In an article published on Medium yesterday, Cory Fields shares his experience of disclosing a Bitcoin Cash vulnerability.
Cory Fields is a Bitcoin Core developer working for the Digital Currency Initiative at the MIT Media Lab, a group tasked with researching and developing cryptocurrencies.
Cory was examining some of the Bitcoin ABC (Bitcoin Cash client) software updates in the hope of finding bugfixes that might be relevant for Bitcoin Core. He noticed that some of the code responsible for verifying transactions had been rewritten. The new code did not include a critical check on the transaction signature type. This flaw could potentially split the Bitcoin Cash chain into two incompatible chains, which could cause damage measured in billions of dollars.
He decided to inform the Bitcoin Cash developers of the vulnerability, but then he realized he had a problem. He could not disclose the information because, if someone exploited the bug the following day, all the arrows would point at Cory. There would be no way of proving that he had not been the attacker, since he had all the necessary knowledge at the time.
He had certain doubts as to why he should risk his safety: he had no obligation whatsoever to report anything. But all the doubts evaporated when he thought about how he would want such information to be brought to his attention, had ‘an equally nasty bug’ been discovered in Bitcoin Core.
After several failed attempts, Cory eventually found a way to send an encrypted message to the Bitcoin ABC developers. The bug was fixed on April 27, two days after Cory had reported it. The catastrophe was averted.
Cory’s take-away from this incident:
Read here for more on Cory’s responsible deed for the crypto community.