Review Articles

Home , Augur (software), Fork (blockchain), Zerocoin protocol

review articles

DOI:10.1145/3372115 system is designed to achieve common Software weaknesses in cryptocurrencies security goals: transaction integrity and availability in a highly distributed sys- create unique challenges in responsible tem whose participants are incentiv- revelations. ized to cooperate.38 Users interact with the cryptocurrency system via software BY RAINER BÖHME, LISA ECKEY, TYLER MOORE, “wallets” that manage the cryptograph- NEHA NARULA, TIM RUFFING, AND AVIV ZOHAR ic keys associated with the coins of the user. These wallets can reside on a local client machine or be managed by an online service provider. In these applications, authenticating users and Responsible maintaining confidentiality of cryptographic key material are the central security goals. Exchanges facilitate trade Vulnerability between cryptocurrencies and between cryptocurrencies and traditional forms of money. Wallets broadcast cryptocur- Disclosure in rency transactions to a network of nodes, which then relay transactions to miners, who in turn validate and group Cryptocurrencies them together into blocks that are ap- pended to the blockchain. Not all cryptocurrency applications revolve around payments. Some cryptocurrencies, most notably Ethereum, support “smart contracts” in which general-purpose code can be executed with integrity assurances and recorded DESPITE THE FOCUS on operating in adversarial on the distributed ledger. An explosion of token systems has appeared, in environments, cryptocurrencies have suffered a litany which particular functionality is ex- of security and privacy problems. Sometimes, these pressed and run on top of a cryptocurrency.12 Here, the promise is that busi- issues are resolved without much fanfare following ness logic can be specified in the smart a disclosure by the individual who found the hole. In contract and confidently executed in a other cases, they result in costly losses due to theft, distributed fashion. The emergence of a vibrant ecosys- exploits, unauthorized coin creation, and destruction. tem of decentralized cryptocurrencies These experiences provide regular fodder for has prompted proposals that leverage outrageous news headlines. In this article, we focus on the underlying technology to construct new central bank currency2 and corpo- the disclosure process itself, which presents unique challenges compared to other software projects.15 To key insights illustrate, we examine some recent disclosures and ˽ Cryptocurrency software is complex and vulnerabilities can be readily, and discuss difficulties that have arisen. anonymously, monetized. While Bitcoin is the best known, more than 2,000 ˽ Responsible vulnerability disclosure in cryptocurrencies is hard because cryptocurrencies are in circulation, collectively decentralized systems, by design, 6 give no single party authority to push valued at $350 billion as of August 2020. Figure 1 code updates. conceptualizes the landscape as a stack. While the ˽ This review of case studies informs recommendations for preventing

details differ, at the lowest level, each cryptocurrency catastrophic cryptocurrency failures. FOUNDATION THE IMAGE BY ILLUSTRATION

62 COMMUNICATIONS OF THE ACM | OCTOBER 2020 | VOL. 63 | NO. 10 OCTOBER 2020 | VOL. 63 | NO. 10 | COMMUNICATIONS OF THE ACM 63 review articles

rate electronic money, such as Face- is potentially viewable on shared led- ventions adopted for general software book’s asset-linked Libra. This article gers in the blockchain systems on products in several ways. Two funda- focuses on existing decentralized cryp- which they transact. Some cryptocur- mental differences arise from the very tocurrencies. Some lessons discussed rencies employ advanced cryptograph- nature of cryptocurrencies. here could also inform the design and ic techniques to protect user privacy, First, the decentralized nature of operation of these prospective forms of but their added complexity often intro- cryptocurrencies, which must continu- digital money issued by public or pri- duces new flaws that threaten such pro- ously reach system-wide consensus on a vate legal entities. tections. single history of valid transactions, de- Bugs in cryptocurrencies. The crypto- Disclosures. Disclosures in crypto- mands coordination among a large ma- currency realm itself is a virtual “wild currencies have occurred in varying cir- jority of the ecosystem. While an indi- west,” giving rise to myriad protocols cumstances, from accidental discover- vidual can unilaterally decide whether each facing a high risk of bugs. Projects ies, through analysis by expert and how to apply patches to her client rely on complex distributed systems developers and academics, to observ- software, the safe activation of a patch with deep cryptographic tools, often ing successful exploits in the wild. In that changes the rules for validating adopting protocols from the research the rest of this article, we highlight the transactions requires the participation frontier that have not been widely vet- difficulties and subtleties that arise in of a large majority of system clients. Ab- ted. They are developed by individuals each case. The root causes of most of sent coordination, users who apply with varying level of competence (from the difficulties lie in the special nature patches risk having their transactions enthusiastic amateurs to credentialed of cryptocurrencies: they are based on ignored by the unpatched majority. experts), some of whom have not devel- distributed systems that were designed Consequently, design decisions oped or managed production-quality to be difficult to change in order to pro- such as which protocol to implement or software before. Fierce competition be- vide strong guarantees on their future how to fix a vulnerability must get sup- tween projects and companies in this behavior. In order to change these port from most stakeholders to take ef- area spurs rapid development, which rules, the consent of many participants fect. Yet no developer or maintainer often pushes developers to skip impor- is needed—participants who are often naturally holds the role of coordinating tant steps necessary to secure their co- anonymous, and who are organized bug fixing, let alone commands the au- debase. Applications are complex as loosely in communities without gov- thority to roll out updates against the they require the interaction between erning bodies or regulatory oversight. will of other participants. Instead, multiple software components (for ex- Here, we briefly highlight the differ- loosely defined groups of maintainers ample, wallets, exchanges, mining ences between conventional software usually assume this role informally. pools). The high prevalence of bugs is development and cryptocurrencies This coordination challenge is ag- exacerbated by them being so readily with regard to vulnerability disclosure, gravated by the fact that unlike “cre- monetizable. With market capitaliza- we identify key issues in the disclosure ative” competition often observed in tions often measured in the billions of process for cryptocurrency systems, the open source community (for exam- dollars, exploits that steal coins are si- and we formulate recommendations ple, Emacs versus vi), competition be- multaneously lucrative to cybercrimi- and pose open questions. tween cryptocurrency projects is often nals and damaging to users and other hostile. Presumably, this can be ex- stakeholders. Another dimension of How Is Disclosure Different? plained by the direct and measurable importance in cryptocurrencies is the Responsible vulnerability disclosure in connection to the supporters’ financial privacy of users, whose transaction data cryptocurrencies differs from the con- wealth and the often minor technical differences between coins. The latter is Figure 1. Components of the cryptocurrency architecture covered in this article. a result of widespread code reuse,28 which puts disclosers into the delicate User position of deciding which among Main security goals: many competing projects to inform re- Key management sponsibly. Due to the lack of formally Client software Online wallets • Conﬁdentiality defined roles and responsibilities, it is e.g., Wallets And exchanges • Authentication moreover often difficult to identify who to notify within each project. Further- Business logic more, even once a disclosure is made, Smart contracts • Integrity one cannot assume the receiving side e.g., Token systems • Authorization will act responsibly: information about vulnerabilities has reportedly been • Integrity (Safety) used to attack competing projects,18 in- Cryptocurrency systems • Availability (Liveness) fluence investors, and can even be used • Incentives (Fairness) by maintainers against their own users. Miner Miner Miner The second fundamental difference emerges from the widespread design Developer goal of “code is law,” that is, making code the final authority over the shared

