Consider this a lesson learned for the community: Not only to be careful with code changes, but to make sure there are easy ways for bugs to be reported. Full story of the potentially dangerous vulnerability found in Bitcoin Cash software, fixed before anything bad happened.

Responsible disclosure in the era of cryptocurrencies

My experience disclosing a critical Bitcoin Cash vulnerability

On April 25, 2018, I anonymously and privately disclosed a critical vulnerability in Bitcoin Cash, one of the world’s most valuable cryptocurrencies — not to be confused with Bitcoin. A successful exploit of this vulnerability could have been so disruptive that transacting Bitcoin Cash safely would no longer be possible, completely undermining the utility (and thus the value) of the currency itself. Instead, the vulnerability was fixed without incident, and publicly disclosed on May 7, 2018.

A quick clarification: Bitcoin Cash is a cryptocurrency that is distinct from and incompatible with Bitcoin. It is named as such because it is derived from Bitcoin. The now-fixed bug described below only affected Bitcoin Cash; the only relation to Bitcoin is the similar name.

As for me and my motivations, I work for the Digital Currency Initiative at the MIT Media Lab, which, as the name implies, is a group tasked with researching and developing cryptocurrencies. Specifically, I help develop and maintain Bitcoin Core, Bitcoin’s primary software implementation. Because of that work, I’m often asked at conferences and workshops what I consider to be Bitcoin’s greatest challenge in the future. My answer is always the same: avoiding catastrophic software bugs.

Working through this bug, which certainly had the potential for catastrophe, has reaffirmed my belief that the threat of software bugs is severely underestimated in the cryptocurrency world. I’m presenting a detailed report of this incident not as a slight against Bitcoin Cash, but as a real-world example of how much work is still required to reach the sophisticated level of engineering that cryptocurrencies require, and as a wake-up call to companies who have not adequately prepared for this type of scenario.


In short, a portion of the transaction signature verif...

