After anonymously notifying Bitcoin ABC developers in April of a critical ‘chain-splitting’ bug in the Bitcoin Cash code, a Bitcoin Core developer has emerged to claim responsibility for the discovery — what he describes as a “wake-up call” for the entire cryptocurrency industry.
In a post on Medium, Cory Fields revealed that he was the individual responsible for the anonymous tip-off, having alerted Bitcoin ABC of the SIGHASH_BUG on the 25th of April, 2018.
According to Fields, the bug could have caused an unintended split in the Bitcoin Cash network — compromising the integrity of transactions, and potentially bringing the fourth-largest cryptocurrency by market capitalization to its knees.
The vulnerability was addressed by the ABC team, however, and was announced to have been mitigated on May the 7th. Included in the incident report was a technical description of the issue:
“An attacker may construct a malicious transaction which would be accepted by Bitcoin-ABC 0.17.0 and mined into a block. This block would be rejected by all other versions of Bitcoin Cash compliant implementations.”
Having avoided what Fields described as the “potential for catastrophe”, Bitcoin ABC acknowledged the actions of their unknown hero and offered them an unspecified bounty.
The Dangers of Disclosure
For Fields, however, anonymity meant safety.
The developer explained that, had he openly disclosed the bug to ABC, he would be the first in the firing line if a hacker had exploited it — as the only identified individual to have knowledge of the vulnerability. Explaining his reasoning, Fields noted that “people have been killed for much less”:
“I would have no way to prove that I was not the attacker. Then consider that, collectively, billions of dollars could have been lost as a result of this exploit. People have been killed for much less. So not only was anonymity important, I considered it a necessity for my safety.”
Fields went on to explain that Bitcoin ABC’s lack of a responsible disclosure policy may be partly to blame — a legislation he describes as a “must-have for any security-critical project”.
Where some would see the BCH bug as water under the bridge, Fields maintains that the issue was not endemic — and was a “real-world example” of the significant challenges facing all cryptocurrencies, including Bitcoin. He wrote:
“I’m often asked at conferences and workshops what I consider to be Bitcoin’s greatest challenge in the future. My answer is always the same: avoiding catastrophic software bugs.”
According to the developer, all projects must be adequately prepared for any eventuality — one might entertain the idea that disclosure policy is the tip of the iceberg.
Cover Photo by Martin Oslic on Unsplash