An anonymous source recently tipped off Bitcoin ABC — one of the leading development teams behind Bitcoin Cash (BCH) — as to a mining-centric vulnerability in ABC’s software version 0.17.0. The problem’s now been patched, and the ABC team’s interested in rewarding the informant.
On May 7th, 2018, the Bitcoin ABC team published an incident report detailing “the response to a critical vulnerability applicable to miners of Bitcoin Cash using Bitcoin-ABC 0.17.0.”
The incident in question originally began on April 26th, when “unknown person(s)” notified the ABC devs about a flaw in the current software that could have led to an undesired Bitcoin Cash network split.
“Appropriate action has been taken to mitigate the impact of this vulnerability,” the ABC team wrote. “This document is provided for information purposes only.”
As the ABC devs noted in their report, the identified vulnerability was nothing to scoff at:
“An attacker may construct a malicious transaction which would be accepted by Bitcoin-ABC 0.17.0 and mined into a block. This block would be rejected by all other versions of Bitcoin Cash compliant implementations. The malicious transaction would contain the bitflag of 0x20 set in the signature hash type.”
The result of this flaw, then, was that “BUCash and versions of Bitcoin-ABC prior to 0.17.0 could be split from the majority Bitcoin Cash blockchain” so long as it was unremedied.
Accordingly, ABC’s devs quickly developed a patch and initially began discreetly disseminating the fix to BCH mining pool operators, not wanting to attract any more attention than necessary at first while the flaw was still unmet.
The dissemination wasn’t immediately uniform, however, per the report:
” Due to the decentralized nature of the mining community it was not possible to reach everyone directly. This release was provided to verified Bitcoin Cash miners to forward to trusted miners once they had upgraded.”
With that said, the ABC team is still recommending all users of 0.17.0 to upgrade to 0.17.1 immediately.
The ABC devs are now interested in rewarding the party or parties responsible for the initial tip-off:
“Bitcoin ABC wants to thank the person(s) who disclosed this vulnerability responsibly. They provided a clear and professional report. If they are willing to come forward, we would like to ensure they receive a reward.”
Lastly, the report indicated ABC was working with “industry participants to establish a formal bug bounty system.” Such a system would undoubtedly help root out flaws like the one discussed above in the best way possible: early.
What’s your take? Would you participate in a bug bounty system if you could? Let us know in the comments below.
Images via Cybellum, Hacked