Meet FumbleChain, the Deliberately Flawed Blockchain

There's a new blockchain for developers to break at will. The "capture the flag" project from Kudelski Security is meant to educate.

Aug 14, 2019 at 3:00 p.m. UTC
Updated Sep 13, 2021 at 11:20 a.m. UTC

FumbleChain makes breaking blockchains a sport.

Demonstrated for the first time last Thursday at the Black Hat infosec event, the deliberately flawed technology is meant to act as an educational tool for crypto developers.

“Basically, this is what people call CTF, or ‘capture the flag,’” explained Nils Amiet, a senior security engineer at Kudelski and one of the developers behind the project. “Whenever you solve a challenge, that is when you get the flag. … The challenges are pretty technical.”

The curated, gamified challenges are meant to teach users about the complexities of blockchain technology.

According to Dan Guido, co-founder and CEO of cybersecurity firm Trail of Bits, which has audited over 20 different cryptocurrency projects, FumbleChain is similar to the wargames used in traditional software development.

“Competitions and training exercises are used throughout the security industry, sometimes in live competitions of 30,000 or more players at one time, to help educate and demonstrate the knowledge that participants have gained,” said Guido, adding:

“It's long overdue for blockchain security to have its own wargame.”

Users collect game points dubbed “fumblecoins” every time they exploit a vulnerability in the FumbleChain blockchain and capture a flag. (The coins are only of value within the game itself.) Kudelski’s Amiet says FumbleChain’s core technology “looks a lot like bitcoin,” only simpler.

Daryl Hok, COO of blockchain cybersecurity company CertiK, said FumbleChain is designed to make blockchain “approachable” for engineers coming from a diverse set of backgrounds.

“[FumbleChain] provides a gamified, wargames model that may interest a broad audience with its approachability and incentives,” said Hok. “The project currently focuses on source code level attacks, as opposed to economically oriented attacks, but that may be something that is added in the future.”

Indeed, Kudelski Head of Cybersecurity Research Nathan Hamiel hopes FumbleChain will take on a life of its own now that the code has been open-sourced on GitHub.

“So many projects like this have a tendency to wither away as people move on to other things,” said Hamiel. “I feel the only way to have a successful project like this is to have it be open-source. … We’re hoping people continue to not only utilize but develop new challenges and really come on board and be a part of the project.”

Lessons from battle

FumbleChain was birthed after Kudelski completed a number of security audits for cryptocurrency projects including privacy coins Monero and Zcash, said Hamiel.

The first challenge on FumbleChain simulates what is called a replay attack: a transaction signed for one chain is rebroadcast on a second chain that forked from it and, because nothing in the signed data identifies which chain the transaction was meant for, the second chain accepts it too, spending the sender’s funds on both. This attack vector was a concern back in 2017 during the chain split between bitcoin and bitcoin cash.
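The following is an added illustration of that cross-chain replay, not code from FumbleChain or Kudelski. It models two chains that share the same pre-fork ledger, has "alice" sign a payment on chain A, and then rebroadcasts the identical transaction on chain B. The account names, balances and chain identifiers are constructed for the example, and HMAC-SHA256 with a key the verifier also holds stands in for real ECDSA sign/verify so that it runs with only the standard library; the replay logic is unaffected by that substitution. The nonce check shows why re-submitting the transaction on the *same* chain already fails, while only binding the chain identifier into the signed digest stops the replay on the *other* chain.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed signing keys for the example. A real chain uses ECDSA keypairs;
# here HMAC-SHA256 with a key known to both signer and verifier stands in for
# sign/verify so the example needs nothing outside the standard library.
SIGNING_KEYS = {
    "alice": b"alice-signing-key-constructed",
    "bob": b"bob-signing-key-constructed",
}


@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    amount: int
    nonce: int
    chain_id: Optional[str]  # None when signatures are not bound to a chain
    sig: bytes


def tx_digest(sender, recipient, amount, nonce, chain_id):
    """Digest that gets signed. With chain_id=None the same bytes are valid on
    every chain that accepts this transaction format (the replay weakness)."""
    payload = {"sender": sender, "recipient": recipient,
               "amount": amount, "nonce": nonce}
    if chain_id is not None:
        payload["chain_id"] = chain_id
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).digest()


def sign(signer, digest):
    return hmac.new(SIGNING_KEYS[signer], digest, hashlib.sha256).digest()


def make_tx(sender, recipient, amount, nonce, chain_id=None):
    digest = tx_digest(sender, recipient, amount, nonce, chain_id)
    return Tx(sender, recipient, amount, nonce, chain_id, sign(sender, digest))


class Chain:
    """Minimal account-based ledger. bind_chain_id=True makes the verifier
    recompute the digest with its own chain id, rejecting foreign signatures."""

    def __init__(self, chain_id, genesis_balances, bind_chain_id):
        self.chain_id = chain_id
        self.bind_chain_id = bind_chain_id
        self.balances = dict(genesis_balances)
        self.nonces = {account: 0 for account in genesis_balances}

    def accept(self, tx):
        expected_chain = self.chain_id if self.bind_chain_id else None
        digest = tx_digest(tx.sender, tx.recipient, tx.amount, tx.nonce, expected_chain)
        if not hmac.compare_digest(sign(tx.sender, digest), tx.sig):
            return False  # signature was not made over the digest this chain expects
        if tx.nonce != self.nonces.get(tx.sender, 0):
            return False  # stale nonce: stops replay on the same chain
        if self.balances.get(tx.sender, 0) < tx.amount:
            return False
        self.balances[tx.sender] -= tx.amount
        self.balances[tx.recipient] = self.balances.get(tx.recipient, 0) + tx.amount
        self.nonces[tx.sender] = tx.nonce + 1
        return True


def run_fork_scenario(bind_chain_id):
    """Two chains forked from one genesis state; alice pays bob on chain A and an
    attacker rebroadcasts the identical transaction on chain B."""
    genesis = {"alice": 100, "bob": 0}  # constructed pre-fork state
    chain_a = Chain("fumble-A", genesis, bind_chain_id)
    chain_b = Chain("fumble-B", genesis, bind_chain_id)
    tx = make_tx("alice", "bob", 30, nonce=0,
                 chain_id=chain_a.chain_id if bind_chain_id else None)
    accepted_on_a = chain_a.accept(tx)
    replayed_on_a = chain_a.accept(tx)  # same chain: nonce already consumed
    replayed_on_b = chain_b.accept(tx)  # other chain: only the chain id binding stops it
    return {
        "accepted_on_a": accepted_on_a,
        "replayed_on_a": replayed_on_a,
        "replayed_on_b": replayed_on_b,
        "alice_balance_a": chain_a.balances["alice"],
        "alice_balance_b": chain_b.balances["alice"],
    }


if __name__ == "__main__":
    print("no chain binding :", run_fork_scenario(bind_chain_id=False))
    print("chain id in digest:", run_fork_scenario(bind_chain_id=True))
```

Without the binding, alice loses 30 on both chains although she only authorised one payment; with the chain id inside the signed digest, chain B recomputes a different digest, the signature fails and her balance there is untouched. This is the same idea as the chain-specific signature hashing bitcoin cash adopted at the 2017 split so that its transactions would not validate on bitcoin and vice versa.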

Other vulnerability classes covered by FumbleChain’s challenges include missing transaction input validation, mismatches between a public key and the wallet address it is supposed to control, and denial-of-service or “spam” attacks.

Speaking to these network vulnerabilities, Hamiel said:

“The blockchain ecosystem has many of the same vulnerabilities that a traditional [software] ecosystem has. If you think about it at a low-level, a blockchain is not very useful without the ecosystem around it … exchanges, wallets, etc.”

As such, FumbleChain also offers a browser-based web wallet and blockchain explorer to mess around with.

Smart-contract challenges and lessons on blockchain privacy are the next additions both Hamiel and Amiet hope to see in the months to come.

At the very least, says Marc Laliberte, a senior security analyst at WatchGuard Technologies, FumbleChain could have an impact on existing blockchain applications by creating opportunities for “hands-on” learning.

Laliberte said:

“Experience with identifying and exploiting common vulnerabilities is a great way to learn how to not make the same mistakes yourself. FumbleChain provides an opportunity for developers and enthusiasts to learn about common flaws and play around in a safe ecosystem, and then take that knowledge back to their own applications.”

FumbleChain image via Kudelski Security

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.