In a recent blog post, Cory Fields, bitcoin core developer for the digital currency initiative at the MIT Media Lab, revealed that he was the person who had anonymously revealed a bug in the system of the cryptocurrency Bitcoin Cash. Bitcoin Cash is entirely different from bitcoin itself. This malevolent bug which he named SIGHASH_BUG was reported anonymously and privately on April 25th, 2018 was subsequently fixed the first week of the next month. He told,
I’m often asked at conferences and workshops what I consider to be Bitcoin’s greatest challenge in the future. My answer is always the same: avoiding catastrophic software bugs.
It was due to this discovery that the developers were able to alleviate the threat by fixing the vulnerability in no time.
Fields told that these numerous software bugs have the potential to unleash trouble for the cryptocurrencies. He said that it was often underestimated how even a small bug could make the whole system of cryptocurrencies extremely vulnerable. In addition, he mentioned that the blockchain technology being new has to go a long way before a sophisticated model of these cryptocurrencies can be produced.
Moving on to how the bug came to be, certain updates were made to the system that involved the omitting of a certain signature check. Without that check, the Bitcoin Cash blockchain would have been split into two incompatible chains. It means that if an update is made to a system that allows a specific set of rules to be executed, whereas in the previous version no such action was allowed, then the blockchain is split because it presents different kind of rules. Fields elaborated that he was able to target the bug only after 50% of the people on the network had updated to the newer version.
This bug did not threaten the existence of Bitcoin Cash only as there as multiple startups emerging every day, who use the core of Bitcoin. The downside is that, where you can profit from the already open source software you also inherit the bugs and errors etched into it.
Cory also explained why he chose to omit his real identity while reporting the bug that existed. If he had revealed his identity and a breach was made subsequently, it would have all been attributed to him. Such a large network involves assets worth over billions and he could have been incriminated for that. He lay emphasis on this saying that “people have killed for less.” He also said,
While trying to figure out whether a completely anonymous disclosure was possible, I began to question whether it was worth the trouble at all. I had no obligation to report anything, after all. But if someone had discovered an equally nasty bug in Bitcoin Core, I would hope that person would bring it to our attention as discreetly and securely as possible. So I decided to do exactly that: create the report I would want to read, and deliver it as I would want to receive it.
After the disclosure of the error, Bitcoin ABC took to fixing it and released a statement,
After analysis of the vulnerability and possible responses, Bitcoin-ABC developers prepared a patch for the vulnerability, and a private release, to distribute directly to mining pool operators. Due to the decentralized nature of the mining community it was not possible to reach everyone directly. This release was provided to verified Bitcoin Cash miners to forward to trusted miners once they had upgraded.
The bug which existed in Bitcoin-ABC 0.17.0 were instructed to upgrade to the Bitcoin-ABC 0.17.1 in which the threat was dealt with. They also ensured that they would be mindful of letting such a vulnerability exist. They added on,
Bitcoin ABC will be taking several actions in order to prevent such an event from occurring again, as well as reduce the overall response time in the case of emergent issues in the future.
They also said that they would offer incentives to the people who would be eager to hunt down such vulnerabilities. They would be offered a generous reward saying,
Additionally, Bitcoin ABC is in discussions with industry participants to establish a formal bug bounty system.
In conclusion, Field also lay emphasis on the fact that blockchain is a relatively newer technology and it would be a long time before they are able to introduce a fool proof system. But in the meantime, developers can re-evaluate the situation by looking at the errors that have been discovered so far and avoid such situations from arising in the future.