Is Ethereum Secure?
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
The short answer is no. But there’s a longer answer too.
At the simplest possible level, Ethereum is an open software platform based on blockchain technology that enables developers to build and deploy decentralized applications. Although there are some significant technical differences between Bitcoin and Ethereum, the most important distinction is that Bitcoin is a particular implementation of blockchain technology, whereas Ethereum is the blockchain network itself.
Bitcoin is a peer-to-peer electronic cash application that enables online Bitcoin payments. While the Bitcoin blockchain is used to track ownership of digital currency (bitcoins), the Ethereum blockchain runs the programming code of any decentralized application on the network.
A common analogy is that Bitcoin is to Blockchain as email is to the Internet.
In the Ethereum blockchain, instead of mining for bitcoin, miners (computer nodes) “work” to earn Ether, a type of crypto token that fuels the Ethereum network. Beyond a tradeable cryptocurrency, Ether is also used by application developers to pay for transaction fees and services on the Ethereum network.
As to the question of security, there have been several successful attacks on Ethereum projects, most notably the DAO hack, where millions of dollars in ether was stolen due to a smart contract bug. DAO stands for The Decentralized Autonomous Organization and was meant to operate like a venture capital fund for the crypto and decentralized space. But the DAO is a smart contract application running on the Ethereum blockchain and has nothing to do with the blockchain itself.
In June of 2016, a hacker found a loophole in the coding that allowed him to drain funds from the DAO. An estimated 3.6 million ETH were stolen, the equivalent of $70 million at the time. In that exploit, the attacker was able to “ask” the smart contract (DAO) to give the Ether back multiple times (recursive calls) before the smart contract could update its balance. The application missed the possibility of a recursive call like this one.
Two main protocol problems created this vulnerability. In addition to the recursive call, another smart contract application bug operated serially, first sending the ETH funds and then updating the internal token balance. This failure to act concurrently left a gap in event timing, and that gap was the vulnerability the attacker exploited. It’s important to stress again that this bug did not come from Ethereum itself, but from this one application that was built on Ethereum. The code written for The DAO had multiple flaws, and the recursive call exploit was only one of them. The key takeaway here is that the DAO’s hack was not due to any problem inherent in the Ethereum blockchain.
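The send-then-update ordering described above, next to the reordering that closes the gap, as an added example: a simplified Python model constructed here, not The DAO's contract code. The `Vault` class, the `run` helper and the deposit amounts are assumptions for illustration.

```python
# Simplified model of the send-then-update ordering described above.
# Constructed for illustration; not The DAO's contract code.

class Vault:
    """Holds deposits; pays out via a callback, like an external call to a contract."""

    def __init__(self, safe_order):
        self.safe_order = safe_order   # True: update balance before sending
        self.balances = {}             # account -> credited amount
        self.funds = 0                 # total held by the vault

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who, receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.funds < amount:
            return                       # check: nothing owed or nothing left
        if self.safe_order:
            self.balances[who] = 0       # effect first ...
            self._send(amount, receive)  # ... interaction last
        else:
            self._send(amount, receive)  # interaction first: callee runs here
            self.balances[who] = 0       # balance updated too late

    def _send(self, amount, receive):
        self.funds -= amount
        receive(amount)                  # hands control to the recipient


def run(safe_order, max_depth=10):
    """Return (amount received by the re-entering recipient, funds left)."""
    vault = Vault(safe_order)
    vault.deposit("other_users", 90)     # constructed sample deposits
    vault.deposit("recipient", 10)
    received = []

    def receive(amount):
        # Recipient code that calls back into withdraw() before it returns.
        received.append(amount)
        if len(received) < max_depth:
            vault.withdraw("recipient", receive)

    vault.withdraw("recipient", receive)
    return sum(received), vault.funds
```

With the balance zeroed before the external call, the nested call finds nothing owed and returns, so the recipient receives only its own deposit.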
Additionally, in another successful attack, an Ethereum client called Parity was hacked to the tune of around $155M in ETH. Parity provides a web interface or what is called a “multisig wallet” for the underlying Ethereum node software. It allows users to access the basic Ether and token wallet functions for currency storage, and also to interact with smart contracts deployed on the Ethereum Blockchain. The Parity wallet is designed to integrate seamlessly with all standard tokens as well as to operate as a third party entity managing Ether transfers.
In this attack, the hackers exploited a bug in the multisig wallet code. The hack initiated two separate transactions, enabling the hackers to first make themselves the owners of the accounts/contracts, and to then transfer ETH out of various targeted accounts.
If you have ever developed software or been part of a user group dependent upon software, you already have an intimate appreciation for the seemingly endless variations on vulnerabilities that might be possible in any given set of code libraries. You probably also don’t intend to drive an autonomous vehicle anytime soon either. Maybe like not in the next 50 years or so even.
Unlike Bitcoin, Ethereum was created to facilitate virtual currencies running on a decentralized network and development platform that allows developers to design all kinds of distributed smart contract applications that complete without the need for a middleman or intermediary function. These are known as dApps, and they run on a network of distributed computers to create markets and store or move funds, all the while maintaining data privacy. It is of course these apps and not the underlying blockchain technology that render Ethereum vulnerable to cyberattacks.
This concept of decentralization using blockchain technology has many design advantages:
1. Immutability: All data stored in a blockchain is recorded and the blockchain keeps track of all the changes (history) that have been made to it from the beginning. Because of the speed and quantity required, without a shift to quantum computing, it is theoretically impossible to change this history. A design advantage proven (thus far) to operate as intended.
2. Incorruptible architecture: Since each computer on the blockchain stores a copy of the database, it is theoretically extremely difficult, if not impossible, to hack. For example, to alter the blockchain, it would be necessary to simultaneously modify more than 51% of the participating computers. Again, without a shift in the underlying infrastructure of computing to either a Quantum model or something like it, a hack of the blockchain itself is unimaginable. Since its inception 9 years ago, the blockchain itself has never been hacked.
3. Network security: The blockchain works in conjunction with a powerful encrypted protocol which, while not impossible to decipher, is very difficult to break, and no one thus far has even come up with a theoretical model for accomplishing a dynamic decryption.
4. Network and computing reliability: It is practically impossible to simultaneously shut down every computer participant in the Ethereum blockchain, resulting in a theoretically continuous online operation, dependent only on the reliability of the world wide web. One could imagine scenarios of complex tradecraft where the global Internet could be taken out of commission long enough to commit an all-out and all-encompassing threat envelope sufficient to breach the blockchain network, but it is not likely with modern technology.
5. Transparency: Since all contracts are public and in full view at all times, anyone with appropriate technical knowledge and skill can observe and validate that all elements of every contract are present and accounted for.
This design creates a theoretically secure infrastructure upon which to build applications for transacting contracts without intermediary trust agents and, as such, is a secure foundation for disruptive technologies that can and will transform the way probably all of today’s business transactions are done in the future.
The applications, however, are where the devil resides, and so far, as with so many things of this nature, our rush to push product out the door has interfered with our ability to protect content and prevent successful attacks like the ones described. I think it is fair to say that the Ethereum protocol is still in development, and the tools for the "general public" to use it have not yet been fully developed or adequately tested.
When they are, smart contracts represent our future and will likely become a very efficient way to achieve safe and secure transactions without intermediary assistance.
Sort of a libertarian nirvana.