Uncharted Waters

Dec 10 2018   12:15PM GMT

Secure Cryptocurrency and other fine myths

Matt Heusser


Two months ago I started to take a course on Udemy building secure cryptocurrency. The course walks you through downloading the code for bitcoin, which is open source, then rolling your own network copy of it.

Then this showed up in my GitHub alerts:

Secure Cryptocurrency

This is a real vulnerability in the core bitcoin code that allowed the “contributor” to steal all the bitcoins from anyone using a bitcoin “wallet” called Copay.

It turns out that, like the unsinkable Titanic, my secure cryptocurrency isn’t.

What Happened

Bitcoin source code is stored in GitHub. Anyone can contribute, as long as they allow their code to be reviewed. User right9ctrl noticed a conversation where a contributor suggested the use of flatmap to make a patch. Right9ctrl offered the patch, adding flatmap to the codebase. Eventually, he pulled out the code for flatmap into its own dependency, which was minified into a single combined file. Minification is compressing code by removing whitespace; it makes the code hard to read. Putting the code in a “tarball” adds an extra step for review. Instead of reading the code on the web, you have to download it and unpackage it.
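The review gap described above can be checked mechanically once a dependency's tarball is unpacked. The following is an added example, not code from the original post or from any project it mentions; the function names, thresholds and sample package contents are assumptions made for illustration.

```javascript
// Added example: flag minified JavaScript inside an unpacked dependency.
// Thresholds are assumptions chosen for illustration, not a standard.
const MAX_LINE = 500;        // one line longer than this is hard to review
const MIN_WHITESPACE = 0.08; // hand-written code is usually well above this
const MIN_SIZE = 100;        // ignore tiny files such as a one-line index.js

function minifiedReasons(source) {
  const reasons = [];
  if (source.length < MIN_SIZE) return reasons;
  const longest = source.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  if (longest > MAX_LINE) reasons.push(`line of ${longest} chars`);
  const ws = (source.match(/\s/g) || []).length / source.length;
  if (ws < MIN_WHITESPACE) reasons.push(`whitespace ratio ${ws.toFixed(3)}`);
  return reasons;
}

// files: object mapping a path inside the package to its text content.
// hasSource is true only when a readable counterpart (foo.min.js -> foo.js) ships too.
function auditPackage(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    if (!/\.(js|cjs|mjs)$/.test(path)) continue;
    const reasons = minifiedReasons(source);
    if (reasons.length === 0) continue;
    const readable = path.replace(/\.min\.(js|cjs|mjs)$/, '.$1');
    const hasSource = readable !== path && readable in files &&
      minifiedReasons(files[readable]).length === 0;
    findings.push({ path, reasons, hasSource });
  }
  return findings;
}

// Constructed sample package contents (not taken from any real package).
const readableCode = [
  'function flatMap(list, fn) {',
  '  const out = [];',
  '  for (const item of list) out.push(...[].concat(fn(item)));',
  '  return out;',
  '}',
  'module.exports = flatMap;',
].join('\n');
const minifiedCode = 'var a=function(b,c){return[].concat.apply([],b.map(c))};'.repeat(12);
const samplePackage = {
  'package.json': '{"name":"example-dep","main":"index.min.js"}',
  'lib/flatmap.js': readableCode,
  'index.min.js': minifiedCode,
};
console.log(auditPackage(samplePackage));
```

A finding with `hasSource: false` marks a file that ships only in minified form, so a reviewer has nothing readable to compare it against.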

Once those “fixes” were in, right9ctrl added code to transfer out bitcoins from the secure wallet Copay to his account.

It took half a month for someone to find the issue. Over a month later, the package was removed from npm. That meant no one could download it.

One more time: Contributor information on GitHub is anonymous. Anyone in the world can contribute. Law enforcement agencies have problems when it comes to jurisdiction. Even if they figure out jurisdiction, stealing bitcoin makes the sovereign US Dollar look better by comparison. Somehow I suspect law enforcement will find little energy to pursue these crimes.

The Aftermath

Bitcoin’s own promotional material does not claim it is secure. Instead, their webpage says “Bitcoin can provide very high levels of security if used correctly. Always remember that it is your responsibility to adopt good practices in order to protect your money.”

Copay is still advertised as a “Secure, Shared Bitcoin Wallet.” Copay claims they never upgraded to the dangerous version of event-stream. While this may be a near miss, it is not the first bitcoin compromise. Four years ago, over $473 million US dollars in bitcoin were stolen from the MtGox Exchange.

Bitcoin doesn’t claim to be perfect, and neither did the Titanic. In both cases, it was those with related business interests who used hyped-up language for their benefit.

For the time being, consider this.

Most banks collect social security numbers and photo ID on depositors. Until the code library your currency is built on starts to do something similar, don’t invest more than you can afford to lose.



