Responsible Vulnerability Disclosures in Cryptocurrencies

Tyler Moore discusses "Responsible Vulnerability Disclosure in Cryptocurrencies" (https://cacm.acm.org/magazines/2020/10/247597), a Review Article in the October 2020 CACM.

By Rainer Böhme, Lisa Eckey, Tyler Moore, Neha Narula, Tim Ruffing, Aviv Zohar 
Communications of the ACM, October 2020, Vol. 63 No. 10, Pages 62-71
DOI: 10.1145/3372115

Despite being designed to operate in adversarial environments, cryptocurrencies have suffered a litany of security and privacy problems. Sometimes these issues are resolved without much fanfare following a disclosure by the individual who found the hole. In other cases, they result in costly losses due to theft, exploits, unauthorized coin creation, and destruction. These experiences provide regular fodder for outrageous news headlines. In this article, we focus on the disclosure process itself, which presents unique challenges compared to other software projects [15]. To illustrate, we examine some recent disclosures and discuss the difficulties that have arisen.

Key Insights:

  • Cryptocurrency software is complex and vulnerabilities can be readily, and anonymously, monetized.

  • Responsible vulnerability disclosure in cryptocurrencies is hard because decentralized systems, by design, give no single party authority to push code updates.

  • This review of case studies informs recommendations for preventing catastrophic cryptocurrency failures.
