🗞 NewsFallout and discussion continued in the wake of "CVE-2018-17144", the Bitcoin vulnerability which was revealed and patched last week. One noteworthy detail to emerge was that the bug was discovered and reported by a developer working on Bitcoin Cash. The developer, who goes by Awemany, wrote a medium post detailing the disclosure, but also descending into lengthy, and at times ranting, criticism of Bitcoin Core. Link.
Meanwhile, the Bitcoin test network was disrupted when someone mined and broadcast a block which took advantage of the vulnerability. While a chainsplit on the testnet is not ultimately a big deal, it does demonstrate how damaging this bug could have been if it had been exploited before the network had been patched. Link.
This week saw developers from another major cryptocurrency scrambling to distribute a patch for a critical issue. The Monero development team furtively pushed an update to their wallet software out to major exchanges and merchants after a vulnerability was discovered. The bug allowed an attacker to send funds to a party that would become burned-- that is locked for good-- once received, without the receiver realizing this. Such an attacker could have sent funds, received goods or other cryptocurrencies in exchange for them, but left the receiver with un-spendable coins. Link.
Finally, the Steem network was down for a prolonged stretch for the second times in as many weeks, this time after a botched hardfork caused unexpected behavior for the majority of users. As the network limped back to health, some users were able to post only by connecting to specific nodes. The Delegated Proof-of-Stake network, which rewards creators with newly minted coins, has 50,000 daily users and a market cap of $250 Million. Link.
In one sense, it's been a rough couple of weeks for Bitcoin and the broader cryptocurrency ecosystem. Though not exploited, the presence of this vulnerability in Bitcoin has caused what some might describe as "handwringing" about developer incentives, security practicers, code review standards, and other considerations. In another sense, though, this vulnerability might be a blessing in disguise. My hope is that it will serve as wakeup call to the very real risk of a software flaw causing severe damage to Bitcoin, or any other prominent crypto network. As I said last week, I believe this risk remains under-appreciated.
I hope it also leads to broader discussion around the Bitcoin development, which I continue to see as woefully under-provisioned considering the enormity of whats at stake. If we don't have these conversations now, we'll be having them at some point in the future, after a serious bug actually disrupts Bitcoin or another major network.