Trail of Bits’ research findings, published on June 22, 2022, show that distributed ledger technology (DLT) and blockchain networks, including those powering bitcoin (BTC) and ether (ETH), are not completely decentralized. The research also finds that a massive 21 percent of Bitcoin nodes were running an old version of the Bitcoin Core client vulnerable to attacks as of June 2021.
Blockchains Not Decentralized and Immutable
While the Bitcoin network has maintained a high level of security in its 13 years of existence and is often described as the most decentralized blockchain network, the latest research findings show that distributed ledger technology (DLT) systems may not be as immutable and decentralized as they appear to be.
Trail of Bits, a New York-based information security firm, has released the findings of research conducted on behalf of the Defense Advanced Research Projects Agency (DARPA) to determine the extent to which blockchains are truly decentralized.
In a 26-page report, titled “Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers,” Trail of Bits researchers shed light on the various ways in which blockchain networks become centralized and less immutable, as well as the inherent loopholes in these networks.
The researchers focused on the two major blockchains, Bitcoin and Ethereum, and tried to find out how decentralized and secure they are using various yardsticks: authoritative centrality (the minimum number of entities needed to disrupt the system, a.k.a. the Nakamoto coefficient), consensus centrality, motivational centrality, topological centrality, network centrality (geographical distribution of nodes) and software centrality.
Notably, the researchers have brought to light some worrying findings, most of which are quite contrary to what blockchain proponents claim:
- The number of entities required to attack a blockchain network is relatively low: four for Bitcoin, two for Ethereum, and fewer than a dozen for most PoS networks (Polygon 2, Fantom 3, Solana 19, Cosmos 6)
- Every widely used blockchain network has a privileged set of authorities that can modify the semantics of the blockchain to alter past transactions
- A vast majority of Bitcoin nodes across the world do not participate in mining and there are no explicit penalties for rogue or dishonest node operators.
- Stratum, the standard protocol for coordination within blockchain mining pools, is unencrypted and unauthenticated.
- 21 percent of Bitcoin nodes ran an outdated version of the Bitcoin Core client as of June 2021, significantly reducing the percentage of the hashrate (49 percent) necessary to execute a 51% attack.
- The Bitcoin Network traffic is unencrypted
- Only three ISPs handle 60 percent of the entire Bitcoin traffic
- A dense, possibly non-scale-free subnetwork of Bitcoin nodes is largely responsible for consensus and communication with miners – most Bitcoin nodes do not contribute to the health of the network
- Tor is Bitcoin’s largest network provider
- The Ethereum ecosystem has a significant amount of code reuse: 90 percent of recently deployed Ethereum smart contracts are at least 56 percent similar to each other.
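As an added example that is not from the report or this article, the Nakamoto-coefficient calculation behind the first finding above, run over a constructed hashrate distribution (assumed figures, not the report's measurements). It shows how the same distribution yields a different coefficient depending on the consensus threshold, and how a lower effective threshold, like the 49 percent cited for the outdated-node finding, shrinks the attacking coalition:

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# Constructed sample, NOT figures from the Trail of Bits report: share of
# total hashrate (or stake) held by each entity, in percentage points.
SAMPLE_SHARES = {
    "pool_a": 26, "pool_b": 24, "pool_c": 12, "pool_d": 10,
    "pool_e": 9, "pool_f": 8, "pool_g": 6, "pool_h": 5,
}

# Fraction of the total an attacker must control to disrupt consensus.
# Assumed thresholds: more than 1/2 of hashrate for a PoW majority attack,
# more than 1/3 of stake to stall a BFT-style PoS chain, and the 49 percent
# the article cites as sufficient when a fifth of nodes run an old client.
THRESHOLDS = {
    "pow_majority": Fraction(1, 2),
    "pow_with_vulnerable_nodes": Fraction(49, 100),
    "bft_liveness": Fraction(1, 3),
}


def nakamoto_coefficient(shares: Dict[str, int], threshold: Fraction) -> Tuple[int, List[str]]:
    """Smallest number of entities whose combined share exceeds `threshold`.

    Entities are taken largest-first; exact rational arithmetic avoids
    floating-point rounding at the boundary. Returns the count and the
    entities that make up the attacking coalition.
    """
    if not 0 < threshold < 1:
        raise ValueError("threshold must lie strictly between 0 and 1")
    total = sum(shares.values())
    if total <= 0 or any(s < 0 for s in shares.values()):
        raise ValueError("shares must be non-negative and sum to a positive value")
    coalition: List[str] = []
    cumulative = 0
    for name, share in sorted(shares.items(), key=lambda kv: kv[1], reverse=True):
        coalition.append(name)
        cumulative += share
        if Fraction(cumulative, total) > threshold:
            return len(coalition), coalition
    return len(coalition), coalition  # not reached: the full set always exceeds a threshold below 1


def coefficients_by_threshold(shares: Dict[str, int]) -> Dict[str, int]:
    """Nakamoto coefficient of one distribution under each consensus model."""
    return {label: nakamoto_coefficient(shares, t)[0] for label, t in THRESHOLDS.items()}


if __name__ == "__main__":
    for label, count in coefficients_by_threshold(SAMPLE_SHARES).items():
        print(f"{label}: {count} entities")
```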
Commenting on the research findings, Joshua Baron, DARPA program manager overseeing the study, said:
“This report demonstrates the continued need for careful review when assessing new technologies, such as blockchains, as they proliferate in our society and economy. We should not take any promise of security at face value and anyone using blockchains for matters of high importance must think through the associated vulnerabilities.”