Don't Get Conned by Cryptocurrency/Bitcoin/Blockchain

Jan 6, 2022 blockchain career bitcoin cryptocurrency security
Share on:

Overview

Many moons ago, I told you that blockchain was a passing fad, and that the only meaningful use of blockchain technology was cryptocurrency (a la Bitcoin). Over 4 years later, my prediction turned out to be true. But this is not an "I told you so post." Rather, it's a warning.

Cyptocurrencies have exploded in recent years, along with scammers taking advantage of crypto "investors" (suckers). You can't turn on the radio or use the internet without being pitched some training course on "investing" in crypto, supposedly taught by some self-proclaimed expert who has less than 10 years experience in cryptocurrency.

Alongside the popularity of crypto, other uses of blockchain technology have also sprung up. They go by various names, including "smart contracts", "zero-trust computing", and "non-fungible tokens (NFTs)", and they're all worthless except as academic curiosities. Not surprisingly, these blockchain applications almost always require you to give your money to someone else, usually by purchasing specific digital coins.

Any use of blockchain technology other than cryptocurrency is pointless and inefficient. I said this years ago and it has proven true. And we could just leave it at that. But the marketing hype around blockchain and crypto is powerful, and many people—with and without technical knowledge—are apt to fall prey to its false promises. So my goal in this post is twofold:

  • To help you avoid getting scammed by blockchain hype
  • To dispel some of the technical errors around blockchain/crypto (you wouldn't want to to repeat them at work or in a job interview)

Crypto/blockchain scam warning signs

There are some telltale signs that a crypto/blockchain offering is probably a scam, or at the very least, an inefficient money-suck. Blockchain hype makes bold claims and lures you in with amazing promises. Some of these claims seem too good to be true.. and they are. Once you become aware of the following claims, you'll begin to spot them everywhere.

Claims to be tamperproof or immutable

The term blockchain describes a distributed database. Blockchain evangelists love to claim that once a record is written to the blockchain, it can't be edited, deleted, or tampered with. But the truth is that nothing is absolutely tamperproof or immutable, which is a fancy word for unchangeable. Not only can blockchain data be tampered with and overwritten, it has happened repeatedly over the years.

Developers slipping in backdoors

If you remember nothing else about blockchain, remember this: the developers of a blockchain application can do whatever they want. And that includes rewriting the blockchain. This has happened with Ethereum, Bitcoin, and other cryptocurrencies.

What's especially disturbing is what happened with Ethereum. Users invested millions into a "smart contract" that was to act as a venture capital fund, somewhat like buying stock shares. This fund, which was ironically called the "decentralized autonomous organization" (DAO), was just a voting program that would pay out funds if a majority of stakeholders agreed to it. Well, the DAO had a bug in the code. Hackers discovered this bug and drained the DAO of about $60,000,000 USD.

The Ethereum developers responded by modifying the blockchain in what's called a hard fork. They actually rewound the blockchain so that the DAO hack never happened. Of course, this didn't please some of the people who had believed the lie that blockchains are immutable. This group continued to use the original Ethereum blockchain, while others used the modified blockchain. The end result is that are now (at least) two Ethereum blockchains, and they're not interchangeable. You can read more about the DAO hack here.

H4x0rs and such

A chain rewrite can also happen with a targeted attack, and can occur in different ways.

In one scenario, a worm can infect the majority of nodes, causing them to modify the blockchain. Cryptomining malware is prevalent now and effectively turns unsuspecting devices into blockchain nodes. With enough infected devices, whoever controls the malware controls the blockchain.

In another and more likely scenario, an attacker could surreptitiously slip some malicious source code into the repository of the client software that blockchain nodes run, causing them to behave in an undesired way. The fact that the nodes use open source code doesn't offer any protection. Hackers routinely infiltrate open source projects.

Then there's the reality of undiscovered vulnerabilities in the code or its dependencies. Hackers discover novel or zero-day vulnerabilities and quietly exploit them or or sell them on the dark market. Once again, code being open source doesn't guarantee the good guys will discover a vulnerability before the bad guys do. Just look at the Apache Log4j saga.

Claims to offer decentralized or "zero-trust" computing

People naively think blockchain can overcome human dishonesty and eliminate the need for trust, but it can't. Someone is always in control. Blockchain proponents try to talk around this fact by claiming that the majority of participants will operate honest nodes. They say the blockchain is consensus-based, so as long as the majority (>50%) of the nodes are behaving, you can trust the blockchain.

