:
“Since the super node system can be controlled, the researchers said the attackers can “do whatever they want,” including, controlling the virtual currency transactions, and acquiring other financial and privacy data in the EOS network participating node systems, such as an exchange Digital currency, the user’s key stored in the wallet, key user profiles, privacy data, and much more.”
Although it is not clear whether the voting system used in West Virginia is based on the Blockchain 3.0 platform there is urgent need for action. EOSIO set up a bug bounty program (3) to improve their code. But should we rely on bug bounty programs for such important issues like elections or patient safety?
From the Qihoo 360 security researchers report (4) we learn that the vulnerability is created by “a buffer out-of-bounds write” error. This means that this vulnerability could have been avoided by performing a static code analysis prior to release.
The big question is: How many errors of this type are still included in the blockchain infrastructure? A bug bounty program is a good approach to improve security, a static code analysis is indispensable in my view. In particular when the outcome of an election can be influenced or patient safety is endangered.
Have a great week.
1. Desouza KC, Somvanshi KK. How blockchain could improve election transparency [Internet]. Brookings. 2018 [cited 2018 Jun 1]. Available from: https://www.brookings.edu/blog/techtank/2018/05/30/how-blockchain-could-improve-election-transparency/
2. Khandelwal S. Critical RCE Flaw Discovered in Blockchain-Based EOS Smart Contract System [Internet]. The Hacker News. 2018 [cited 2018 Jun 1]. Available from: https://thehackernews.com/2018/05/eos-blockchain-smart-contract.html
3. eosio. Calling all Devs: The EOSIO Bug Bounty Program is Live [Internet]. Medium. 2018 [cited 2018 Jun 3]. Available from: https://medium.com/eosio/calling-all-devs-the-eosio-bug-bounty-program-is-live-7219c625a444
4. Chen Y, Peng Z. EOS Node Remote Code Execution Vulnerability — EOS WASM Contract Function Table Array Out of Bounds – 奇虎360技术博客 [Internet]. 2018 [cited 2018 Jun 1]. Available from: http://blogs.360.cn/blog/eos-node-remote-code-execution-vulnerability/
5. By Davidstankiewicz [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)%5D, from Wikimedia Commons