The report published Tuesday highlights several scenarios in which various actors can garner excessive, centralized control of a blockchain system.

Distributed ledger technology (DLT) and blockchains including Bitcoin and Ethereum may be more vulnerable to centralization risks than initially thought, according to Trail of Bits. 

The security firm on Tuesday released its report titled “Are Blockchains Decentralized?”, which was commissioned by the U.S. Government’s Defense Advanced Research Projects Agency (DARPA).

The report aims to investigate whether blockchains including Bitcoin and Ethereum are truly decentralized, though the report appeared to focus largely on Bitcoin.

Among its key findings, the security firm found that outdated Bitcoin nodes, unencrypted blockchain mining pools and a majority of unencrypted Bitcoin network traffic traversing over only a limited number of ISPs could leave room for various actors to garner excessive, centralized control over the network.

Bitcoin nodes

The report stated that a subnetwork of Bitcoin nodes is largely responsible for reaching consensus and communicating with miners and that a “vast majority of nodes do not meaningfully contribute to the health of the network.”

It also found that 21% of Bitcoin nodes are running an older version of the Bitcoin Core client, which is known to have vulnerability concerns such as consensus errors. It states that “it is vital that all DLT nodes operate on the same latest version of software, otherwise, consensus errors can occur and lead to a blockchain fork.”

A Bitcoin node is any computer that stores and verifies blocks in the blockchain. Nodes are used to monitor the health and security of the Bitcoin blockchain and validate the accuracy of transactions. The current version all nodes should run is Bitcoin Core 22.0.

Another takeaway from the report found that Bitcoin’s mining pool protocol Stratum is unencrypted and essentially unauthenticated.

This means that malicious attacks can be made to “estimate the hashrate and payouts of a miner in the pool” and “manipulate Stratum messages to steal CPU cycles and payouts from mining pool participants.”

Funneling through ISPs

The authors also found vulnerabilities in the infrastructure, based on the fact that Bitcoin protocol traffic is unencrypted and 60% of the network traffic traverses only three ISPs.

This is a problem because “ISPs and hosting providers have the ability to arbitrarily degrade or deny service to any node.”

Twenty-six pages of detailed information, data, and infographics are contained within the report. DARPA started in 1958, and is responsible for the development of emerging technologies for use by the agency of the United States Department of Defense and the US military. Trail of Bits is a cybersecurity research and consulting firm that was engaged by DARPA to develop the report.

Related: Centralized vs. decentralized digital networks: Key differences

The report comes at interesting timing, after centralization concerns were highlighted on Solana.

On Sunday, Solana-based decentralized finance (DeFi) lending protocol Solend put together a spur-of-the-moment governance proposal aimed at taking over a whale’s wallet that was facing liquidation which was threatening to put a strain on Solend and its users.

The proposal which was passed by one whale, saw immediate kickback from Twitter, and the creation of another governance vote to invalidate the previously approved proposal. Observers arguing the move could cause damage to the overall image of DeFi as taking control of one of Solend’s wallets means the fundamental principles of DeFi fall into question and reversing a vote wasn’t much better.