Learn

Solving for Blockchain’s Critical Security Flaw

While Web3 sets out to solve the problems of today’s web, it is missing two essential elements: privacy and security. Learn about four approaches to Web3 and how one, leveraging zero knowledge (ZK) technology, can fill the gap by making full-node verification ubiquitous, scalable, and secure.

Web3 will combine the decentralization of Web1 with the interactive user experience of Web2. Unfortunately, Web2 is centralized around profit-seeking big tech. With their focus on monetization rather than product benefits, users have lost their privacy and security on today’s internet.

However, Web3 is changing this. It promises user-centered value, privacy, and interactivity like convenient, decentralized apps or dApps, often used in decentralized finance and NFT marketplaces. To gain access to these benefits, you must interact with blockchains through a wallet.

Not all wallets are alike though. Most cannot manage the many hundreds of gigabytes of data needed for a traditional blockchain in a web browser. And without running a full node and verifying the chain by themselves, these wallets must depend on trusted intermediaries like servers, which the Founder of Signal, Moxie Marlinspike, raised was a critical flaw in Web3.

The Role of Intermediaries in Web3 dApps

Before exploring the problem with intermediate trust in further detail, let’s review the three approaches that dominate Web3 thus far and the role that intermediaries play: 

Approach One: Wallets connect to one or very few servers. 

Approach Two: Wallets connect to a protocol with a light client

Approach Three: Wallets connect to an expensive full node

Both approaches one and two come with security risks. In approach one, wallets like Metamask depend on very few remote procedural call (RPC) servers to serve as a trusted intermediary. If those RPCs are compromised, then users are at immediate risk. 

Approach two reduces but does not remove trust. In this approach, wallets leverage light clients which partially verify protocol information. However, some information must be trusted while also omitting full verification of all blocks. Moreover, light clients still do not meet the needs of Web3 — they require downloading large quantities of block headers which is still expensive and time-consuming, and this offers fewer trust guarantees.

Approach three is more secure, with L1 chains requiring full nodes to download and verify the entire history of a chain. It requires even larger amounts of data to be downloaded than a light client. All approaches require tradeoffs: either trusting intermediaries or running powerful computers which are expensive and a hassle to operate. 

The Problem with Intermediaries 

Web3 wallets and blockchains that rely on the trust of an intermediary don’t adhere to the tenets of decentralization and trustlessness that are core to the Web3 ethos.

On top of such tradeoffs, Web3 wallets and blockchains that rely on the trust of an intermediary don’t adhere to the tenets of decentralization and trustlessness that are core to the Web3 ethos.

Cryptographer Moxie Marlinspike ran an experiment to explain how blockchain assets on some wallets are merely displaying what is reported by centralized APIs (application programming interfaces), which risks your security. To prove it, Marlinspike created an NFT that changes based on where you were viewing it from: one image on one trusted entity, and another image on another trusted entity. When you viewed it from your crypto wallet, it would display as a large 💩 emoji.

The wallet could not display the original NFT nor verify its authenticity. Not surprisingly, someone on a trusted entity took offense and removed the display of Marlinspike’s NFT altogether, including from their crypto wallet, failing to meet yet another key blockchain property—censorship resistance.

Marlinspike’s point is clear: Intermediaries are not necessarily trustworthy. Moreover, intermediaries such as centrally-controlled servers are being used as a common source of truth for Web3 wallets which can be hacked or controlled to display information that is not reflected on the chain. 

In a real-world example, users in Venezuela and Ukraine have recently seen their access to a trusted intermediary blocked, and with it, control of their data and assets. This was due to a configuration that blocked IP addresses from certain regions per US sanctions programs.

In this way, Web3, with its intermediaries, is not much different than Web2. Wallets that rely on intermediaries undercut the opportunity for true decentralization and security. 

A New Approach to Ensure Trust in Web3 dApps 

A newly emerging fourth approach to Web3 will solve the problems intermediaries introduce:

Approach Four: Wallets connect to a less expensive node with full-node verification

Approach four provides full-node security while reducing the costs by removing the need to download and verify a lot of data and thus—reducing its computational requirements. When full node verification becomes less computationally intensive and expensive, it can empower more people to participate and remove the need for intermediaries to run nodes or query a server, allowing for more decentralization. Essentially, the fewer intermediaries plus the more decentralized participation, the more secure a chain is. But how is this possible?

An emerging technology called zero knowledge proofs (ZKPs) has been in research and development for years and the Mina Protocol ecosystem has leveraged it to design a lightweight blockchain for anyone to participate in.

Don’t Trust, Verify – with Mina’s Zero Knowledge Blockchain

As a reminder, approaches one, two, and three require trusting an intermediary or running expensive and complicated hardware.

