Across the Aisle: Bitcoin Core Dev Was Anonymous Tipster on Bitcoin Cash Bug
In May 2018, Bitcoin ABC published an incident report disclosing their patch of a critical mining vulnerability in their Bitcoin Cash implementation. The flaw had been discreetly revealed through an “unknown person(s).” Now, that source has come forward: it was Cory Fields, a Bitcoin Core developer who has detailed in a new Medium post his thought process behind the noble disclosure.
A Gentleman, and a Scholar
A few weeks ago the Bitcoin ABC team released their 0.17.0 software patch, which rectified a “critical mining vulnerability” that could have allowed malicious chain splits of the Bitcoin Cash blockchain. At the time, Bitcoin ABC thanked the anonymous tipster for their “clear and professional report.”
Now, they know who to thank: Cory Fields.
Wow. BCH had a consensus vulnerability. Core dev Cory Fields anonymously lets them know. They fix and continue without the issue. Read the whole thing. https://t.co/GypIq1JFA0
— Jimmy Song (송재준) (@jimmysong) August 9, 2018
Fields, a Bitcoin Core developer and member of the Digital Currency Initiative at the MIT Media Lab, may seem on the surface an unlikely source for the report. Indeed, the BTC vs. BCH scaling debates have generated no shortage of general animosity between many in both projects’ communities.
Yet in his new August 9th post entitled “Responsible disclosure in the era of cryptocurrencies,” Fields said his actions upon discovery of the bug were simply guided by the golden rule:
“I had no obligation to report anything, after all. But if someone had discovered an equally nasty bug in Bitcoin Core, I would hope that person would bring it to our attention as discreetly and securely as possible. So I decided to do exactly that: create the report I would want to read, and deliver it as I would want to receive it.”
Sounding the Alarm
In April 2018, Fields was poring over Bitcoin ABC changelogs for any kinks that could be relevant to the Bitcoin Core implementation because, as he wrote, “it is typical for these derivative projects to have similar bugs and therefore similar bugfixes.” There, within minutes, the developer discovered the potentially catastrophic chain-splitting “SIGHASH_BUG.”
Fields determined he would need to submit the report anonymously for two reasons: 1) to prevent having his name linked with knowledge of the flaw if an attacker leveraged it before his disclosure could be acted on, and 2) for his personal safety, due to the “billions of dollars [that] could have been lost as a result of this exploit.”
The developer next struggled to make secure contact with the Bitcoin ABC team. An eventual “encrypted message to Bitcoin ABC’s bug tracker” on GitHub did the trick, with the ABC team beginning discreet and eventually successful work on a fix some two days later.
Eyes on the Horizon
Back in May, the Bitcoin ABC team said of the discloser that “we would like to ensure they receive a reward.” The BCH development team also said they had begun engaging with “industry participants to establish a formal bug bounty system” to help incentivize further whitehat engagement with their implementation.
For his own part, Fields concluded in his post:
“The Bitcoin Cash vulnerability that I discovered was successfully disclosed and mitigated, and ultimately had no noticeable impact on the cryptocurrency. It would be a shame, though, if the ecosystem did not benefit from an analysis of such a substantial near-miss. As cryptocurrency developers, it is necessary to take a step back now and then to re-evaluate the tools at our disposal, as well as the policies and procedures that we put into place. We may not be able to eliminate the threat of bugs like these, but we can learn from them and be better prepared to handle them in the future.”
The developer’s message is not singular, then, but rather aimed at the cryptocurrency space in general — software bugs can be calamitous in the cryptoeconomy, and much more must be done on this front going forward.
“I’m often asked at conferences and workshops what I consider to be Bitcoin’s greatest challenge in the future,” Fields wrote. “My answer is always the same: avoiding catastrophic software bugs.”
Not Everything Is Crypto-Peachy, Of Course
The rare BTC/BCH olive branch comes as Ethereum’s Vitalik Buterin and Cardano’s Charles Hoskinson have recently begun skirmishing over their respective blockchains’ Proof-of-Stake models.
The Casper vs. Ouroboros debate, which has taken place over Twitter, Reddit, and Medium, has left no love lost between the two crypto thought leaders, with Vitalik Buterin commenting at one point, “Charles, this is pathetic.”
It’s just the latest example of how differing visions and strong convictions have seen battle lines drawn in the space, possibly setting the stage for future platform fragmentation in the years ahead.