Dealing With High Risk Bugs

Claire Belmont
Published in Crypto Insights
4 min read · Sep 24, 2018

Reflections on bitcoin’s major vulnerability revealed last week

A major bitcoin bug that could have crashed a significant part of the network was revealed on Tuesday, September 18th, 2018, when the core team released an urgent update to address a denial-of-service vulnerability that was introduced in March 2017.

Two days later, once all major mining pools had updated their software, a full disclosure was released revealing that the bug contained a second, much bigger vulnerability that would have allowed an attacker to mint new bitcoin, inflating supply beyond the 21 million hard cap. Whilst this may be one of bitcoin’s largest bugs to date, an overflow bug was actually exploited in 2010, when attackers created billions of new bitcoin. That issue was addressed with a hard fork and has become history.

Read full story here: The Latest Bitcoin Bug Was So Bad, Developers Kept Its Full Details a Secret (Coindesk).

A few thoughts:

  1. We underestimate how long it’ll take for crypto-networks to be truly secure and thus considered established. Security products prove their value through resilience to hacks and vulnerabilities over time. Whilst bitcoin and ethereum are proving their worth, let’s not underestimate what this means for the new generation of networks (such as Tezos, EOS, and DFINITY) currently being launched.
  2. It highlights the benefits of checks & balances afforded by the distribution of power amongst community members. In this instance, developers identified the bug but couldn’t exploit it, whilst miners updated the code without necessarily knowing there was another major vulnerability being addressed. It also raises the question of the trade-off between bitcoin having one client, which exposes everyone to the same bug but makes updates easy to roll out, and ethereum having multiple clients, where protocol design flaws and bug risks are identified faster thanks to multiple implementations but updates are harder to roll out.
  3. It begs the question: what other risks are we exposing ourselves to as these networks become more powerful? It’s possible that governments or activist groups with resources have identified vulnerabilities that they’re keeping in their pocket for when they want to exercise political power. For example, what happens when Estonia 2007-type attacks get rolled out on a global network that’s supposed to automate trust? It may be a bit early for this, but it should not be discounted should these networks gain traction.

On that note, what are your takeaways?

From around the web

The untold history of Bitcoin: Enter the Cypherpunks (The Startup) — History of cypherpunks and early attempts to create cryptocurrencies. Easy short read.

A primer on Austrian economics (Token Daily) by Erik Torenberg — Simple intro and overview of Austrian economics. Austrian economics is less popular than other schools of thought such as Keynesian economics but thanks to bitcoin has recently gotten a lot of attention.

A Brief Study Of Cryptonetwork Forks (Placeholder.vc blog) — Data-driven analysis of hard forks. It concludes that child chains have trouble attracting developers from parent communities; their valuations (e.g. NVT ratio), however, trade at a premium compared to their parent chains.

ERC-1404: Simple Restricted Token Standard (Medium) by Mason — New standard “designed for security tokens, tokenized securities and other tokens that carry complex compliance requirements.” It has the benefits of an ERC-20 token but offers the possibility to enforce regulatory transfer restrictions.

Building blockchains for a better planet (PWC and Stanford Woods Institute for the World Economic Forum) — Report that dives into how blockchains can be used for addressing the world’s most pressing environmental challenges. Research identified 65 blockchain use cases, of which some of the more interesting include: incentivizing circular economies to unlock value from things currently wasted, transforming carbon and other environmental markets, and earth management platforms leveraging market mechanisms to protect the commons. Long read but the executive summary provides a good overview.

Data insights of the week 📈

Twitter thread by @hivedotone on influencer analytics & insights across BTC, ETH, and other communities.


If you enjoyed this post follow me on Twitter @clairebelmont.

The views expressed are my own and do not necessarily represent the views of my employer.