64 COMMUNICATIONS OF THE ACM | OCTOBER 2020 | VOL. 63 | NO. 10 review articles system state in order to avoid (presum- tocurrencies is characterized by specif- ably fallible) human intervention. To ic features of the domain. The proponents, this approach should interpretation of system state as mon- eliminate ambiguity about intention, ey, with many exchanges linking it me- but it inherently assumes bug-free chanically to the conventional financial code. When bugs are inevitably found, The decentralized system, makes it easier and faster to fixing them (or not) almost guarantees nature of monetize bugs than for conventional at least someone will be unhappy with software, where vulnerability markets the resolution. This is perhaps best ex- cryptocurrencies, may exist but are known to be friction- emplified by the controversy around which must prone.23 Moreover, the cryptocurrency the DAO, an Ethereum smart contract ecosystem reflects conflicting world- with a reentrance bug that was exploit- continuously reach views, which prevent the establishment ed to steal coins worth around $50 mil- of basic norms of acceptable behavior. lion. After a community vote, the Ethe- system-wide For example, invalidating ransomware reum developers rolled out a patch to consensus on a payments via blacklisting has reignited reverse the heist, which (maybe surpris- the debate over censorship and the rule ingly) turned out to be controversial. single history of of law.26 While the patch was accepted by large valid transactions, Finally, we note a difference in em- parts of the ecosystem, it was strongly phasis over certain aspects of disclo- opposed by a minority of Ethereum us- demands sure. The conventional responsible dis- ers arguing that it is a direct violation of coordination among closure discussion has focused on the code-is-law principle, and the con- balancing users’ interests in defensive- troversy ultimately led to a split of the a large majority ly patching versus national security in- Ethereum system into two distinct of the ecosystem. terests of weaponizing vulnerabili- cryptocurrencies Ethereum and Ethe- ties,25,31 without regard to whether the reum Classic.1 Moreover, situations affected software is open or closed may arise where it is impossible to fix a source. By contrast, open source soft- bug without losing system state, possi- ware and code reuse are central to dis- bly resulting in the loss of users’ ac- closure issues in cryptocurrencies, count balances and consequently their whereas balancing national and indi- coins. For example, if a weakness is dis- vidual security considerations has so covered that allows anybody to effi- far not been widely discussed. ciently compute private keys from data Throughout the rest of the article, published on the blockchain,16 recovery we illustrate these differences with real becomes a race to move to new keys be- cases before we derive recommenda- cause the system can no longer tell au- tions and point to open problems. thorized users and attackers apart. This is a particularly harmful consequence Case Studies of building a system on cryptography We now review selected case studies of without any safety net. The safer ap- cryptocurrency vulnerability disclo- proach, taken by most commercial ap- sures, highlighting aspects that teach plications of cryptography but rejected us about the difficulties in response. in cryptocurrencies, places a third party We employ a multi-perspective method in charge of resetting credentials or in selecting and researching these cas- suspending the use of known weak cre- es, ranging from the authors’ direct ex- dentials. perience as disclosers, interviews with Ironically, these fundamental differ- developers and cryptocurrency design- ences stem from design decisions in- ers, and through public reports. Inter- tended to enhance security. Decentral- views with open-ended questions were ization is prized for eliminating single conducted by telephone, in-person or points of control, which could turn out by email. Attribution is given unless the to be single points of failure. Giving subject requested anonymity. The nov- code the final say is intended to pre- elty and heterogeneity of the problem serve the integrity of operations. How- precluded a more systematic approach, ever, what may benefit security at de- though we hope that those informed by sign time becomes a significant liability our findings can do so in future investi- after deployment once vulnerabilities gations. We investigate coins both are found. small and large, because even the top Besides these fundamental differ- coins have experienced severe bugs. ences, responsible disclosure for cryp- While the software development pro-

