The Bitcoin SV (BSV) community is committed to the “Satoshi Vision” for delivering a secure and scalable Bitcoin network that supports the world’s new money and use as the global enterprise blockchain. As part of its commitment to professionalise the Bitcoin development process, the Bitcoin SV Node implementation team engaged the services of Trail of Bits, a leading cybersecurity research company with expertise in blockchain technologies, to perform a security audit of the Bitcoin SV Node implementation source code. The security audit revealed multiple vulnerabilities that Bitcoin SV did not itself cause but likely inherited from the Bitcoin Core (BTC) and thus Bitcoin ABC software for Bitcoin Cash (BCH) from which the Bitcoin SV were forked. However, Bitcoin SV’s audit and professionalised approached to security has now helped all these major blockchains resolve the vulnerabilities.
A full security audit requires significant time and cost to perform, but the Bitcoin SV Node implementation team did so (with financial support from its partners at CoinGeek) as a critical step to bring more professionalism to the Bitcoin ecosystem. We believe this is the first time any Bitcoin node implementation has ever been security audited in the 10-year history of Bitcoin.
After conducting its security audit, Trail of Bits reported numerous findings. The Bitcoin SV Node implementation team considered three of these findings to be significant enough to warrant responsible and confidential disclosure to other potentially affected Bitcoin implementations – specifically to implementations for the Bitcoin Core (BTC) and Bitcoin Cash (BCH) chains which compete against BSV.
The three vulnerabilities have been rated as medium severity with low difficulty to exploit and expose the Bitcoin node software to Denial of Service attacks resulting in a high overall risk rating. The Bitcoin SV Node implementation team disclosed the details of these vulnerabilities to other Bitcoin implementations (for Bitcoin Core and Bitcoin Cash) on 10 January 2019, requesting full confidentially until 11 February 2019 and that detailed information about the vulnerabilities be kept confidential until 1 March 2019. This process follows industry best practice by providing sufficient time for development teams to release and deploy updated software before the details of the vulnerabilities become public knowledge.
The details of the vulnerabilities were disclosed to the software development teams of Bitcoin Unlimited, Bitcoin XT, Bitcoin ABC, and Bitcoin Core. An analysis of the vulnerable portions of the source code indicated that these software implementations may be affected by these vulnerabilities – most likely because the vulnerabilities first existed in the Bitcoin Core software before it was forked by Bitcoin ABC to create ABC (an implementation for Bitcoin Cash), and before Bitcoin SV thus inherited these vulnerabilities from Bitcoin ABC.
1) The first vulnerability, CVE-2018-1000891, would enable an attacker to send specially crafted network packets to the target node which would needlessly consume large amounts of processor and network resources. The attack could result in a Denial of Service by exhausting processor and network resources and would not be detected or prevented by the software.
2) The second vulnerability, CVE-2018-1000892, would similarly enable an attacker to send specially crafted network packets which would needlessly consume large amounts of processor and network resources. The attack could result in a Denial of Service by exhausting processor and network resources and would not be detected or prevented by the software.
3) The third vulnerability, CVE-2018-1000893, would also enable an attacker to send specially crafted network packets which would needlessly consume large amounts of memory resources. The attack could result in a Denial of Service by exhausting memory resources and causing system failure. The attack would not be detected or prevented by the software.
For Bitcoin SV, these vulnerabilities were addressed in release 0.1.1 of the Bitcoin SV Node implementation which was released on 11 February 2019.
Bitcoin SV Node Lead Developer Daniel Connolly remarked:
“By organising this security audit (with funding by CoinGeek) and by sharing the results in a responsible and secure manner, the Bitcoin SV Node team, nChain and our partners at CoinGeek demonstrate our commitment to increase the quality of Bitcoin software and professionalise the engineering process.”
Even though the Bitcoin SV Node implementation team did not create these vulnerabilities and likely inherited them from Bitcoin Core and Bitcoin ABC, its groundbreaking approach to apply software industry best practices to Bitcoin node development has now also benefited the competing Bitcoin Core and Bitcoin Cash ecosystems.
The Bitcoin SV Node reference implementation is a project of the Bitcoin Association. The Bitcoin Association’s Founding President Jimmy Nguyen observed:
“As I’ve said before, it’s time for Bitcoin to grow up and professionalise. This security audit is a big step in that direction, because no other Bitcoin project is taking such a comprehensive approach to security. The results and improvements exemplify how the Bitcoin SV Node team is taking steps to prepare Bitcoin SV to have the reliability needed to become the world’s new money and the global enterprise blockchain. It also demonstrates that Bitcoin SV is now leading the Bitcoin industry, even helping other projects that deviated from the Satoshi Vision for Bitcoin.”