Bitcoin is one of the most famous and valuable blockchain networks nowadays. As its reputation and net worth skyrocketed, so did the temptation to possess one. Unfortunately, at the same time, news of millions of dollars worth of bitcoins getting lost or stolen is not uncommon. This article will introduce the bitcoin security protocol and popular attacking possibilities.
Bitcoin Security Model
Digital key and address
Bitcoin security goes hand in hand with cryptography. In particular, public-key cryptography is implemented to generate digital keys, which are essential to establishing bitcoin ownership. These digital keys come in pairs of private keys and public keys. The public key can be used to create a bitcoin address. In a way, the address is similar to a bank account number, while the private key serves as a way to provide control over that account.
Consensus
The Bitcoin blockchain can be viewed as a distributed ledger. Instead of relying on a central authority to manage and store the ledger, the blockchain is kind of everywhere. Everyone has a copy of this ledger. The challenge here is to ensure that everyone can have a complete copy of a public ledger that can be proved trustworthy without a central authority. Bitcoin solves this by introducing the "mining" mechanism. The new blocks are added to the blockchain by implementing the Proof of Work algorithm to achieve consensus among nodes.
Attack on Bitcoin
Bitcoin is a digital asset with intrinsic value that can be instantaneously stolen and irreversibly transferred to new owners. That provides hackers with a huge incentive to steal Bitcoins.
Attacking the consensus protocol
One of the most well-known theoretical vulnerabilities of Bitcoin's consensus mechanism is the 51% attack scenario which involves controlling a majority (51%) of the entire network's computing power. As a result, attackers can cause deliberate "forks" in the blockchain and double-spend transactions thanks to their ability to mine most of the blocks to interfere with recording new transactions.
Let's take a look at a 51% attack to double-spend bitcoins in action. The attacker wants to buy an item using bitcoins from a merchant. After confirming that the attacker's transaction has been included in the newest block of the blockchain, the merchant hands the item to the attacker. At this time, the attacker can launch the 51% attack by re-mining the block containing the attacker's payment transaction. The re-mined block will substitute the payment transaction with another one spending those bitcoins. That essentially allows the attacker to double spend his bitcoins. With his enormous mining power, the attacker then continues to mine additional blocks to make the chain containing his double-spend transaction longer than the original chain. In this case, according to Bitcoin's consensus algorithm, a fork will happen, and the original payment transaction to the merchant will then be fully replaced by the double-spend one, resulting in the attacker getting the item without having paid for it.
To mitigate this kind of attack, merchants, especially those who sell high-value items, should wait for more blocks to be added to the blockchain before handing over their items. The deeper the block is re-mined, the longer and harder it is for the attackers to cause a deliberate fork.
Attacking the user
While the 51% attack has been proven possible, acquiring the majority of network computing power is far too costly for the potential profit. Much more economic attacks are ones that target the users owning the bitcoins.
A bitcoin transaction is just a particular amount to be sent to a specific recipient and cannot be altered or falsified. It does not contain any personal information about the involved parties, and it cannot be used to authorize future payments. As a result, a bitcoin payment network does not need to be encrypted or eavesdropped-proof. Bitcoin transactions can even be broadcasted over an insecure public channel such as Wifi or Bluetooth without compromising security. The remaining question is how the private key of the user's Bitcoin is managed. In Bitcoin's decentralized model, the users possess a lot of power, but with that great power comes the responsibility for protecting their private keys. Nowadays, this task can be pretty challenging with general-purpose internet-connected computers such as laptops or smartphones. From September 2013 to January 2014, a large number of computers were infected by a botnet called Pony. Digital wallets (Bitcoin and other cryptocurrencies software used to manage private keys) stored locally on infected machines got hacked, which resulted in up to $220,000 worth of cryptocurrencies getting stolen. Other popular internet-related attacks such as Phishing or Man-in-the-middle are also proven to be potential threats to bitcoin's owners. Not only are personal devices vulnerable to hackers' schemes, but even the most securely protected systems such as financial services companies or intelligence agencies can be penetrated. In 2019, Binance, One of the biggest cryptocurrency exchange platforms in the world, got attacked as the adversaries got away with $40 million of bitcoin.
Because of these threats, some users prefer physical Bitcoin storage. A Bitcoin private key is just a long number which means it can be printed or etched. Securing a private key in this form is essentially protecting other physical assets, which most people find more comfortable. There are also hardware wallets designed to serve one purpose only: hold the private key. These devices are often not connected to the internet, which decreases the attack vectors the hackers can exploit to steal them. One example is the cold wallet which lots of users consider the safest way to store bitcoin.
Conclusion
Bitcoin and other blockchain-applied technologies are still rather new and complex. Security tools and practices are destined to be improved and developed to ease the use for non-experts users. For the time being, the information provided in this article hopefully can provide people with basic knowledge to have a secure and trouble-free bitcoin experience.
References
[1] Andreas M. Antonopoulos, Mastering Bitcoin 2nd edition, accessed 15th March 2022.