OCTOBER 2020 | VOL. 63 | NO. 10 | COMMUNICATIONS OF THE ACM 65 review articles

cesses for prominent coins are more culation by 37%. In principle, such at- Later in 2017, a team of researchers robust, the cases will show that all coins tacks can remain unnoticed due to the including author Ruffing found anoth- experience challenges to disclosure not zero-knowledge veil, but the sheer er vulnerability in Zcoin that allowed an seen in traditional software projects. number of coins created combined attacker to “burn” money in transit, Figure 2 presents a stylized timeline of with the attacker’s impatience eventu- that is, ensure no one, including the the cases presented. ally led to its discovery. Within hours, sender, recipient, and attacker, can fur- Cryptocurrency systems. Zcoin. We the Zcoin team demanded that trading ther spend the coins.30 Remarkably, the start with Zcoin, a relatively little halt at big exchanges, published a blog root cause of this vulnerability was an known cryptocurrency that has suf- post, and asked mining pools to sus- overlooked attack vector in the design fered from repeated disclosures. Zcoin pend processing zero-knowledge and security analysis of the underlying was the first to implement the Zerocoin transactions. A patch was released Zerocoin protocol. While money burn- protocol,22 which uses zero-knowledge within a day, but the zero-knowledge ing does not serve the attacker directly, proofs to enable untraceable transac- feature remained disabled, thereby the attacker could profit indirectly, for tions. In February 2017, an attacker ex- temporarily freezing all untraceable example, by betting on falling prices of ploited a typo in C++ code17 (using the funds. This issue was resolved after the affected cryptocurrency (short sell- equality operator ‘==’ instead of the as- four days when a “fork” altering the ing) and then publishing or exploiting signment operator ‘=’) to generate fundamental transaction validation the vulnerability. We have no evidence 403,050 coins out of thin air. The new rules was adopted by a majority of the that such short-selling activity did in- coins had a market value of $750,000 miners. Even so, the attacker was able deed take place. and inflated the currency supply in cir- to abscond with the loot. Having no cryptographer on its team, Zcoin hired Ruffing to provide Figure 2. Visualization of the vulnerabilities discussed in this article. advice and develop a patch. During the work, he identified two more vulnera- The blue bars represent the underlying coins and bilities,29 one enabling illegitimate coin their widths are proportional to their marketcap (for example, Coinmarketcap.org). The red bars visualize generation and one allowing theft of the discussed incidents from their introduction (flag) to money in transit. Both vulnerabilities their disclosure (wide bar) to their public announcement stemmed from bugs in libzerocoin, a (bell). The additional symbol is used whenever money was stolen, burnt or printed. prototype library written by the inven- tors of the Zerocoin protocol for the purpose of validating their research.

Money printed B Money stolen B Money burned Public notiﬁcation The Zcoin project had used that library as-is, despite the code’s prominent 2013 2014 2015 2016 2017 2018 2019 2020 warning that the authors “are releasing this dev version for the community to examine, test and (probably) break” network split and that there are things that they have Bitcoin Cash “inevitably done wrong.”21 shut Code reuse complicated the disclo- theft theft down sure process of the three vulnerabili- IOTA ties.29 Months after the initial notifica- B B tion, the discoverers found that more nd rd money burning (paper) 2 printing 3 printing than 1,600 public GitHub repositories money printing and theft (libzerocoin) Zcoin included verbatim copies of libzerocoin. Responsible and confidential money printing (paper) disclosure to so many recipients is in- Zcash feasible. Instead, the discoverers nar- rowed down the recipient set to less Parity wallet Smart contracts than 10 actual cryptocurrency projects, The DAO Ethereum B B four of which they deemed trustworthy B enough to be informed additionally. money printing None of the projects had a clearly de- money burning* * Monero fined contact point or process for han- dling vulnerabilities. network splitintroduced money printing Competition between projects pre- Bitcoin vented a coordinated response. For ex-

discovered ﬁxed ample, the notified project did not re- veal to the reporters which of their 2013 2014 2015 2016 2017 2018 2019 2020 competitors were also vulnerable. Co- ordination is essential because the first project to patch reveals the vulnerabili-

