Vulnerability Disclosure and Cryptocurrencies
Introduction
The cryptocurrency ecosystem consists of blockchains, coins, tokens, smart contracts, exchanges and wallets. It is worth billions of dollars, and as such is a target for criminals. Notable incidents include:
- Mt Gox Exchange Hack
- CoinCheck Exchange Hack
- BitGrail Exchange Hack
- Parity Wallet Issue
- Ledger Wallet Vulnerability
- Verge Blockchain Vulnerability
Attackers exploit a vulnerability to perform an attack. A vulnerability is a flaw. Flaws can exist in hardware, software and an online service. Exploitation of vulnerabilities can impact the confidentiality, integrity and available of system of information. Exploitation of vulnerabilities in the cryptocurrency eco-system can have a serious financial impact as the above incidents show.
Vulnerability Disclosure and Handling
Developers should be able to receive vulnerability information, collaborate with the vulnerability finder, verify the vulnerability, fix it, and then disseminate the information. There are two International Standards which ideally should be followed: ISO/IEC 290147 and ISO/IEC 33011.
Analysis of the Crypto Eco-System
Some of the recommended practices of a mature vulnerability disclosure program are:
- publishing a vulnerability policy
- a means to contact the vendor
- publishing advisories
- a bug bounty program
Below is an analysis of how some of the major players in the crypto ecosystem compare against these recommendations.
Analysis of CryptoCurrencies
| Coin | Policy | Contact Details | Advisories | Bug Bounty |
|---|---|---|---|---|
| Bitcoin | No | Yes | Email only | No |
| Ethereum | No | No | No | No |
| Ripple | No | No | No | No |
| Bitcoin Cash | No | No | No | No |
| LiteCoin | No | No | No | No |
| Monero | Yes | Yes | No | Yes |
| Verge | No | No | No | No |
| Zcash | No | Yes | Yes | No |
| Electroneum | No | No | No | Yes |
| Zcoin | No | No | No | No |
As can be seen Monero and Zcash are the most mature in terms of following recommended practices. The main surprise is Verge, who even after a recent vulnerability exploit are still not following recommended practices.
Analysis of CryptoExchanges
| Exchange | Policy | Contact Details | Advisories | Bug Bounty |
|---|---|---|---|---|
| Kraken | Yes | Yes | No | Yes |
| Gemini | Yes | Yes | No | No |
| Coinbase | Yes | Yes | No | Yes |
| Binance | No | No | No | Yes |
| Bittrex | No | No | No | No |
| CEX.io | No | No | No | No |
| Bitfinex | No | No | No | No |
Given the successful hacks on exchanges it would have been expected that exchanges would be leading the way. However, this seems far from the case.
Analysis of CryptoWallets
| Wallet | Policy | Contact Details | Advisories | Bug Bounty |
|---|---|---|---|---|
| Parity | No | Yes | No | Yes |
| Ledger | No | Yes | Partial | Yes |
| Trezor | Yes | Yes | Yes | Yes |
| Coinomi | No | No | No | No |
| Jaxx | No | No | No | No |
Trezor seems to following all the recommended practices. Ledger has improved their practices after a recent vulnerability disclosure. The main software wallets (Jaxx and Coinomi) are lagging.
Summary
Given, the huge impact that exploiting vulnerabilities can have on the cryptocurrencies it is both surprisingly and worrying that the major players in the crypto ecosystem are not following recommended practices. Monero, Trezor, Kraken and Coinbase are leading the way, and others should follow suit.
Buyers and users of cryptocurrency should be pushing exchanges, wallet vendors and coin developers to improve their practices.
Donations
If you found this article please feel free to donate BTC to 3Qq8gGi9USjL78wW28KK8S45xwpfZcGnhS
Congratulations @apt99! You received a personal award!
You can view your badges on your Steem Board and compare to others on the Steem Ranking
Do not miss the last post from @steemitboard:
Vote for @Steemitboard as a witness to get one more award and increased upvotes!
Congratulations @apt99! You received a personal award!
Click here to view your Board