Responsible Vulnerability Disclosures in Cryptocurrencies
Despite the focus on operating in adversarial environments, cryptocurrencies have suffered a litany of security and privacy problems. Sometimes, these issues are resolved without much fanfare following a disclosure by the individual who found the hole. In other cases, they result in costly losses due to theft, exploits, unauthorized coin creation, and destruction. These experiences provide regular fodder for outrageous news headlines. In this article, we focus on the disclosure process itself, which presents unique challenges compared to other software projects [15]. To illustrate, we examine some recent disclosures and discuss difficulties that have arisen.
Key Insights:
Cryptocurrency software is complex and vulnerabilities can be readily, and anonymously, monetized.
Responsible vulnerability disclosure in cryptocurrencies is hard because decentralized systems, by design, give no single party authority to push code updates.
This review of case studies informs recommendations for preventing catastrophic cryptocurrency failures.
Published in Communications of the ACM, October 2020, Vol. 63 No. 10, Pages 62-71, DOI 10.1145/3372115
Authors:
Rainer Böhme, Universität Innsbruck
Lisa Eckey, TU Darmstadt
Tyler Moore, University of Tulsa
Neha Narula, MIT Digital Currency Initiative
Tim Ruffing, Blockstream
Aviv Zohar, Hebrew University Jerusalem