66 COMMUNICATIONS OF THE ACM | OCTOBER 2020 | VOL. 63 | NO. 10 review articles ty, leaving the others unprotected. One removed from websites and a cover sto- currency was actually exploited in this ry spun around the “loss” of this piece way, and ironically, Zcoin itself was tar- of information. The intention of this geted because the patch was not adopt- obscurity was to protect Zcash’s own in- ed quickly enough. Dealing with the terests and its users, as well as those of entire situation required tact and judg- Unlike bugs competing cryptocurrencies. On the ment by the discoverers, and the poten- in which downside, such long periods of obscu- tial for every mistake to be catastrophic rity may cast doubt on the trustworthi- furthers the discoverers’ burden. coins are created, ness of security claims in the future, As a result of the coin creation bugs, IOTA suffered and it remains unclear whether and to Zcoin improved continuous monitor- what extent the bug has been exploited. ing of aggregated balances, which led a vulnerability Monero. The opposite of internal to the discovery of another creation discovery is accidental public disclo- bug in April 2019. The project repeated that might have sure. This happened to Monero, the the notification process described ear- placed user funds most popular implementation of the lier, disabled the zero-knowledge fea- CryptoNote protocol.35 In September tures via an emergency fork, and in- at risk of theft. 2018, an interested user posted a formed three potentially affected seemingly innocuous question to an competitors. It took 10 days of investi- online forum: “What happens if some- gation before a project developer iden- body uses a one-time account twice?” tified the root cause in the design of the (paraphrased by the authors).7 Sur- Zerocoin protocol. Unlike a simple im- prisingly, there was no protection plementation bug, there was no obvi- against this action in the protocol. ous way to fix the problem. The proj- The revealed vulnerability allowed at- ect’s response was to migrate to an tackers to burn other people’s funds. entirely different zero-knowledge pro- The problem was fixed within 10 days tocol, suspending untraceable transac- without known incidents and publicly tions in the meantime and freezing the announced thereafter. affected funds until the new protocol A more serious vulnerability in the was deployed in July 2019.37 CryptoNote protocol affected all crypto- Zcash. Zcash, the commercial imple- currencies based on it. A post on a spe- mentation of the Zerocash protocol,3 cialized cryptography mailing list in improves on Zerocoin’s model for un- February 2017 revealed an issue, which traceable transactions. It too has suf- implied a coin generation vulnerability fered from similar issues.32 The propos- in CryptoNote’s basic cryptographic al for the used algorithm for generating scheme.20 The Monero team took note cryptographic material allowed a pa- and developed a patch within three rameter to be published that should days and shared it privately with pre- have remained secret. (Incidentally, a ferred parties, such as mining pools security proof was omitted because the and exchanges. The true purpose of the scheme was similar to a previous one patch was disguised in order to protect known to be secure.) The published the rest of the users who were running value could have been used to undetect- vulnerable clients. After a fork to the ably generate coins out of thin air. The validation rules that completely re- problem was discovered internally in solved the issue in Monero in April March 2018 and fixed after 240 days in 2017, the Monero team informed other conjunction with a scheduled upgrade CryptoNote coins privately. One such of the zero-knowledge protocol. Before coin, Bytecoin, was exploited immedi- and during the events the Zcash team ately afterward, resulting in the illegiti- had entered mutual disclosure agree- mate generation of 693 million coins.18 ments with the two largest competitors In a public disclosure that took place 15 who reuse Zcash code. These competi- days later, the Monero team described tors were notified two weeks after the the aforementioned process and fix with a schedule for public disclosure named unpatched competitors, includ- within a maximum of 90 days, which ing Bytecoin20 (though Bytecoin claims then took place in February 2019, al- that a patch had been issued to miners most one year after the discovery.32 Ob- immediately after the exploit18). Per- scurity played a key role in this event: versely, the public disclosure attracted not only was the fix hidden in a larger other investors to bid up the Bytecoin update, the critical parameter was also price. Its market capitalization grew

OCTOBER 2020 | VOL. 63 | NO. 10 | COMMUNICATIONS OF THE ACM 67 review articles

five-fold, briefly jumping into the top 10 change-logs of Bitcoin Cash’s main im- ther bug could be exploited before cryptocurrencies by value. It remains plementation in April 2018.10 There he making the disclosure public on the unclear who exploited the bug, but By- noticed that a sensitive piece of code bitcoin-dev mailing list. They did not tecoin holders certainly benefited from dealing with transaction validation had notify anyone of the inflation bug until the price rise. been improperly refactored, causing a the network had been upgraded. Third, IOTA. Unlike bugs in which coins are vulnerability. It would allow an attacker the disclosure involved deliberate de- created, IOTA suffered a vulnerability to split the Bitcoin Cash network, there- ception of users: the Bitcoin developers that might have placed user funds at by compromising the consistency re- published a patch describing it as only risk of theft. Contrary to the best prac- quired for a cryptocurrency to operate. fixing the denial-of-service issue. This tice of using standardized cryptograph- As Fields noted, bugs like this cause downplayed the severity of the bug, ic primitives, IOTA relied on a custom systemic risk: if exploited, they could while at the same time motivating a hash function that had a collision sink a cryptocurrency. The large prompt upgrade. This gave Bitcoin us- weakness.14 Author Narula and col- amounts of money at risk prompt dis- ers and other affected cryptocurrencies leagues disclosed the vulnerability to closers to take precautions. In this case, time to adopt the fix, albeit with grum- the developers in July 2017. The vulner- to protect his own safety, Fields chose to bling about the sudden public release. ability was patched by IOTA in August remain anonymous.10 The patching This highlights both a benefit and a 2017 and made public by the disclosers went smoothly, but we do not know if it downside to employing white lies in the in September 2017,13 offering several would have been more contentious had disclosure process. lessons about the disclosure process. he revealed his identity. Moreover, dis- Silence is an alternative to white lies. First, the vulnerability was fixed and coverers may want to demonstrate they The Bitcoin team took this option after deployed to the network quite quickly. behaved ethically, for example, that an internal discovery in 2014. Bitcoin On one hand, this is good because the they sent a report to the developers. One suffered from an inconsistency be- potential vulnerability window is small- possible mechanism is to encrypt the tween different versions of the OpenS- er. On the other hand, the speedy re- report with the developers’ public key SL library. The 32-bit version was more sponse was made possible due to the and publish the ciphertext and draw the tolerant in accepting variants of digital project’s high level of control over the developer’s attention to it. This would signatures than the 64-bit version, network, which runs contrary to the de- require developers to provide public which could cause a loss of consistency sign goals of decentralized cryptocur- keys along with their security contact if a signature is accepted only by the rencies. Such control further allowed and have internal processes to handle subset of nodes running on 32-bit. The the operators to shut down its network incoming messages. Surprisingly, at the mitigation turned into a year-long or- to prevent theft from a vulnerable wal- time Bitcoin Cash, a top-10 cryptocur- deal. Fixing OpenSSL was not an op- let for several weeks in early 2020. rency worth billions of dollars, did not tion, hence the stricter signature for- The second lesson is that organiza- (though now they do). In our interview, mat had to be enforced in the Bitcoin tions may not respond favorably to a Fields stressed he found it difficult to codebase. Changes were made subtly disclosure. Here, communications figure out what was the right thing to do. and gradually in order to avoid drawing were tense, the existence and risk of the What helped him was to imagine the attention on the relevant piece of code. vulnerability was denied and down- situation with swapped roles. Users upgraded organically over a peri- played, and the discoverers were threat- Bitcoin. A few months later, a devel- od of 10 months. The bug was made ened with lawsuits. The response oper from Bitcoin Cash disclosed a bug public when more than 95% of the min- echoes industry reactions to vulnerabil- to Bitcoin (and other projects) anony- ers had patched.36 ity disclosures related to digital rights mously. Prior to the Bitcoin Cash Smart contracts. Some cryptocur- management decades before.19 In the schism, an efficiency optimization in rencies, most prominently Ethereum, cryptocurrency case, there is a clear po- the Bitcoin codebase mistakenly support “smart contracts.” These are tential incentive conflict when the orga- dropped a necessary check. There were computer programs anyone can store nization holds a large share of the coins actually two issues: a denial-of-service on a shared blockchain, which then and reasonably worries that the news bug and potential money creation.8 It purports to guarantee correct execu- could devalue holdings or prevent part- was propagated into numerous crypto- tion. Contracts can receive, store, and nerships that might increase the value currencies and resided there for al- send coins to users or other contracts of holdings. Moreover, information most two years but was never exploited according to their programmed logic. about the bug could be exploited for in Bitcoin. Smart contracts pose two further chal- profit by those possessing inside infor- This case teaches us three lessons: lenges to disclosure and patching. mation about its existence prior to pub- First, even the most watched cryptocur- First, there is no club of miners whose lic disclosure. rencies are not exempt from critical incentives are aligned with the func- Bitcoin Cash. Not to be confused bugs. Second, not all cases should be tioning of a specific contract. There- with Bitcoin, “Bitcoin Cash” is derived communicated to everyone in the net- fore, relying on miners as allies to sup- from Bitcoin’s codebase and was creat- work at the same time. The Bitcoin de- port smooth disclosure is usually not ed due to disagreements within the eco- velopers notified the miners control- an option (though we will discuss an system. Cory Fields, a contributor to the ling the majority of Bitcoin’s hashrate exception). Second, the code is not up- predominant implementation of Bit- of the denial-of-service bug first, mak- dateable by design to demonstrate coin, Bitcoin Core, was examining ing sure they had upgraded so that nei- commitment to the rules of operation,

