The Latest Bitcoin Bug Was So Bad, Developers Kept Its Full Details a Secret!

This week’s major bitcoin bug was even worse than developers initially let on.
The bug originally rocked the bitcoin world when it was reported the vulnerability could be used to shut down a chunk of the network.
While this sounded bad enough for many, it turns out developers for Bitcoin Core kept a second, bigger part of the bug a secret. As disclosed through an official Common Vulnerabilities and Exposures (CVE) report, an attacker could have actually used it to create new bitcoin – above the 21 million hard-cap of coin creation – thereby inflating the supply and devaluing current bitcoins.
Such a perversion of the rules would, at worst, according to many, make users not trust the cryptocurrency anymore.

Because of the disastrous implications of the bug, developers decided to keep it a secret, buying themselves time to fix the exploit and urge miners and users to upgrade their software.
The CVE report written by Bitcoin Core developers explains:
“In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious denial of service vulnerability, concurrently with reaching out to miners, businesses and other affected systems, while delaying publication of the full issue to give time for systems to upgrade.”
And for now, the plan seems to have worked.
Over half of bitcoin’s mining hash rate has upgraded to the patched software version, meaning the attack can no longer be used, and developers are “unaware of any attempts to exploit this vulnerability,” the report states.
Who found it?
Finding such a serious bug was a stressful position for developers to be in.

According to the report, an anonymous user originally filed a report about the denial-of-service bug to top developers of Bitcoin Core and Bitcoin ABC, the main software implementation of bitcoin cash. About two hours later, Chaincode engineer and Bitcoin Core developer Matt Corallo realized the bug could have been exploited to print unlimited bitcoin.
Based on the seriousness of the vulnerability, the developers decided to keep those details secret at first.
Instead, beginning with Slush Pool, they started pushing miners to upgrade. And for bitcoin users running a full node, the call to action is the same.
“You should not run any version of Bitcoin Core other than 0.16.3. Older versions should not exist on the network. If you know anyone who is running an older version, tell them to upgrade it ASAP,” bitcoin subreddit moderator Theymos remarked in a post currently pinned to the top of the forum.
Yet, another problem exists now – the possibility of a bitcoin chain split

Since users are now running different versions of the bitcoin software, there’s a risk the network will temporarily split into two, then come back together again. Transactions on the chain running old software, then, might ultimately be lost.
While the situation is being monitored closely, Theymos thinks the risk of this happening is small. But, he argued that people should still take precautions, such as waiting longer to make sure a bitcoin transaction actually gets verified.
Theymos added:
“For the next week or so you should consider there to be a small possibility of any transaction with less than 200 confirmations being reversed.”

What’s on some users’ minds, still though, is whether it’s possible the bug has already been exploited.
“How do we know if that vulnerability wasn’t exploited already and there is someone out there with a bunch of fake bitcoin?” asked one bitcoin user.
Luckily, Bitcoin Core contributor Pieter Wuille explained, due to the power of code, bitcoin users would have been able to detect suspicious activity by now.
When downloaded for the first time, full nodes double check every transaction made in bitcoin’s history. A node running the new software, 0.16.3, would detect the problem immediately.
Even so, questions remain regarding what would have happened if the bug wasn’t caught in time.
According to Theymos: “Even if the bug had been exploited to its full extent, the theoretical damage to stored funds would have been rolled back.”

Theymos continued, saying that rollback would be much like what happened during the so-called “value overflow incident” in 2010 when 187 billion bitcoins were created out of thin air but, ultimately, were destroyed.
Still, while Bitcoin Core, litecoin and several other coins that were based Bitcoin Core’s code have released a patch for the exploit, others have not – and might still be vulnerable to the inflation bug.


Source
Author: Alyssa Hertig
Image Credit

Bitcoin Cash Bug Reminds About An Ever-Present Danger for Crypto

Some companies don’t actually respond to security disclosures brought to their attention.
Bugs will continue turning up in the short and medium term, at least until the crypto-market stabilizes.LIONBIT

Safety, safety, safety. Most traditional investors are obsessed by the safety of cryptocurrencies as an investment. They obsess over whether it’s safe to invest USD 1.000 in Bitcoin or Ethereum, as if it were entirely safe to invest the same amount in Facebook, Microsoft or eBay, who also suffered a double digit drop.

