Blockchain - Why Legal Teams May Soon Include Professional Hackers

Like many of its buzzword predecessors (Cloud, Big Data, IoT), the blockchain hype may be extreme, but somewhere buried in there is the sense of a real shift. The jury might still be out on whether blockchain can deliver on its promise of global adoption, but one thing is for sure: activity in the space is growing.

But what exactly is the promise of blockchain, really? Is it a new currency paradigm meant to break down our existing monetary systems? Is it an un-censorable network capable of promoting potentially criminal activity? Is it a massive Ponzi scheme taking advantage of Main Street FOMO? Or is it truly something unique with the potential of changing our idea of commerce forever?

It’s hard to say, but what we do know is that the vision of a blockchain-enabled world that tech evangelists and investors in Silicon Valley are envisioning aligns more with the latter, and it all begins with the idea of "smart contracts".

To understand smart contracts, you have to step back and ask what you achieve when using a blockchain; what makes it different from any other distributed database?

The answer boils down to "trust". 

Trust that if someone says they own something, you can prove it. Trust that if someone swears that they'll make a payment once the agreed upon conditions are met, you can rest assured that payment will go through.

"Trust" In Today's Economy

Our entire economy is built on this trust.  Without it, no one would ever sell a home to a stranger, or put in a day of labor for a new employer, or hand over their credit card for a major purchase. 

In traditional systems, we have a mechanism for securing this trust, and that mechanism is our courts and legal system. With our government as an ever-available intermediary to settle financial disputes, we can conduct business knowing that our time or assets won't be stolen without repercussions.

The problem with this system is that it does not scale. There are not enough judges in the world to settle everyone's disputes; for this reason, companies that enter into business together use contracts as a first line of defense against malfeasance.

Contracts are basically code, but not written in a language for computers. They are programs written for lawyers, based on years and years of historical precedent. Nonetheless, these written documents are programmatic expressions of rules and conditions.

A typical contract between businesses might contain rules stating that one company is entitled to a certain amount of payment from the other company under certain conditions, payable at the beginning of each year, from a collection of funds in this account, etc.

Writing legal contracts typically requires many hours of skilled work and carries steep legal fees from in-demand professionals. However, this is usually worth the cost in order to avoid long and often prohibitively expensive battles in the courts. That's not to say the courts aren't occasionally necessary when disputes around that contract occur, but when the code of the contract is precise and covers all necessary edge cases, the violating party often knows what their fate in court would be. Hence, the ambiguity vanishes and a judge becomes less necessary.

With that said, companies don't write a contract for every little transaction. Let's take a laundromat as an example. It would be far too expensive to have a lawyer draft up a contract for every single customer walking through the door that says: "Customers that pay $5 shall receive 4 laundry tokens. One token will be required for detergent. Two tokens will be required for tumble dry..."

Instead, we design mechanical systems within the machines to accept coins or tokens and enforce this implicit contract on their own. In a sense, the coin-operated washer and dryer are an early form of "smart contract" that allows the laundromat to service customers at high velocity, with hundreds of low-cost transactions per day and no staff involvement. You can think of this process as a form of automation: the automation of trust.

This system does not exist in a bubble. The owner knows that if someone violates the system (maybe by creating fake tokens or by breaking open the machines when no one is looking) they will have the option of relying on the traditional legal systems to obtain justice. For this reason, they might keep security cameras inside the store as well.

The same can be said about digital smart contracts on the blockchain. These aren't a replacement for our existing legal framework; they are supplements to it.

Smart Contracts on the Blockchain

This is where the excitement around blockchain comes in.  Blockchain is a brand-new technology that uses cryptography and game theory to create a "global trusted computation" system.

This kind of computation is not the same as typical computation, such as running an application on the cloud. It's a lot more expensive, but it also serves a different purpose. 

These blockchain applications, called smart contracts, exist as code running on a decentralized network that guarantees the ownership of digital assets and enforces the rules for how to exchange them.

Let's take a look at a simple example of where a smart contract might make sense in our evolving digital world.

Smart Contracts - Buying and Selling a Home

Buying and selling a home is often considered one of the most complex processes a family will encounter. When dealing with assets of such enormous value, you want to be more cautious than when dealing with a couple of laundry tokens. You want to make sure that the person selling the home truly owns it, and you want to make sure that after the money has moved, the property is immediately in your name.

To deal with these complexities, we employ the services of "trusted third parties." One of these parties might be a title company, ensuring that the title presented by the seller is legitimate. Another is an escrow company that sits in the middle of the two parties and holds onto the funds until the rest of the paperwork is complete. Both of these parties serve important purposes, and in the process demand thousands of dollars in premiums for their work. These rates are often steep, but when you're already spending much more than that on your new home, you grow to accept it as inevitable.

This is where smart contracts come in. Both of these functions (escrow and title management) can be easily codified in a blockchain application, with a simple proof of concept coming in at no more than 200 lines of code. This is the power of the blockchain.
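To make the escrow-and-title flow concrete, here is a sketch of it in Solidity. This is an added example, not code from the post or from Security Innovation; the parcel ids, the deployer-seeded title registry and the function names are assumptions, and a real system would keep the registry under a recording authority's control.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Title registry plus escrow for one parcel (hypothetical example; deployer seeds the title).
contract HomeEscrow {
    enum State { None, Listed, Funded, Closed, Cancelled }
    struct Sale { address seller; address buyer; uint256 price; State state; }
    mapping(bytes32 => address) public titleOf;  // parcelId => owner
    mapping(bytes32 => Sale) public sales;       // parcelId => sale
    mapping(address => uint256) public payouts;  // owed ether, pulled later
    constructor(bytes32 parcelId, address owner) { titleOf[parcelId] = owner; }
    // Only the current title holder may list, and not over a live sale.
    function list(bytes32 parcelId, uint256 price) external {
        require(titleOf[parcelId] == msg.sender, "not title holder");
        State s = sales[parcelId].state;
        require(s != State.Listed && s != State.Funded, "sale active");
        sales[parcelId] = Sale(msg.sender, address(0), price, State.Listed);
    }
    // Buyer deposits exactly the price; ether is held, title does not move yet.
    function fund(bytes32 parcelId) external payable {
        Sale storage sale = sales[parcelId];
        require(sale.state == State.Listed, "not listed");
        require(msg.sender != sale.seller && msg.value == sale.price, "bad buyer/amount");
        sale.buyer = msg.sender;
        sale.state = State.Funded;
    }
    // Seller closes: title and payment change hands in one atomic step.
    function close(bytes32 parcelId) external {
        Sale storage sale = sales[parcelId];
        require(sale.state == State.Funded && msg.sender == sale.seller, "not seller");
        sale.state = State.Closed;            // effects before any interaction
        titleOf[parcelId] = sale.buyer;
        payouts[sale.seller] += sale.price;
    }
    // Either party may back out while funded; the buyer's deposit is refunded.
    function cancel(bytes32 parcelId) external {
        Sale storage sale = sales[parcelId];
        require(sale.state == State.Funded, "not funded");
        require(msg.sender == sale.seller || msg.sender == sale.buyer, "not a party");
        sale.state = State.Cancelled;
        payouts[sale.buyer] += sale.price;
    }
    // Pull payments: ether only leaves here, after the balance is zeroed.
    function withdraw() external {
        uint256 amount = payouts[msg.sender];
        payouts[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The Funded state is the escrow: the deposit is held until the seller closes, at which point title and payment move in the same transaction, and the pull-payment withdraw keeps external calls out of the state machine so a failed or malicious recipient cannot wedge a sale.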

Hackers as Your New Contract Lawyers 

Many have raised fair points when arguing that handling that much value on a system as new and unproven as blockchain is absurd.  Digital security is incredibly difficult to get right and the properties of blockchain can make it difficult, if not impossible, to recover from a successful exploit.

However, some argue that despite the extreme security hazards, blockchain may still win the risk/reward battle because:

1) Security is now a top priority. Unlike traditional technology sectors, where security is often an afterthought, blockchain startups are demonstrating their awareness that the insecurity of their code can be the death knell for their organization. It is not uncommon for companies in this space to undergo three or more public audits of their critical smart contract code for each major release.


2) Blockchain is a bug bounty at an enormous scale. It has had its share of expensive hacks, but as each one occurs, the community strengthens and uses these lessons to improve processes around security. Many have even argued that the value of Bitcoin, the first blockchain application, stems partially from the fact that it has existed for 10 years without being irrecoverably broken.  Under that logic, as smart contracts exist in the wild and grow to hold more value over time, consumers may grow comfortable with using them for their own financial purposes.

3) Blockchain is attracting the brightest minds in formal verification research. Formal verification has been a long sought-after goal for technological security advocates. This rigorous process becomes more difficult to accomplish as an application scales, but due to the succinct nature of smart contracts, blockchain technology may prove to be the perfect testing ground for establishing real standards around formal verification in critical code.

With this vision in mind, we can imagine a world a decade out where blockchain-integrated companies are choosing to reallocate their budget from in-house contract lawyers to smart contract security auditors. These security experts will in many ways take on the same roles as their legal team predecessors, ensuring the edge cases around their financial code are airtight and cannot be easily exploited by malicious actors.

The consequences of a smart contract hack are large, but with the right protections in place they can be better managed. Smart contracts are immutable by nature, but in a system where an application's users are known (through KYC or other identity management), there would be nothing preventing a traditional judge from arbitrating a contract violation based on the intended "spirit of the contract". In this way, blockchain would not be designed to side-step our existing legal systems, but instead to optimize them by acting as a first-pass protection.

Looking to Blockchain in 2019

Home sales on a public blockchain are just one example of a traditional process that might benefit from migrating to the blockchain.

In the same way that traditional legal contracts have been used to save on costs (since a long legal battle is not required to arbitrate every single transaction), smart contracts might save consumers and organizations from the unavoidable fees sprinkled throughout our current systems of commerce. Thoughtful smart contract applications might prove to eliminate the need for those costly middlemen that skim from the top with every sale they handle. This includes those marketplaces that silently collect their rewards for connecting a buyer to a seller.

This is the future that the venture capitalists are banking on.  The potential to reduce these inefficiencies through the automation of trust is an exciting concept many believe is worth the exploration.

Most of these systems are still in the development phase, with the technological infrastructure being established. Many projects are likely several years out from any chance at adoption. But as we enter the new year, we are excited to keep watching the development of this field of research. At Security Innovation, we value our role of assisting the technological pioneers piloting this new technology as they navigate the threat of vulnerabilities. With the goal of creating a more secure and efficient technological landscape, we are excited to keep researching blockchain and helping our customers filter the buzz from the breakthroughs.

Try out our Blockchain Smart Contracts CTF Challenge, running March 1 to March 11, 2019: SI Blockchain_CTF Challenge


Mick Ayzenberg is a senior security engineer at Security Innovation. He is the head of the Blockchain Center of Excellence (COE) and is the creator of the "Intro to Hacking Blockchain Applications and Smart Contracts" course at Black Hat Las Vegas. Tickets for the training are available at: https://www.blackhat.com/us-19/training/schedule/#an-introduction-to-hacking-blockchain-applications-and-smart-contracts-13991

You can read more about blockchain in our Blockchain COE: https://www.securityinnovation.com/about/centers-of-excellence/blockchain-center-of-excellence/