Inside money, markets, and big tech

Bitcoin dev finds potentially crippling security flaw in Bitcoin Cash

Hackers could have split its blockchain in two

Another massive security vulnerability in a major cryptocurrency has been discovered, just sitting there, waiting to be exploited – and this time around it’s Bitcoin Cash.

Its blockchain was open to being jammed with a toxic block that would have caused complete consensus failure. The bad block would have split the cryptocurrency in two, halting transactions and crippling its utility and price.

Cory Fields, who discovered the bug, reflected on its impact. Fields is a Bitcoin Core developer for the Digital Currency Initiative at the MIT Media Lab. He detailed the entire process, from discovery to anonymous submission, in a blog titled Responsible disclosure in the era of cryptocurrencies.

“Working through this bug, which certainly had the potential for catastrophe, has reaffirmed my belief that the threat of software bugs is severely underestimated in the cryptocurrency world,” writes Fields. ”[This] is a real-world example of how much work is still required to reach the sophisticated level of engineering that cryptocurrencies require, and as a wake-up call to companies who have not adequately prepared for this type of scenario.”

Cryptocurrency engineer Eric Wall took to Twitter, lambasting the project for having missed such a glaring vulnerability. Although it has since been patched, it does call the possible reality of a market dominated by Bitcoin Cash BCH into question. After all, it wants to be the real Bitcoin.



If anything, 2018 is being defined by its security vulnerabilities. Cryptocurrency is software – sure, there’s going to be bugs. Indeed, it’s a fact of life – but disclosures, once potentially earth-shattering, are now having less impact. They’re a dime a dozen and we have just accepted that no blockchain really works as it should.

EOS, in particular, has found its best to attract hackers with honey, lots of honey. Their bug bounty has distributed $417,000 since May – two-thirds of all HackerOne bounties claimed this year.

So, until Elon Musk creates a blockchain programming AI that fixes up all the code, we’re stuck with a system built on trust. We do know that hackers are exploiting bad code regularly, but we trust that the majority would rather fix a project than destroy it – however naive it may be.

Published August 10, 2018 — 14:49 UTC