68 COMMUNICATIONS OF THE ACM | OCTOBER 2020 | VOL. 63 | NO. 10 review articles hence the contract analogy. This may 2017. The vulnerable contract imple- cases of responsible disclosures of vul- turn disastrous if the code contains mented a multi-signature wallet, a nerabilities in smart contracts. bugs because machines, unlike arbitra- mechanism that promises superior tors of real contracts, have no room for protection against theft compared to Recommendations interpretation. standard wallets. Intended uses in- and Open Questions The DAO. The most famous example clude “corporate” accounts storing While best practices in secure software of a buggy contract is the DAO (short for high value, such as the proceeds from engineering and responsible disclo- Decentralized Autonomous Organiza- initial coin offerings (ICOs). An anony- sure15 are increasingly adopted in the tion), the first code-controlled venture mous attacker observed a discrepancy cryptocurrency space, there always refund. Widely endorsed by an enthusias- between the published and reviewed mains a residual risk of damaging vul- tic Ethereum community, in spring source code and the binary code, which nerabilities. Therefore, norms and 2016 the DAO project collected user was deployed for each of 573 wallets eventually laws for responsible disclo- funds and stored them in a smart con- and omitted an essential access control sure must emerge. What follows is a tract. Its visible balance of $250 million step. This enabled a theft of coins worth first step toward that end. Our synthesis (15% of all available coins at the time) $30 million from three accounts. Parity of what can be learned from the cases is made it a highly attractive target. It discovered the attack as it was ongoing structured along three central issues of prompted scrutiny from security re- and published an alert. This would responsible disclosure: how to protect searchers who raised concerns,9 the have enabled attentive users to rescue users, who to contact, when and how; closest activity to disclosure in the their funds (exploiting the same vulner- and, how to reward the discoverer. The smart contract space we have seen. ability) in a race against the attacker accompanying table sums up the rec- Three weeks later, an anonymous at- and imitators. At this point, a total of ommendations outlined in this section. tacker managed to withdraw more than another $150 million was essentially How to protect users. Discoverer 3.5 million coins (about $50 million) il- free to be picked up by anyone.33 As ex- safety. If the vulnerability can make legitimately from the DAO smart con- pected, many users reacted slowly and parties who may operate beyond the tract.1 The attacker’s trick involved found their funds missing. It turned law substantially richer or poorer, the making a small investment in the DAO, out that a group of civic-minded indi- discoverer’s personal safety should be then withdrawing and thereby exploit- viduals has taken the funds in custody considered.10 Death threats are not un- ing a re-entrance vulnerability in the in order to protect users and return heard of. Confidentially sharing the refund mechanism. (The contract’s them in a safe way. This example raises vulnerability with others the discoverer bug was to not decrease the balance be- the question if protective appropriation trusts (professional colleagues, nota- fore sending coins, which in Ethereum of funds is legal or should even be ex- ries or the police) might reduce this passes control to the receiving party.) pected from discoverers. risk. Sealed envelopes, or their digital This exploit set off a vigorous debate Users who nevertheless continued variants such as time-locked encryp- over whether or not this behavior was to trust the Parity wallet software were tion or secret sharing schemes, lessen abusive, since the code technically al- less lucky following a second incident. the risk of unintended leakage. In addi- lowed the interaction. The Ethereum platform has a fuse tion, anonymous reporting may also The DAO incident could have been mechanism that irrevocably disables reduce stress and tension. However, an example of an irreversible change of code at a given address. In November note that if the vulnerability is exploit- system state. However, the exceptional 2017, a user (allegedly) inadvertently in- ed, any proof the discloser knew of the scale of the project and the involvement voked this mechanism on a library ref- vulnerability before its exploit could be of the Ethereum community triggered a erenced in 584 intentionally non-up- used as evidence the discloser was the historic vote between miners to sup- datable contracts of the next-generation attacker. port a fork of the underlying cryptocur- Parity wallet. A total of $152 million was Addressing vulnerable funds. If a vul- rency in order to “restore” the invest- burned.34 This time, no one intervened, nerability means that anyone can steal ments in the DAO contract. This presumably because the loss concerned money from an account, should civic- intervention was highly controversial only 0.5% of all coins. minded defenders proactively steal to as it thwarted the very idea of immuta- We close by noting that as of this protect funds, like in the Parity wallet ble transactions, causing a group of writing, we are not aware of any major case? This touches on unresolved legal purists to create a parallel instance, called Ethereum Classic, that was not Synthesis of recommendations. rolled back. In hindsight, the incident raised the alarm to the smart contract Provide point of contact including public key Dos community about the looming security Liaise with competitors who share code Single out vulnerable competitors issues. Today’s contracts cannot hope Don'ts Bug bounties in your own coin for miner-enforced rollbacks because Use obscurity and white lies during disclosure the uptake of the platform has diversi- Depends Notify all affected projects unless there is conflict fied interests. Built-in notification and feature “kill” switches Clarify right or obligation to preventively move vulnerable funds Need for action Parity wallet. Another example of a Establish clearinghouse and coordinator fund recovery, albeit partially successful, followed the Parity exploit in July

