The tragic combination of inevitable bugs and immutable code
Last week witnessed a catastrophic event in the Ethereum ecosystem, when The DAO, a smart contract less than two months old, began rapidly leaking funds to an unknown party. Looking at the current set of Ethereum contracts, filled with casinos and self-declared Ponzi schemes, this might not seem like a big deal. That is, until you learn that over 12 million units of ether, the Ethereum cryptocurrency, had been invested in The DAO by almost 20,000 people. That’s around 15% of all the ether in existence, valued at over $250 million on June 17th.
Two days later, The DAO’s assets dipped below $100 million. Two things contributed to this precipitous fall. First, a third of its funds (as denominated in ether) had already been taken. And second, the resulting panic sent the market price of ether crashing down from its peak of over $21 to a more sobering $10.67. (At the time of publication, the price had recovered to around $14.) This second effect was a natural consequence of the first, since much of ether’s recent increase in value was driven by people buying it to invest in The DAO.
The DAO had promised to act as a new type of decentralized crowdsourcing vehicle, like Kickstarter or Indiegogo but without the middleman and regulation. It was designed to let participants pool their cryptocurrency, collectively vote on projects looking for funding, then invest and reap the future rewards. Before catastrophe struck, over 100 projects had already been proposed, most of which were related to Ethereum itself. In addition, The DAO allowed participants to withdraw their uninvested funds at any time, positioning itself as a low risk investment.
Ironically, the individual or group which drained The DAO did so by exploiting subtle errors in this withdrawal mechanism. Like all smart contracts in Ethereum, The DAO is just a piece of computer code, which is “immutably” (i.e. permanently and irreversibly) embedded in the blockchain and executed by every node in response to incoming transactions. And like any self-respecting smart contract, The DAO provides full transparency by making its source code easily accessible online. This means that anybody can independently verify its functionality but also, crucially, look for vulnerabilities. And yet, the immutable nature of blockchains prevents any such problems from being fixed.
At the end of May, several critical issues were highlighted on the outstanding Hacking Distributed blog, alongside a call for a moratorium on project proposals for The DAO. This is what we might call the ‘white hat’ approach, in which exploits are reported for the good of the community. Nonetheless nobody seemed too worried, as the problems related to skewed economic incentives rather than a risk of outright theft. Simultaneously, however, it appears that others were poring over The DAO’s code with greater self-interest – namely, to look for a way to make a ton of money. And on June 17th, someone succeeded.
Draining The DAO
In a general sense, the attack arose from the interaction between vulnerabilities in The DAO’s code and other code which was designed to exploit them. You see, when looked at in isolation, The DAO did not contain any obvious mistakes, and indeed it was only released after an extensive security audit. But with the benefit of hindsight and many more eyes, a significant number of errors have since been found.
I won’t provide a full technical description of the exploit’s mechanism here, since others have already published superb and detailed post mortems (see here, here and here). But I will explain one particular vulnerability that was present, because it has been discovered in many other smart contracts and serves as an instructive example.
Let’s say that a smart contract holds funds on behalf of a number of users, and allows those users to withdraw their funds on request. The logic for the process might look something like this:
1. Wait for a user to request a withdrawal.
2. Check if that user’s balance is sufficient.
3. If so, send the requested quantity to the user’s address.
4. Check that the payment was successful.
5. If so, deduct the quantity from the user’s balance.
This all looks eminently sensible, and rather like an ATM which gives you some cash and deducts the appropriate amount from your bank balance.
So how can this simple process go wrong? Well, it turns out that if an Ethereum address belongs to a contract rather than a regular user, then this contract can run some code in response to receiving funds. And this code can, in turn, trigger other pieces of code on the Ethereum blockchain. Crucially, it can even trigger the same piece of code that caused it to be paid in the first place.
This means that, during step 3 above, the receiving address can send a new request for withdrawal, beginning a new process at step 1 before the previous process has completed. Since the user’s balance is only reduced in step 5, a new withdrawal will be approved based on the previous balance, and the same amount will be paid out again. In response to this second payment, the receiving contract can request a third, and then a fourth, and so on until the funds are drained or some other limit is reached. At this point, the user’s balance will finally be reduced by the appropriate amount, entering the negative territory which step 2 was supposed to prevent.
The equivalent would be an ATM which delivers banknotes that trigger a free repeat withdrawal when waved at the screen. The first customer to find out could empty the ATM entirely.
This ability for a piece of code to wind up calling itself is called recursion, and is a very useful technique in general computer programming. However in the case of The DAO, it paved the way for this ruinous exploit. Nonetheless, if this had been the only problem, the attack’s potential would have been contained, because Ethereum applies a limit on how deeply recursion can occur. Unfortunately, several further bugs in The DAO amplified the effects, leading to the eventual loss of tens of millions of dollars.
Of course, if just a few lines of The DAO’s code had been written differently, none of this could have happened. For example, in the 5-step process above, if the user’s balance is reduced before the funds are sent, then recursive calling would be perfectly safe. But sadly, even if its creators’ intentions were pure, The DAO’s actual code was deeply flawed. And computers have a nasty habit of blindly following the instructions they are given, even if a five year old can see that the results don’t make sense. Having been embedded immutably in the Ethereum blockchain, the faulty DAO was granted stewardship over hundreds of millions of dollars by a horde of naïve investors, and then spectacularly went up in flames. The DAO turned out to be a complete and utter shambles, and it can never be fixed.
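The five-step withdrawal process and the reordering fix described above, as a toy Python model added here; it is not The DAO's code and not Solidity. The class names, the amounts and the model's own call-depth limit of 64 are assumptions made for illustration.

```python
"""Toy model of the five-step withdrawal process (constructed example)."""

DEFAULT_MAX_DEPTH = 64  # assumption: the model's own call-depth limit


class PlainUser:
    """A regular address: receiving funds runs no code."""

    def __init__(self):
        self.received = 0

    def on_receive(self, vault, amount, depth):
        pass


class ReenteringContract(PlainUser):
    """A contract address whose receive hook requests the same withdrawal again."""

    def on_receive(self, vault, amount, depth):
        vault.withdraw(self, amount, depth)


class Vault:
    """Holds pooled funds and a ledger of per-account balances."""

    def __init__(self, update_first, max_depth=DEFAULT_MAX_DEPTH):
        self.update_first = update_first  # True = deduct before sending
        self.max_depth = max_depth
        self.balances = {}
        self.funds = 0

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.funds += amount

    def _send(self, account, amount, depth):
        """Pay out, then hand control to the recipient's code."""
        if self.funds < amount or depth >= self.max_depth:
            return False  # cannot pay, or call depth exhausted
        self.funds -= amount
        account.received += amount
        account.on_receive(self, amount, depth + 1)  # recipient may call back in
        return True

    def withdraw(self, account, amount, depth=0):
        if self.balances.get(account, 0) < amount:   # step 2: balance check
            return False
        if self.update_first:
            # Hardened ordering: record the effect first, then interact.
            self.balances[account] -= amount
            ok = self._send(account, amount, depth)
            if not ok:
                self.balances[account] += amount     # payment failed: restore
            return ok
        # Ordering from the article: pay first, deduct afterwards.
        ok = self._send(account, amount, depth)      # step 3: send
        if ok:                                       # step 4: payment succeeded?
            self.balances[account] -= amount         # step 5: deduct (too late)
        return ok


def run_scenario(update_first, max_depth=DEFAULT_MAX_DEPTH):
    """One saver deposits 90, one contract deposits 10 and withdraws 10 once."""
    vault = Vault(update_first, max_depth)
    saver, contract = PlainUser(), ReenteringContract()
    vault.deposit(saver, 90)
    vault.deposit(contract, 10)
    vault.withdraw(contract, 10)
    return {
        "paid": contract.received,
        "balance": vault.balances[contract],
        "vault_funds": vault.funds,
        # Can the vault still honour the saver's untouched 90?
        "saver_covered": vault.funds >= vault.balances[saver],
    }


if __name__ == "__main__":
    print("pay then deduct :", run_scenario(update_first=False))
    print("depth limit of 3:", run_scenario(update_first=False, max_depth=3))
    print("deduct then pay :", run_scenario(update_first=True))
```

With the original ordering the ledger ends with a negative balance for the contract and nothing left to cover the saver; a low depth limit only caps the loss, while deducting first makes the nested request fail at the balance check.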
The trouble with code
Tempting as it might be, I’m not here to haul The DAO’s programmers over the technical coals. Looking at the underlying source code, it seems reasonably well architected, with good function and variable names and clear internal documentation. While none of this proves its quality, there tends to be a high correlation between how code looks and how well it functions, for the same reason that CVs with poor punctuation warn of sloppy employees. In any event I don’t doubt that The DAO’s authors are competent developers – indeed, the fact that it passed an extensive code review suggests that the basic logic was sound.
So if the problem is not the people who worked on this project, or the work they produced, what is it? It is the fact that writing large pieces of bug-free code is extremely hard, if not impossible. I’ve worked with some truly outstanding programmers in my career, the sort who can crank out code at ten times the average developer’s pace, and with ten times fewer defects. And yet, even these remarkable individuals make mistakes which lead to software malfunctions. Donald Knuth, possibly the greatest computer programmer of all time, made a famous promise to provide an exponentially increasing financial reward to each person who found a bug in his TeX typesetting software. And he’s sent out more than a few checks.
To be clear, I’m not talking about silly slip-ups with names like “off-by-one”, “uninitialized variable” and “operator precedence”. These often cause a visible failure the first time a program is run, and can be easily spotted by reviewing the local piece of code in which they reside. And I’m not even talking about security vulnerabilities like “unvalidated inputs”, “SQL injection” and “buffer overflows”, which might not show up in a program’s regular usage, but should nonetheless be front of mind for every experienced developer.
Rather, I’m talking about trickier problems like “race conditions” and “deadlocks”. These arise from conflicts between parallel processes and tend to only show up intermittently, making them hard to detect and reproduce. As a result, they can only be understood by considering a system as a whole and how its constituent parts interact. This is much harder than regular programming, because it requires developers to think beyond the individual piece of code that they’re working on. It’s not unusual for coders to spend several days “debugging” in order to nail one of these problems down. And this is precisely the sort of holistic thinking that was needed to foresee how The DAO might be vulnerable.
With all of these difficulties, one might legitimately wonder why our increasingly code-driven world isn’t crumbling around us. Luckily, most software has three critical factors working in its favor – gradual adoption, regular updates and time.
Here’s how it works: A new software product is created to answer an emerging market need. At first, the market is small, so only a few people know they need the product. And since the product is new, an even smaller number of them will actually find it. These “early adopters” are a brave and hardy bunch who enjoy living on the technological edge, despite the associated risks. So they try out the new product, see some stuff they like, ask for a bunch of things that are missing and, best of all, report any problems encountered. Every good software entrepreneur knows to shower these people with love and assistance, and thank them for every single morsel of feedback they provide. Because while it sucks to hear about a defect in your product, it sucks a lot more not to hear about it.
Ideally, within a month or less, a new version of the product is released, fixing the reported bugs and adding some requested features. The early adopters are happy and more feedback flows in, as the latest version is put through its paces, and round it goes again. As the market grows, the number of people using the product increases. And as the product steadily improves, more and more of these people tell others about it. Even better, the more people that use the product, the more likely it is that someone, somewhere, will create that precise and unlikely situation in which an obscure bug will appear. With a bit of luck, they will let you know, and you will scratch your head in disbelief, ask for more information, eventually find and resolve the problem, and breathe a sigh of relief.
With few exceptions, this is how today’s software development works, because it is the most efficient way to create outstanding products. Of course, a good software team will also develop an extensive internal test suite, to catch as many errors as possible before they reach users, and ensure that new versions don’t break anything that previously worked. But still, most of us also rely on our user bases, because there is simply no way that we can afford to imagine and test every possible way in which our products might be used. And if you think this doesn’t apply to the big guys, you couldn’t be more wrong. How many “automatic updates” have been downloaded to your Windows, Mac or Linux system in the past year? And if you’re using Chrome or Firefox, your web browser now updates itself automatically and silently, an average of once per month.
This iterative process takes considerable time, by which I mean a few years or more. Still, after a product has been in development for long enough, and its user base has grown large enough, and those users have been (unknowingly) testing it in enough different situations, something magic happens. This magic is called “maturity”, and it’s what every software product must strive to achieve. Maturity means that a product works really well for pretty much everybody that uses it, and there are no shortcuts to getting there. But if you get the timing right, your product will mature at around the time that your target market coalesces, i.e. when large numbers of customers are actually willing to stump up and pay for it. And then, as they say, verily shall ye profit.
On immutable code
So here we come to the fundamental problem with smart contracts, as demonstrated so forcefully by The DAO:
By design, smart contracts are immutably embedded in a blockchain, and so cannot be updated. This prevents them from reaching maturity.
In previous posts, I’ve discussed other problems with smart contracts, such as their effect on blockchain performance and the fact that they are less powerful than many people imagine. For these and other reasons, we have not (yet) implemented smart contracts in the MultiChain blockchain platform. But until I witnessed the failure of The DAO, I hadn’t given enough thought to a much more fundamental issue: any non-trivial smart contract is likely to contain defects that cannot be fixed.
For the modern software developer, unfixable code is an out-and-out nightmare, setting the bar higher than most are able to reach. But we do encounter this kind of code in some situations, such as the design of the microprocessors which lie at the heart of every computer and smartphone. This code, written in languages like Verilog and VHDL, defines the physical layout of a silicon chip, which cannot be changed once manufactured. In situations like these, we tend to see several characteristics: (a) the code is written in a language that was designed with safety in mind, (b) large numbers of people work on it for several years, (c) it is subject to extensive automated testing and formal verification, and (d) if the final product is shipped with a defect, the cost of a recall falls squarely on the shoulders of the party responsible (see for example the infamous Pentium bug).
It goes without saying that none of this applies to the creators of The DAO, or indeed any other smart contract. But code immutability isn’t the only challenge for smart contract developers. A number of other factors conspire to make Ethereum considerably more dangerous than most computing environments:
- As discussed earlier, most contracts reveal their source code, to gain the trust of potential users. This makes bugs easy to find and exploit. While regular code can be fixed when a problem is found, with immutable code only attackers get to benefit.
- As in most programming languages, one “function” (piece of code) on the blockchain is able to “call” (trigger) another, to create cascading effects. However Ethereum is unusual in enabling direct function calls between the code written by parties who do not know each other and whose interests may collide. This is a perfect recipe for adversarial and unexpected behavior.
- As mentioned previously, if one Ethereum contract sends funds to another, the latter has the opportunity to execute some code in response. This code can be deliberately designed to cause the send operation to fail, potentially triggering all sorts of further havoc.
- When one function calls another, and this second function calls a third, a “stack” of calls and sub-calls is created. Keeping track of this stack carries a computational cost, so Ethereum includes a “call stack limit” which restricts how deep it can go. This is fair enough. But if the limit is reached by a particular function call, the Ethereum environment silently skips that call, rather than safely terminating the entire transaction and unwinding its effects. In other words, some code in a smart contract just might not be executed, and this non-execution can be deliberately caused by triggering that contract from a sufficiently deep stack. This strikes me as a truly abominable design choice, breaking the mental model that every software developer is accustomed to. Whoever made this decision probably should be hauled over the coals, though there is thankfully now a suggestion to change it.
- Ethereum also has a “gas limit”, which prevents abuse in public blockchains by making transactions pay for the computational resources they consume. The sender of a transaction decides how much gas they are willing to spend, and if this runs out before the transaction completes, it is safely aborted. While this is probably the best solution to a difficult problem, it can have unpleasant consequences. Some contracts turn out to need more gas than anticipated, while others cannot be run at all.
- The public Ethereum network’s cryptocurrency allows defects in smart contracts to send real money to the wrong place, with no easy method of recovery. While Ethereum miners seem to be voting in favor of a “soft fork” to freeze the funds drained from The DAO, this is not a sustainable solution.
To summarize, compared to regular centralized computer systems, Ethereum is a much more tricky environment to code for safely. And yet its principle of immutability serves to prevent buggy software from being updated. In other words, smart contracts are software whose bugs are visible, cannot be fixed, and directly control real people’s money. This, rather obviously, is a highly toxic mix.
Proponents of Ethereum-style smart contracts in private blockchains might be tempted to celebrate The DAO’s demise, but I don’t think this response is merited. With the exception of the last two points above, all of the issues with Ethereum apply equally to permissioned blockchains, which still rely on immutable smart contracts – although in this case the immutability is guaranteed by a group of identified parties rather than anonymous miners. If you want to claim that private blockchains allow buggy smart contracts to be more easily rewound, replaced or ignored, then what you’re really saying is that smart contracts serve no purpose in these blockchains at all. Put simply, if something is not meant to be immutable, it shouldn’t be stored in a blockchain. Instead, stick to good old fashioned legal documents and centralized application logic, using the chain for: (a) immutably storing the data on which that logic depends, and (b) representing the final consensual outcome of applying it. (This design pattern has been named Simple Contracts by others.)
Nonetheless the risks in the public Ethereum network are undoubtedly worse, because badly written smart contracts can rapidly and irreversibly send large amounts of real value (in the form of cryptocurrency) to users whose identity is unknown. Indeed, is there any better way for an evil genius to make a killing than: (a) writing a smart contract which looks right and fair, (b) allowing it to run safely and consistently for several years, (c) waiting for it to accumulate a large sum of money from investors, and then (d) triggering some obscure vulnerability to siphon off those funds? While I’m not suggesting that The DAO’s failure was deliberate, it will surely inspire others to make similar “mistakes”.
If I had to summarize the factors underlying Ethereum’s design, I might use the phrase “inexperienced genius”. Genius, because I believe it is a genuinely brilliant invention, adding two key innovations to the cryptocurrency systems that came before: (a) the Ethereum Virtual Machine which executes smart contracts and its method for assigning cost to computation, and (b) the use of Patricia trees to enable compact proofs of any aspect of a blockchain’s state. And yet, inexperienced as well, because some of Ethereum’s design choices are so obviously terrible, such as the silent-but-violent call stack limit, or the ability of a payment recipient to recursively trigger the code which paid it.
None of this would be a problem if Ethereum was being treated as an experiment, worthy of exploration but with critical issues remaining to be resolved. The equivalent perhaps of bitcoin during its first couple of years, when its total market capitalization didn’t go beyond a few million dollars. Unfortunately, as a result of speculation and inflated expectations, Ethereum hasn’t been given the same opportunity to find its proverbial feet. Instead, at less than one year old, it’s carrying a billion dollars in market value. Ethereum is like a toddler being forced to cook dinner, or an economics freshman chairing the Federal Reserve. I believe it’s time to recognize that the immaturity problem of individual smart contracts also applies to Ethereum as a whole.
Ethereum’s way forward
While I’m yet to see strong use cases for smart contracts in private or permissioned blockchains, I think they probably do have a place in public chains with associated cryptocurrencies. That is, if you accept the basic premise of censorship-free financial systems, which help the financially excluded and ransomware authors in equal measure. Putting this debate aside, there is certainly technical merit in a cryptocurrency which supports arbitrary logic, of the sort that cannot be implemented on “first generation” blockchains like bitcoin. For now at least, Ethereum is the first and only convincing attempt to build such a system, with a ton of money and momentum behind it.
Nonetheless, as a developer ecosystem, Ethereum appears to be fundamentally broken. While The DAO is its most costly and high profile failure, many other contracts are suffering from similar problems. So how can Ethereum clean up its act?
- Send a clear message that, at least for the next two years, nobody should send any funds to a smart contract unless they are happy to lose them in the name of self-education.
- Fix some glaring issues with the Ethereum Virtual Machine (“EVM”), namely: (a) removing the call stack limit, (b) providing a way to send ether without triggering code, and (c) allowing contracts to be marked as “non-reentrant”, meaning that their functions cannot be called while they are already in the middle of something.
- Develop a new programming language for smart contracts, which uses a more restrictive method for expressing computation that is amenable to formal proofs of correctness. Decades of research have already been invested in this field, so there is much existing work to be leveraged. (This won’t require changes to the EVM itself, since the chosen language could still be compiled into regular “bytecode”.)
- Build up an official set of secure smart contracts and functions, which have been peer-reviewed to death and proven themselves reliable in many different situations. This is akin to the standard libraries that are available for many mature programming languages. (Though at this point it’s tempting to ask: why not just hard-code the functionality of these libraries into the EVM, and enjoy much better performance as a result? Answer: Because Ethereum was specifically designed to move away from blockchains with hard-coded feature sets. But still, it does make you wonder.)
The current option, of manually intervening in response to the failure of specific smart contracts, will not be viable on a larger scale if Ethereum is to maintain its identity as a trustless and decentralized computing platform. Indeed, some make a credible case that this single judgment-based act of governance has already destroyed Ethereum’s reputation. And we should note that The DAO’s terms and conditions explicitly state that nothing “may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code”. In other words, whoever drained The DAO was acting in accordance with its published terms, and is therefore presumably on the right side of the law.
We must also accept the possibility that, after several more years of good work, Ethereum might still prove too difficult for developers to work with safely. In that case, it will languish as a matchmaking service between anonymous scammers and their foolish marks. But that wouldn’t mean it was a waste of time – at the very least, Ethereum is a fascinating experiment, from which the blockchain community will learn a lot.
In the meantime, for users of private blockchains, I can only repeat what I’ve said before:
If your application doesn’t require smart contracts, then use a simpler blockchain architecture.
Whereas this advice was previously justified in terms of performance, it is now reinforced by the apparent difficulty of getting smart contracts right. And if you’re not sure whether your use case requires smart contracts, feel free to email us with some details, and we’ll be happy to let you know.
Kucoin and Revain Announce Partnership
Before deciding to buy or apply for any service, consumers are primarily interested in doing their homework through objective third-party reviews that show what other people are thinking.
In order not to get lost in multiple offers of wallets, exchanges, and cryptocurrencies, Internet users are starting to look for reviews to guide their decision-making process.
The revain.org project began to use blockchain to keep all reviews unchanged. This builds trust in the community and lets users learn about and interact with both the projects that interest them and the communities they represent.
Trust can play an extremely important role for serious companies. The KuCoin and Revain projects have started cooperation for the common benefit of both communities. The Revain Widget implemented on the main page of one of the leading exchanges allows visitors to read and write reviews directly on the platform.
Companies that have already achieved success should understand that the review widget increases the conversion rate and provides additional traffic.
And there are other pluses as well
For example, why would you buy products on a mystery shopping service if you can simply read a ready-made review on the Revain website?
And it will be fair, fast and, most importantly, it’s free.
It’s not a surprise when blockchain technologies are used in the crypto community. But the Revain Project doesn’t intend to stop there and has serious plans to expand the topic on which the writers will write reviews.
It’s important for people that the review includes pros and cons.
This could stem from concerns about fake reviews, and an underlying assumption that balanced reviews feel more authentic than reviews that are overly or exclusively positive.
Consumers want retailers to have better technology, offer more services, and establish better personal connections. Consumers think about what a good shopping experience looks like in the first place. Therefore, when people read or write a review, they pay attention not only to the facts but also to the feelings that appeared after the purchase from the company about which the review was then written.
When there are feelings, it is important to preserve a zone of trust and comfort
The usual advertising channels carry information about the product and the brand. But they do not contain the emotions of other buyers. The buyer chooses where he will share his buying experience.
And it is especially important to note that a review written on the seller’s own website does not carry much credibility. It is very important to have an independent platform, the need for which has been ripening for a long time in the Internet community.
Therefore, reviews are written on the Revain platform. You can display these reviews on your website using a simple widget. Thus, customers will see the independence of the review and at the same time, they can read it without leaving your site.
Of course, there were sites for reviews, they exist now and will continue to appear. But a project like Revain meets the expectations of ordinary people and businesses as much as possible. After all, reviews cannot be deleted or falsified because of blockchain. The hash of each review is kept for centuries.
Because of this, some reviews may seem funny as their authors decided to add some new facts or correct mistakes later. I recommend visiting and reading such reviews. A very interesting experience.
Source: Rinat Arslanov has been the Co-Founder and CEO of Revain since its inception. He describes his passion for Revain as a life project for him. He is currently doing his Ph.D. at Plekhanov Russian University of Economics and is expected to complete his doctorate in 2022.
Record Number of Dark Markets Online as Demand for Illicit Goods and Services Continues to Grow
The criminal environment of darknet markets is extremely turbulent. Numerous darknet markets are launched every year and just as many are constantly exiting, being seized, or otherwise going defunct. Despite this barrage, CipherTrace has noted more dark markets online than ever before.
CipherTrace researchers are currently monitoring over 35 active darknet markets. The newest darknet markets – both launched around early September – are Invictus Market and Lime Market. Lime Market, thought to be run by the former admins of DarkBay, appears to be a very small market and is not expected to become a very notable enterprise. Invictus Market, on the other hand, is run by the admins of the well-known Imperiya darknet service—an enterprise that creates and maintains darknet vendor shops for a modest fee. As the admins of Invictus already have a good reputation among the darknet community, it stood to see quick growth. However, while Invictus was able to gain close to 10,000 customer accounts in its first month, by the end of its second month of operation (October 20), Invictus’ customer base had barely surpassed 10,000 accounts, indicating its exponential growth appears to have slowed drastically.
Three Tumultuous Exit Scams
Empire Market was one of the largest, longest running and most successful darknet markets. Launched in February of 2018, Empire rose to become the largest darknet market in the Western world during its time. However, by late August 2020 the dark market pivoted and exit scammed—a scheme where a dark market or fraudulent exchange ceases operation and steals all the funds in escrow and account wallets. An exiting market will either abruptly shut down or remain online with escrow payouts and withdrawals disabled, but deposits still enabled, allowing the scammers to net more funds until users catch on.
Following Empire’s exit, its vendors and customers had to move to a new market, leading to a large influx of new users on all other open darknet markets.
On September 10—less than three weeks after Empire’s exit—Icarus Market also went offline. The site never came back up, taking all its vendors’ and customers’ funds with it. Icarus had been pushing high effort updates soon before the exit, leading CipherTrace analysts to believe that the exit likely wasn’t planned. Rather, it’s probable that the large influx of new users from Empire and their deposits made Icarus ripe for a profitable exit. As a result, the admins may have taken advantage of the opportunity and exited sooner than they had originally planned.
Sometime around October 12, DeepSea market also abruptly went offline. After just a few days with no word from market admins, users and one DeepSea forum moderator concluded that the market had exit scammed. As of the writing of this report, it has been one week since the market went offline. It is possible—but unlikely—that the market will return. It could have been seized instead of exit scammed, but law enforcement has yet to announce the seizure. If the market doesn’t return and law enforcement doesn’t announce a seizure, it can be concluded that DeepSea has exit scammed.
White House Market, due to its good reputation among darknet users, will take some traffic from these exits and has the potential to be the next biggest market. However, White House Market’s high security requirements tend to turn the average dark market user away. It is more likely that DarkMarket will take much of the traffic from the Empire, Icarus, and DeepSea exit scams.
As it stands, DarkMarket and White House Market appear to be the largest darknet markets in the Western world with over 300,000 customer accounts each. White House Market saw a 40% increase in users between August 27 and September 28, following the exit scam of Icarus, and a further 8-10% increase between late September and October 20. The next most notable darknet markets currently active are Versus Market, Monopoly Market, ToRReZ Market, and of course the Russian darknet behemoth—Hydra—which has been active since 2015 and is likely the largest darknet market in the world.
Why So Many Dark Markets Come and Go
Creating a darknet market requires little upfront cost, and the potential rewards can be high—Empire market admins, for example, reportedly profited around $30 million from their exit scam alone, not including the money they made in the two years of their operation. Evolution market exited with $12 million in user bitcoin. This results in numerous darknet markets launching every year. According to CipherTrace research, there has been at least one notable darknet market launched every month on average since early 2019.
However, darknet markets go as quickly as they come. The eventual fate of all darknet markets is to be seized, to be hacked, to exit scam, or to voluntarily shut down. It’s most likely that the majority of darknet markets plan to exit scam from their inception, especially as a plan B if things go sideways.
Operating a darknet market is risky. Market operators have a long list of adversaries. Law enforcement is the most obvious, powerful, and dangerous adversary of a darknet market. If a market runs for long enough, it’s likely to be seized and its operators arrested. Ten years ago, the first dark market, The Farmers Market, appeared on the Tor network; eight years ago its eight founders were arrested, seven pled guilty, and the leader was sentenced to 10 years in prison for selling narcotics and laundering money. Ross Ulbricht, aka Dread Pirate Roberts, allegedly operated Silk Road—the first large scale dark market with over 100,000 customers. Ulbricht was also charged with a murder for hire plot and was sentenced to a double life sentence plus forty years without the possibility of parole. Ulbricht built this black market bazaar to exploit the dark web and the digital currency Bitcoin to allow users to conduct illegal business beyond the reach of law enforcement. According to the DOJ, “Ulbricht’s arrest and conviction – and our seizure of millions of dollars of Silk Road Bitcoins – should send a clear message to anyone else attempting to operate an online criminal enterprise. The supposed anonymity of the dark web is not a protective shield from arrest and prosecution.”
Darknet markets are also under constant threat of being hacked by adversaries who want to steal funds from a market’s hot wallet, extort the admins, or conduct an attack that might lead to a profit. Furthermore, darknet markets are constantly receiving Denial of Service (DoS) attacks. DoS attacks on a market might be conducted by an individual demanding ransom, by admins of a competing market who want to diminish competition, or even by law enforcement who want to destabilize these criminal enterprises.
Even if a market intends to be around forever and manages to avoid being seized or hacked, there is always the chance of either a slip up in their operational security or an attack that poses so great a threat to the admins that they’re forced to execute their plan B: an exit scam. By conducting an exit scam, the admins of a darknet market are able to solve their problem while making a substantial profit.
The Ease of Creating a Dark Market
The ease of creating a dark market adds to its lucrative appeal, particularly if one intends to exit scam. While the biggest hurdle to operating a dark market was once the issue of gaining the trust of vendors and customers to use your site, the barrage of seizures and exits leaves many bouncing to and from one dark market to the next.
There are many ways criminals can quickly produce dark markets, with the easiest being to simply buy a pre-built marketplace template—all the customer has to do is replace any place-holder text and install the software to their servers. This method was used by the popular dark market “DarkMarket.” The current price for a standard, pre-built marketplace kit that accepts BTC and Monero is only $599 in BTC. Support for additional coins ranges from $50-$90 per coin. This upfront cost is minuscule when compared to the profits of many of the established exit scams.
The ease of creating your own dark market, coupled with the profitability of exit scamming and the constant demand shown by the volume of customer accounts on these marketplaces, has culminated in a record number of dark markets now online. It is likely that this number will only grow in the future. However, the use of blockchain analytics such as CipherTrace can ensure that the funds originating from any of these dark markets are identified the moment they are moved to fiat off-ramps such as exchanges.
Top 10 Blockchain-as-a-Service (BaaS) Providers
🔥🚀 BaaS or Blockchain-as-a-Service is a paid blockchain-based cloud service that blockchain companies provide to customers. BaaS provides customers with the ability to build, host, and use their own blockchain apps, smart contracts, and any other digital services on a distributed network.
It is important to clarify that the BaaS concept is derived from the concept of SaaS (Software as a service) and works similarly to it. 👇
◆ How does BaaS work?
According to the BaaS concept, blockchain companies install, manage, and maintain blockchain-based cloud platforms, and provide customers with the tools necessary to build blockchain applications, in return for a fee.
◆ The future of the BaaS industry
Currently, the global revenue from blockchain services is estimated at $2.5 billion and by 2025 this number is expected to rise to $19.9 billion.
Overall, the business value of blockchain solutions will increase to more than $360 billion by 2026, with estimates of this number reaching $3 trillion by 2030.
The previous figures clearly show the future of the industry as well as explain the huge and successive investments in the blockchain business in general.
❖ Advantages of using the BaaS model
The BaaS model provides its users with many advantages, most notably high data security, efficiency, scalability, unlimited customization potential, and compatibility with current cloud services.
In addition to the above, the adoption of the BaaS model reduces administrative burdens and provides better management and recruitment of resources.
Moreover, the BaaS model is easy to use and affordable, given the value it offers.
☉ BaaS vs owning a blockchain-based cloud platform
The BaaS model is a better solution for business than having a blockchain-based cloud platform in all aspects. Owning a blockchain-based cloud platform is hugely costly due to start-up costs (infrastructure, personnel, software, licensing, hardware, consulting, and more), retirement costs (decommissioning of server racks), and operational costs (monitoring, cost per transaction, bandwidth expenses).
In addition to the above, owning a blockchain model means fully assuming administrative responsibilities. 👇
🗨 While in the BaaS model, the cost is significantly lower because you only pay for the service you get. The service price in the BaaS model is subject to several factors, including the transaction rate, the maximum number of concurrent transactions, the payload size on transactions, and so on.
Also, in the BaaS model, all administrative burdens are borne by the provider.
● How to choose the right BaaS provider?
There are a number of points to consider when selecting a BaaS provider. These include the provider’s experience and reputation, the security of the platform, and the technical support, as well as the ease of use and pricing.
In addition, it must be ensured that the platform integrates with the existing operating systems and software.
🚀 You should also ensure that the platform supports smart contract integration and deployment, an identity access management (IAM) system, and different runtimes and frameworks. 👇
🟥 Top 10 Blockchain-as-a-Service (BaaS) Providers
Blockwell is one of the world’s leading providers of blockchain solutions to governments, enterprises, and end-consumers. It was founded in 2018 by experts who have contributed for 20 years to developing emerging technologies for some of the largest companies in the world. Blockwell aims to assist organizations in adopting blockchain solutions by providing consulting and a cloud blockchain platform in addition to a distinct and diverse set of tools and programs.
Blockwell aims to help everyone generate profits by allowing them to build and expand blockchain tools, services, and products.
Currently, content creators rely on existing toolkits developed by Blockwell, set their own commission structures, and earn percentages as they sell and promote their tools around the world.
During the past two years, Blockwell has developed blockchain solutions for cryptocurrency businesses around the world. 👇
🔻 In addition, Blockwell has vetted dozens of token contracts for some of the most popular exchanges in the world, prevented and stopped hacks, saving individuals millions of dollars, and built successful token-swap tools and analytics tools.
Blockwell’s previous work includes the names of many well-known businesses such as JPMorgan Chase Bank, Wells Fargo, Disney, GoPro, Paramount, Mattel, Universal, Lucas Arts, Suzuki, Epson, Time Warner Cable, Guitar Center, Beachbody, Marriott, Jaiyen Eco-Resort and more.
🗨 Blockwell has an impressive list of tools and applications. Notable among them are Blockwell Wallet, Pride Token, Fire Tokens, EgoCoins, Blockwell, Blockwell Book, Sheets-n-Blocks – Blockchain, Contract Tool, VoteBlock, API Miner, Smart License Creator, Blockwell Prime, Listener, Token Swapper, Blockwell Daico, Blockwell Telescope, Blockwell Spyglass, Blockwell Velvet, Blockwell KYC Form Builder, Non-Fungible Token Creator, BW, and Dumbapps.
In addition to apps and tools, Blockwell has launched a store for DApps named “Well Spring” that has 16 working apps so far.
Blockwell-backed tokens are valued at over $80M.
🗨 Regarding the future, Blockwell is seeking to expand by investing $10M. The company plans to obtain it by selling 100MM tokens to investors. 🔻
Amazon introduced its BaaS service called “Amazon Managed Blockchain” in 2018 through its cloud arm, Amazon Web Services (AWS). Amazon Managed Blockchain is a managed service that makes it easy to create and manage scalable blockchain networks using open source frameworks including Ethereum and Hyperledger Fabric.
Moreover, Amazon allows customers who want to manage their own network to do so, but this option requires experience in dealing with AWS Blockchain Templates.
Amazon also enables companies to integrate their blockchain-based networks and business processes to improve IT infrastructure, business processes, human resources, financial transactions, and supply chains.
In addition to the above, Amazon provides AWS Key Management Service to secure Hyperledger Fabric’s CA (Certificate Authority) and Amazon QLDB technology to manage augmented ordering service.
🗨 The BaaS offer from Amazon is characterized by flexibility in identifying resources to suit companies’ needs.
Amazon customers’ list includes star names like Nestlé, BMW, Accenture, Sony Music Japan, and the Singapore Exchange. 👇
🚀 IBM is one of the world’s most important BaaS service providers. Forbes selected it among the top 50 blockchain companies, thanks to its blockchain platform “IBM Blockchain”, which it launched in 2017.
IBM Blockchain is a fully-integrated distributed ledger technology platform that enables businesses to develop, govern, and operate a blockchain ecosystem quickly and cost-effectively on a flexible, cloud-based platform by using Kubernetes.
Partnerships have been vital to IBM’s continuous BaaS expansion. It created the Trust Your Supplier platform alongside blockchain firm Chainyard and also pioneered the Contingent Labor platform in conjunction with IT People.
IBM Blockchain has also joined The Linux Foundation’s Hyperledger Project to evolve and improve upon earlier forms of blockchain. Instead of having a blockchain that is reliant on the exchange of cryptocurrencies with anonymous users on a public network (e.g. Bitcoin), a blockchain for business provides a licensed network, with known identities, without the need for cryptocurrencies.
👉 IBM Blockchain Platform has been used widely in industries such as food supply, media, advertising, and trade finance. 👇
🔥 Microsoft is one of the oldest BaaS service providers as it has been in the market since 2015 when it launched Azure Blockchain Service.
Microsoft aims through its BaaS service to enable users to build public, private, and consortium blockchain environments with industry-grade frameworks and bring their blockchain apps to market.
🎯Microsoft provides three products to customers: Azure Blockchain Service, Azure Blockchain Workbench, and Azure Blockchain Development Kit.
Azure is compatible with other Microsoft products such as Logic Apps and Flow, making it a great choice for organizations, such as General Electric and T-Mobile, looking to harness blockchains.
Microsoft Azure’s most prominent features are its support for several blockchain frameworks, including Quorum, Corda, Hyperledger Fabric, and Ethereum, plus ease of deployment using Azure CLI, Azure Portal, or Visual Studio Code with the Azure Blockchain extension. Azure also supports full monitoring and logging.
🗨 The above helped Microsoft to forge important partnerships with prominent entities such as Ripple and BitPay. 👇
🔻 Alibaba is one of the leading blockchain solutions providers around the world. The well-known Chinese company introduced its BaaS service in 2018 through its cloud platform.
🗨 Alibaba has an active research team and has registered many patents on blockchain during the past period.
Utilizing Quorum, Hyperledger Fabric, and the Ant Blockchain, the platform integrates Alibaba Cloud’s Internet of Things (IoT) and anti-counterfeiting technologies to create blockchain solutions for product traceability.
Alibaba’s BaaS offering provides diverse solutions to meet user needs, including enterprise-level BaaS services, an agile BaaS platform that supports private deployment, and specific blockchain solutions for container services. 👇
🚀 Software giant Oracle unveiled its BaaS service in 2017. The service, called “Oracle Blockchain Cloud Service”, aims to provide an enterprise-grade distributed ledger platform that can help businesses to “increase trust and provide agility in transactions across their business networks.”
Oracle enables its service users to provide permissioned blockchain networks for private or consortia models, enroll member organizations, and run smart contracts to update and query the ledger, in addition to many other benefits.
🎯 Also, Oracle enables its service users to use its other solutions such as Oracle Supply Chain Management (SCM) Cloud, Oracle Enterprise Resource Planning (ERP) Cloud, and other Oracle cloud solutions. 👇
🔥 R3 launched its BaaS service called “Corda” to enable companies to transact directly and privately using smart contracts.
Corda is an open-source blockchain platform that works on minimizing blockchain nodes’ deployment time by a few minutes, allowing enterprises to host the Corda network in a few clicks.
👉 Interoperability, security, and privacy are the foundations of the finance-focused Corda.
Royal Dutch Airlines (KLM) recently hired the Corda service to streamline financial processes and enhance settlements.
Corda provides users with the following benefits: easy cloud-based deployment and quick setup of nodes with Docker, a built-in blockchain application firewall to provide additional security, as well as R3’s interoperability feature that allows developers to work with more than one application at the same time.
🗨 It is worth noting that R3 has developed solutions for more than 300 clients and has partnerships with many prestigious institutions such as Barclays, Credit Suisse, Goldman Sachs, J.P. Morgan, Royal Bank of Scotland, Bank of America, Wells Fargo, and more. 👇
🎯 SAP launched its BaaS service “Leonardo” in 2017. Through its service, SAP aims to help companies transition into the digital age through the use of distributed ledger technology.
Leonardo is a Hyperledger based service and resides in the SAP Cloud service, meaning it can be accessed from any device.
🔻 The platform provides plug-and-play blockchain solutions and allows for the easy setup and hosting of blockchain nodes.
SAP Leonardo functions as a blockchain cloud service, machine learning service, and supports the Internet of Things (IoT) in a single ecosystem.
👉 SAP Leonardo provides its users with several benefits such as cloud deployment, monitoring of blockchain data in real-time, and more. 👇
🚀 Well-known Chinese smartphone manufacturer Huawei launched its BaaS service in 2018. The service, called “BCS”, is based on Linux Foundation’s Hyperledger Fabric, a blockchain framework that allows components, such as consensus and membership services, to be plug-and-play.
With its BaaS service, Huawei aims to enable companies to develop smart contracts on top of a blockchain network for several use-case scenarios.
🔥 Huawei also works with enterprise customers to promote the deployment of blockchain solutions and applications and to build reliable, public infrastructure and an ecosystem based on blockchain and shared success.
🗨 According to Huawei, BCS enables enterprises to deploy blockchain technology within five minutes. It concentrates on nine application scenarios, including data assets, Internet of Things (IoT), operation, identity verification, data certification, data transactions, new energy, philanthropic donations, and inclusive finance.
Huawei has many and varied partnerships inside and outside the Chinese market, but the most prominent name remains the famous car manufacturer Honda. 👇
🔻 Factom launched its BaaS service in 2017. The service, called “Factom Harmony”, aims to allow enterprises and software vendors to quickly add blockchain capabilities to any application or workflow using simple API calls.
Harmony also aims to enable users to create portable, archivable cryptographic proofs to use as trusted inputs for internal and external audits.
🚀 What sets Factom Harmony apart is that it reduces the time and resource requirements to perform audits and meet compliance objectives. ⤵
✍ Author: Husayn Hashim
👤 Bio: Husayn Hashim works as an author and programmer. He has been writing about blockchain technology and cryptocurrencies for six years. He’s interested in programming, technology, finance, and business. He loves writing and loves to share his knowledge with others.