The power inherent in the fourth approach, like in Mina’s blockchain, comes from its recursive zk-SNARKs (a zero knowledge succinct non-interactive argument of knowledge). You are able to perform full-node verification that allows you to verify a ZK proof of the validity of the complete state of the blockchain (including your account), not just the latest block. This all happens with a small verifiable cryptographic proof that is less than the size of a tweet. In other words, full-node verification on Mina is efficient and protects users with full verification security without downloading the whole blockchain. 

If you think about it though— with Mina, even if the node you connect to does not have full-node verification, you can still verify the integrity of the chain with the cryptographic proof.  This works even if you are connected to a non-full-verification node or an evil node.  The proof being received cannot be faked by a malicious node— and you can verify it.  This is the power of Mina!

For the few who would like to hold onto the history of every account on the network, Mina archive nodes are optional types of nodes you can run on your local machine, durable storage providers, or centralized providers. These, however, are not needed for the network to be secure, because full-verification consensus nodes provide proof of the validity of the chain. As CEO of the Mina Foundation, Evan Shapiro says, “think of it as your credit card —you don’t need the history of transactions to transact. The system just needs current balances to transact, while you may as an individual want to hold on to your own history of transactions.”

The Mina ecosystem is taking this one step further by leveraging Mina’s succinctness to develop the ability for anyone using a web browser to run a node, enabling further decentralization and security. For developers, a web node also significantly lowers the barrier to entry, removing the need to run and maintain nodes in a Linux environment—thus reducing energy requirements and deep technical knowledge.

Mina’s Web3 dApps will also be able to leverage Mina’s full-node security, while also utilizing ZK for data-privacy applications. ZKPs allow you to prove that you have access to information, like your personal data, without revealing it to anyone while also allowing you to verify it’s correct without seeing the details. That means developers can build applications that preserve their user’s privacy on top of knowing the chain they are submitting transactions to is secure. 

As a result, your data can remain private even when processing, recording and verifying transactions on a web browser.

The Bottom Line for Solving Blockchain’s Security Issue? 

Zero knowledge with Mina removes intermediaries and provides provable information.

In today’s computerized world, your privacy and security should be the norm, and making zero knowledge accessible to everyone including other chains will be key to that. Several teams in Mina’s ecosystem are also working to further enable the possibility. Beyond the progress on non-consensus browser nodes, Mina contributors are also working on zero knowledge smart contracts (zkApps), and a zkBridge so other chains can access Mina’s privacy and security properties.

If you’re ready to build decentralized apps with ZK and already know TypeScript, check out some Mina developer resources to get started

Learn more about how you can build towards this user-owned and private future by subscribing to get developer resources right in your inbox.

About Mina Protocol

Mina Protocol is being incubated by O(1) Labs, the leader in zk-SNARKs and verifiable computation. Mina Protocol, the world’s lightest blockchain, provides a foundation for the decentralized digital economy (Web 3.0), by affording all participants fully P2P, permissionless access to the chain, from any device. By utilizing recursive zk-SNARKs, the Mina blockchain always stays the same size — about 20 kilobytes (the size of a few tweets). Recursive zk-SNARKs allow nodes to rapidly share and update proof of the correct blockchain state across the network. This breakthrough application of zk-SNARKs solves the issues of scalability and high barrier to entry for nodes that have plagued legacy blockchains to-date. By making it easier for nodes to participate, Mina improves decentralization and therefore security of the network. The Mina blockchain can be easily accessed from any device, including phones and browsers, and can be seamlessly integrated into new decentralized applications (dapps).

More from our Blog

SEE ALL POSTS
Retro / 2024-03-21 / Vitor Silva
Upgrade Mechanism Testing Retrospective
Track 3 allowed for the testing of various loads and helped uncover issues which have since been resolved. As a result, an optimal configuration was identified, and the release candidate for the Mainnet Upgrade is ready.
Read more
Learn / 2024-03-15 / Will Cove
Introducing ‘httpz’: the internet you can trust
Read more
Community, Events / 2024-03-13 / Mina Protocol
BUIDL with Mina Protocol at ETH Seoul 2024
Read more
Announcement / 2024-03-12 / Mina Foundation
zkIgnite, Cohort 3 Funded Projects
Read more

Teknoloji hakkında

AboutTechCta

Mina, salt hesaplama gücü kullanmak yerine gelişmiş kriptografi ve tekrarlı zk-SNARK'lar ile ölçeklendirebilir merkeziyetsizlik sunuyor.

Başla

GetStartedCta

Mina makes it simple to run a node, build and join the community.