As the competition for the CryptoTulip of the Year contest enters the final stretch, we now hear from the arch-patriarch of all Tulips: Bitcoin.
This month we learned that there was a huge, massive bug in the oldest, stablest, “most secure” cryptocurrency of them all, Bitcoin. (There are also an unknown number of copycats that use code from the Bitcoin source base, so the bugs may affect other systems, too.)
Actually, there were two bugs: one a possible denial of service attack, and another that could allow double spending. Nothing major, just the potential for a crippling shutdown and/or counterfeit coinage! The bugs were accidentally introduced two years ago!
The bugs themselves aren’t especially notable. All software has bugs. Bitcoin is software. Ergo, Bitcoin has bugs.
The interesting and Tulip-y thing is how it was handled.
Notably, the “open source”, “transparent” development team took it upon themselves to keep quiet about the most serious part of the problem until there was a patch. This is, of course, perfectly standard and reasonable behavior for proprietary code. The developers took responsibility for the welfare of the code and its users, and tried to get the patch out before the details of the flaw were explained to potential attackers.
This is a sensible process, but it is not exactly a Nakamotoan process. Bear in mind that many enthusiasts advocate the principle that “the code is the law”, which means that, for a while, it was perfectly proper, even “intended”, that people might be able to ravage Bitcoin through these loopholes in “the law”. And the unelected developers in fact took it upon themselves, without consultation or notice, to change “the law” to preclude these highly profitable moves.
Naturally, this being cryptoland, the unannounced bug was, in fact, soon unofficially leaked by non-cooperative folks. (Thanks for helping, guys.) And even according to the official announcement, only half the affected systems had been patched so far, probably. The bug notice itself essentially begs people to update with the bug fix. And no one can do more.
Apparently, many Bitcoinistas believed their own propaganda about how ‘secure’ this stuff is, and about how invincible ‘open source’ code is. So some people were “shocked” by this bug. In response, there have been naïve calls for more and better testing, as if any software ever has enough, and good enough, testing. (And, by the way, decentralized, asynchronous network protocols are really, really hard to test.)
There have also been calls for multiple implementations, which is a good idea until it isn’t a good idea.
As Alyssa Hertig reports, “developers don’t necessarily agree on exactly what needs to be done.”
At this point, we might ask, “Is this bug really patched?” Who knows?
Not exactly a ringing assurance.
This episode shows just how vulnerable this technology really is. There can and surely will be huge bugs, but they can be patched only through the indirect and voluntary cooperation of many anonymous operators. And, as we have seen with Ethereum and the DAO, a bug can be exploited in seconds, but may take years to fix.
The CryptoTulip award will surely have to consider this episode.
Bitcoin was lucky this time (as far as we know). With billions on the line, it’s only a matter of time before this CryptoTulip explodes.
- BitcoinCORE (2018) CVE-2018-17144 Full Disclosure. Bitcoin Core Notice, https://bitcoincore.org/en/2018/09/20/notice/
- Alyssa Hertig (2018) In Wake of ‘Major Failure,’ Bitcoin Code Review Comes Under Scrutiny. Coindesk, https://www.coindesk.com/in-wake-of-major-failure-bitcoin-code-review-comes-under-scrutiny/
- Alyssa Hertig (2018) The Latest Bitcoin Bug Was So Bad, Developers Kept Its Full Details a Secret. Coindesk, https://www.coindesk.com/the-latest-bitcoin-bug-was-so-bad-developers-kept-its-full-details-a-secret/