Using blockchain to secure the software supply chain

Applied Cryptography



Defence Funded Research

August 2023 to August 2027

49 months

Arnaud Stoz

When developing software, developers and companies usually rely on numerous external libraries. According to the GitHub State of the Octoverse Report 2019 [1], open-source projects have an average of 180 package dependencies. The same goes for commercial and closed-source software, although no official numbers are available.

An attacker only needs to compromise one of these dependencies to reach the network or data of the software's end user [3]. This technique has proven extremely effective and is therefore increasingly used by attackers [2].

This supply chain attack technique applies to any programming language and dependency management tool: PHP/Composer, Python/pip, .NET/NuGet, Java/Maven. All of these dependency management systems rely on a central system that stores the details of the available libraries.

In this project, we plan to study how these central systems can be replaced by a distributed system relying on blockchain. A blockchain is often described as a distributed ledger: it guarantees the integrity of the stored data, so no record can be inserted into or modified in the database of libraries without being detected by the users of that database. This property would make it possible to build a software supply chain that is protected against supply chain attacks.
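The tamper-evidence property described above, shown as an added illustration that is not part of the project: a minimal hash-chained ledger of package releases, where each record commits to the digest of the previous one and a client checks the chain tip against a head hash it trusts (in the project's design that head would be agreed by the distributed network; here it is simply passed in). Package names and artifact digests are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS_HASH = "0" * 64  # link stored by the first record; nothing precedes it

@dataclass(frozen=True)
class Record:
    """One ledger entry: the artifact digest a given package version must have."""
    package: str
    version: str
    artifact_sha256: str
    prev_hash: str  # digest of the preceding record, which chains the entries together

    def digest(self) -> str:
        # Canonical JSON so every client derives the same hash for the same record
        body = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()

def append_release(ledger: list, package: str, version: str, artifact_sha256: str) -> None:
    """Publish a release by linking it to the current tip of the ledger."""
    prev = ledger[-1].digest() if ledger else GENESIS_HASH
    ledger.append(Record(package, version, artifact_sha256, prev))

def verify_ledger(ledger: list, trusted_head: str):
    """Walk the chain from genesis. Return None if every link holds and the tip equals the
    head the client trusts; otherwise the index of the first broken link (len(ledger) when
    the links hold but the tip differs, i.e. the last record was replaced or one was appended)."""
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(ledger):
        if rec.prev_hash != expected_prev:
            return i
        expected_prev = rec.digest()
    return None if expected_prev == trusted_head else len(ledger)

def resolve(ledger: list, package: str, version: str):
    """Digest a client must check a downloaded artifact against, or None if unpublished."""
    for rec in ledger:
        if rec.package == package and rec.version == version:
            return rec.artifact_sha256
    return None

def build_sample_ledger() -> list:
    """Constructed sample data: package names and digests are placeholders, not real ones."""
    ledger = []
    append_release(ledger, "net-utils", "1.0.0", "a" * 64)
    append_release(ledger, "net-utils", "1.0.1", "b" * 64)
    append_release(ledger, "json-fast", "2.0.0", "c" * 64)
    return ledger
```

Modifying an earlier record breaks the link of the record that follows it, while replacing the last record or appending an unauthorized one is only caught because the client compares the tip against the trusted head, which is exactly what the distributed ledger has to provide.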


  1. GitHub State of the Octoverse Report, 2019
  2. Microsoft Digital Defense Report, September 2020
Analysis of a crypto scam

Blockchain Ethereum

If you have ever connected to a Discord server related to Ethereum (geth, ...), you probably noticed that, despite the very useful information given about the technology, those servers are unfortunately also full of scammers. Let's have a look at one of them and analyse the scam it proposes.

Solidity: ABI encoding explained

Blockchain Ethereum Smart Contract

If you have ever been curious about how Ethereum smart contracts work under the hood, or have taken part in a CTF where you had to exploit a weakness in a smart contract, you have probably stumbled upon the Solidity ABI encoding page. Even though it is the reference document, it can look difficult to understand and is not easily readable, although the encoding itself is not really difficult. Let's review how the encoding works with the help of a few examples.

gweb3: a go module to interact with ethereum blockchain

Blockchain Ethereum

Have you ever wondered why most web3 tools are written in Go (geth, kubo, ...), yet it is hard to find a Go module that lets you interact with the web3 ecosystem the way web3.js or [...] does? This blog post introduces gweb3, a Go module that aims to make interacting with an Ethereum blockchain from a Go program easier.

Ethereum under the hood

Blockchain Ethereum

If you have already looked at blockchain technology, you might have noticed that two different names are often set against each other:
