Bitcoin Cash Bug Reminds About An Ever-Present Danger for Crypto
- Some companies don't actually respond to security disclosures brought to their attention.
- Bugs will continue turning up in the short and medium term, at least until the crypto-market stabilizes.
Safety, safety, safety. Most traditional investors are obsessed by the safety of cryptocurrencies as an investment. They obsess over whether it's safe to invest USD 1.000 in Bitcoin or Ethereum, as if it were entirely safe to invest the same amount in Facebook, Microsoft or eBay, who also suffered a double digit drop.
Yet as much as journalists and traditional economists wring their hands over the unpredictability of the crypto-market, there is another safety issue that affects the cryptocurrency industry at least as much.
As the recent discovery of a SIGHASH_BUG in Bitcoin Cash revealed, this issue is the ever-present danger of code vulnerabilities. And given that the crypto-industry is expanding very rapidly, it's likely that developers and users alike will have to be on their guard for as long the industry remains in its bubble-esque infancy.
Bugs, Bugs, Bugs
On August 9, Bitcoin Core developer Cory Fields published a blog, in which he detailed his April discovery of a potentially chain-splitting flaw in the Bitcoin Cash protocol.
Contained in a new implementation of Bitcoin Cash's software, this bug arose from the removal of a piece of code that performs a specific check on the signatures used to validate transactions.
As Fields explained in his blog, this removal "would have allowed a specially crafted transaction to split the Bitcoin Cash blockchain into two incompatible chains,” since nodes following the new software implementation would end up disagreeing with those nodes still running on the previous, signature-checking software.
Given this disagreement, an accidental hard fork could have been caused, although Fields anonymously disclosed the flaw to Bitcoin Cash developers, who went on to discreetly introduce a patch.
But even with the happy ending, this episode should be a concern to any with a stake in the crypto industry, since as Fields notes, "much work is still required to reach the sophisticated level of engineering that cryptocurrencies require."
Indeed, there is ample evidence that this level hasn't quite been reached in many quarters. In March, researchers published a paper detailing an alarming Ethereum bug that would have enabled hackers to seize control of a node's computing power, thereby opening the door for the theft of funds. In June, a critical transfer bug was also found buried in ICON's code, giving malicious actors the ability to disable transactions to specified wallet addresses.
In May, Bytecoin was affected by a potentially network-splitting bug of its own, which ended up causing transaction delays before being resolved by users and miners upgrading to the latest software. And in June again, the Lisk blockchain temporarily went down while its development team combated an invalid transaction bug.
Crypto is a Special Case
Needless to say, these kinds of bug are manifold in crypto (ask EOS, or Augur), and for several fundamental reasons.
As explained to Cryptonews.com by Bitcoin developer Bryan Bishop, cryptocurrencies have the unique property of being splittable if newer software versions have a 'bug' preceding versions don't.
“Crypto bugs are everywhere,” he says. “One of the reasons of this is that if one of two implementations have a bug and the other one doesn't, then the system falls out of consensus. This is the type of bug that Cory Fields identified in Bitcoin Cash. To prevent and identify these bugs requires a lot of experience with consensus-critical systems.”
According to Neha Narula of MIT's Digital Currency Initiative, the problem is made even more worse by the 'trustless' nature of crypto-platforms and the egotistical incentives that drive them. "A cryptocurrency’s resiliency comes from a design that tolerates people in the system acting in their own self-interest," she wrote recently. "Put that way, the flaw in the current system is clear: Disclosure is the least lucrative of all options."
Not only is disclosure the least profitable option in certain cases, but it’s made less likely by the unresponsive and closed-off culture prevalent at some crypto foundations and startups. “The problem is that some companies don't actually respond to security disclosures brought to their attention,” explains Bishop. “As a consequence, software and users remain vulnerable.”
And when you add these unique conditions to the bubble of money being pumped into crypto (in a way that enables people to launch blockchain-based platforms on the basis of weak ideas and inadequate coding/cryptographic experience), it's all-too predictable that bugs are turning up left, right and centre.
And this means they'll continue turning up in the short and medium term, at least until the crypto-market stabilises and a few dominant cryptocurrencies emerge.