Blockchain Limitations and Misconceptions
There is a tendency to overhype and overuse most nascent technology. Many projects will attempt to incorporate the technology, even if it is unnecessary. This stems from the technology being relatively new and not well understood, the technology being surrounded by misconceptions, and the fear of missing out. Blockchain technology has not been immune. This section highlights some of the limitations and misconceptions of blockchain technology.
7.1 Immutability
Most publications on blockchain technology describe blockchain ledgers as being immutable. However, this is not strictly true. They are tamper evident and tamper resistant, which is a reason they are trusted for financial transactions. They cannot be considered completely immutable, because there are situations in which the blockchain can be modified. In this section we will look at different ways in which the concept of immutability for blockchain ledgers can be violated. The chain of blocks itself cannot be considered completely immutable.
For some blockchain implementations, the most recently published, or ‘tail’ blocks are subject to being replaced (by a longer, alternative chain with different ‘tail’ blocks). As noted earlier, most blockchain networks use the strategy of adopting the longest chain (the one with the most work put into it) as truth when there are multiple competing chains. If two chains are competing, but each includes its own unique sequence of tail blocks, whichever is longer will be adopted. However, this does not mean that the transactions within the replaced blocks are lost – rather they may have been included in a different block or returned to the pending transaction pool. This degree of weak immutability for tail blocks is why most blockchain network users wait several block creations before considering a transaction to be valid. For permissionless blockchain networks, the adoption of a longer, alternate chain of blocks could be the result of a form of attack known as a 51% attack [19]. For this, the attacker simply garners enough resources to outpace the block creation rate of the rest of the blockchain network (holding more than 51% of the resources applied towards producing new blocks). Depending on the size of the blockchain network, this could be a very cost prohibitive attack carried out by state level actors [20].
The cost to perform this type of attack increases the further back in the blockchain the attacker wishes to make a change. This attack is not technically difficult (e.g., it is just repeating the normal process of the blockchain implementation, but with selected transactions either included or omitted, and at a faster pace); it is just expensive.
For permissioned blockchain networks, this attack can be mitigated. There is generally an owner or consortium of blockchain network users who allow publishing nodes to join the blockchain network and remove publishing nodes from the blockchain network, which gives them a great amount of control. Competing chains are less likely, since the owner or consortium can force publishing nodes to collaborate fairly: non-cooperating publishing nodes can simply have their privileges removed. There are likely additional legal contracts in place for the blockchain network users which may include clauses for misconduct and the ability to take legal action. While this control is useful to prevent misconduct, it means that any number of blocks can be replaced through legitimate methods if desired by the owner or consortium.
NISTIR 8202 BLOCKCHAIN TECHNOLOGY OVERVIEW. This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8202
7.2 Users Involved in Blockchain Governance
The governance of blockchain networks deals with the rules, practices and processes by which the blockchain network is directed and controlled. A common misconception is that blockchain networks are systems without control and ownership. The phrase “no one controls a blockchain!” is often exclaimed. This is not strictly true. Permissioned blockchain networks are generally set up and run by an owner or consortium, which governs the blockchain network. Permissionless blockchain networks are often governed by blockchain network users, publishing nodes, and software developers. Each group has a level of control that affects the direction of the blockchain network’s advancement.
Software developers create the blockchain software that is utilized by a blockchain network. Since most blockchain technologies are open source, it is possible to inspect the source code, and compile it independently; it is even possible to create separate but compatible software as a means of bypassing pre-compiled software released by developers. However, not every user will have the ability to do this, which means that the developer of the blockchain software will play a large role in the blockchain network’s governance. These developers may act in the interest of the community at large and are held accountable. For example, in 2013 Bitcoin developers released a new version of the most popular Bitcoin client which introduced a flaw and started two competing chains of blocks.
The developers had to decide to either keep the new version (which had not yet been adopted by everyone) or revert to the old version [21]. Either choice would result in one chain being discarded, and some blockchain network users’ transactions becoming invalid. The developers made a choice, reverted to the old version, and successfully controlled the progress of the Bitcoin blockchain. This example was an unintentional fork; however, developers can purposely design updates to blockchain software to change the blockchain protocol or format. With enough user adoption, a successful fork can be created. Such forks of blockchain software updates are often discussed at length and coordinated with the involved users. For permissionless blockchain networks, this is usually the publishing nodes. There is often a long discussion and adoption period before an event occurs where all users must switch to the newly updated blockchain software at some chosen block to continue recording transactions on the new “main” fork.
For permissionless blockchain networks, although the developers maintain a large degree of influence, users can reject a change by the developers by refusing to install updated software. Of the blockchain network users, the publishing nodes have significant control since they create and publish new blocks. The user base usually adopts the blocks produced by the publishing nodes but is not required to do so.
An interesting side effect of this is that permissionless blockchain networks are essentially ruled by the publishing nodes and may marginalize a segment of users by forcing them to adopt changes they may disagree with to stay with the main fork.
For permissioned blockchain networks, control and governance are driven by members of the associated owner or consortium. The consortium can govern who can join the network, when members are removed from the network, coding guidelines for smart contracts, etc.
In summary, the software developers, publishing nodes, and blockchain network users all play a part in the blockchain network governance.
7.4 Beyond the Digital
Blockchain networks function effectively within their own digital ecosystems. However, challenges arise when blockchain systems must interact with real-world events and external data sources. This challenge is commonly referred to as the Oracle Problem.
Blockchain networks can record data entered by humans or collected from physical sensors. However, they generally lack intrinsic mechanisms to verify whether such input accurately reflects real-world conditions. For example:
A sensor may malfunction and record inaccurate data.
A human may intentionally or unintentionally input false information.
These challenges are not unique to blockchain technology but apply to digital systems broadly. However, in pseudonymous blockchain environments—where user identities are not directly tied to real-world identities—data misrepresentation can be especially difficult to address.
For instance, if a cryptocurrency transaction is executed to purchase a physical item, the blockchain network itself cannot determine whether the item was shipped. Verification requires reliance on external human or sensor input.
To address the Oracle Problem, several projects have attempted to create reliable methods for importing external data into blockchain systems. One example is Oraclize, which provides mechanisms for retrieving data from web APIs and converting it into blockchain-readable formats.
However, solutions such as Oraclize may introduce centralized components, potentially creating single points of failure. To mitigate this concern, newer projects—such as Mineable Oracle Contract—have explored decentralized oracle mechanisms inspired by blockchain consensus models and economic incentives.
Despite ongoing innovation, securely integrating trustworthy external data into blockchain systems remains a fundamental technical and governance challenge.
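The following is an added sketch, not part of the original text and not the design of Oraclize or Mineable Oracle Contract. It shows one way a consumer of external data can avoid depending on a single source: require a quorum of fresh reports from distinct sources and accept the median. The `Report` type, `aggregate` function, source names, thresholds and sample readings are all assumptions constructed for illustration.

```python
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    source: str       # hypothetical oracle or sensor identifier
    value: float      # reported reading
    observed_at: int  # Unix time of the observation

def aggregate(reports, now, max_age=60, quorum=3, tolerance=0.05):
    """Return (accepted_value, outlier_sources) from independent reports.

    Raises ValueError when fewer than `quorum` distinct sources have a
    fresh report, so the caller fails closed instead of trusting one feed.
    """
    fresh = {}
    for r in reports:
        if 0 <= now - r.observed_at <= max_age:
            prev = fresh.get(r.source)
            # One vote per source: keep only its most recent fresh report.
            if prev is None or r.observed_at > prev.observed_at:
                fresh[r.source] = r
    if len(fresh) < quorum:
        raise ValueError(f"only {len(fresh)} fresh sources, need {quorum}")
    median = statistics.median(r.value for r in fresh.values())
    # Flag sources that deviate from the median by more than the tolerance.
    outliers = sorted(s for s, r in fresh.items()
                      if abs(r.value - median) > tolerance * abs(median))
    return median, outliers

# Constructed sample data: four fresh temperature readings (one from a
# malfunctioning sensor) and one stale reading that must be ignored.
NOW = 1_700_000_000
SAMPLE_REPORTS = [
    Report("feed-a", 21.4, NOW - 5),
    Report("feed-b", 21.6, NOW - 12),
    Report("feed-c", 21.5, NOW - 30),
    Report("feed-d", 85.0, NOW - 8),    # malfunctioning sensor
    Report("feed-e", 21.5, NOW - 600),  # stale, outside max_age
]

if __name__ == "__main__":
    value, outliers = aggregate(SAMPLE_REPORTS, NOW)
    print(f"accepted={value:.2f} outliers={outliers}")
```

A single faulty source is flagged and does not move the accepted value, but if a majority of sources report the same false value the median follows them and the honest source is the one flagged, which is why aggregation reduces the Oracle Problem rather than removing it.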
7.5 Blockchain Death
Traditional centralized systems are routinely created and decommissioned. Blockchain networks may follow a similar lifecycle. However, due to their decentralized nature, a blockchain network may never be completely shut down. Even after a project loses broad participation, individual nodes may continue operating independently.
A defunct blockchain network poses specific risks. If only a small number of publishing nodes remain active, a malicious participant with sufficient computational power or stake could potentially dominate the network. This dominance could allow the attacker to reorganize or replace blocks, undermining the ledger’s integrity.
Consequently, a largely abandoned blockchain network may no longer serve as a reliable historical record, particularly if it lacks sufficient decentralized participation to maintain security guarantees.
7.6 Cybersecurity
The adoption of blockchain technology does not eliminate inherent cybersecurity risks. Effective and proactive risk management remains essential. Many cybersecurity risks involve human factors, including misconfiguration, poor operational practices, and social engineering attacks.
Established cybersecurity standards and best practices remain highly relevant for systems that interface with or rely upon blockchain networks. With appropriate adjustments to account for blockchain-specific attributes, existing frameworks provide a strong foundation for managing risks.
For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework explicitly recognizes that it is not a one-size-fits-all solution. Organizations face unique threats, vulnerabilities, and risk tolerances. Although not designed specifically for blockchain systems, the framework’s flexible and risk-based approach can be effectively applied to blockchain environments.
A robust cybersecurity program is therefore critical to protecting blockchain networks, supporting infrastructure, and participating organizations from emerging threats.
7.6.1 Cyber and Network-Based Attacks
Blockchain technologies are often described as secure due to their tamper-evident and tamper-resistant properties. Once a transaction has been included in a validated and published block, altering it is extremely difficult.
However, transactions that have not yet been included in a confirmed block remain vulnerable. Potential attack vectors include:
Manipulation of transaction timestamps (particularly in systems relying on synchronized time).
Spoofing or altering time within ordering services.
Denial-of-service (DoS) attacks targeting the blockchain platform or smart contracts.
Blockchain networks and associated applications are also susceptible to traditional cyber threats, including:
Network scanning and reconnaissance
Exploitation of software vulnerabilities
Zero-day attacks
Misconfigured nodes
As blockchain-based services are rapidly deployed, newly developed applications—such as smart contracts—may contain coding errors or deployment weaknesses. These vulnerabilities can be exploited similarly to vulnerabilities in traditional web applications.
7.7 Malicious Users
While blockchain protocols enforce transaction validation rules, they do not inherently enforce user behavior standards. This limitation is particularly significant in permissionless blockchain networks, where users are pseudonymous and identities are not directly linked to real-world entities.
Permissionless networks typically employ incentive mechanisms (e.g., cryptocurrency rewards) to encourage honest participation. Nevertheless, some participants may act maliciously if doing so offers greater economic gain.
To cause significant disruption, malicious actors must control a substantial portion of network resources, such as computational power (in Proof of Work systems) or stake (in Proof of Stake systems). Once sufficient influence is achieved, malicious activities may include:
Ignoring or censoring transactions from specific users, nodes, or geographic regions.
Secretly creating an alternative blockchain and releasing it once it becomes longer than the honest chain. Under many blockchain protocols, nodes follow the chain with the most accumulated work or stake, which could undermine the network’s tamper-evident properties.
Withholding blocks from other nodes to disrupt information propagation.
Such attacks are less feasible in highly decentralized networks with strong participation. However, reduced decentralization increases vulnerability.
Summary
While blockchain technology offers enhanced transparency, tamper resistance, and distributed trust, it does not eliminate the need for governance, cybersecurity controls, or careful risk management. Challenges such as the Oracle Problem, network decline, cyberattacks, and malicious participation illustrate that blockchain systems must be designed, implemented, and maintained with comprehensive security considerations in mind.