- It is standard industry practice to keep knowledge of a bug confined to as small a circle as possible, at least until a fix is available.
- Disclosure is complicated by altcoins, particularly those forked from other cryptocurrencies such as Bitcoin.
Bitcoin (BTC) is routinely championed as the most secure cryptocurrency, but even it is susceptible to the occasional bug, which also means that forks of Bitcoin may inherit the same problem.
This was brought home at the beginning of September, when a research paper revealed that Bitcoin had harbored a severe denial-of-service vulnerability.
The paper reports that the bug was discovered and patched in 2018, yet it is the first public disclosure of the bug. Because it was published some two years after the vulnerability was found, it raises questions about disclosure practice in Bitcoin and other cryptocurrencies, including whether developers should notify the public of dangers more quickly.
According to the developers who shipped the fix, keeping a software bug a closely guarded secret (at least until a patch has been rolled out) is in the best interests of Bitcoin and its users. Meanwhile, crypto exchanges take their own steps to guard against anyone with foreknowledge of a bug profiting from insider trading.
An Ethical Responsibility
Having discovered the bug on June 22, 2018, Purse developer Braydon Fuller notified Bitcoin Core developers on July 9, 2018; a patch was released the following day by Matt Corallo, Wladimir J. van der Laan, and other maintainers.
The issue was kept internal. However, the bug was found to still be present in other Bitcoin forks such as Decred (DCR) in July of this year, which may have prompted Braydon Fuller and Bitcoin developer Javed Khan to finally publish their findings in September.
While this might suggest that the people involved were ‘hiding’ vulnerabilities and not following a proper disclosure process, other developers and industry figures asserted that things were done by the book.
“I’d say that if someone not working on the project came across a bug, they have a moral obligation to inform the code owner or maintainer as soon as possible via the responsible disclosure process,” said Ben Chan, Chief Technology Officer at BitGo, a major crypto custody company.
This is exactly what Braydon Fuller did in 2018: he notified Bitcoin Core developers as soon as he confirmed that the bug affected the latest version of Bitcoin Core.
He also contacted the developers using encrypted email, which is again standard practice. “For Bitcoin Core, you can use firstname.lastname@example.org, and encrypt the message via GPG to the developer you prefer to contact,” said Bitcoin developer Nicolas Dorier.
Some might be inclined to fault Bitcoin Core developers for not publicizing the vulnerability once it had been patched. According to Dorier, publicizing a specific bug isn’t necessary, as long as the developers patch it and ensure that everyone updates their software. He added:
“The devs fix the bug without disclosing, and when the fix has been sufficiently distributed so that an exploit can’t do any harm, there is the disclosure to the public. Sometimes devs can say ‘stop using this version, there is a critical vulnerability that we will patch in 6 months’”
Moreover, it’s standard tech industry practice to keep knowledge of a bug to as few people as possible, particularly before a fix is developed.
“As few as possible,” agreed Dorier, “and in general, developers prefer to not be aware of it, to avoid suspicion if there is a leak.”
Fellow Bitcoin developer Bryan Bishop also affirmed that announcing a vulnerability, even after an update has been released, may not be the best course, and that holding off on an announcement is standard in software development.
“They cannot announce the vulnerability because without enough time for users to upgrade, there would be greater opportunity for harm. Everything about that is standard and normal,” he told CNWN.
Disclosure issues are compounded by altcoins, particularly those forked from other cryptocurrencies such as Bitcoin. On the one hand, publicly sharing a vulnerability may put forked coins at risk of attack; on the other, not sharing it may leave forked coins exposed if another researcher independently discovers the same bug.
“However, I think what people forget, especially about altcoins, is that these vulnerabilities don’t necessarily get reported to all the 1,000s of forked coins,” said Bryan Bishop.
According to Bishop, at some point, sharing security information with a group of thousands of other developers is as damaging as broadcasting it to the general public.
“The consequence of this is that there are some projects that just aren’t in the loop on security issues,” he added, a point underlined by the fact that Decred still carried the June 2018 vulnerability two years later.
Another risk is insider trading, as a spokesperson for BitMEX explained to CNWN.
“There is of course insider risk around the disclosure of bugs, where for example people with knowledge of a vulnerability could short bitcoin and then profit if the revelation of the vulnerability causes network issues and crashes the price,” they said.
BitMEX’s spokesperson stated that the exchange takes this risk very seriously. “That is why we are keen to attempt to remain on top of these issues by running many versions of Bitcoin and implementing automated alert systems, such as the unexpected inflation detection system.”
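The kind of automated check the spokesperson describes, an alert on unexpected inflation, is worth seeing concretely. The Python below is an added example written for this article, not BitMEX's or Bitcoin Core's own code. It recomputes the maximum coin supply that Bitcoin's issuance schedule permits at a given block height and compares it with the UTXO total a node reports; it assumes the node exposes that total the way Bitcoin Core's `gettxoutsetinfo` RPC does (a `height` and a `total_amount` in BTC), and the two node snapshots at the bottom are constructed, not real node output.

```python
"""Unexpected-inflation check against Bitcoin's issuance schedule.

Added example, not BitMEX's or Bitcoin Core's code. Fees never create
coins, so the sum of block subsidies up to a height is a hard upper
bound on how many satoshis can exist. A UTXO set worth more than that
means coins were created out of thin air, which is exactly what an
inflation bug (or a consensus divergence between node versions) produces.
"""
from decimal import Decimal

SATOSHI = 10**8                      # satoshis per BTC
INITIAL_SUBSIDY = 50 * SATOSHI       # subsidy of block 0, in satoshis
HALVING_INTERVAL = 210_000           # blocks between subsidy halvings


def block_subsidy(height: int) -> int:
    """Subsidy for the block at `height`, in satoshis, halving every 210,000 blocks."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:               # shifting a 64-bit value by >= 64 is undefined in C++; subsidy is 0
        return 0
    return INITIAL_SUBSIDY >> halvings


def max_supply_sats(height: int) -> int:
    """Largest possible total supply after blocks 0..height inclusive.

    The real supply is slightly lower, because a few subsidies were never
    claimed (the genesis output, some under-claiming coinbases), so this
    is an upper bound, which is what an inflation alert needs.
    """
    total = 0
    h = 0
    while h <= height:
        # Every block in one halving era pays the same subsidy, so sum per era.
        era_end = min(height, (h // HALVING_INTERVAL + 1) * HALVING_INTERVAL - 1)
        total += block_subsidy(h) * (era_end - h + 1)
        h = era_end + 1
    return total


def check_inflation(height: int, total_amount_btc: str) -> dict:
    """Compare a node's reported UTXO total (BTC as a string, as in gettxoutsetinfo) with the schedule."""
    observed = int(Decimal(total_amount_btc) * SATOSHI)
    allowed = max_supply_sats(height)
    return {
        "height": height,
        "observed_sats": observed,
        "max_allowed_sats": allowed,
        "excess_sats": max(0, observed - allowed),
        "alert": observed > allowed,
    }


# Constructed gettxoutsetinfo-style snapshots (hypothetical, not real node output).
SAMPLE_NODES = {
    "node-a": {"height": 209_999, "total_amount": "10499999.99000000"},  # within schedule
    "node-b": {"height": 209_999, "total_amount": "10500050.00000000"},  # 50 BTC too many
}

if __name__ == "__main__":
    for name, snap in SAMPLE_NODES.items():
        result = check_inflation(snap["height"], snap["total_amount"])
        status = "ALERT: unexpected inflation" if result["alert"] else "ok"
        print(f"{name}: height={result['height']} excess={result['excess_sats']} sats {status}")
```

Running several node versions side by side, as the spokesperson mentions, pairs naturally with this check: a version whose UTXO total drifts above the schedule, or away from the other versions at the same height, is the one to distrust.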