A Twitter user pointed out a Litecoin bug that he discovered almost a year ago and that remains unresolved, which highlights the necessity of self-funded development programs.
@oasace points out that on March 11, 2018, he discovered a stack trace disclosure bug in the “Litecoin litecore implementation (insight-lite-api)”, which is maintained by the Litecoin development team. Thus far, the error has not been corrected and can still be exploited, according to the GitHub description.
03/11/18, I disclosed a vulnerability in the Litecoin litecore implementation (insight-lite-api) maintained by the LTC dev team. NOT patched, can exploit it TODAY. — Edin Jusupovic (@oasace) February 11, 2019
There are serious exploits, you will hear about them from news articles next time. ⚓️⚓️ https://t.co/2nX24O16MG
“Sending a POST request to a number of different API endpoints is incorrectly dumping the stack trace, this information might help an attacker gain more information and potentially focus on the development of further attacks for the target system or leverage the incorrect error handling to create a new attack.”
A quick DuckDuckGo search reveals that “in simple terms, a stack trace is a list of the method calls that the application was in the middle of when an Exception was thrown”. Thus, the bug is not too major in terms of security concerns when compared to other bugs, which might be why it did not get the attention of the LTC development team. However, the fact that the bug has not been fixed after almost a year still highlights a lack of incentives.
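The bug class described above, shown as an added example that is not code from insight-lite-api: a leaky error response beside a hardened one, plus a check that flags stack frames in a response body. It assumes a JavaScript (Node.js) API service; every function name and the sample request body are constructed for illustration.

```javascript
// Added example: constructed handlers, not code from insight-lite-api.

// Matches V8 frame lines such as "    at parse (/srv/app/lib/tx.js:42:13)".
const STACK_FRAME = /^\s*at .+:\d+:\d+\)?$/m;

// True when a response body contains what looks like a stack frame.
// Usable as a regression check against every error path of an API.
function leaksStackTrace(body) {
  return STACK_FRAME.test(String(body));
}

// Before: the pattern the report describes, the stack goes to the client.
function leakyErrorResponse(err) {
  return { status: 500, body: String(err.stack) };
}

let seq = 0;
// After: full detail goes to the server-side log only; the client gets a
// generic message and an id operators can match against the log entry.
// The id is a correlation handle, not a secret.
function safeErrorResponse(err, log) {
  const errorId = `${Date.now().toString(36)}-${++seq}`;
  log({ errorId, message: err.message, stack: err.stack });
  // Malformed client input is a 400; anything else is a 500.
  const status = err instanceof SyntaxError ? 400 : 500;
  const error = status === 400 ? 'Malformed request body' : 'Internal error';
  return { status, body: JSON.stringify({ error, errorId }) };
}

// Constructed failure: a POST body that is not valid JSON.
function sampleError() {
  try {
    return JSON.parse('{"rawtx": ');
  } catch (e) {
    return e;
  }
}

const logged = [];
const err = sampleError();
const before = leakyErrorResponse(err);
const after = safeErrorResponse(err, (entry) => logged.push(entry));
console.log('leaky body leaks frames:', leaksStackTrace(before.body));
console.log('safe body leaks frames:', leaksStackTrace(after.body));
```
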
Incentivized to find and fix bugs
As with any software, cryptocurrencies suffer from bugs that crop up periodically. The advantage of open-source software is that anyone can review the code, report potential errors, and get the community’s help to patch the bug. Many do this for free in the open-source software space for ideological reasons, but many within cryptocurrency also have an investment incentive to ensure that the code of the coins they are invested in is very secure. Taking it a step further, however, means placing a bug bounty on the code to attract even more coders from a wider demographic, so that any potentially bad code is discovered and fixed quickly.
Dash has furthered the confidence in its codebase by funding a bug bounty program through Bugcrowd with funds from the Dash DAO Treasury. They recently released a case study after a year of the program and have revealed that “Bugcrowd researchers identified 11 valid unique bugs in Dash digital cash applications” by “filtering through 66 vulnerabilities submissions, saving Dash numerous hours of work”. One of these bugs was found in the now-discontinued Dash Copay wallet and would have leaked sensitive data. Luckily, the bug was found while the wallet was still on testnet. The bug was also a carryover from the Bitcoin version of the wallet, which brings back memories of the very old and quickly fixed bug that caused abnormally fast Dash mining and was a carryover from the Litecoin codebase.
As #cryptocurrencies become more mainstream, identifying and fixing vulnerabilities is imperative. But demand for security professionals outweighs the supply. Learn how @Dashpay works with @Bugcrowd to alleviate that pain point: https://t.co/Cmypigafva #OuthackThemAll pic.twitter.com/dor3WGIjaj — bugcrowd (@Bugcrowd) January 2, 2019
Dash incentivized for proper code management
Dash is committed to being everyday digital cash, which requires cultivating the utmost trust from consumers and merchants. Dash is able to accomplish this by writing and reviewing excellent code. While this is a top priority of all top coins, Dash is able to economically incentivize these activities by funding the Dash Core Group, other developers, and bug checkers to ensure the code is excellent. Voluntary work is great, but it usually forces a trade-off, since developers also have to focus on income-generating jobs. Third-party funding, in turn, is risky, since it can abruptly stop or cause a conflict of interest. Dash avoids these issues by internalizing the code writing and review process to ensure it is a complete economic incentive loop.