Blockchain is based on circular reasoning

The idea of consensus sounds appealing, but it's a myth. The "consensus" among blockchain users is an illusion based on flawed, circular reasoning. The real hierarchy of control looks like this:

  1. Developers write code for the blockchain client software
  2. Blockchain enthusiasts download and run the client node software

Who's in control here? It's the developers. There is no consensus among the blockchain users. They just happen to be a group of people who decided to participate in the blockchain by running the software. It's the software, not the node operators, that's running the show.

If that's hard to understand, an analogy may help. Blockchain is like the game "Simon Says". The developers are Simon, and the blockchain participants are the players.

"Simon says, 'Accept this transaction'"

"Simon says, 'Ignore this other transaction'"

The players (blockchain nodes) must do whatever Simon (the developers) says. If they don't, they're out of the game.

The illusion of control

At this point, blockchain apologists might offer a rebuttal. They'd say that most blockchain projects are open source, so if developers tried anything crazy, people would know about it and could just go and write their own client software. But we've already seen how that works out. Just look at the Ethereum DAO debacle. The developers never truly lose control of the blockchain.

China controls Bitcoin (and probably others)

With Bitcoin, the person with the most computing power controls the blockchain. The majority of Bitcoin mining is done in China. Given that China has a communist government in which the state owns everything that it wants to, it's reasonable and savvy to conclude that they effectively control the Bitcoin blockchain.

The prospect of the Chinese Communist party (CCP) controlling Bitcoin has raised a troubling conundrum with the Bitcoin devs. Some of them don't like the idea of a national government controlling Bitcoin, but they also don't want to shut out the Chinese people from the Bitcoin ecosystem. The only solution is to turn Bitcoin into a permissioned blockchain which one must ask to participate in. That's probably not going to happen. 中国控制比特币.

In a proof-of-stake system like Ethereum, the golden rule applies (he who owns all the gold gets to make all the rules). The one with the most crypto coin invested holds all the power. This is usually the early adopters or devs, but can be anybody who manages to obtain a majority stake. Again, hackers have proven their ability to obtain crypto through exploits, and governments regularly seize crypto.

A theme begins to emerge here: control of the blockchain tends to become concentrated in the hands of a powerful few.

Decentralized systems don't exist

There's a false belief that blockchains are decentralized. But truly decentralized systems don't exist. When you think about it, this becomes obvious. In order for a blockchain to be decentralized, there must be a mechanism to prevent any single entity from taking control. But then whoever controls that mechanism is now in control of the blockchain, by definition. The buck has to stop somewhere.

We've touched on this already, but to briefly rehash, all blockchains are necessarily centralized in at least two dimensions:

  • The node software (client) and protocols are controlled by the developers. This means the promise of immutability is also out.
  • Even in a true open source system, vulnerabilities can still exist (e.g. OpenSSH, Log4j). Thus anyone who exploits a vulnerability could potentially wrest control of the system.

Things like the Internet and public blockchains appear to be decentralized when in fact they're just distributed. The components are ambiguous, invisible, or incomprehensible, giving rise to the illusion that nobody is in control. The Internet, for example, is controlled by governments and backbone providers. To quote the Wizard of Oz, "Pay no attention to that man behind the curtain."

Self-contradictory claims

Con artists routinely wrap themselves in logical contradictions. If you work in IT then you probably have a finely tuned sixth sense for detecting these. The two most common contradictions I've heard from blockchain peddlers are:

  1. It's trustless, but requires trusting the system and the people who wrote it.

  2. It's decentralized, but everyone must agree on the system and protocols.

Okay.

How do you get people who don't trust each other to agree on the rules? Even stranger, how is it that they reach agreement and still don't trust each other?

And then there's the problem of which blockchain to use. Remember, because the blockchain is a distributed database, everyone has a copy, and your copy may be different than mine. The nasty little problem with blockchain is that there's no way to enforce which blockchain to use. This has already shown up with the DAO fork, and it's going to show up again when Ethereum forks again to a proof-of-stake scheme.

The way blockchain developers have handled this is to assert that the longest chain (the one with most transactions) wins, which means someone with enough compute power can outpace the natural chain. This may sound like a feat, but all it would take it for botnets running on people's smartphones to fork a malicious chain. Sounds crazy, right? Norton is already installing cryptominers on people's machines without their knowledge. Now imagine Microsoft shipping a cryptominer with Windows. With that much control, hijacking the entire blockchain ecosystem becomes almost trivial.

Claims to be a world supercomputer... or something

When researching Ethereum years ago I came across this strange claim that Ethereum was a distributed computing platform, something like a worldwide supercomputer that you could pay to run your applications on. Intrigued, I looked into the technical details of this, hoping to find some amazing parallel processing capability. Nope. It turns out that the only application that can run on the blockchain is this thing called a smart contract.

