%0 Journal Article %1 hofmann2021 %A Hofmann, Adrian %A Gwinner, Fabian %A Winkelmann, Axel %A Janiesch, Christian %D 2021 %J JIPITEC %K blockchain ethereum security %N 4 %P 347--359 %T Security Implications of Consortium Blockchains: The Case of Ethereum Networks %U https://www.jipitec.eu/issues/jipitec-12-4-2021/5453/hofmann_pdf.pdf %V 12 %X By definition, blockchain platforms offer secure and reliable data exchange between stakeholders without a trusted third party. Private and consortium blockchains implement access restrictions, so that sensitive data is kept from the public. However, due to its distributed structure, only one node with faulty configuration can leak all blockchain data. For our study, we scanned the Internet for misconfigured private Ethereum nodes. Overall, we found 1421 nodes belonging to 621 blockchains that are not one of the large Ethereum-based networks. For our analysis, we chose a diverse sample of networks. Then, we analyzed in-depth 4 different networks with 10 to 20 nodes enabling 800 to over 34 million transactions. We used the exposed remote procedure call interface of nodes to extract the complete transaction history and to gain insights into the actors' behaviors those networks. We used graph visualization tools to picture the networks transactions and to identify stakeholders and activities. Additionally, we decompiled and reverse engineered smart contracts on the networks to infer the purpose of smart contracts, the network, and its participants' roles. With our research, we show how to reveal confidential information from blockchains, which should not be exposed to the public and could potentially include identities, contract data as well as legal data. Thereby, we illustrate the legal and social implications of data leakage by this distributed and supposedly secure technology. In summary, we show that the large attack surface of private or consortium blockchains poses a threat to the security of those networks. The nodes used in this study were not configured according to the Ethereum guidelines and exposed information directly to the Internet. However, even correctly configured nodes provide an excellent target for attackers as they allow them to gain information about a whole network while only breaching one weak point. Lastly, our study discusses whether (private) blockchain networks can reach a consensus without sharing all data between nodes and what data distribution strategies defend best against weak links in the chain.

@article{hofmann2021, abstract = {By definition, blockchain platforms offer secure and reliable data exchange between stakeholders without a trusted third party. Private and consortium blockchains implement access restrictions, so that sensitive data is kept from the public. However, due to its distributed structure, only one node with faulty configuration can leak all blockchain data. For our study, we scanned the Internet for misconfigured private Ethereum nodes. Overall, we found 1421 nodes belonging to 621 blockchains that are not one of the large Ethereum-based networks. For our analysis, we chose a diverse sample of networks. Then, we analyzed in-depth 4 different networks with 10 to 20 nodes enabling 800 to over 34 million transactions. We used the exposed remote procedure call interface of nodes to extract the complete transaction history and to gain insights into the actors' behaviors those networks. We used graph visualization tools to picture the networks transactions and to identify stakeholders and activities. Additionally, we decompiled and reverse engineered smart contracts on the networks to infer the purpose of smart contracts, the network, and its participants' roles. With our research, we show how to reveal confidential information from blockchains, which should not be exposed to the public and could potentially include identities, contract data as well as legal data. Thereby, we illustrate the legal and social implications of data leakage by this distributed and supposedly secure technology. In summary, we show that the large attack surface of private or consortium blockchains poses a threat to the security of those networks. The nodes used in this study were not configured according to the Ethereum guidelines and exposed information directly to the Internet. However, even correctly configured nodes provide an excellent target for attackers as they allow them to gain information about a whole network while only breaching one weak point. Lastly, our study discusses whether (private) blockchain networks can reach a consensus without sharing all data between nodes and what data distribution strategies defend best against weak links in the chain.}, added-at = {2021-12-17T03:35:27.000+0100}, author = {Hofmann, Adrian and Gwinner, Fabian and Winkelmann, Axel and Janiesch, Christian}, biburl = {https://www.bibsonomy.org/bibtex/21eff741275e1e3ea5e97d121339ce654/winkelmann}, interhash = {efeaea7acba44feff385645ae76bab2d}, intrahash = {1eff741275e1e3ea5e97d121339ce654}, issn = {2190-3387}, journal = {JIPITEC}, keywords = {blockchain ethereum security}, language = {english}, number = 4, pages = {347--359}, timestamp = {2022-07-09T08:40:23.000+0200}, title = {Security Implications of Consortium Blockchains: The Case of Ethereum Networks}, url = {https://www.jipitec.eu/issues/jipitec-12-4-2021/5453/hofmann_pdf.pdf}, volume = 12, year = 2021 }