On Thursday, August 9, a developer and researcher in the crypto industry detailed the difficulties he had communicating a vulnerability in the Bitcoin Cash protocol to its dev team. Cory Fields from the Digital Currency Initiative at MIT Media Lab in Massachusetts outlined the issue in a post on his Medium blog. The bug was successfully resolved only after a lot of trouble on Fields’ part, which he wanted to address publicly with the intention of raising awareness about the importance of open and speedy bug reporting avenues for every cryptocurrency.

Chain-splitting Vulnerability

Fields explained that “a portion of the transaction signature verification code was rewritten, but the new code omitted a critical check of a specific bit in the signature type. I refer to that bit in the disclosure as SIGHASH_BUG. This omission would have allowed a specially crafted transaction to split the Bitcoin Cash blockchain into two incompatible chains.”


He added:

“There were no keys listed for any of the lead developers on the public PGP key servers where they would usually be found, and there were none present in their code repository either. At that point, I had no option other than to request keys anonymously through different online channels, using Tor to mask my identity as much as possible.”

He wanted to submit the vulnerability anonymously, since a reporter who identifies himself risks being accused of any exploits that might later occur. He tried to announce it to the Bitcoin Cash devs on GitHub to no avail, and had extreme difficulty finding a public key for any of the devs so that he could notify them with an encrypted message (any open communication could be seized upon by attackers).

Slow Resolution

Eventually, the bug was addressed:

“On April 27, after waiting roughly 48 hours for a response to the disclosure, a pull request was opened to covertly fix the issue in Bitcoin ABC.”

The issue draws attention to the sometimes disorganized nature of the crypto community at a time when the industry is under an increasing regulatory spotlight. Furthermore, the Bitcoin Cash project has come under fire for suspect and hostile working methods, a perception this episode is likely to compound in the eyes of the wider public.