Smart contracts are a dumb idea

Smart contract is the term for an application that's stored on the blockchain and runs on participating nodes. (It's also called a distributed app [dapp]). Before going into the technical details, it helps to understand the basic concept.

A smart contract can only read from or write data to the blockchain, so its only practical uses are storing data on the blockchain and sending Ether/ETH (Ethereum's cryptocurrency) to other accounts. Now suppose you want to gift 10 ETH (currently valued at the price of a new car) to your grandma on her 100th birthday. Here's how you'd do it:

  1. Write a smart contract to send 10 ETH to grandma's Ethereum address on her birthday

  2. Pay 10 ETH to deploy the contract to the Ethereum network

  3. When grandma turns 100, the smart contract will release the funds to grandma

But here we come to a huge flaw in the system: the code has to be executed. Once the smart contract is on the blockchain, the nodes in the Ethereum network execute it. Yes, multiple nodes execute the same code and hopefully arrive at the same result. The fact that this is inefficient isn't lost on the Ethereum folks. The benefit, they reckon, is that doing it this way avoid trusting a single node. The idea is to have multiple nodes run the same code and arrive at a consensus result.

Grandma's centennial birthday gift is now in the hands of thousands of anonymous strangers. What could possibly go wrong? Plenty. Once you pay money to put your smart contract onto the blockchain, you have no way of getting it back should you change your mind. And if there's a bug in your code, grandma may not get the money. The smart contract will hold onto it forever.

Even if your code is perfect, there's still the problem of trust. The very nature of computing requires trusting a computer to execute a set of instructions. You thus must trust that each node is operating honestly. If one node can be compromised, they all can.

There's no accountability. There are no consequences for running a malicious node. Why pay Ether tokens to run your code on machine you don't control when you can pay real dollar bills to run it on a machine you do control?

It's much easier (and more secure) to just validate and trust nodes that you control, which is what everyone was doing before blockchain came along. In addition to having no accountability, on a public blockchain you have no confidentiality at all. Incidentally, this is exactly why when the big boys (IBM, Apache, etc.) began offering enterprise blockchain products, they made darn sure to support private or permissioned blockchains. Nobody actually wants to use public blockchains for anything important. So why use blockchain at all? You're better off using a centralized database. Blockchain adds nothing but needless complexity.

NFTs

"Non-fungible tokens" or NFTs are a class of smart contracts that bilk you out of your money in exchange for putting some data on the blockchain. Buying NFTs is like paying money for free samples.

An NFT is a "digital asset" (music, GIFs, videos, pictures, etc.) or a worthless record on the blockchain that says you own some real world goods. Most NFTs are things like Nyan Cat GIFs or Pepe the Frog stored on the blockchain. There are even collections of themed NFTs, reminiscent of Pokemon cards. The idea is that you can use crypto to "buy" and become the proud "owner" of the NFT. Of course, this is a delusion because you don't actually own anything. Because the NFT is stored on the public blockchain, anyone can copy it and use it. For example, let's say you buy an NFT of Pumpkin Spice Nyan Cat flying through space. Nothing's to stop someone else from taking this GIF, using it on their website, and even selling it as an NFT to someone else!

But to truly appreciate how devoid of basic logic the whole NFT idea is, you have to read this gem from the Ethereum website:

Non-fungible is an economic term that you could use to describe things like your furniture, a song file, or your computer. These things are not interchangeable for other items because they have unique properties.

Huh? I had to read that last sentence multiple times to make sure I wasn't missing something. It actually says that you can't exchange a unique item for anything else because the item is unique. This is obviously false. People buy, sell, and trade unique items all the time.

Other things blockchain can't do

To use a familiar and annoying headline motif, "No, blockchain won't replace CDNs, protect you against DDoS attacks, or provide unlimited, infinite, indestructible data storage."

I won't bore you. These uses of blockchain, while technically possible, would be unbearably slow and would produce blockchains so large that the cost would quickly become prohibitive.

Cryptocurrency is the only valid use of blockchain

The only valid use case for blockchain is when you need a distributed database among untrusted parties. Only one application fits that definition: cryptocurrency.

But tread carefully. Most people pushing crypto don't believe in it enough to use it as money. They're not using crypto to buy and sell items. Instead, they're buying crypto using traditional fiat currency only to turn around and sell it for a higher price. In other words, gambling (they'd call it investing).

The price of crypto, especially Bitcoin, is driven by speculation, a sort of self-fulfilling prophecy. People believe the price will go up, so they buy some, which drives the price up. This continues until enough people stop believing that the price is going to keep going up. Fewer people buy, more people sell, and the price goes down. And then the cycle repeats.

