Responsible Disclosure in Cryptocurrencies
Published: August 29th, 2017 at Medium.
Ethical dilemmas and economic problems surrounding the disclosure of vulnerabilities in cryptocurrencies.
Any complicated piece of software is likely to contain bugs, some of which can be weaponized into harmful exploits and potentially even monetized to yield financial gains to attackers. Cryptocurrencies are complex systems themselves, so it isn’t very surprising by now that many exploits, hacks, and attacks are found on a regular basis. This often results in theft and other damages that can cost millions of dollars.
Responsible Disclosure
Suppose you stumble upon a vulnerability in a software system. Being the responsible, law-abiding nice guy that you are, you want to tell people about the problem rather than use it to attack the system. The practice of “responsible disclosure” evolved for that very reason. It usually entails telling the company or organization that produced the software about the problem, giving them sufficient time to evaluate the vulnerability and issue a patch. This is usually followed by a public disclosure of the vulnerability once the system has been fixed.
Vulnerabilities in Cryptocurrencies are Harder!
Now, let’s suppose that you discover some vulnerability within a cryptocurrency system such as Bitcoin, Ethereum, ZCash, or an ICO token running inside one of these systems. The situation is much more complex. Let me mention a few issues that immediately come to mind:
- The existence of the bug may directly impact the market value of tokens or coins. While it is possible that a software bug in some conventional software will affect its stock price, it isn’t very likely (the stocks of small companies aren’t usually traded publicly, and large companies are usually quite robust). In cryptocurrencies such an effect is much more likely. This means that the group of affected individuals may be large: all those who hold the relevant tokens. In fact, you yourself may be holding tokens. What is the ethical thing to do? Sell? Hold?
- The vulnerability is easily monetized. In other systems, it’s not that easy to benefit from a vulnerability. If, for example, you could make someone else’s machine crash every time they open their browser, you might not be able to find a way to profit yourself. There isn’t always a clear path to monetization. With cryptocurrencies things are easier for attackers: you could always short the cryptocurrency. This makes information about the exploit very sensitive.
- Who to disclose to? There isn’t a clear entity that is in charge of development, no clear decision maker, and no one to negotiate responsible disclosure with. The CEO of Bitcoin cannot ask you to delay publication of the exploit for one month while guaranteeing that a patch will be pushed out by then (mostly because this person does not exist). How do you choose which developers to contact? How do you keep information about the vulnerability contained?
- Sometimes the original developers can’t help. The bug may exist within some smart contract that cannot be rolled back easily (think of the DAO once money is already locked inside, outside of any single person’s reach). Do you publicly disclose? How do you do it? Individuals learning of the exploit earlier will be hurt less (if they sell tokens) or may in fact use the exploit themselves.
- Insider trading. Even if there is a company that is behind the system, the developers themselves often have a stake in the system (from the founder’s reward or premined coins) that they can often liquidate. What if they think the bug is too hard to fix and decide to dump all of their coins before others become aware of the problem?
- The vulnerability can exist in many systems. Most of the code in the cryptocurrency world is open-source, and code / ideas are often used across many projects. This implies that the vulnerability can potentially affect multiple platforms. Ideally, disclosure should be to a small number of individuals that can effectively fix the problem.
I’m afraid I’m going to leave you with more questions than answers. It’s possible that easy answers don’t exist at all. But let us not despair! We’ve seen cases in the past in which vulnerabilities were successfully disclosed to small groups of developers and successfully fixed, and also many occurrences of attacks that were handled with more extreme (some would say controversial) measures, for example the white-hat groups that attempted to block attackers during the DAO hack and the Parity multi-sig wallet hack.
My guess is that we are going to see many more cases that test the ethical boundaries of security research, as well as the economic incentives for disclosure (are bounty programs sufficient to defend us?). I hope that we find clear and ethical practices that promote more secure and stable systems.