Business challenge

Prior to the launch of its blockchain network, this large financial institution realized that it first needed to undergo extensive security testing.


The company called on the X-Force Red Blockchain Testing team, which found more than 30 critical flaws exposing the blockchain environment and provided actionable remediation recommendations.


Identified > 30 vulnerabilities

that posed a security threat to the client’s blockchain environment

> 80% of vulnerabilities

posed a medium or high threat to the security of the blockchain

Delivered an actionable remediation plan

to enable the client to close security gaps

Business challenge story

The myth of blockchain invulnerability

Security experts have found that approximately 70 percent of blockchain solutions rely on traditional technologies for back-end processes like authentication, data processing and APIs. The connected infrastructure often leaves the blockchain technology vulnerable to hacking and fraud.

According to Christopher Thomas, X-Force Red’s leading blockchain hacker: “The common misconception is that blockchain technology is secure. From a theoretical or conceptual perspective, that is true. However, from the implementation and management perspective, that is not true.”

He likens it to an armadillo: hard shell on the outside, but soft and vulnerable on the inside. The blockchain may be secure, but if attackers can find a way in through poor access controls, for example, the whole infrastructure may be vulnerable.

The company was on the brink of launching a blockchain network to share information and clear goods-based trading transactions, when the primary risk owner stopped the project. No one had yet conducted mandatory security testing of the blockchain.

Unfortunately, the customer’s blockchain team lacked the expertise to test its security. With a go-live deadline looming and numerous institutions awaiting the blockchain launch, the financial company needed to quickly find experts who could, essentially, try to hack into its blockchain infrastructure.

We create a tailored testing plan and a tailored approach to addressing any potential security concerns within our clients’ projects.

Christopher Thomas, leading blockchain hacker, X-Force Red

Transformation story

How to hack your own blockchain

The financial services company turned to X-Force Red Blockchain Testing, the blockchain security testing service that X-Force Red launched in early 2019. The team provides penetration testing services for all blockchain technologies, not just IBM solutions, and their connected infrastructure. X-Force Red hackers, whose mission statement is, “hacking anything to secure everything,” assess blockchain technology and its connected infrastructure using the same tools, techniques, practices and mindset that criminals would use.

X-Force Red offers manual penetration testing, adversary simulation exercises, vulnerability management programs, vulnerability assessments, attacker reconnaissance services and code reviews to identify, prioritize and help fix vulnerabilities before criminals find them. “We create offensive security programs that are customized to address each client’s main security concerns, stay many steps ahead of attackers and minimize risk,” says Thomas.

The X-Force Red team quickly discovered the client had little experience in assessing blockchain security, and therefore couldn’t identify testing priorities. The client provided high-level documentation to the X-Force Red team to help create the scoping document for the penetration testing.

“Because this was a large environment and a very big project, the components list spanned a couple of pages of the scoping document,” says Thomas. “We produced a kind of heat map against the architectural diagram so that our hackers and the client could see, at a glance, the focus areas and testing priorities.”

With the original go-live date already in the rearview mirror, the X-Force Red team faced a tight deadline to quickly identify any vulnerabilities in the blockchain network and architecture. The team divided the work among several hackers, who simultaneously tested discreet components of the network that did not overlap. These components included everything from the network IP address, the blockchain layer, back-end components such as databases and object stores, the APIs, the externally-facing IP addresses and even the mobile applications associated with the network.

We produced a kind of heat map against the architectural diagram so that our hackers and the client could see, at a glance, the focus areas and testing priorities.

Christopher Thomas, leading blockchain hacker, X-Force Red

Results story

Security testing reveals vulnerabilities

Within a month of engaging X-Force Red, the financial services company had its testing results: the hackers had found more than 30 vulnerabilities in the blockchain environment.

The X-Force Red team was not surprised to find that more than 70 percent came from applications accessing the blockchain. Eight came from within the blockchain itself, while three were found within the supporting infrastructure. Greater than 80 percent of identified vulnerabilities were considered high or medium risk.

Access control is critical to blockchain security. “What the client did in this instance was to implement all of the permissions and access controls at the application level, and nothing at the blockchain layer,” says Thomas.

If hackers compromised any application and accessed internal networks, they could hit any number of APIs associated with the blockchain. As Thomas notes: “That means complete access to the API set. Because there were no access controls, someone could literally do anything and everything they wanted on the chain itself.”

The X-Force Red team encountered another common security problem: data stored off the blockchain and accessed through reference codes on the chain. Although the unique ID on the blockchain that references the data cannot be changed, someone could alter the original data in the off-chain database, and the blockchain reference code would then access the changed data; which could lead to elevation of privileges, account hijacking or accessing of information from an unauthorized perspective. The client needed to tighten access controls to the off-chain documentation and data to eliminate this problem.

Finally, the team found that while the blockchain itself remained an immutable record, the client lacked adequate quality assurance processes to review how chain code would be deployed on the network. This could have allowed someone to write malicious code that, once executed, would have granted command-level access to the hosting server.

At the end of four weeks, X-Force Red provided a detailed report of these and other findings to the client. The report contained remediation recommendations, and the project leader followed up with the client’s security architects to ensure that they fully understood the report.

Because there were no access controls, someone could literally do anything and everything they wanted on the chain itself.

Christopher Thomas, leading blockchain hacker, X-Force Red

the large financial services company

The client is a large financial institution that had created a blockchain network with other financial companies to share information and clear goods-based trading transactions.

Take the next step

To learn more about the IBM solution featured in this story, please contact your IBM representative or IBM Business Partner, or visit the following website: