AnChain’s Analysis: BitPay’s Open Source Copay Wallet Discovers Security Vulnerabilities


  • On September 9th, a normal “flatmap-stream” was merged into the code base in the “event-stream” NodeJS module with 2 million downloads per week.
  • On October 5th, the “flatmap-steam” code was updated with entrapped malicious code. Code reviewers merged them into the code base without careful inspection.
  • On November 26th, California college students discovered that the confusing malicious code in the “event-stream” used by BitPay’s Copay wallet was triggered in the environment, stealing bitcoin in the wallet. (The malicious code has now been fixed)

This attack is similar to the Stuxnet virus that was specifically designed for the Iranian nuclear power plant in 2010. Stuxnet will trigger a specific Siemens PLC control chip, which can lead to serious consequences; including nuclear power plant explosions.

BitPay officially stated that users using Copay wallet versions 5.0.2 to 5.1.0 were affected by the back door. Users using these versions should assume that their private key has been stolen and need to upgrade to version 5.2.0 as soon as possible.

The malicious code was buried in the mine, well hidden since October!

Former FireEye senior engineer, AnChain.ai architect Dr. Richard Lai commented,

This is an issue with open source. The person who maintains a library has to be trustworthy.

This is a real case of “code security” in the three eternal themes of the AnChain.ai’s Philosophy. As the code becomes more complex, the open source community is more negligent.

The AnChain.AI team has been fighting on the front line of blockchain security. In August, the Ethereum BAPT-FOMO3D hacker army was exposed. In November, the world’s top 5 EOS DApp design security architecture was re-safely launched after continuously monitoring their transactions. We aim to continue to focus on comprehensive security, as detailed by our three eternal themes of blockchain security: transaction, code, and infrastructure.


About AnChain.ai

AnChain.ai is an AI-powered blockchain ecosystem security startup based in Silicon Valley. The team has extensive experiences in cyber security, artificial intelligence, cloud, big data.

AnChain.ai offers two products:

  • Situational Awareness Platform (SAP) proactively protects crypto assets. It provides proprietary Artificial Intelligence, Knowledge Graph and Threat Intel to secure blockchain transactions for DApps, Exchanges. AnChain.ai SAP detected Blockchain APT (BAPT) for the 1st time in history.
  • Smart Contract Auditing Platform (CAP) democratizes FREE smart contract auditing and executes a scan to identify all known vulnerabilities, e.g. re-entrancy (DAO 2016), overflow (BEC 2018). The CAP is fully automated, fast scanning, accessible in the cloud, and connects to professional auditing experts.

If you enjoyed the read, please make sure to:

  1. Clap for the article 👏
  2. Share the article with your friends 😎
  3. Follow us 👍