How a cryptocurrency-destroying bug almost didn’t get reported

A researcher recently revealed how he found a bug that could have brought the fourth largest cryptocurrency to its knees – and how he struggled to report it.

Cory Fields, who works as a developer at MIT Media Labs’ Digital Currency Initiative, found the bug in Bitcoin Cash, which is an alternative cryptocurrency to Bitcoin based on software called Bitcoin ABC. A group of activists in the Bitcoin community introduced the software after becoming unhappy with the direction that the developers of the original Bitcoin software (known as Bitcoin Core) were taking.

When people began using Bitcoin ABC, they created a hard fork of the Bitcoin blockchain. This is a separate blockchain – a new ledger of transactions that split off from the original Bitcoin blockchain and is incompataible with it. It’s akin to one community in a town leaving and setting up their own town with its own rules.

Since then, the Bitcoin Cash blockchain has existed as an alternative to the original, and various members of its community have proclaimed it as the ‘real’ Bitcoin. At the time of writing, it had the fourth biggest market capitalization of any cryptocurrency at almost $10bn.

Fields, who is a Bitcoin Core developer, discovered a bug in Bitcoin Cash that could have allowed attackers to create their own involuntary split in the Bitcoin Cash blockchain. According to his Medium post, someone in the Bitcoin Cash developer community updated the rules in the software that verifies Bitcoin Cash transactions before including them on the blockchain.

A flaw in the code made it possible for an attacker to introduce transactions that the buggy version of the software would accept, but all previous versions of the software would reject. If the attacker timed the introduction of this ‘poison pill’ transaction properly, releasing it when around half of the community had updated to the new software, it would effectively cause the blockchain to split in two. This would introduce two incompatible types of Bitcoin Cash that would be very difficult to reconcile, given that the split would be pretty much 50:50.

The bug itself doesn’t pose a risk now, because Fields disclosed it privately to the Bitcoin Cash developers in April, and it was fixed and then publicly disclosed in May.

But there are nevertheless two lessons to be learned from the story, pointed out by Fields in his Medium post and in a follow-up by Neha Narula at the MIT Digital Currency Initiative.

The first lesson is that the cryptocurrency community needs to get better at developing and maintaining the code that operates a blockchain, thus avoiding bugs in the first place.

The fact that the Bitcoin Cash community allowed such important changes into its codebase after just two reviewers looked at it briefly shows the dangers of open source software without effective governance.

The second lesson is that Fields couldn’t easily find out how to tell the Bitcoin Cash team about the problem he found, thus making it hard to get the bug fixed at all.

Disclosing the bug

When Fields found the bug, the only guidance from the Bitcoin Cash was to “contact people privately”. He not only had to jump through many hoops to report the bug but also to figure out which hoops to jump through in the first place.

In the end, he tracked down a member of the Bitcoin Cash development team, got hold of an encryption key to disclose the bug anonymously and safely, and then checked to see that they had actioned it.

Fortunately, Fields had the willpower to do all of this rather than just leaving the bug for a malicious someone else to find later – or, worse still, going public with it in frustration.

Fields isn’t the only researcher to hit a brick wall when trying to inform people about a bug.

Natalie Silvanovich, a security researcher at Project Zero, recently complained about disclosure problems, citing issues with Samsung’s bug reporting procedures in which she had to wade through a sea of legalese, half of which was in Korean.

One of the clauses that was in English worried her, because it prevented her from disclosing the bug at all, ever, without Samsung’s approval. In other words, if Samsung ended up doing nothing, the bug would neither get fixed nor reported, and would simply be left around indefinitely. (Samsung has since resolved the problems, she said.)

What to do?

Other cryptocurrency efforts are cutting through the whole tangled mess and issuing bug bounties.

EOS, for example, the recently-released blockchain application platform designed to take on Ethereum, has paid out $417,000 since May thanks to an active bug reporting program conducted with Hacker One, and there are other cryptocurrency companies taking the same approach.

That’s a laudable effort – one that both encourages and rewards responsible bug hunting from the start.