Last Thursday it came to light that Bitcoin Cash had a vulnerability which, if exploited, could have led to a total disruption of the cryptocurrency and undermined its utility. Whilst the bug was patched in the interim, it really brings home how fragile a cryptocurrency can be. Cory Fields, a respected Bitcoin Core developer, anonymously disclosed the vulnerability to Bitcoin Cash developers last April. Fields published his account of the disclosure and had this warning:
“Working through this bug… has reaffirmed my belief that the threat of software bugs is severely underestimated in the cryptocurrency world. I’m presenting a detailed report of this incident… as a real-world example of how much work is still required to reach the sophisticated level of engineering that cryptocurrencies require, and as a wake-up call to companies who have not adequately prepared for this type of scenario.”
Bitcoin Cash is not alone in experiencing such an exposure. In April, a hacker exploited a vulnerability in Verge (XVG) related to one of its mining algorithms. This allowed an unnatural mining speed to be achieved, which let the attacker carry out a 51% attack and make off with the equivalent of $1.3 million. However, Verge developers did not adequately respond to the attack and succumbed to a second attack the following month, resulting in the loss of a further $1.75 million USD.
In 2016, a vulnerability in the code of The DAO – a digital decentralised autonomous organization – led to the infamous hard forking of Ethereum.
Last September, researchers from MIT and Boston University submitted a vulnerability report which identified a serious security flaw related to a non-standard cryptographic technique in the IOTA (MIOTA) network. The flaw was subsequently patched, but IOTA developers caused some controversy by claiming that the flaw was intentional and was meant as a form of ‘copy protection’. Last week, a leaked transcript of a chat between IOTA board members seemed to suggest that they were concerned about the potential imminent public disclosure of another vulnerability by the same researchers.
Lessons to be Learnt
Bitcoin Cash’s vulnerability has lessons for all crypto projects. The vulnerability was introduced by an update to Bitcoin Cash that had been reviewed by only two people. When Fields went to report the bug, he found that Bitcoin Cash didn’t have a formal responsible disclosure process, despite having a market capitalization of $10 billion. Following a number of failed attempts to report the bug anonymously, Fields found that the vulnerability had been patched only after his third attempt to report the issue through the Bitcoin Cash bug tracker.
This issue highlights the importance for all crypto projects to implement meticulous coding and review. Cardano (ADA) is in the process of implementing smart contract security protocols to more easily identify security errors and vulnerabilities in smart contract code.
Those that utilize or invest in particular cryptocurrencies would do well to take into account the strength and depth of the development team working on a project. In reality, it’s not much different from assessing any other technology. Some teams implement better processes to prevent bugs in the first instance and, equally importantly, they’re likely to have systems in place to find and fix anomalies in live code.
Generally speaking, software failures can lead to significant financial, reputational and operational consequences. However, with cryptocurrencies the effects can be far more acute, as damage can be inflicted without trace in many instances. If cryptocurrencies are to achieve mainstream adoption, greater efforts need to be made to minimise the possibilities of similar vulnerabilities being exploited.
Technology is never static and so there will always be vulnerabilities, but the immaturity of the technology makes cryptocurrencies particularly vulnerable. It’s very much a case of adapt or die, as professional development teams will increasingly need a formal, considered approach to dealing with potential and existing security vulnerabilities.