This is the abstract my Deutsche Bank colleagues Riccardo Riccobene and Prof. Wolfgang Hoehnel and I submitted for Industrial Track WI2019.
The threat surface of blockchains can be divided into two parts. Inside the Blockchain and Peripheries of blockchain.
Peripheries are systems that connect to blockchain network from outside. For example, an exchange where different currencies get traded or wallets where users store their own keys. The most of the hacks for example on bitcoin happened on the peripheries of bitcoin network. Especially, the Exchanges and not inside the blockchain. For example, the famous Mt.Gox which was an exchange where in June 2011, 750 thousand bitcoins( More than a 5 Billion USD value today) were reported to be missing from the exchange to the latest Zaif exchange hack in Sep 2018 where 60 million dollar was stolen. Bitfinex, Bitfloor, Poloniex and Bitstamp all were surrounding system where security breaches happened and not in the blockchain itself.
The Second type of threat surface is inside the blockchain itself. Smart contracts are code by which blockchain platforms are programmed to execute the needed logic. Example of a simple smart contract would be transfer money X from address A to address B. If there is a cryptographic error or simple programmable errors, that can be used to abuse the blockchain network. Here the new networks where the code is still not used for long time, and all bugs are not yet corrected are susceptible. For example, famous DAO project would be a good case. Smart contract Split-Return was used to hack the blockchain network to pay-out large sum of 52 Million dollar. Weak consensus algorithm and methods of consensus are as well big issues. Many of the smaller projects and non-proof of work suffer from this issue. There are multiple threat vectors but the most important ones to be smart contracts quality and proof of consensus algorithms. To avoid inside chain attacks, it is important to write very clear code and tested from multiple angles and audited by third-parties before live deployment.
Most of the threat you see would be variants of the above two. Cyber Security teams need to handle both of these threat surfaces. Most of the work being discussed is in-blockchain security and smart contracts but blockchain becomes more usable by enterprises when end-2-end security including the peripheral systems and applications using them are also taken care from security perspective.
There are multiple methods used to secure end-2-end. But core of all this and fundamental one to all this is cryptography. So End-2-end key and certificate management plays the most important role. Identity to key mapping and vice versa is also big part of the solution. It is important to use the typical defence-in-depth security from hardening to penetration testing must be done on the oracles. Oracles are the gateways through which data is transmitted in and out of the smart contracts in the blockchain. Normally a typical IT system would be GIGO: Garbage In and Garbage out. In blockchain world, it is GIGS: garbage in garbage Stays.
Last but not the least, we as users are the biggest threats be it outside or inside. This is the area, where we believe, most of the future research will go into in addition to the privacy and custodianship which are as well very important pillars in Cyber Security for Blockchain.