By Adam Back
On Friday 26th June, a security issue on the Liquid Network was disclosed publicly by blockchain developer James Prestwich. Although this was a known issue, a fix for the problem had been delayed due to external challenges in coordinating the updates on the functionary servers that maintain the network.
The Bitcoin funds on Liquid remain highly secure, but this is not up to our usual standard of trust-minimization, and we have been working with the Liquid Federation to deploy a patch very soon.
Longer-term, the ongoing Dynamic Federations update is designed to fully resolve the issue while also providing a range of new features that give the Liquid Federation further autonomy.

Liquid’s Multisig Security Model
Bitcoins sent to the Liquid Network through peg-ins are secured in an 11-of-15 multisig wallet that is controlled by the Liquid Federation. To protect against network failures, this multisig wallet uses timelocks to enable a set of 2-of-3 emergency backup keys to recover the funds in the event that the network becomes inactive for an extended period.
The emergency keys are held by Blockstream in extreme cold storage distributed around the world.

A Description of the Issue
The current issue is caused by an inconsistency between the timelock parameters used by the functionary HSMs and the functionary servers. Due to this bug, some timelocks are occasionally being refreshed shortly after expiry, instead of before expiry as designed.
Normally the amount recoverable by the emergency backup keys as a result of this issue is small, but due to the recent rapid growth in BTC peg-ins (100 BTC in December 2019 to 2,000+ BTC today), one timelock on a large UTXO (870 BTC) expired for 40 minutes.
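The following Python model is an added illustration, not Blockstream's or the Liquid functionaries' code. It shows how a refresh scheduled from a different timelock value than the one the script enforces leaves a window in which the backup path is open, and how an audit at a given chain tip would flag such outputs. All heights, block counts, labels and the two parameter values are constructed; the post does not state the real ones.

```python
# Added illustration: models a relative timelock whose refresh is scheduled
# from a different parameter than the one enforced in the script.
# All heights, block counts and labels are constructed, not Liquid's values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Utxo:
    label: str
    value_btc: float
    conf_height: int  # block height at which the peg-in output confirmed

def open_height(u, script_timelock):
    """First block height at which the emergency path could be mined."""
    return u.conf_height + script_timelock

def exposure_blocks(u, script_timelock, refresh_age, confirm_delay=1):
    """Blocks during which the backup keys alone could spend the output
    before the scheduled refresh confirms (0 if the refresh lands in time)."""
    refresh_height = u.conf_height + refresh_age + confirm_delay
    return max(0, refresh_height - open_height(u, script_timelock))

def audit(utxos, tip, script_timelock, margin):
    """Classify outputs against the script's timelock at chain tip `tip`."""
    report = {"expired": [], "at_risk": [], "ok": []}
    for u in utxos:
        remaining = open_height(u, script_timelock) - (tip + 1)
        state = "expired" if remaining <= 0 else "at_risk" if remaining <= margin else "ok"
        report[state].append((u.label, u.value_btc, remaining))
    return report

SCRIPT_TIMELOCK = 2016   # constructed: value enforced by the script
SERVER_REFRESH = 2020    # constructed: value the refresher schedules from
# Constructed outputs; the 870 BTC amount only echoes the scale in the post.
UTXOS = [Utxo("large", 870.0, 1000), Utxo("mid", 12.5, 1100), Utxo("new", 3.0, 2000)]

if __name__ == "__main__":
    for u in UTXOS:
        print(u.label, "exposed for", exposure_blocks(u, SCRIPT_TIMELOCK, SERVER_REFRESH), "blocks")
    rep = audit(UTXOS, tip=3015, script_timelock=SCRIPT_TIMELOCK, margin=144)
    print("BTC behind an open emergency path:", sum(v for _, v, _ in rep["expired"]))
    print("refresh now:", [label for label, _, _ in rep["at_risk"]])
```

Running the audit against the script's own timelock, rather than the scheduler's copy of it, is what makes a parameter mismatch visible before an output expires.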
All funds on the network remained secure — the backup recovery keys have never been accessed at any point during Liquid’s operation — and the ti...