As more financial services firms look for ways to utilise blockchain technology within their infrastructures, Galen Stops examines whether the technology is really as safe as advocates claim, following two high-profile hacks earlier this year.
“Cyber and system security is one of the most important issues facing markets today in terms of integrity and financial stability,” said Commissioner Christopher Giancarlo of the Commodity Futures Trading Commission (CFTC) on September 8, when approving system safeguard requirements for derivatives clearing organisations.
Giancarlo is hardly alone in his concerns. Numerous regulators across the globe have been echoing these sentiments, while a survey by the Depository Trust & Clearing Corporation (DTCC) published in December 2015 showed that cyber risk was the number one concern amongst risk managers globally, with 70% of all respondents citing it as a top five risk.
While the hack on Sony Pictures at the end of 2014 and the more recent hack on the Democratic Party in the run-up to the US general election might have grabbed the most headlines, from a financial services perspective the theft of $81 million earlier this year from the Bangladesh Bank, that country’s central bank, might be a more interesting case study.
In brief, it appears that cyber criminals sent 35 messages to the New York Fed pretending to be the Bangladesh Bank, requesting transfers of nearly $1 billion in total. Most of the messages were rejected, but five got through and the cyber criminals apparently managed to get away with $81 million.
Now various critics have blamed the NY Fed for letting some of the messages through, Swift for not doing enough to improve the security of its messaging systems and Bangladesh Bank for becoming compromised in the first place. But regardless of who was most at fault, the point is that sophisticated hackers are targeting the financial services industry and, in some cases, doing so successfully.
This is one of the many problems that distributed ledger technology (DLT), of which blockchain is a form, could help solve, according to proponents of the technology.
Firstly, a fraud prevention system that utilises DLT would maintain a confidential record of past transactions for reference and verification that only those permissioned to do so could access. Secondly, the DLT would have a constantly updated record of authenticated credentials of the legitimate senders and receivers for a given ledger.
These two factors matter because of the network effect associated with DLT. For a transaction to be completed it has to be approved by at least a majority of the parties on the ledger, if not all of them (it depends on what form of consensus algorithm is being used).
At the very least this means that each transaction is scrutinised from a range of sources, and at best it might require the cyber criminal to compromise every node on the ledger to complete a fraudulent transaction. Thus, in theory, the more nodes a DLT system has, the safer it is.
Thirdly, using DLT would almost certainly necessitate common approaches to cyber risk management and precipitate greater information sharing amongst the financial institutions on a given ledger.
Currently financial institutions operate their own individual and heterogeneous risk management systems and consult common information on blacklists and sanctions. In addition to this, financial institutions are thought to be reluctant to reveal details of attempted hacks to competitors and potential customers.
A distributed system, in contrast, would force common standards and risk controls and promote information sharing about attempted hacks.
Despite these supposed security advantages, however, there were two very high profile hacks on systems using DLT this summer, which resulted in multi-million dollar losses.
In August, 120,000 bitcoins, worth roughly $70 million, were stolen from Hong Kong-based bitcoin exchange, Bitfinex.
Although investigations are still ongoing about how exactly the hack was carried out, Bitfinex issued a statement saying that the security breach allowed bitcoins to be released by BitGo – a firm that provides a digital wallet for storing bitcoins – without BitGo realising it or the exchange becoming alerted.
The exchange has since hired blockchain forensics experts to examine the nature of the security breach, engaged a third-party firm to perform an audit of its balance sheet for both cryptocurrency and fiat assets and liabilities and, on September 1, started purchasing blockchain debt tokens it issued to customers in August as a means of paying them back for the losses that they incurred. It has to-date, however, only reimbursed a fraction of the losses sustained.
The other high-profile hack occurred on the Ethereum blockchain, which allows people to exchange tokens of value called Ether, currently the second most popular cryptocurrency behind bitcoin.
Ethereum also enables users to write smart contracts, which are essentially code that is stored, verified and executed on a blockchain. On the Ethereum network these smart contracts are executed by sending Ether to them.
A decentralised autonomous organisation (DAO) seeks to codify the rules and decision-making apparatus of an organisation in code, eliminating the need for documents and people to govern it and thereby creating a structure with decentralised control.
There are numerous types of DAOs on the Ethereum blockchain, but one in particular was structured in a similar way to a mutual/investment fund. People could buy in and vote on which investments the fund should make. By mid-May this DAO had bought about $100 million worth of Ether, about 10% of the overall $1 billion Ethereum ecosystem.
At any point a member can leave the fund, receiving their share of unspent Ether in addition to tokens representing returns on investments that they were part of, but which haven’t paid out yet. The system tracks these investments until they pay out.
When splitting from the DAO, individuals provide some of their own code to confirm the decision, and this code tells the DAO how to transfer the Ether. Without getting too bogged down in the technical details, essentially someone was able to exploit this code, using it to continually transfer Ether out of the DAO to the value of about $60 million.
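As an added illustration of the split mechanism just described (not the DAO’s own code, which was Solidity on Ethereum), the Python model below has the fund run member-supplied code before it updates its own records, the re-entrant withdrawal ordering that drained the DAO, and shows the hardened ordering beside it. Member names and the Ether amounts are constructed for the simulation.

```python
"""Simplified model of the DAO split flaw and its fix (added illustration,
not the DAO's actual Solidity). The fund pays a departing member by running
member-supplied code, as the article describes, and the vulnerable version
zeroes the member's balance only afterwards, so code that re-enters
withdraw() before that update is paid repeatedly. The hardened version
applies the state change before handing control to the member."""


class Fund:
    def __init__(self, pool, balances, hardened):
        self.pool = pool                  # Ether held by the fund (constructed)
        self.balances = dict(balances)    # member -> Ether owed on split
        self.hardened = hardened
        self.paid = {}
        self.depth = 0                    # guard against unbounded recursion

    def withdraw(self, member, member_code):
        owed = self.balances.get(member, 0)
        if owed == 0 or self.pool < owed or self.depth > 50:
            return
        if self.hardened:
            self.balances[member] = 0     # effect first, then interaction
        self.pool -= owed
        self.paid[member] = self.paid.get(member, 0) + owed
        self.depth += 1
        member_code(self)                 # member-supplied code runs here
        self.depth -= 1
        if not self.hardened:
            self.balances[member] = 0     # too late: member code already ran


def plain_member(fund):
    """Member code that just takes the payment and returns."""


def reentering_member(fund):
    """Member code that calls back into the fund before returning."""
    fund.withdraw("mallory", reentering_member)


def simulate(hardened):
    """Pool of 100 Ether; mallory is owed 10, the rest belongs to others."""
    fund = Fund(100, {"mallory": 10, "others": 90}, hardened)
    fund.withdraw("mallory", reentering_member)
    fund.withdraw("others", plain_member)
    return fund.paid.get("mallory", 0), fund.paid.get("others", 0), fund.pool
```

With the vulnerable ordering the pool is emptied into mallory’s account and the other members can no longer be paid; with the hardened ordering the re-entrant call finds a zero balance and returns.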
Point of Weakness
These are two very different hacks and have had very different consequences. Yet in both instances, it is not the underlying protocol of the blockchain that appears to be at fault.
Mike Moro, CEO of Genesis Trading, a digital currency broker-dealer based in New York, says that the vast majority of bitcoin users believe that Bitfinex and BitGo were at fault for the hack rather than the digital currency protocol itself.
“The thinking in the digital currency space has matured a bit and I think that most people understand that it wasn’t the tokens or the protocol that was at fault, but rather it was the integration between Bitfinex and BitGo,” he says.
However, Moro adds that the incident could damage the reputation of digital currencies, and blockchain technology, amongst the broader financial services industry.
“I’m not sure that people who aren’t involved in the digital currency space understand the nuances involved and frankly I wouldn’t necessarily blame them if they associated what we consider to be an isolated case with the entire protocol or the entire digitalisation effort.
“The negative PR and the bad headlines are still very harmful for this industry in terms of people within financial services who might be looking at digital currencies. For those that may have dipped their toes into the industry by joining a consortium of some kind it could make them nervous and it certainly doesn’t help with regards to legal and compliance concerns,” he explains.
Considering that the raison d’être of bitcoin was to create a decentralised currency, it is somewhat ironic that the Bitfinex hack highlighted the dangers of centralisation inherent within the current bitcoin exchange-traded model. Although the digital currency is broadly decentralised, making the blockchain itself difficult to hack, the cash and digital coins are all stored in one place at the exchange, creating a single point of vulnerability.
Subsequent to the Bitfinex hack, Moro sees more digital currency holders either trading on the OTC markets or holding their assets away from the exchanges until they absolutely need to trade.
“Whether you go OTC or not, the concept of storing anything on the exchange is going to have to change,” he says.
The obvious problem that this then creates is that without open orders on the exchange, order books become thinner on both sides. One way that exchanges can potentially circumvent this issue is by offering credit lines, in either bitcoin or fiat currency, in order to keep the order book populated, but this is a capital intensive proposal for the exchanges and is unlikely to prove a scalable model.
“If a thin order book persists for a long time then that would hurt the growth trajectory of bitcoin, and if it persisted for a long enough time I think that ultimately it would be the slow death of bitcoin,” says Moro.
But given that he views this as an isolated incident and that the blockchain protocol itself has never been at risk, Moro views this as only a temporary issue for the market.
Meanwhile, the repercussions of the Ethereum hack are interesting as in some ways they go to the philosophical centre of the blockchain concept.
Considering that the DAO had bought 10% of the entire Ether available, the hack had a massive impact on the price of the cryptocurrency and Ethereum network developers felt that something had to be done.
Ultimately this led to a “hard fork” in the Ethereum blockchain, whereby developers were able to roll back the DAO transactions, essentially re-writing part of the Ethereum ledger with the consensus of the miners on the network, and retrieve the missing Ether tokens.
But, given that the blockchain is supposed to be immutable, this upset some in the Ethereum community. The entire idea of blockchains is based upon the principle that “code is law”, and by rolling back the transactions some market participants felt that the Ethereum developers had violated this fundamental tenet of blockchain technology. In addition, they noted that the Ether had been taken in the first place not due to a flaw or mistake in the Ethereum blockchain protocol, but rather because of a flaw in the DAO’s own coding.
For many, this had echoes of the bank bailouts after the financial crisis. The DAO lost the digital currency because of its own mistakes and the risks that it took and then was able to lobby the community and ultimately have their costly mistake corrected for them.
“This was, and still is, a hugely controversial move that required the cooperation of most of the participating nodes on the network. Until now, one of the fundamental attributes of blockchains was their immutability – i.e., that they represented a record of every transaction that could not be tampered with or undone,” noted Richard Johnson, vice president, market structure and technology at Greenwich Associates, in a piece written about the Ethereum theft in August.
He added: “Throughout financial services today there is functionality to undo transactions: stock exchanges reserve the right to cancel clearly erroneous trades, credit card companies can reverse fraudulent transactions, and all trade processing software has the ability to cancel and correct mistakes.
“As the industry develops DLT solutions for financial services, it will need to address the issue of immutability – is this in fact a bug and not a feature? Or should the industry build functionality to record or impose counteracting transactions that have the same effect as reversal but preserve the benefit of a complete historical transaction record?”
Despite the questions that both of these attacks raise, as regulated financial services firms consider the use of DLT, it should be emphasised that the blockchain itself was not hacked or corrupted in either instance.
“Bitcoin has never been hacked, the edges of the network have and that’s always been the case. That’s one of the indirect vulnerabilities of the network of bitcoin itself, it’s always the on-ramps that are being compromised,” explained Dan O’Prey, chief marketing officer at Digital Asset, at a “Bizhackathon” event hosted by BNP Paribas in New York in September.
With regards to the Ether theft, he pointed out that it was not really a “hack” as the system was just running a programme as it was coded.
“If you look at something like the DAO, there was probably a sense of hubris in the way that they were trying to invent everything from scratch. Using non-standard language and trying to rush things to market when you’re dealing with large sums of money was probably a mistake,” added O’Prey.
Overall, he described the bitcoin and Ether thefts as “instructive” for firms developing DLT, but viewed them as very distinct problems from the work that Digital Asset is currently doing with financial institutions.
This was also the view expressed by Todd McDonald, co-founder and COO of R3, at the same event.
“There are lessons to be learnt from these examples, but parallels shouldn’t be drawn too closely,” he said.
With regards to the Ethereum example, McDonald commented: “You can debate whether technically it was a hack or not because the code is supposed to be the law and the code functioned as it was implemented, if not designed.
“It’s an interesting case study and it gets more dramatic every week, but it’s not really relevant to what we’re working on in financial services. The DAO is autonomous, so the code is not only censorship resistant but self-executing and self-enforcing. These are principles that you can’t just let loose within financial services, there still needs to be escape points where people can stop the system and make choices, or even reverse things if need be,” he added.
On the bitcoin side, Moro also ponders whether exchanges might need to start accepting a human element in order to bolster their security. “One of the features of bitcoin is that everything is instantaneous. So people that trade on exchanges, which are mostly retail clients, expect everything instantly. They expect instant transactions, instant deposits and instant withdrawals. But when you’re doing things on an instantaneous basis it equals automation, and automation is what’s hackable as far as a programmer or coder is concerned,” he says.
“While some people laugh at the old financial services model of T+1 or T+3 settlement, there is some benefit to having a delay between transaction and settlement because the manual element in between means that it’s possible to check that the transaction is correct,” he adds.
If Bitfinex had operated on a T+3 model, would it have noticed that something was wrong and stopped the withdrawals?
“I’m not advocating that, but there’s still things that you can do that are T+0 but still allow for a human element to confirm transactions and withdrawals. Having something that’s T+3 hours or T+6 hours could help mitigate some of the issues caused by automation. For exchange users globally, they might be willing to give up instant withdrawals and deposits if they get some added security. It’s a trade-off,” says Moro.
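As an added illustration of the “T+3 hours” idea Moro describes (not code from Bitfinex or any other exchange), the Python below models a withdrawal queue in which every request sits in a hold window during which an operator can cancel it, and larger amounts additionally wait for a human sign-off. The hold length, review threshold, member names and amounts are constructed.

```python
"""Exchange withdrawal queue with a settlement delay (added illustration
of the "T+3 hours" idea above; not code from any exchange). Each request
waits hold_hours before release so an operator can cancel it, and any
amount above review_above also needs explicit approval. Times are plain
hour counts in the simulation."""


class HoldQueue:
    def __init__(self, hold_hours, review_above):
        self.hold_hours = hold_hours
        self.review_above = review_above
        self.items = []          # each item is a dict describing one request

    def request(self, member, amount, now):
        self.items.append({"member": member, "amount": amount, "at": now,
                           "approved": False, "cancelled": False,
                           "released": False})
        return len(self.items) - 1          # ticket id

    def cancel(self, ticket):
        if not self.items[ticket]["released"]:
            self.items[ticket]["cancelled"] = True   # no effect once paid out

    def approve(self, ticket):
        self.items[ticket]["approved"] = True

    def release_due(self, now):
        """Release every request whose hold has elapsed; return released ids."""
        out = []
        for i, w in enumerate(self.items):
            if w["released"] or w["cancelled"]:
                continue
            if now - w["at"] < self.hold_hours:
                continue                      # still inside the hold window
            if w["amount"] > self.review_above and not w["approved"]:
                continue                      # awaiting manual sign-off
            w["released"] = True
            out.append(i)
        return out


def scenario():
    """Constructed day: three requests, one cancelled during its hold."""
    q = HoldQueue(hold_hours=3, review_above=50.0)
    q.request("alice", 5.0, now=0.0)           # ticket 0
    b = q.request("bob", 500.0, now=0.5)       # above the review threshold
    c = q.request("carol", 8.0, now=1.0)
    q.cancel(c)                                # operator spots an anomaly
    first = q.release_due(now=2.0)             # nothing has cleared its hold
    second = q.release_due(now=4.0)            # alice out; bob unapproved
    q.approve(b)                               # human sign-off on the big one
    third = q.release_due(now=4.5)
    return first, second, third
```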
Quantum Computing Threat
As pointed out, although the thefts of bitcoin and Ether are interesting case studies, not only did the blockchains themselves continue to function as they were supposed to, but ultimately any blockchain that does get implemented within the financial services industry will look very different from the ones utilised by those two networks.
It seems highly likely that the financial services industry will only use permissioned ledgers, whereby only a pre-approved set of counterparties are able to access the ledger, as opposed to permissionless ledgers, such as are used in the bitcoin and Ethereum networks.
In addition to this, the financial services industry operates in such a highly regulated manner that the number of data officers, security officers, CTOs, compliance staff and regulators that will probably have to sign off on the implementation of any new DLT is in stark contrast to the decentralised approach of a group like the DAO.
This is not to say that the future of DLT is free of security concerns, nor that the technology is un-hackable, a point that was well made at the Bizhackathon event by Pascal Bouvier, a fintech venture capital (VC) investor who is currently working with Santander Group’s global fintech VC fund.
“If you leave aside what has happened and what will continue to happen on permissionless public blockchains, I don’t think that financial services firms planning to implement blockchain technology should be worried,” he says. “There’s plenty of security features and functionality that they can deploy to get as close as possible to a zero fault tolerance system.
“What worries me as an investor is the impact that the advent of quantum computing could have on security and cyber security,” Bouvier continues. “Within the context of blockchain, given that cryptographic science is actually fairly old, what are the vectors that are going to be needed to be developed in order to have resilience on blockchain security consensus algorithms so that quantum computing doesn’t come out and negate a lot of the things that we are trying to implement?
“That keeps me up at night, not the hacks that we’ve seen which occurred in a completely different ecosystem within the blockchain space,” he adds.