Bitcoin Bugs Die in Secret, Leaving Altcoins At Risk
Bitcoin (BTC) is regularly championed as the most secure cryptocurrency out there, but even it’s vulnerable to the occasional bug, also meaning that BTC forks might be suffering from the same problem.
This unavoidable fact was brought home at the beginning of September, when a research paper revealed that Bitcoin harbored a severe denial-of-service vulnerability.
The paper explains that the bug was discovered — and patched — in 2018, yet it represents the very first disclosure of this bug. Given that it was published some two years after the vulnerability’s discovery, it raises important questions about disclosures in Bitcoin and other cryptocurrencies, including the question of whether developers have an obligation to notify the public of dangers more quickly.
According to developers speaking to Cryptonews.com, keeping software bugs a closely guarded secret (at least until a fix is rolled out) is in the best interests of Bitcoin and its users. At the same time, crypto exchanges take steps to ensure that no developer(s) with foreknowledge of bugs tries to profit from insider trading.
The book and a moral obligation
Having discovered the bug on June 22, 2018, Purse developer Braydon Fuller notified Bitcoin Core developers on July 9, 2018, with a patch being rolled out a day later by Matt Corallo, Wladimir J. van der Laan, and other maintainers.
No one else was notified, although the existence of the bug in other forks of Bitcoin (such as Decred (DCR)) was discovered in July of this year, a fact which may have led Braydon Fuller and Bitcoin developer Javed Khan to belatedly publish their findings in September.
However, while this suggests that the people involved may have been ‘hiding’ vulnerabilities and that they didn’t follow due disclosure process, other developers and people involved in the crypto industry affirmed that things were pretty much done by the book.
“I’d say that if someone not working on the project came across a bug, they have a moral obligation to inform the code owner or maintainer as soon as possible via the responsible disclosures process,” said Ben Chan, Chief Technology Office at BitGo, a major crypto custody company.
This is exactly what Braydon Fuller did in 2018. He notified Bitcoin Core developers as soon as he confirmed that the exploit affected the latest version of the protocol.
He also notified developers using encrypted email, which again is standard practice. “For Bitcoin core, you can use [email protected], and encrypt the message via GPG to the developer you prefer to contact,” said Bitcoin developer Nicolas Dorier.
Some may be tempted to fault Bitcoin Core developers for not publicizing the vulnerability after it had been patched. According to Dorier, explicitly publicizing a specific bug isn’t necessary, so long as the developers actually patch it and ensure that everyone updates their software.
“The devs fix the bug without disclosing, and when the fix has been sufficiently distributed so that an exploit can’t do any harm, there is the disclosure to the public.
Sometimes devs can say ‘stop using this version, there is a critical vulnerability that we will patch in 6 months’,” he told Cryptonews.com.
Likewise, it’s standard tech industry practice to keep knowledge of a bug to as few people as possible, particularly before a fix is developed.
“As few as possible,” agreed Dorier, “and in general, developers prefer to not be aware of it, to avoid suspicion if there is a leak.”
Fellow Bitcoin developer Bryan Bishop also affirmed that announcing a vulnerability — even after an update has been released — may not be the best way to go, and that not announcing it is standard in software development.
“They cannot announce the vulnerability because without enough time for users to upgrade, there would be greater opportunity for harm. Everything about that is standard and normal,” he told Cryptonews.com.
Disclosure issues are complicated by altcoins, particularly those altcoins forked from other cryptocurrencies such as Bitcoin. On the one hand, publicly sharing a vulnerability may put forked coins at risk of attack, while on the other, not sharing bugs may leave forked coins exposed if another researcher independently discovers the same exploit.
“However, I think what people forget, especially about altcoins, is that these vulnerabilities don’t necessarily get reported to all the 1,000s of forked coins,” said Bryan Bishop.
According to him, at some point, broadcasting security information to a group of thousands of other developers is equivalent or just as damaging as broadcasting vulnerability information to the general public.
“The consequence of this is that there are some projects that just aren’t in the loop on security issues,” he added, a point emphasized by the fact that Decred still had the June 2018 vulnerability two years later.
Another possible risk is insider trading, as explained to Cryptonews.com by a spokesperson for BitMEX.
“There is of course insider risk around the disclosure of bugs, where for example people with knowledge of a vulnerability could short bitcoin and then profit if the revelation of the vulnerability causes network issues and crashes the price,” they said.
BitMEX’s spokesperson stated that the exchange takes this risk very seriously. “That is why we are keen to attempt to remain on top of these issues by running many versions of Bitcoin and implementing automated alert systems, such as the unexpected inflation detection system.”