The Dash-sponsored bug bounty program, run through the Bugcrowd platform, detected a critical vulnerability in the Bitcoin Copay wallet that the Dash version had inherited.
The Dash Bug Bounty program, aimed at discovering vulnerabilities in the Dash codebase and in associated projects, uncovered a critical bug in the Dash version of the Copay wallet. The vulnerability, however, turned out to have been inherited from the original Bitcoin version of the popular multisignature wallet, according to a press release by Bugcrowd:
“On January 17th the Dash Bug Bounty program received a report of what appeared to be a very serious vulnerability in the Dash Copay wallet. The report came from a security researcher through the Bugcrowd platform and indicated that sensitive data (including private keys) was being leaked into a log file, in plain text.
This report was immediately forwarded to the Dash Core Team for evaluation. On initial review, it was determined that, indeed, private keys were being written to a log file upon wallet creation. Apparently a function had been inadvertently left in debug mode. The fix was very easy — simply switch the function out of debug mode. For Dash this was a minor issue since the Dash Copay wallet was not in production on mainnet.
However, after further review we discovered that this vulnerability was inherited from the Bitcoin Copay wallet, and that it existed in the production code version from which Dash Copay was forked. We then asked the security researcher who originally found the vulnerability to submit a bug report to Bitcoin Copay, and members of the Core Team also reached out to Bitcoin Copay developers to alert them to the issue.”
While this was an edge-case vulnerability (most attackers would not have access to the log file, which would be deleted on a power cycle), the Bitcoin Copay team nonetheless pushed a fix immediately.
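As an added illustration, not code from Copay or the Dash project: the pattern the press release describes, a debug path that serialises a freshly created wallet into the log, shown beside a log formatter that redacts key material before anything is written, whatever the log level. The field names (xPrivKey, mnemonic and so on) and the sample credential object are assumptions constructed for the example.

```javascript
// Added example (not Copay/Dash code): keep key material out of log files by
// redacting before formatting, so a forgotten debug flag cannot leak secrets.
// Field names below are assumed for illustration, not taken from Copay.
const SECRET_FIELDS = new Set(['xPrivKey', 'privKey', 'mnemonic', 'seed', 'wif']);

// Deep-copies `value`, replacing the contents of secret-bearing fields.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      out[key] = SECRET_FIELDS.has(key) ? '[REDACTED]' : redact(inner);
    }
    return out;
  }
  return value;
}

// The risky pattern from the article: a debug path that dumps the whole
// credential object, private key included, into the log line.
function unsafeDebugLine(creds) {
  return `DEBUG wallet created ${JSON.stringify(creds)}`;
}

// Hardened formatter: redaction is unconditional, whatever the log level.
function safeLogLine(level, message, data) {
  return `${level.toUpperCase()} ${message} ${JSON.stringify(redact(data))}`;
}

// Detection check for log review: does a rendered line still contain any
// secret value from the credential object?
function leaksSecret(line, creds) {
  return Object.entries(creds).some(
    ([key, val]) => SECRET_FIELDS.has(key) && typeof val === 'string' && line.includes(val)
  );
}

// Constructed sample credentials; the key strings are placeholders, not real keys.
const sampleCreds = {
  walletName: 'demo',
  network: 'testnet',
  xPrivKey: 'tprv-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY',
  mnemonic: 'placeholder words standing in for a twelve word seed phrase',
  publicKeyRing: [{ xPubKey: 'tpub-CONSTRUCTED-PLACEHOLDER' }],
};

console.log(leaksSecret(unsafeDebugLine(sampleCreds), sampleCreds)); // true
console.log(leaksSecret(safeLogLine('debug', 'wallet created', sampleCreds), sampleCreds)); // false
```

The same leaksSecret check can be run over an existing log file during incident review to confirm whether key material was actually written before the fix was applied.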
Dash’s treasury enables thorough and well-funded review programs
While bug bounty programs are relatively common in cryptocurrency, the Dash program, hosted on Bugcrowd, runs on a different model: it is funded by the Dash treasury. The program submitted a funding proposal to the Dash network, which was approved, providing funding without the need to crowdfund or seek other outside sources. According to project director Jim Bursch, a program of this scope would not have been as easily enabled without Dash’s treasury system:
“Dash’s treasury system allows us to run a bounty program like no other, and also because of Dash’s treasury, it is creating coins for the purpose. There is no cost to anybody to fund the bounty program and there is no opportunity cost. When a company or another cryptocurrency like Ether funds a bounty program, they have to divert funds that may be used for other purposes. That is not the case with Dash. We do not have to sacrifice Peter to save Paul; we can fully fund both development and a bounty program.”
Bug bounties are a critical element of the still-experimental cryptospace
While nearly 10 years old, cryptocurrency is a nascent field that has yet to find wide public use, and as such it still has imperfections in its code to be worked out. According to Bursch, programs like the Dash bug bounty have a long-term positive effect on the entire cryptocurrency ecosystem:
“Both the long- and near-term benefit to the Dash ecosystem is more secure code and greater confidence that users can have when using Dash. The existence of a bug bounty program can go a long way to reassure users that they can safely transact with Dash, knowing that the code is thoroughly tested and there is a safe, responsible way for problems to be identified, reported, and resolved. This benefits not only Dash, but cryptocurrency in general because sometimes the issues we find also exist with other currencies and wallets that share the same codebase. We all suffer when the news is dominated by a hack or theft of cryptocurrency, so it is in our long-term interest to share information when problems are found, and improve the general perception of cryptocurrency.”
While offering great potential for revolutionizing a variety of industries, including payments, cryptocurrency is still in the speculative and experimental stages, and as yet remains difficult to use for everyday purposes. A key example is using cryptocurrency for purchases or transfers, which involves copying and pasting a long and non-intuitive address, or scanning a QR code. Among other advances, Dash’s upcoming Evolution platform aims to streamline the process by employing usernames and contact lists in order to facilitate wide and everyday use.