BigchainDB is "a scalable blockchain database" (which falls under the category of so-called "private" or "permissioned" "blockchains", I believe) which was released in February 2016. It generated a lot of hype due to impressive scalability benchmarks: it was able to process a million transactions per second.
BigchainDB got a lot of praise from private blockchain enthusiasts. It entered many partnerships, e.g. with Eris Industries, Everledger, Capgemini, etc.
But BigchainDB's architecture is fundamentally flawed. All BigchainDB nodes, by design, connect to a single RethinkDB cluster. (RethinkDB is a distributed NoSQL database, kinda like MongoDB but better.) If something bad happens to that RethinkDB cluster, the whole blockchain goes down.
E.g. suppose one node is hijacked by an attacker and executes "dropTable" on the RethinkDB cluster it is connected to. All other nodes will go down because they don't have independent storage.
I think it's a beautiful illustration of Andreas Antonopoulos's argument that private blockchains will end up less secure:
In the end, it also lags behind in terms of security because it’s not exposed to the kind of robust peer review that an open Internet-based system has to have to survive. While bitcoin is getting stronger and stronger with security, these things will actually wither.
The idea being that intranets end up being these really insecure places where you’re running Outlook and FrontPage and old versions of Apache that haven’t been patched. Whereas on the Internet, if you’re Facebook, if you’re Google, if you’re Apple and you’re operating Internet applications, you have to be robust. You have to respond to vulnerability. You have to make systems that are antifragile, resilient to attack and they’re constantly evolving and they’ve become very robust.
I used to think that this argument is weird, but we've got a confirmation: a system which is fundamentally flawed gets all the praise and people start building apps on top of it before it is thoroughly analyzed.
You might think I'm just making this up or exaggerating. It's hard to believe that all 9 people working on BigchainDB (that's how many co-authors its whitepaper has) don't see a problem with using a single shared RethinkDB cluster. I thought that maybe I'm missing something, so I asked this question in their gitter:
killerstorm @killerstorm May 01 23:03 Hey people, do I understand it correctly that all nodes are connected to a single rethinkdb cluster? what if one of nodes will execute r.dropDb(…)?
Rodolphe Marques @r-marques May 02 12:56 @killerstorm yes all federation nodes are connected to a single rethinkdb cluster. We are working on a consensus protocol that requires a majority of the nodes to agree in any change done in the database (voting of blocks is part of that consensus protocol). For data deletion we are listening to changefeeds on the data and revert any change that should not happen. Regarding more admin tasks like table and db drops we are trying to leverage rethinkdb permissions and replication to make sure no single node is able to just drop the database (still work in progress).
killerstorm @killerstorm May 02 15:39 Sorry, I don't see how changefeed can protect against data loss. Where would data come from after it's deleted? Is there a backup?
Rodolphe Marques @r-marques May 02 15:41 backups are a planned feature. Changefeeds can be used to restore data when documents are deleted. When documents are deleted the changefeed will return the documents that were deleted. Although changefeeds are not enough to prevent data loss in case a node uses db drop.
So they confirmed that a single db drop can destroy this "blockchain database".
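An added toy model (not part of the original post, and not BigchainDB or RethinkDB code) of the distinction made in the chat above: a changefeed watcher can undo a document-level delete because the event carries the old value, but a table drop leaves it nothing to restore, while a node-local replica is unaffected. The names SharedStore, restoring_watcher, surviving_blocks and the table name "blocks" are hypothetical, and the drop producing no per-document events is an assumption taken from the developer's statement quoted above.

```python
import copy


class SharedStore:
    """Toy stand-in for the one shared database cluster (not the RethinkDB API)."""

    def __init__(self):
        self.tables = {}
        self.watchers = {}  # table name -> list of changefeed callbacks

    def insert(self, table, key, doc):
        self.tables.setdefault(table, {})[key] = doc

    def delete(self, table, key):
        old = self.tables[table].pop(key)
        # A document-level delete reports the old value to every watcher.
        for callback in self.watchers.get(table, []):
            callback({"old_val": (key, old), "new_val": None})

    def drop_table(self, table):
        # Assumption: an admin-level drop ends the feed without per-document events.
        del self.tables[table]
        self.watchers.pop(table, None)


def restoring_watcher(store, table):
    """Changefeed consumer that re-inserts any deleted document."""
    def on_change(change):
        if change["new_val"] is None:
            key, doc = change["old_val"]
            store.insert(table, key, doc)
    store.watchers.setdefault(table, []).append(on_change)


def surviving_blocks(action):
    """Return (blocks left in the shared store, blocks left on a node-local replica)."""
    store = SharedStore()
    for i in range(3):  # constructed sample data
        store.insert("blocks", i, {"block": i})
    replica = copy.deepcopy(store.tables["blocks"])  # independent storage
    restoring_watcher(store, "blocks")
    action(store)
    return len(store.tables.get("blocks", {})), len(replica)


if __name__ == "__main__":
    print(surviving_blocks(lambda s: s.delete("blocks", 1)))
    print(surviving_blocks(lambda s: s.drop_table("blocks")))
```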
But they say that some time in future they will start working on securing their system. A day after I asked a question about dropDb, they added an issue: How to lock down the RethinkDB "admin" account?:
@killerstorm pointed out that anyone with admin access to RethinkDB could just drop the database. What can be done to prevent that and similar things (e.g. dropping tables)?
So, basically, 8 months after they started the project and 3 months after they released it publicly they became aware that this problem exists. Wow, just wow.
Obviously, this isn't the only potential attack vector. It's just the simplest thing which came to my mind. There are probably thousands of serious attack vectors. The fundamental issue is that RethinkDB is not Byzantine fault tolerant, it is not designed as such, it's just an ordinary database. And so if you implement a "blockchain" as a thin layer on top of RethinkDB you get it exposed to potential attackers.
It's hard to imagine that none of the people working on BigchainDB were aware of the problem; that would imply that all 9 people working on it are pants-on-head stupid.
No, they know that BigchainDB isn't "Byzantine fault tolerant", it is mentioned in the white paper.
They just don't see a problem with it. It is a startup mindset: make an MVP, "fake it till you make it", generate buzz… Security is literally their last priority. They believe that they will add security after they get a lot of money from partners, investors, etc. And, meanwhile, it's just a prototype, bro.
The problem with it is that it's highly misleading. Here's what BigchainDB paper says about security:
Byzantine faults: In order to operate in a trustless network, BigchainDB incorporates measures against malicious or unpredictable behavior of nodes in the system. These include mechanisms for voting upon transaction and block validation. Efforts to achieve full Byzantine tolerance are on the roadmap and will be tested with regular security audits.
It incorporates measures, you see. Mechanisms. Business people reading this will understand that it's "mostly secure".
While in reality it's like not secure at all. It can be destroyed with a single line of code.
The mechanisms they are talking about are hashes and signatures. It's similar to what Bitcoin does, but by themselves hashes and signatures do not make things secure. You need to use proper architecture and protocols. After all, hashes and public key cryptography have existed for almost 50 years, but we got Bitcoin only 7 years ago.
An apt analogy for BigchainDB would be a cargo cult of a blockchain tech: it has hashes like in a real one, it has blocks, etc. There is superficial similarity. But it doesn't "fly" like a real one, because superficial similarity doesn't define object properties.
And BTW that 1 M tps benchmark they did isn't impressive: they were, basically, testing RethinkDB IO speed (as they say themselves). Yep, sure, RethinkDB is great. BigchainDB, on the other hand…
The lack of focus on security is understandable if you take into account that there are no serious uses for "private blockchains" yet. People are just experimenting with stuff, doing proof-of-concepts and whatnot. Everybody understands that you aren't going to have real adversaries when you run an internal test. So these make-believe blockchains are OK.
Maybe in future this stuff will mature. BigchainDB might become secure if RethinkDB becomes Byzantine fault tolerant, for example. But, personally, I'm rather disappointed with the "security last" approach and deceptive marketing.
I work in a company which might be, potentially, a BigchainDB competitor. This isn't a coincidence: obviously, "blockchain tech" people review blockchain tech software.
So this post might be seen as "shitting on your competitor" kind of a post, I understand that. But I'm writing this on my own, in my spare time. And when I mentioned BigchainDB to my colleagues, they recommended against writing any articles.
If you dig through my comment history, you can see that I've been critical of many things: Mastercoin, alt-coins, 21 inc Bitcoin computer, sidechains and so on. This is just what I do.