OCTOBER 2020 | VOL. 63 | NO. 10 | COMMUNICATIONS OF THE ACM 69 review articles

questions. If “code is law” is the guid- the question of how to contact the transport of stolen funds. In other in- ing principle, moving vulnerable funds trusted party who takes the precaution stances, wallet developers must be noti- must be legal. But courts are bound to remains. fied first, in order to deploy patches to real-world norms which differ across Who to contact, when, and how. Pro- their software. It is good practice to jurisdictions and circumstances. For vide clear points of contact. Many crypto- publish an advisory detailing the course example, in many places only law en- currencies are designed to avoid relying of events and clarify any obfuscation or forcement can legally expropriate prop- on privileged parties with substantial lies after the risk is mitigated. This erty, including crypto coins. Elsewhere, control. Yet this is in effect required to transparency could mitigate the ero- disclosers could be obligated to inter- support responsible disclosure. It can sion of trust resulting from deception. vene rather than stand by and allow a be difficult to determine who is “in Coordination among multiple re- crime to take place. To give the discov- charge” (assuming anyone is) and who sponders. As illustrated in the cases ex- erer legal certainty, it is essential to set- can fix the bug. Best practices recom- plored here, vulnerabilities often affect tle the basic question whether the dis- mend that developers provide clear multiple projects. It is up to the discov- coverer could face legal consequences points of contact for reporting security erer to decide where to send the report. if she takes such precautions or break bugs, including long-term public keys.11 The reporter should be transparent the law if she has the power and does Developers who reuse code are advised about who has been informed. The dis- not. If opting to leave the matter to law to publish alongside their own contact coverer can work with the responders enforcement, other complications information that of the original code to to ensure that everyone affected has arise: Which law enforcement agency aid the search for affected projects. been notified. Coordination among re- has jurisdiction and sufficient authori- Identifying the responder. All commu- sponders is essential. Patches should ty and is allowed to act? Do all law en- nication by the discoverer should serve be deployed as simultaneously as pos- forcement agencies possess the techni- the end of fixing the bug. This means sible across affected projects, since the cal capability to intervene in time? the discoverer must notify the party patching and publication of vulnerabil- Preparing the system for disclosure. who is in the best position to solve the ity information would leave others ex- Given the inevitability of vulnerabili- problem. For example, if the vulnerabil- posed if no precautions were taken. In ties, one strategy is to implement fea- ity affects the cryptocurrency’s core im- some circumstances, the responders tures in the cryptocurrency itself to au- plementation, then the developers are are competitors, and their attitudes to- tomatically notify affected users of the natural responders. There is a long ward one another range from suspicion significant problems. In fact, Bitcoin history of bugs in exchanges,24 in which to hostility. used to have such an alert system, case they would respond. It is impor- Dealing with untrustworthy respond- which enabled trusted actors to dis- tant to note that once the responder ers. While in the traditional security seminate messages to all users and has taken responsibility, the discoverer world, it is considered not only com- even suspend transactions. Such alert should adopt a “need-to-know” prac- mon courtesy but professionally and systems prompt difficult questions of tice until the risk is mitigated. Some- ethically required to inform other proj- their own, like who can be trusted with times the natural choice for responder ects about vulnerabilities before dis- that authority in a decentralized sys- is missing or untrustworthy. In this closing their existence publicly. In the tem? Also, the alert system itself could case, the discoverer can also serve as re- cryptocurrency world, one must adopt a become the target of attack, in much sponder, or delegate the responsibility more adversarial mindset. If the discov- the same way that an Internet “kill to a third party. erer does not find a trustworthy re- switch” could create more security Responder communication with stake- sponder, she can take on that responsi- problems than it solves. Incidentally, holders. Given the decentralized nature bility. While one might not expect the Bitcoin itself abandoned the alert sys- of cryptocurrencies, the responder is discoverer to fix the bug, she could tem over such concerns.4 A similar idea usually not in a position to unilaterally nonetheless take steps to protect users. is to incorporate a mechanism to turn act to fix the bug. Instead, the respond- The situation is further complicated off particular features if significant vul- er must seek stakeholders’ support. when multiple projects share a prob- nerabilities are later found. Dash utiliz- This means communicating the right lem, and some are not trustworthy or es such a system that lets the holder of a messages at the right time. It could be are hostile toward each other. It is un- secret key turn features on and off at dangerous to tell the full truth right reasonably burdensome for a discover- will.27 PIVX supports a similar mecha- away, so the message may justifiably in- er to adjudicate such conflicts. Re- nism to disable zero-knowledge trans- clude obfuscation or even white lies. sponders can make a best effort to actions, which proved useful during the Different stakeholders might require identify affected parties (for example, Zerocoin disasters. varying levels of detail at particular searching for coins sharing common Despite the benefits such features points in time. For bugs that require codebases) and notify accordingly. This bring, they contradict the design phi- certain transactions to be mined for points to the need for developing a losophy of decentralization and might successful exploitation, the responder clearinghouse, à la CERT/CC. expose the privileged party to law en- might encourage miners to upgrade External authorities. Banks, payment forcement requests. Supposing a cryp- first in order to deploy a fix as fast as processors, and other key financial in- tocurrency could overcome these chal- possible. Exchanges can suspend trad- stitutions are often required to report lenges and develop mechanisms for ing in order to limit price shocks as bad vulnerabilities to banking regulators, disseminating protective instructions, news breaks, or aid in blocking the who can coordinate the response if

