🗞 NewsLast week, it was revealed hackers used a sophisticated attack vector to sneak malicious code into open source Bitcoin wallets developed by the company Copay. The multi-step attack involved first updating a package used by the wallet to include a new dependency, then taking control of that newly added dependency by simply asking its creator if they could become maintainer. Once in control, they snuck obfuscated code into the module specifically aimed at stealing private keys from Copay users. The tainted code did eventually make it into a production release, but as of now, it's unclear if any user funds were stolen. Link.
The issue was reported on the GitHub repo of the developer behind the compromised module. In the course of the conversation, it became clear the developer-- who singlehandedly created and released the package for free-- had relinquished control of the module because he no longer had the time to maintain it himself and was no longer using it. In other words, because he was not funded or incentivized to maintain the package, it became an attack vector for a malicious third party to exploit. The revelation set off a heated debate on the level of responsibility open source creators have towards third parties who use their code without contributing. Link.
I first learned about this incident before it had been discovered that the malicious code was targeting Bitcoin wallets. Regardless, my initial reaction was that the crypto community should pay attention to it for multiple reasons.
First, it demonstrates that funding and incentivizing the sustainable development of open source software is far from a solved problem. Some in crypto community broadly, and the Bitcoin community in particular, have asserted that the open source model is sufficient for incentivizing development in the ecosystem. In other words, they believe the community can rely on intrinsically motivated developers, willing to work for less than their market value, to advance protocol and project development. Not only will this not work for the crypto ecosystem, it isn't even working for the open source ecosystem in general right now.
"All these issues bring up a deeper question: Is the web the right platform for blockchain apps? Part of why web apps are great is because they allow code injection and reloading across the network. But when priceless private keys are on the line-- is that a feature or a bug?"
After this attack, the answer to that question becomes even murkier.