Yet as much as journalists and traditional economists wring their hands over the unpredictability of the crypto-market, there is another safety issue that affects the cryptocurrency industry at least as much.

As the recent discovery of a SIGHASH_BUG in Bitcoin Cash revealed, this issue is the ever-present danger of code vulnerabilities. And given that the crypto-industry is expanding very rapidly, it’s likely that developers and users alike will have to be on their guard for as long the industry remains in its bubble-esque infancy.

On August 9, Bitcoin Core developer Cory Fields published a blog, in which he detailed his April discovery of a potentially chain-splitting flaw in the Bitcoin Cash protocol.
Contained in a new implementation of Bitcoin Cash’s software, this bug arose from the removal of a piece of code that performs a specific check on the signatures used to validate transactions.

As Fields explained in his blog, this removal “would have allowed a specially crafted transaction to split the Bitcoin Cash blockchain into two incompatible chains,” since nodes following the new software implementation would end up disagreeing with those nodes still running on the previous, signature-checking software.

Given this disagreement, an accidental hard fork could have been caused, although Fields anonymously disclosed the flaw to Bitcoin Cash developers, who went on to discreetly introduce a patch.

TIP

But even with the happy ending, this episode should be a concern to any with a stake in the crypto industry, since as Fields notes, “much work is still required to reach the sophisticated level of engineering that cryptocurrencies require.”

Indeed, there is ample evidence that this level hasn’t quite been reached in many quarters. In March, researchers published a paper detailing an alarming Ethereum bug that would have enabled hackers to seize control of a node’s computing power, thereby opening the door for the theft of funds. In June, a critical transfer bug was also found buried in ICON’s code, giving malicious actors the ability to disable transactions to specified wallet addresses.

In May, Bytecoin was affected by a potentially network-splitting bug of its own, which ended up causing transaction delays before being resolved by users and miners upgrading to the latest software. And in June again, the Lisk blockchain temporarily went down while its development team combated an invalid transaction bug.

Needless to say, these kinds of bug are manifold in crypto (ask EOS, or Augur), and for several fundamental reasons.
As explained to Cryptonews.com by Bitcoin developer Bryan Bishop, cryptocurrencies have the unique property of being splittable if newer software versions have a ‘bug’ preceding versions don’t.
“Crypto bugs are everywhere,” he says. “One of the reasons of this is that if one of two implementations have a bug and the other one doesn’t, then the system falls out of consensus. This is the type of bug that Cory Fields identified in Bitcoin Cash. To prevent and identify these bugs requires a lot of experience with consensus-critical systems.”

According to Neha Narula of MIT’s Digital Currency Initiative, the problem is made even more worse by the ‘trustless’ nature of crypto-platforms and the egotistical incentives that drive them. “A cryptocurrency’s resiliency comes from a design that tolerates people in the system acting in their own self-interest,” she wrote recently. “Put that way, the flaw in the current system is clear: Disclosure is the least lucrative of all options.”

Not only is disclosure the least profitable option in certain cases, but it’s made less likely by the unresponsive and closed-off culture prevalent at some crypto foundations and startups. “The problem is that some companies don’t actually respond to security disclosures brought to their attention,” explains Bishop. “As a consequence, software and users remain vulnerable.”And when you add these unique conditions to the bubble of money being pumped into crypto (in a way that enables people to launch blockchain-based platforms on the basis of weak ideas and inadequate coding/cryptographic experience), it’s all-too predictable that bugs are turning up left, right and centre.

And this means they’ll continue turning up in the short and medium term, at least until the crypto-market stabilises and a few dominant cryptocurrencies emerge.



Here at Dollar Destruction, we endeavour to bring to you the latest, most important news from around the globe. We scan the web looking for the most valuable content and dish it right up for you! The content of this article was provided by the source referenced. Dollar Destruction does not endorse and is not responsible for or liable for any content, accuracy, quality, advertising, products or other materials on this page. As always, we encourage you to perform your own research!

Source
Author: Simon Chandler
Image Credit: iStock/pixelprof


Don’t forget to join our Telegram channel for Crypto, Business & Technology news delivered to you daily.