Responsible Vulnerability Disclosures in Cryptocurrencies
By Rainer Böhme, Lisa Eckey, Tyler Moore, Neha Narula, Tim Ruffing, Aviv Zohar
Communications of the ACM, October 2020, Vol. 63 No. 10, Pages 62-71
10.1145/3372115
Despite the focus on operating in adversarial environments, cryptocurrencies have suffered a litany of security and privacy problems. Sometimes, these issues are resolved without much fanfare following a disclosure by the individual who found the hole. In other cases, they result in costly losses due to theft, exploits, unauthorized coin creation, and destruction. These experiences provide regular fodder for outrageous news headlines. In this article, we focus on the disclosure process itself, which presents unique challenges compared to other software projects [15]. To illustrate, we examine some recent disclosures and discuss difficulties that have arisen.
Key Insights:
Cryptocurrency software is complex and vulnerabilities can be readily, and anonymously, monetized.
Responsible vulnerability disclosure in cryptocurrencies is hard because decentralized systems, by design, give no single party authority to push code updates.
This review of case studies informs recommendations for preventing catastrophic cryptocurrency failures.