Blockstream Bug Posed Serious Threat Of $16 Million BTC Theft
A long-standing Blockstream bug in the Liquid Network could have allowed an internal theft of up to $16 million in BTC, according to the latest Bitcoin news.
The Blockstream bug could have allowed employees to steal Bitcoin with almost no authorization. The platform has implemented a workaround and is now developing a permanent solution. No funds were actually stolen during the 18 months that the vulnerability remained open. Until today, Blockstream's Liquid Network contained a vulnerability that could have allowed millions in BTC to be stolen. The bug was disclosed by James Prestwich, a Bitcoin developer and founder of Summa One.
— The Liquid Network (@Liquid_BTC) June 29, 2020
The security vulnerability affected a large part of the Liquid Network because of inconsistent timelocks. Once a timelock expired, employees could have withdrawn Bitcoin through the emergency recovery process, which requires only 2 of 3 keyholders to sign a transaction. This bypasses the normal multisig process, which requires 11 of 15 keyholders to sign. According to Prestwich, the vulnerable account held about $8 million in bitcoin for over an hour this week. The exposure lasted 18 months and affected more than 2000 UTXOs, so the bug could have compromised millions of dollars before the last transaction.
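To make the two spend paths concrete, here is an added Python model (not Blockstream's or Liquid's code) of a federation UTXO with a normal 11-of-15 branch and an emergency 2-of-3 branch that only unlocks after a relative timelock, plus the monitoring check an operator would want: a list of UTXOs whose timelock has expired or is about to, meaning the federation must re-sign (cycle) them before the emergency branch becomes spendable. The key names, timelock length and margin are constructed assumptions, not Liquid's real parameters.

```python
from dataclasses import dataclass

# Constructed parameters (assumptions for illustration, not Liquid's real values)
FEDERATION_KEYS = {f"fed{i}" for i in range(15)}   # 15 functionary keys
EMERGENCY_KEYS = {"emerg0", "emerg1", "emerg2"}     # 3 emergency recovery keys
FED_THRESHOLD = 11        # 11-of-15 normal path
EMERGENCY_THRESHOLD = 2   # 2-of-3 emergency path
TIMELOCK_BLOCKS = 100     # relative timelock (blocks since the UTXO was confirmed)


@dataclass(frozen=True)
class FederationUtxo:
    txid: str
    value_btc: float
    confirmed_height: int  # block height at which this UTXO was created


def utxo_age(utxo: FederationUtxo, current_height: int) -> int:
    """Blocks elapsed since the UTXO was confirmed."""
    return current_height - utxo.confirmed_height


def spend_authorized(utxo: FederationUtxo, signers, current_height: int) -> bool:
    """Model of the two-branch script: the federation quorum can always spend,
    the emergency quorum only once the relative timelock has elapsed."""
    signers = set(signers)
    if len(signers & FEDERATION_KEYS) >= FED_THRESHOLD:
        return True
    if (utxo_age(utxo, current_height) >= TIMELOCK_BLOCKS
            and len(signers & EMERGENCY_KEYS) >= EMERGENCY_THRESHOLD):
        return True
    return False


def stale_utxos(utxos, current_height: int, margin_blocks: int = 10):
    """Defender's check: UTXOs whose timelock has expired, or will expire within
    margin_blocks, and therefore must be cycled (re-signed by the federation)
    to keep the emergency branch dormant."""
    return [u for u in utxos
            if utxo_age(u, current_height) >= TIMELOCK_BLOCKS - margin_blocks]


def exposed_value_btc(utxos, current_height: int) -> float:
    """Total BTC already spendable by the emergency quorum alone."""
    return sum(u.value_btc for u in utxos
               if utxo_age(u, current_height) >= TIMELOCK_BLOCKS)
```

Running `stale_utxos` periodically against the federation's unspent outputs is the kind of check that would have flagged the uncycled UTXOs long before their value reached millions of dollars.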
Blockstream’s CEO Adam Back responded that the bug was a known issue. Back said a complete fix had been underway for some time but had been delayed several times for various reasons. He added that the developers were working with the Liquid Federation on a final patch, and that a workaround is now in place that solves the problem temporarily. Back acknowledged that the handling of the situation was not up to the usual trust-minimization standard. No funds were stolen, and the bug only opened the possibility of internal theft by employees, not by outsiders.
Blockstream’s Liquid Network is somewhat controversial within the Bitcoin community. It is a federated sidechain that holds BTC outside the main Bitcoin blockchain, which means the company has significant control over the funds of the users who trust it, mainly enterprises and exchanges. The bug is unlikely to affect ordinary crypto holders, but it is a reminder that investors who want to keep maximum control over their Bitcoin should hold it in their own non-custodial wallet.