Research conducted by security experts Trail of Bits concluded that the notion of blockchain decentralization is a fallacy. In particular, the report claimed controlling the four biggest mining pools could disrupt the Bitcoin chain, with Ethereum faring worse at three entities.
“The number of entities sufficient to disrupt a blockchain is relatively low: four for Bitcoin, two for Ethereum, and less than a dozen for most PoS networks.”
The report was commissioned by the Pentagon’s research and development branch, the Defense Advanced Research Projects Agency (DARPA), which is tasked with investigating technology for potential military use.
According to the website Tech Republic, which targets IT professionals, the report added further doubts about blockchain technology at a time when security risk and crypto price instability are at the forefront of everyone’s minds.
“The DARPA commissioned report only adds more concerns about the blockchain and affects investors’ perception and confidence.”
Blockchains are not immutable
The report goes in-depth, covering immutability, the Nakamoto coefficient, which refers to the number of entities required to attack a network successfully, mining pool vulnerabilities, 51% attacks, network topology, and network and software centrality.
The most critical findings stated immutability could be broken, and distributed ledger technology (DLT) can be centralized via authoritative, consensus, motivational, topological, network, and software means.
Expanding further, the report mentioned Virtual Machines (VM,) which are used to include new features and execute security migrations, are a potential gateway to breaking immutability.
“Bitcoin and its derivatives have a VM for interpreting transaction output scripts. Ethereum uses a VM for executing its smart contracts.”
Through VMs, software authors and maintainers can potentially “modify the semantics of the blockchain,” which can include reverting the blockchain to a previous state. Trail of Bits gives the example of Ethereum devs doing this in response to the 2016 DAO attack.
“Every blockchain has a privileged set of entities that can modify the semantics of the blockchain to potentially change past transactions.”
As such, neither blockchain data nor code can be considered “semantically immutable.”
Bitcoin is centralized
Although blockchains are sold on the concept of operating securely without centralized control, researchers state DLT can be centralized across several means.
Bitcoin has a Nakamoto coefficient of four, meaning taking control of four mining pools would be enough to attack the network. The closer the coefficient is to one, the more centralized it is.
“Bitcoin’s Nakamoto coefficient is four, because taking control of the four largest mining pools would provide a hashrate sufficient to execute a 51% attack. In January of 2021, the Nakamoto coefficient for Ethereum was only two.12 As of April 2022, it is three.”
While the cost of controlling four Bitcoin mining pools is uneconomically expensive, Trail of Bits researchers argue that “perverse incentives” still exist, such as from competing chains or unfriendly nation-states that have the resources to pull off such an attack.
Other key findings include that over a fifth of Bitcoin nodes are running an old client version, which has known vulnerabilities. And 60% of all BTC traffic passes through three Internet Service Providers.