70 COMMUNICATIONS OF THE ACM | OCTOBER 2020 | VOL. 63 | NO. 10 review articles

needed. There is no current equivalent This work is partially funded by: Ar- Proceedings of the Workshop on the Economics of Information Security. Carnegie Mellon University, for cryptocurrencies, and it is unclear chimedes Privatstiftung, Innsbruck, Pittsburgh, PA, 2007. under which jurisdiction such a thing U.S. National Science Foundation 24. Moore, T., Christin, N. and Szurdi, J. Revisiting the risks of Bitcoin currency exchange closure. would reside. Should some global re- Award No.~ 1714291, ISF grant 1504/17, ACM Trans. Internet Technology 18, 4 (2018), porting agency of this nature be HUJI Cyber Security Research Center 50:1–50:18. 25. Moore, T., Friedman, A. and Procaccia, A. Would formed? If so, how might it successfully Grant, DFG grants FA 1320/1-1 (Emmy a ’cyber warrior’ protect us: Exploring trade-offs operate given a community whose com- Noether Program) and SFB 1119— between attack and defense of information systems. In Proceedings of the New Security Paradigms mon ground is removing the need for 236615297 (Crossing), and BMBF grant Workshop. A.D. Keromytis, S. Peisert, R. Ford and C. central parties? An external body mod- 16KIS0902 (iBlockchain). Gates, Eds. ACM, 2010, 85–94; https://tylermoore. utulsa.edu/nspw10.pdf eled on CERT/CC might serve as a use- 26. Möser, M. and Narayanan, A. Effective cryptocurrency regulation through blacklisting, 2019; https:// References ful starting point. A less formal and maltemoeser.de/paper/blacklisting-regulation.pdf. 1. Atzei, N., Bartoletti, M. and Cimoli, T. A survey of 27. Multi-Phased Fork. Glossary item in developer more decentralized example to consid- attacks on Ethereum smart contracts. In Proceedings documentation. Dash project, 2017; https://dash-docs. of the Principles of Security and Trust. M. Maffei and M. er is iamthecalvary.org, an initiative github.io/en/glossary/spork. Ryan, Eds. LNCS 10204 (2017), Springer, 164–186. 28. Reibel, P., Yousaf, H. and Meiklejohn, S. An exploration bringing together security researchers 2. Bech, M. and Garratt, R. Central bank of code diversity in the cryptocurrency landscape. In cryptocurrencies. BIS Quarterly Rev. 9 (2017), 55–70. with medical device manufacturers to Proceedings of the 2019 Financial Cryptography and 3. Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Data Security Conf. I. Goldberg and T. Moore, eds. promote responsible vulnerability dis- Miers, I. and Virza, M. Zerocash: Decentralized 29. Ruffing, T., Thyagarajan, S., Ronge, V. and Schröder, anonymous payments from Bitcoin. In Proceedings of closure and remediation. D. A cryptographic flaw in Zerocoin (and two critical the IEEE Symp. on Security and Privacy, 2014. coding issues). Blog post, 2018; https://bit.ly/2WAib2B How to reward the discoverer. The 4. Bishop, B. Alert key disclosure. Bitcoin development 30. Ruffing, T., Thyagarajan, S., Ronge, V. and Schröder, mailing list; https://lists.linuxfoundation.org/pipermail/ article has shown that disclosing a cryp- D. (Short Paper) Burning Zerocoins for fun and for bitcoin-dev/2018-July/ 016189.html. profit—A cryptographic denial-of-spending attack tocurrency vulnerability and reacting 5. Böhme, R. A comparison of market approaches to on the Zerocoin protocol. In Proceedings of the software vulnerability disclosure. Emerging Trends responsibly is very burdensome. Inter- Crypto Valley Conf. on Blockchain Technology, (Zug, in Information and Communication Security. G. Switzerland, June 20–22, 2018). IEEE, 116–119; viewees have reported sleepless nights Müller, Ed. LNCS 3995 (2006). Springer, Berlin https://doi.org/10.1109/CVCBT.2018.00023 Heidelberg, 298–311. and fears for their safety, which in turn 31. Schwartz, A. and Knake, R. Government’s Role in 6. CoinMarketCap. Global charts, 2019; Vulnerability Disclosure. Harvard Kennedy School has altered their professional collabo- https://coinmarketcap.com/charts/. discussion paper, 2016. 7. dEBRUYNE. A post mortem of the Burning Bug, 32. Swihart, J., Winston, B., and Bowe, S. Zcash rations and friendships. The alterna- 2018; https://web.getmonero.org/2018/09/25/a-post- counterfeiting vulnerability successfully remediated. mortum-of-the-burning-bug.html. tive to profit from the vulnerability, po- Blog post, 2019; https://bit.ly/2YDO790/. 8. Bitcoin Core Developers. CVE-2018-17144 Full 33. Parity Technologies. The multi-sig hack: A tentially anonymously, is tempting. Disclosure; https://bitcoincore.org/en/2018/09/20/ postmortem, 2017; https://www.parity.io/the-multi- notice/. This is why cryptocurrencies specifical- sig-hack-a-postmortem/. 