Blockchain Systems Need Mature Disclosure Policies

Blockchain Systems Need mature disclosure policies.jpg

By Cassio Goldschmidt

Despite the security community's best effort to educate the industry about security response, many companies still don’t publish an email address to securely receive information about flaws in their products. In the absence of a vulnerability disclosure policy, security researchers who attempt to report vulnerabilities often encounter considerable legal and sometimes even life-threatening risks.

This was the situation of Cory Fields, a bitcoin (BTC) core developer who discovered a critical vulnerability in Bitcoin Cash (BCH) (not to be confused with Bitcoin [BTC]).

While reviewing a portion of BCH’s transaction signature verification code, Cory noticed that the functions omitted a critical check of a specific bit in the signature type. This omission would have allowed a specially crafted transaction to split the Bitcoin Cash blockchain into two incompatible chains. The undesired behavior creates a critical flaw because when the Bitcoin chain splits, the miners must choose the longest chain and ignore all the other transactions from the shortest chain. As a result, all transactions would be invalidated, and no coins would be exchanged.

Just like Bitcoin, Bitcoin Cash is a pseudo-anonymous system. With the right amount of knowledge and prudence, it’s possible for an attacker to create transactions that are very unlikely to be linked back to his identity.

In the case of Cory, if someone exploited the flaw, he would have no way to prove that he was not the attacker. Billions of dollars were at stake, as well as, quite possibly, his safety. Cory wanted to do the right thing by disclosing the finding to the competitor cryptocurrency, but to make matters worse, Bitcoin Cash had no responsible disclosure policy and no public PGP keys listed for the lead developers, which was needed to securely exchange the information.

Cory’s workaround was first to create a throwaway GitHub account using Tor and then to send a message to one of the core BCH developers asking for his PGP key. Eventually, the sensitive information was disclosed and the flaw was fixed.

Conclusion

Decentralized systems based on technologies such as Blockchain rely on voluntary upgrades and consensus to work. If exploited, validation flaws can break the consensus, resulting in invalid transactions that can undermine the trust in solutions based on this technology.

Because flaws are inevitable, companies working in this space must have a mature responsible disclosure policy — and the policy must take into consideration the safety of the security researcher who provides the ability to report findings anonymously.


About Cassio Goldschmidt

Cassio Goldschmidt is an internationally recognized information security leader with a strong background in both product and program-level security. His past leadership experience includes services at AON/Stroz Friedberg, NCR Corporation, Intuit, Syperplayer, Symantec Corporation, and Cisco Systems.

More About Cassio