Does Bitcoin, and crypto in general, have a future as a real currency?

There are some digital services that accept crypto. You can buy VPN services, fake social media accounts, shipping services, and contraband. Have you ever wondered why can't you go to the store and buy groceries or gas using crypto? One reason is because the price of it isn't stable. The problem is that there are two competing uses of crypto: one as a currency, and the other as a speculative investment.

The people who use it as a currency need its price to be stable relative to the US dollar. This is what we expect of cash. $100 today should be able to buy about the same amount of groceries as $100 could buy last week. We don't expect huge day-to-day shifts in prices. But people who invest in crypto want these huge swings. They want the price of Bitcoin to suddenly drop so they can buy it low, and then they want it to swing up so they can sell it at a profit. Think about it like this: why do people buy things with cash instead of bartering gold or real estate or stock certificates? Because there's just too much price movement, too fast.

Decentralized currencies can't exist

And now we come to the ugly truth about crypto that nobody wants to admit. For a currency to survive, it has to have the blessing of the government.

Inevitably, people buying and selling with crypto will have disputes. Someone will defraud the other, or a seller will refuse to give a refund to the buyer for unsatisfactory goods or services. Who settles these disputes? The government. Yes, the government settles disputes between parties.

Now here's where it gets interesting. Suppose a court orders a seller to issue a refund to a person who paid in Bitcoin. Here's the question: does the court order the seller to refund the Bitcoin, or to pay the cash value of what the Bitcoin was worth at the time of the transaction? If the seller has to refund the exact amount of Bitcoin, there's a chance either the seller or the buyer will come up short, depending on which way the price of BTC has moved. The government has to choose a preferred currency, and they're not going to choose Bitcoin.

And let's not forget taxes. A business that accepts Bitcoins and collects sales tax isn't going to be remitting Bitcoins to the government. They're going to have to pay in cash.

Disadvantages of Bitcoin

Bitcoin has problems, some of which are unique to Bitcoin, others which are common to all currencies.

Bitcoin can't exist without the Internet

This is a rather far out and even apocalyptic notion, but if World War 3 takes out the internet, forget about transferring Bitcoins. I know, if that happens bitcoins will be the least of your concern. But it's a possibility.

A much more realistic concern is at the regional level. Small countries occasionally shut down Internet access to their citizens.

Transaction fees

It's a pay-to-play system. Credit/debit cards are like this, but the fee is hidden and paid by the merchant. Bitcoin reverses this and makes the fee paid by the sender. You're paying to pay, but you're not paying to receive. Seems backwards. Once all of the coins have been mined, the only incentive miners will have is transaction fees.

No recourse for stolen funds

If it's stolen, there's no getting it back.

If someone steals your gold bars, it's possible to get them back. If someone steals money from your bank account, it's possible to get it back. But if someone steals your bitcoin wallet and private key and extracts the funds, there's no getting it back. There is no undo button.

Hard to steal also means hard to get back.

Some have posited creating a "vault" smart contract that holds funds and releases them only when, say, you provide a vault key and wait 24 hours. After 24 hours, the contract sends your funds. In the event a hacker steals your vault key and tries to steal funds, you can use a recovery key to undo that transaction within the first 24 hours. The problem here is that it institutes a mandatory waiting period.

It's not anonymous or private

Because the blockchain ledger is public, anyone can see your transactions. This isn't necessarily a problem, but it is a bit strange. It's like if there were a public record of every time you paid in cash. We already have an anonymous currency, it's called cash money. You can go out to eat, buy groceries, and get gas anonymously as long as you bring along someone like Ben Frank or Mr. Jackson.

It can be destroyed

Bitcoin can be destroyed similarly to if you were to lose cash in a fire. How do you destroy Bitcoin? There are two ways:

  1. Send it to a non-existent address
  2. Destroy your private key

Poof. It's gone, and you can't get it back.

Bad arguments against cryptocurrency

We've covered the good arguments against crypto. Now let's cover the bad ones. Following are some oft-repeated bad arguments out there against using cryptocurrency.

"It's not backed by anything of value"

There is no such thing as intrinsic economic value. The economic value of anything depends on what people are willing to trade for it. Right now, people are willing to trade thousands of dollars for a single Bitcoin. Incidentally, they're also willing to pay a decent amount of money for an ounce of gold. But neither gold nor bitcoin have intrinsic economic value.

"It's easy to steal"

Actually, bitcoin is very difficult to steal if you take the right precautions. If you keep your wallet encrypted well, you could leave it lying around in a public facing S3 bucket and nobody would steal your coins.