9. Dino, M., Zamfir, V. and Sirer, G.E. A call for a 34. Parity Technologies. A postmortem on the parity ly cannot expect altruistic behavior and temporary moratorium on the DAO. Blog post; multi-sig library self-destruct, 2017; https://www. http://hackingdistributed.com/ 2016/05/27/ must instead incentivize responsible parity.io/ a-postmortem-on-the-parity-multi-sig- dao-call-for-moratorium/. 11 library-self-destruct/. disclosure. 10. Fields, C. Responsible disclosure in the era of 35. van Saberhagen, N. CryptoNote v 2.0. White Paper, cryptocurrencies. Blog post, 2018; https://bit.ly/3cgSdYs Bug bounties offer an established 2013; https://cryptonote.org/whitepaper.pdf. 11. Fields, C. and Narula, N. Reducing the risk of 5 36. Wuille, P. Disclosure: Consensus bug indirectly solved way to reward those who find bugs. It catastrophic cryptocurrency bugs. Blog post, 2018; by BIP66. Bitcoin development mailing list, 2015; https://bit.ly/2SKbd9Y. stands to reason they would be a natu- https://bit.ly/2zeC5rX. 12. Fröwis, M., Fuchs, A. and Böhme, R. Detecting token 37. Yap, R. Further disclosure on Zerocoin vulnerability. ral fit for cryptocurrencies, given they systems on Ethereum. In Proceedings of the Financial Blog post, 2019; https://zcoin.io/further-disclosure-on- Cryptography and Data Security. I. Goldberg and T. have a built-in payment mechanism. zerocoin-vulnerability/. Moore, Eds. 2019. 38. Zohar, A. Bitcoin: Under the hood. Commun. ACM 58, 9 However, denominating the reward in 13. Heilman, E., Narula, N., Dryja, T. and Virza, M. (Sept. 2015), 104–113. its own currency is problematic, since IOTA vulnerability report: Cryptanalysis of the curl hash function enabling practical signature forgery its value might diminish as a result of attacks on the IOTA cryptocurrency, 2017; https:// Rainer Böhme ([email protected]) is a professor github.com/mit-dci/tangled-curl/blob/master/ disclosing the vulnerability, and you of computer science at Universität Innsbruck, Austria. vuln-iota.md. are effectively rewarding the discloser 14. Heilman, E., Narula, N., Tanzer, G., Lovejoy, J., Colavita, Lisa Eckey ([email protected]) is a M., Virza, M. and Dryja, T. Cryptanalysis of curl-p and cryptographer at TU Darmstadt, Germany. in a currency which she just found to be other attacks on the IOTA cryptocurrency. IACR buggy. Other approaches are possible— Cryptology ePrint archive report 2019/344; https:// Tyler Moore ([email protected]) is the Tandy for example, Augur (a smart contract eprint.iacr.org/2019/344. Professor of Cyber Security and Information Assurance at 15. Householder, A., Wassermann, G., Manion, A. and The University of Tulsa, OK, USA. market platform) is experimenting King, C. The CERT Guide to Coordinated Vulnerability with exploit derivatives. It is not unrea- Disclosure. Special Report CMU/SEI-2017-SR-022. Neha Narula ([email protected]) is Director, Digital 16. Hutchinson, L. All Android-created Bitcoin wallets Currency Initiative, MIT, Cambridge, MA, USA. sonable to think that the cryptocurren- vulnerable to theft. Ars Technica, 2018; https://bit. ly/2SMHiy5 /. Tim Ruffing ([email protected]) is a cryptographer at cy community might innovate a solu- 17. Insom, P. Zcoin’s Zerocoin bug explained in detail. Blockstream. tion that could be a model for the Blog post, 2017; https://zcoin.io/zcoins-zerocoin-bug- explained-in-detail/. Aviv Zohar ([email protected]) is an associate professor broader software community. Never- 18. Juarez, A.M. Fraudulent transactions allowed by the of computer science at Hebrew University Jerusalem, theless, monetary rewards must com- CryptoNote key image bug remain valid. Archived Israel. version of Bytecoin GitHub; https://bit.ly/2WbYkrn. plement and cannot substitute for 19. Lok, C. Dispute over digital music muzzles academic. healthy norms and a culture that wel- Nature 411, 6833 (2001), 5. Copyright held by authors/owners. 20. luigi1111 and Riccardo “fluffypony” Spagni. Disclosure Publications rights licensed to ACM. comes vulnerability disclosure. of a major bug in CryptoNote based currencies. Blog post, 2017; https://bit.ly/2xHiTmb. Acknowledgments. This article is a 21. Miers, I. README of libzerocoin, 2013; https://bit. result of a breakout group at the Dag- ly/2L94ORJ. 22. Miers, I., Garman, C., Green, M. and Rubin, A. stuhl Seminar 18461, “Blockchain Se- Zerocoin: Anonymous distributed e-cash from Watch the authors discuss curity at Scale.” The authors thank C. Bitcoin. In Proceedings of the 2013 IEEE Symp. on this work in the exclusive Security and Privacy. Communications video. Fields, M. Fröwis, P. van Oorschot, and 23. Miller, D. The legitimate vulnerability market: https://cacm.acm.org/videos/ their interview partners. Inside the secretive world of 0-day exploit sales. In vulnerability-disclosure

OCTOBER 2020 | VOL. 63 | NO. 10 | COMMUNICATIONS OF THE ACM 71