The BSV blockchain (BSV) community is committed to the “Satoshi Vision” for delivering a secure and scalable Bitcoin network that supports the world’s new money and use as the global enterprise blockchain. As part of its commitment to professionalise the Bitcoin development process, the BSV Node implementation team engaged the services of Trail of Bits, a leading cybersecurity research company with expertise in blockchain technologies, to perform a security audit of the BSV Node implementation source code. The security audit revealed multiple vulnerabilities that BSV did not itself cause but likely inherited from the Bitcoin Core (BTC) and thus Bitcoin ABC software for Bitcoin Cash (BCH) from which the BSV were forked. However, BSV’s audit and professionalised approached to security has now helped all these major blockchains resolve the vulnerabilities.
A full security audit requires significant time and cost to perform, but the BSV Node implementation team did so (with financial support from its partners at CoinGeek) as a critical step to bring more professionalism to the Bitcoin ecosystem. We believe this is the first time any Bitcoin node implementation has ever been security audited in the 10-year history of Bitcoin.
After conducting its security audit, Trail of Bits reported numerous findings. The BSV Node implementation team considered three of these findings to be significant enough to warrant responsible and confidential disclosure to other potentially affected Bitcoin implementations – specifically to implementations for the Bitcoin Core (BTC) and Bitcoin Cash (BCH) chains which compete against BSV.
The three vulnerabilities have been rated as medium severity with low difficulty to exploit and expose the Bitcoin node software to Denial of Service attacks resulting in a high overall risk rating. The BSV Node implementation team disclosed the details of these vulnerabilities to other Bitcoin implementations (for Bitcoin Core and Bitcoin Cash) on 10 January 2019, requesting full confidentially until 11 February 2019 and that detailed information about the vulnerabilities be kept confidential until 1 March 2019. This process follows industry best practice by providing sufficient time for development teams to release and deploy updated software before the details of the vulnerabilities become public knowledge.
The details of the vulnerabilities were disclosed to the software development teams of Bitcoin Unlimited, Bitcoin XT, Bitcoin ABC, and Bitcoin Core. An analysis of the vulnerable portions of the source code indicated that these software implementations may be affected by these vulnerabilities – most likely because the vulnerabilities first existed in the Bitcoin Core software before it was forked by Bitcoin ABC to create ABC (an implementation for Bitcoin Cash), and before BSV thus inherited these vulnerabilities from Bitcoin ABC.
1) The first vulnerability, CVE-2018-1000891, would enable an attacker to send specially crafted network packets to the target node which would needlessly consume large amounts of processor and network resources. The attack could result in a Denial of Service by exhausting processor and network resources and would not be detected or prevented by the software.
2) The second vulnerability, CVE-2018-1000892, would similarly enable an attacker to send specially crafted network packets which would needlessly consume large amounts of processor and network resources. The attack could result in a Denial of Service by exhausting processor and network resources and would not be detected or prevented by the software.
3) The third vulnerability, CVE-2018-1000893, would also enable an attacker to send specially crafted network packets which would needlessly consume large amounts of memory resources. The attack could result in a Denial of Service by exhausting memory resources and causing system failure. The attack would not be detected or prevented by the software.
For BSV blockchain, these vulnerabilities were addressed in release 0.1.1 of the BSV Node implementation which was released on 11 February 2019.
BSV Node Lead Developer Daniel Connolly remarked:
“By organising this security audit (with funding by CoinGeek) and by sharing the results in a responsible and secure manner, the BSV Node team, nChain and our partners at CoinGeek demonstrate our commitment to increase the quality of Bitcoin software and professionalise the engineering process.”
Even though the BSV Node implementation team did not create these vulnerabilities and likely inherited them from Bitcoin Core and Bitcoin ABC, its groundbreaking approach to apply software industry best practices to Bitcoin node development has now also benefited the competing Bitcoin Core and Bitcoin Cash ecosystems.
The BSV Node reference implementation is a project of the Bitcoin Association. The Bitcoin Association’s Founding President Jimmy Nguyen observed:
“As I’ve said before, it’s time for Bitcoin to grow up and professionalise. This security audit is a big step in that direction, because no other Bitcoin project is taking such a comprehensive approach to security. The results and improvements exemplify how the BSV Node team is taking steps to prepare BSV to have the reliability needed to become the world’s new money and the global enterprise blockchain. It also demonstrates that BSV blockchain is now leading the Bitcoin industry, even helping other projects that deviated from the Satoshi Vision for Bitcoin.”