Auditing Blockchains

by Ronald Chichester, Esq.

Presented at the ISACA One-Day Conference
December 4, 2017
Houston, Texas

Disclaimer!

I am a lawyer

But I'm not your lawyer

If this were legal advice, it would be followed by a bill

Auditing Blockchains

Audit a What?

A Blockchain

A blockchain is a decentralized list of records (called blocks), which are linked and secured using cryptography (to form a chain).

Blockchains are used in:

Cryptocurrencies like Bitcoin

Corporate Ledgers

E-Commerce (both B2B and B2C)

State Laws are Changing

e.g. Delaware SB 69 allows companies:

...to use cryptocurrencies in e-commerce

...to use blockchains for, e.g., a general ledger

...to sell/record shares of company stock on a blockchain.

Corporations Are Adopting

Reliability

No Bank Delays

Transparency

Continuous Audit

What is there to audit?

The integrity of the blockchain

The transactions on the blockchain

The procedures that use the blockchain

Implementation of the Blockchain

  • Blockchains are implemented in software on a network
  • You will have to audit the network AND the source code AND the compilation of that source code AND the invocation mechanism of the executable code
  • You will need to be familiar with TCP/IP, routing, etc.

Implementation of the Blockchain

  • You will also need to be familiar with popular blockchain languages (C++, JavaScript and Python)
  • You will need to know how software is compiled and executed on a server that is connected to the network
  • Yes, this means that you will have to go through every line of code.  Are you ready for that?

Transactions of the Blockchain

Blockchains record transactions, not balances.

The Transaction Process

  1. Origination (creation)
  2. Signature (authorization)
  3. Broadcast (to the network)
  4. Validation (by a node)
  5. Propagation (to the other nodes)
  6. Verification (by a mining node)
  7. Confirmation

Anatomy of a record

Example: Cryptocurrency

Someone wants to send bitcoin to someone else

Example: Cryptocurrency

Both the sender and the receiver have a respective address

An address could look like: 1L75eRMgeCwAxEjD1oWXjLgud9jxwxm34u

You can look at an address online at a site like https://blockchain.info

Information about a bitcoin address

How is anything kept private?

The answer is cryptographic keys

typically held in a wallet

Example: Cryptocurrency

So someone with access to the balance at
1L75eRMgeCwAxEjD1oWXjLgud9jxwxm34u
wants to send money to someone else who has an address at
1N6syVXHuQ7h6nikuQADi1MBXX2thd4BRv

But wait!

If you don't want to send all of your bitcoin, then you need a change address

... like 1DFMzaJWsGCGCTwbeM4Kw4LxHsMnuodqqN

which you control with a cryptographic key

So now we have...

1L75eRMgeCwAxEjD1oWXjLgud9jxwxm34u (0 Btc)
1N6syVXHuQ7h6nikuQADi1MBXX2thd4BRv (0.5 Btc)
1DFMzaJWsGCGCTwbeM4Kw4LxHsMnuodqqN (0.4998 Btc)

Note: Usually each change address is new/unique, which complicates tracking.

Creation

Ultimately, the transaction has three pieces:

  1. An input (the originating address)
  2. An amount (in this case, in bitcoin)
  3. A receiving address
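As an added example (not part of the talk), the following Python toy ledger puts the slides' spend into a two-block chain and audits it for the points above: that each block's prev_hash links to its real predecessor, that each recorded hash matches the block's contents, and that no transaction pays out more than it takes in. The addresses are the ones from the slides; the 1.0 BTC funding, the 0.0002 BTC fee and the block layout are assumptions of this example, not Bitcoin's actual format.

```python
import hashlib
import json
# Added example (not from the talk): a toy ledger, not Bitcoin's real format.
# Amounts are in satoshi (1 BTC = 100,000,000 satoshi) so arithmetic is exact.
SENDER = "1L75eRMgeCwAxEjD1oWXjLgud9jxwxm34u"
RECEIVER = "1N6syVXHuQ7h6nikuQADi1MBXX2thd4BRv"
CHANGE = "1DFMzaJWsGCGCTwbeM4Kw4LxHsMnuodqqN"
GENESIS_PREV = "0" * 64

def block_hash(block):
    """Hash every field except 'hash' itself, so an auditor can recompute it."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_block(index, prev_hash, transactions):
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions}
    return {**block, "hash": block_hash(block)}

def audit_chain(chain):
    """Return findings; empty means every link and hash verifies and no tx overspends."""
    findings, expected_prev = [], GENESIS_PREV
    for b in chain:
        if b["prev_hash"] != expected_prev:
            findings.append(f"block {b['index']}: prev_hash does not match previous block")
        if block_hash(b) != b["hash"]:
            findings.append(f"block {b['index']}: contents do not match recorded hash")
        for tx in b["transactions"]:
            if sum(a for _, a in tx["outputs"]) > sum(a for _, a in tx["inputs"]):
                findings.append(f"block {b['index']} tx {tx['id']}: outputs exceed inputs")
        expected_prev = b["hash"]
    return findings

def sample_chain():
    # Constructed data: an assumed 1.0 BTC funding of the sender, then the slides'
    # spend of 0.5 BTC with 0.4998 BTC back to the change address (0.0002 BTC fee).
    fund = {"id": "tx-fund", "inputs": [("mining-reward", 100_000_000)],
            "outputs": [(SENDER, 100_000_000)]}
    spend = {"id": "tx-spend", "inputs": [(SENDER, 100_000_000)],
             "outputs": [(RECEIVER, 50_000_000), (CHANGE, 49_980_000)]}
    b0 = make_block(0, GENESIS_PREV, [fund])
    return [b0, make_block(1, b0["hash"], [spend])]

def tampered_chain():
    """Block 0 redirected and rehashed (breaks block 1's link); block 1's change
    output raised without rehashing (hash mismatch plus overspend): 3 findings."""
    chain = sample_chain()
    chain[0]["transactions"][0]["outputs"][0] = (CHANGE, 100_000_000)
    chain[0]["hash"] = block_hash(chain[0])
    chain[1]["transactions"][0]["outputs"][1] = (CHANGE, 60_000_000)
    return chain
```

Running audit_chain over sample_chain() returns no findings, while tampered_chain() shows that rehashing a rewritten block only moves the evidence to the next block's prev_hash, which is why an auditor re-derives every link rather than trusting the stored hashes.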

A typical bitcoin transaction

Whew!

There is software that simplifies the review of a transaction

That software is called a Block Explorer

There are lots of block explorers

An example of a block explorer is etherchain.org

Notez Bien!  Some of the block explorers give more information than others... but anything more than what was in the core statement is guesswork.

etherchain.org

Procedures related to the Blockchain

This part is pretty straightforward, traditional auditing.

Who can add a transaction to the blockchain.

How transaction statements are sent to or received from the blockchain.

Questions?

Ronald Chichester
713-302-1679
Ron@TexasComputerLaw.com