Bitcoin Cash ‘Chain-Splitting’ Bug was Detected by Bitcoin Core Dev.
It has emerged that the “unknown person” who notified Bitcoin ABC developers of a vulnerability in Bitcoin Cash which would have resulted in the unintended split of the altcoin’s network is actually a Bitcoin Core (bitcoin’s primary software implementation) developer.
In a Medium blog post, Corey Fields revealed that he was responsible for anonymously and privately informing Bitcoin ABC of the SIGHASH_BUG in Bitcoin
Cash on April 25 this year. According to Fields, who works for MIT Media Lab’s Digital Currency Initiative, if the vulnerability had been successfully exploited it would have resulted in making bitcoin cash transactions unsafe, thus undermining the fourth-largest cryptocurrency by market capitalization. As CCN reported, the flaw was fixed early the following month.
In the same post, Fields warned that the greatest threat facing bitcoin is related to software development.
“I’m often asked at conferences and workshops what I consider to be Bitcoin’s greatest challenge in the future. My answer is always the same: avoiding catastrophic software bugs,” he wrote.
According to Fields, the threat posed by software bugs with regards to cryptocurrencies is underestimated and companies in the space must make adequate preparations for these kinds of threats. As an example, Fields narrated the hoops and loops he had to jump through before he could inform Bitcoin ABC of the vulnerability.
Part of the problem was that Bitcoin ABC did not have a responsible disclosure policy. Additionally, Fields could not find publicly available encryption keys for the lead developers at Bitcoin ABC to whom he could send encrypted message informing them of the vulnerability without risking it being viewed by others.
According to Fields, it was also important to remain anonymous for personal safety reasons just in case a malicious actor discovered the vulnerability and went on to exploit it before a fix could be rolled out. This would be problematic as suspicions could fall on Fields.
“Because I used my name for the disclosure, hard proof would exist that I had the knowledge and means to attack the network. I would have no way to prove that I was not the attacker. Then consider that, collectively, billions of dollars could have been lost as a result of this exploit. People have been killed for much less,” wrote Fields.
At the time when Bitcoin ABC announced that the vulnerability had been fixed, it was revealed that a reward would be given to the then-anonymous tipster once they went public. In his blog post, Fields did not disclose whether he has claimed the reward.