Bitcoin Core developer Cory Fields recently published an article on Medium describing his experience after discovering a critical Bitcoin Cash bug.
As a developer at MIT for the main Bitcoin (BTC) network, Fields had no specific obligation to report the Bitcoin Cash bug. Unlike new crypto projects trying to prove their worth, Bitcoin Cash doesn’t offer a ‘bug bounty’ reward for hackers who discover vulnerabilities in their code.
Discovering the bitcoin cash bug
Due to the similarities in the commonly-shared code used by cryptocurrency projects, Fields often searches for bugfixes on alternative networks in the event that something may be relevant to Bitcoin Core. By chance, he discovered a change to a critical piece of validation code that hadn’t been sufficiently reviewed. On further inspection, he quickly discovered a bug that could have catastrophic effects on the Bitcoin Cash network.
Despite the network not being his own, he felt a shared responsibility to warn the Bitcoin Cash (BCH) developers of the vulnerability and potential risk it posed. However, he faced one problem – the vulnerability could allow an attacker to steal billions of dollars in cryptocurrency. If he revealed the problem and then an attack was launched before a bug fix could be implemented he would be prime suspect number one. Considering the huge amount of money involved, Fields understandably feared for his life. If he were to disclose the Bitcoin Cash bug, anonymity was paramount.
“People have been killed for much less. So not only was anonymity important, I considered it a necessity for my safety.”, he states in the article.
Eventually, using the public encryption keys of a known Bitcoin Cash developer, he managed to deliver an encrypted message via Github using Tor browser and a fake account name to ensure his anonymity. He received no immediate reply and was unsure his message had been received until eventually, a few days later, a bug fix was released.
The danger of open source networks
The incident reveals the fragility that is ever-present within the decentralized, open source networks that support cryptocurrencies. Confirmation of a change or update relies upon the collective consensus of those involved and doesn’t necessarily benefit from the strict attention to detail that individual responsibility brings. While the crypto community is fortunate enough to have some of the best minds in the industry working to maintain global blockchains, it’s not unrealistic to assume that a vulnerability similar to the Bitcoin Cash bug could bring down even the Bitcoin (BTC) network.
As Fields mentions in his article, “It would be a shame if the ecosystem did not benefit from an analysis of such a substantial near-miss.”
Mark Hartley is an IT specialist, freelance writer, keen traveler, and blockchain enthusiast. He has worked on the trading floors of the world’s biggest interdealer broker in London and helped integrate crypto-services into IT trading systems. When he’s not searching for the world’s most beautiful beach, he’s nose deep in any crypto and blockchain related news.