In brief

In brief

  • In this report we examine traditional security best practices integrated with blockchain specific enhancements to ensure enterprise level security.
  • The myth and hype of blockchain vulnerabilities obscure real risks which include endpoints, untested code and third-party security.
  • Embed security in each layer of the stack for cyber resilience. Include measures for governance, application, data, transaction and infrastructure.
  • Safeguarding for the future requires addressing increasingly sophisticated threats. Biometrics and quantum computing are two topics to watch.

Blockchain technology will likely revolutionize the way we live and work. It has the potential to give us greater control over our healthcare and well-being, provide greater insight into the origins and quality of the food we eat and the products we buy, financial transactions will execute faster and be simultaneously more transparent and private, and business will be conducted with greater efficiency and less risk.

Blockchain’s unique attributes will provide a new infrastructure on which the next generation of streamlined business applications will be built. But it also creates unique security challenges.

High profile breaches promote the MYTH that blockchain has been hacked, yet at no point was the underlying blockchain technology broken. All occurred on permissionless platforms where a nefarious actor identified vulnerability within the ecosystems.

US $.5 billion

In 2014, nearly half a billion dollars’ worth of Bitcoin was stolen from Mt. Gox, the largest Bitcoin exchange in the world at the time.

US $60 million

Two years later, roughly US$60 million worth of Ether, a value transfer token, was redirected to a hacker’s account via the DAO, built on Ethereum.

US $72 million

The second largest Bitcoin attack occurred in 2017 at Hong Kong-based cryptocurrency exchange platform, Bitfinex. Hackers made off with US$72 million.

View All

There is a full spectrum of touchpoints across an end-to-end blockchain-based solution. Taking that into consideration is imperative to securing the entire solution. The vulnerabilities outlined above illustrate the fact that, while at no point was the underlying blockchain technology hacked, and these hacks occurred on permissionless platforms, each nefarious actor identified a vulnerability within these blockchain ecosystems. And, while permissionless platforms are unlikely to be the basis of an enterprise solution, there are valuable lessons to be learned.

Blockchain technology will be just one component of the new IT stack. Security needs to be baked into the entire architecture of any blockchain solution. There is quite a bit of confusion and hype around blockchain security, yet threats fall into three main buckets:

  • Endpoints
    The most direct and potentially easiest method of attacking any technology solution is through the endpoint vulnerabilities. This is where humans and technology connect and, with blockchain-based solutions, can include digital wallets, devices, or the client-side of the application.
  • Untested Code
    As new technologies enter the market, developers are incentivized to be first or early with the release of applications, often at the risk of deploying insufficiently tested code on live blockchains. Given the decentralized model of many blockchain solutions, the risks are often greater due to the irreversibility of the technology.
  • Ecosystem / Third-Party Risks
    Organizations wishing to deploy third-party blockchain applications and platforms must be aware that the security of their blockchains is only as strong as its weakest link across all technology provided.

Embedded Security:
Blockchain implementations and solutions should consider security embedded in the blockchain technology stack. Security measures should be implemented at each layer with a risk-based approach.

Security measures are listed as a starting baseline for each of 5 layers: Governance, Application, Data, Transactions and Infrastructure.

Embedded Security

Safeguarding for the future
There is an acceleration of enterprise applications with blockchain technology. Just as use cases are examined for their long-term potential, security must also be built to address increasingly sophisticated threats. There are a few hints today that can help uncover what security risks may exist in the future.

  • Identity
    Soon, biometric identification will likely be a common method of identity verification, where multiple security protocols will create a unique identifier that can be indexed on a blockchain. No data will be kept on chain, but it will allow the user to prove they are who they say they are
  • Quantum
    Post-quantum cryptography has arisen as the study of quantum-resistant cryptographic algorithms. And quantum-secured blockchain networks are in early development with the potential to develop mining and private key cryptography that is safe from quantum attacks.
Blockchain is here, and the time to begin thinking about development and security implications for the entirety of a blockchain application is now.

John Velissarios

Security Lead – Global Blockchain Technology

Justin Herzig

Sr. Principal, Lead – Global Blockchain Research

Didem Unal

Blockchain Security Consultant


Digital Identity with Blockchain and biometrics
Blockchain interoperability connects ecosystems

Subscription Center
Visit our Subscription and Preference Center Visit our Subscription and Preference Center