Blockchain Developer Blockchain Security Principles Questions and Answers

Question 1

A smart contract is designed to manage roles for a decentralized application, including 'admin' and 'user'. The contract owner should be able to grant and revoke these roles. Following the Principle of Least Privilege, which access control design pattern is most appropriate for this scenario?

Accepted Answer

Role-Based Access Control (RBAC) with distinct roles and permissions.

Answer

Role-Based Access Control (RBAC) is the ideal pattern. It allows for the creation of distinct roles ('admin', 'user') and assigns specific permissions to each. This aligns perfectly with the Principle of Least Privilege, which states that an entity should only have the access required to perform its function. Using a single 'onlyOwner' modifier is too restrictive and centralizes all power. Public functions would allow anyone to change roles, and a timelock is for delaying sensitive actions, not for managing granular permissions.

Question 2

Which of the following cryptographic principles is most fundamental to ensuring that once a transaction is recorded on the blockchain, it cannot be altered or deleted, thus providing a tamper-proof ledger?

Accepted Answer

Immutability through Cryptographic Hashing

Answer

Immutability is a core security principle of blockchain, achieved through cryptographic hashing. Each block contains the hash of the previous block, creating a secure chain. Any alteration to a previous block would change its hash, which would invalidate all subsequent blocks, making tampering immediately evident. While other options are important cryptographic tools, they serve different primary purposes: digital signatures prove ownership/authenticity, symmetric encryption provides confidentiality, and zero-knowledge proofs offer privacy.

Question 3

A developer is building a DeFi lending protocol. A user discovers they can execute a flash loan from another protocol to artificially inflate their collateral balance, borrow assets, and then repay the flash loan within the same transaction, leaving the lending protocol with a bad debt. This exploit is a form of which type of attack?

Accepted Answer

Cross-Function Reentrancy Attack

Answer

This scenario describes a cross-function reentrancy or a flash loan reentrancy attack. The attacker uses a flash loan to manipulate the state (collateral balance) and then calls another function (borrow) within the same transaction before the initial state can be properly updated or validated against the temporary balance inflation. A Sybil attack involves creating multiple fake identities to overwhelm a network. A 51% attack involves controlling a majority of the network's hash rate to alter the blockchain itself. Oracle manipulation involves feeding incorrect external data to a smart contract, which is related but the core issue here is the reentrant call pattern during the flash loan.

Question 4

What is the primary security risk associated with using `block.timestamp` as the sole factor for executing critical logic in a smart contract, such as determining the winner of a game?

Accepted Answer

The timestamp can be slightly manipulated by miners.

Answer

Miners have a degree of control over the timestamp of the blocks they produce. They can adjust it within a certain range to their benefit, potentially influencing the outcome of a contract that relies solely on this value for critical decisions. Therefore, it should not be used for security-critical actions or as a source of entropy. The other options are incorrect: reading `block.timestamp` is not gas-intensive, it is available on private blockchains, and while integer overflows are a general concern, they are not specific to the use of `block.timestamp` itself.

Question 5

A decentralized identity system built on a blockchain allows users to control their own personal data without relying on a central authority. Which principle does this most directly enhance for the user?

Accepted Answer

Data sovereignty and privacy

Answer

Decentralized Identity (DID) frameworks are designed to give users full control over their digital identities, allowing them to manage and share their credentials without a central intermediary. This concept is known as data sovereignty or self-sovereign identity, which directly enhances user privacy by letting them decide what information to share and with whom. While network decentralization is the enabling technology, the primary benefit for the end-user is control over their own data.

Blockchain Practice Test

Blockchain Practice Test

Blockchain Developer Blockchain Security Principles Questions and Answers