The top 8 problems with blockchain

While blockchain holds the promise for reinventing business processes, it is still a developing technology with few production systems in place, not to mention governance issues and vulnerabilities that must be understood.


While blockchain provides security relative to the integrity of the data recorded on a blockchain, the blockchain alone, without additional technologies or systems, cannot protect against unauthorized access, such as a data breach, according to the report from the Federal Reserve Bank of Minneapolis.

For example, a recent "51% attack" on the Ethereum Classic token exchange showed why even blockchain is not impermeable to gaming. A 51% attack refers to a bad actor who gains control of the majority of CPUs in a cryptocurrency mining pool. Such attacks are generally limited to smaller blockchains with fewer nodes, because they're more susceptible to a single person seizing control based on a Proof of Work (PoW) consensus mechanism.

Data transparency, or the ability for all parties on a blockchain to view transactions, is part of its appeal in that bad actors can quickly be identified if they attempt to add unverified data. Transparency of data, however, can also be a threat. For example, in a settlement or clearing system for financial institutions where confidentiality may be a key component of security, system data transparency is a security risk, the Federal Reserve's report noted.

"Where transparency is present, but confidentiality is needed, either encryption of the data on the chain or strong authentication access is required," the report stated. "Confidentiality and access control can be built into a blockchain, but are not inherent attributes. The blockchain itself also does not provide authentication."

In other words, don't assume because one blockchain design implementation includes a particular feature, such as privacy, transparency, or strong user authentication, that others will also have that feature.

Systems that provide information to blockchains, such as smart contracts, can also be attack vectors because they are not decentralized but are single points of failure, Bennett noted.

Smart contracts are neither smart nor contracts

Smart, or self-executing, contracts are a business automation tool built atop blockchain. They are one of the more attractive features of the technology in that they're able to remove administrative overhead. Essentially, once certain conditions of a contract are met, receipt information, money, property or goods are released automatically.

For example, an insurance company could use smart contracts to release claim money based on events such as large-scale floods, hurricanes or droughts. Or, once a cargo shipment reaches a port of entry and IoT sensors inside the container confirm the contents have been unopened, stored at proper temperatures, and so on, a bill of lading could automatically be issued.

Bennett, however, argued that so-called smart contracts are neither smart nor contracts in the legal sense. Combined with a lack of blockchain scripting language maturity, there's intrinsically a steeper learning curve for programmers that could lead to bugs or vulnerabilities.

While a smart contract is only as good as the rules and software used to create automated processes, that is becoming less of an issue, according to Bennett.

"We're even beginning to see tools that allow businesspeople to pull together the basics of a smart contract," she said. "That's only the beginning, though — as some companies have already discovered, it can be a challenge to ensure that every network participant runs the same version of a smart contract."

Other challenges include ensuring that no security issues arise from smart contracts themselves, Bennett added, and making sure that any external inputs to the smart contracts are valid and correct.

"As I keep saying, just because it's on a blockchain doesn't mean it's true," Bennett said, referring to ensuring that data input is accurate and verified at the source. "A smart contract will only ever be as good as the rules that teams put together for automating processes, and also depends on the quality of the programming."

Blockchain participants also need to agree on how they'll abide by the way the contract operates, and what happens in the case of a disputed contract. Creating a new business process also requires agreement on those conditions between disparate users, and there are already instances of blockchain projects being held up because people can't agree on the conditions under which they should be operating. So, as much as blockchain is about IT, it's also about contractual agreements.

"As someone recently said to me, blockchains are 80% business and 20% technology," Bennett said.

Additionally, while blockchains may be decentralized across dozens or thousands of nodes, smart contracts are not. That means the blockchain nodes have no visibility into how the smart contract works; in other words, a consortium of companies who are a part of a blockchain network must rely on one entity for the information being fed into the smart contract — an oracle.

Blockchain networks use centralized software agents called oracles to find and verify that real-world events have taken place, which then triggers a smart contract to act based on predefined conditions. So, for example, the temperature of pharmaceuticals being shipped from California to Denmark could be monitored by an IoT sensor in the shipping container. The sensor information is collected by the oracle software and then sent to the smart contract, which, if the temperature ranges were met throughout the journey, can trigger an event through the blockchain, such as issuing a bill of lading or release of payment for the shipment.

If your company is part of a blockchain consortium — a supply chain, for example — it has no way to know what's running in the smart contract. There's no verifiability. Essentially, you have to take the word of the company running the server on which the oracle and smart contract reside for the information being fed to the blockchain.

"You have to go to one source, one table, one oracle for that data. There's no standard processes to verify the data is what it says it is and it's coming in properly. It's a central point of failure," Gartner's Litan said.

"It's not mature yet," Litan continued. "I've talked to companies participating in a consortium and asked them, 'How do you know what the smart contract is doing?' and they say they don't. If you have a contract running your life, wouldn't you want to know what it's doing?"
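The shipping-container scenario above, as an added example that is not from the article or from any blockchain project: a Python model (not on-chain code) of contract logic that trusts the oracle's relay versus logic that checks each reading was authenticated at the sensor. The key, temperature range and function names are assumptions, and the HMAC stands in for a device signature; a real deployment would use an asymmetric signature so verifiers never hold the signing key.

```python
import hashlib
import hmac
import json

# Constructed demo values: hypothetical device key and allowed range in deg C.
SENSOR_KEY = b"constructed-demo-key"
TEMP_RANGE_C = (2.0, 8.0)

def _tag(seq, temp_c, key):
    body = json.dumps({"seq": seq, "temp_c": temp_c}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sensor_sign(seq, temp_c, key=SENSOR_KEY):
    """Sensor side: bind each reading to its sequence number at the source."""
    return {"seq": seq, "temp_c": temp_c, "tag": _tag(seq, temp_c, key)}

def naive_contract(report):
    """Acts on whatever the oracle relays, as in the setup the article describes."""
    lo, hi = TEMP_RANGE_C
    return all(lo <= r["temp_c"] <= hi for r in report)

def checked_contract(report, expected_count, key=SENSOR_KEY):
    """Release only if readings are complete, ordered, authentic and in range."""
    lo, hi = TEMP_RANGE_C
    if len(report) != expected_count:
        return False, "missing readings"
    for i, r in enumerate(report):
        if r.get("seq") != i:
            return False, f"gap or reorder at position {i}"
        if not hmac.compare_digest(_tag(r["seq"], r["temp_c"], key), str(r.get("tag", ""))):
            return False, f"reading {i} failed source authentication"
        if not lo <= r["temp_c"] <= hi:
            return False, f"reading {i} out of range"
    return True, "issue bill of lading"

if __name__ == "__main__":
    # Constructed journey with one temperature excursion (9.7 C) at reading 1.
    journey = [sensor_sign(i, t) for i, t in enumerate([4.1, 9.7, 5.0])]
    altered = [dict(r) for r in journey]
    altered[1]["temp_c"] = 5.0          # relay changes the value in transit
    print(naive_contract(altered))       # accepted: nothing ties value to sensor
    print(checked_contract(altered, 3))  # rejected: tag no longer matches
    print(checked_contract(journey, 3))  # honest relay: excursion is reported
```

The check covers altered, dropped and reordered readings; it does not help if the sensor itself reports a wrong value, which remains a question of trust in the source.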

This article was originally published in November 2017 and updated in July 2019.

Copyright © 2019 IDG Communications, Inc.
