Due to a bug in Blockstream's Liquid Network sidechain solution, its employees had access to other people's funds for 18 months. Management was aware of the problem but did not report it. On June 25, the vulnerability was discovered by accident by blockchain developer James Prestwich, who noticed that Liquid Network operators had gained access to 870 BTC frozen on the network. The crypto community has responded by accusing Blockstream of excessive centralization and even of possible fraud. The company's management says the funds were safe, that not a single satoshi was stolen, and that the bug will be fixed soon. What caused the vulnerability, why Blockstream was in no hurry to fix it, and how badly the company's reputation has been damaged, we examine in this article.
How the Liquid Network protocol works
To better understand what happened, let's briefly recall how the Liquid Network protocol works.
Liquid Network is a private, centralized sidechain of the Bitcoin blockchain that acts as a settlement and payment network for exchanges, traders, market makers and brokers. Liquid Network is developed and controlled by the Canadian company Blockstream and was launched for mainstream use in October 2018.
Liquid Network has 44 partners in total, including Atlantic Financial, OKCoin, Xapo, Bitfinex, Bitmax, BitME, BitMEX, Ledger and Tether, among others. Since March of this year, the protocol has overtaken another Blockstream product, the second-layer Lightning Network, in terms of the number of bitcoins in circulation. On the day this article was published, 2161 BTC were locked on the Liquid Network, about $19.7 million.
Liquid Network is a separate additional blockchain built on top of the main Bitcoin network. It allows you to make instant transactions in large volumes, while maintaining confidentiality and keeping funds off the exchange.
Transactions are made using Liquid Bitcoin (L-BTC), special tokens pegged to Bitcoin at a 1:1 ratio. A Bitcoin mainnet user first sends coins to the deposit address of the peg wallet, which acts as a bridge between the sidechain and the mainnet. There the coins are "frozen" by a group of validators, which rules out spending them anywhere else. The validators also ensure that every L-BTC in the sidechain has a matching BTC frozen in the wallet. An amount of L-BTC equivalent to the bitcoins sent is then released in the sidechain; when sending from the sidechain back to the main blockchain, the process runs in the opposite order.
How James Prestwich found the missing 870 BTC
On June 25, blockchain developer James Prestwich, founder of the startup Summa, noticed that Blockstream operators had gained access to 870 BTC (≈$7.9 million) that had been sitting in an unprocessed transaction since June 11. This came as a surprise to the developer and to the crypto community: it had been assumed that Blockstream employees would use such a capability only as a last resort.
Bitcoins sent to the Liquid network as L-BTC are frozen in a multi-signature wallet. To unlock the coins, 11 of the 15 key holders (the controlling nodes), selected at random, must sign the transaction.
An important condition, spelled out in the Liquid Network technical documentation, is that if 30% of the nodes leave the network, for example as a result of an attack, the held funds would be locked forever. To prevent this, all funds held by the Liquid Network are also reachable through a set of three emergency keys.
The emergency mechanism is triggered every time a transaction output remains unspent for more than 2015 blocks, roughly 14 days. On June 25, two weeks after June 11, the waiting period for the transaction holding 870 BTC expired. So that the funds would not be lost, the 870 BTC were, for about half an hour, spendable by Blockstream's emergency operators. They moved the coins to a new unspent transaction output (UTXO), which reset the emergency contract's counter and kept the funds from being locked forever.
“It looks like Liquid's emergency operators, using two of the three keys, could steal 870 BTC as the confirmation of this transaction exceeded 2015 blocks,” James Prestwich tweeted.
Prestwich states that he discovered Blockstream's activity entirely by accident. On Twitter he asked, "How often could this have happened before?" and accused the company of violating its own security model. He also raised the point that the protocol code "is not completely open source, so we cannot verify how it works."
A few hours later, Blockstream's head, Adam Back, responded to Prestwich's message, saying that the company was aware of the problem and was working on a fix. The reply did not reassure the crypto community: it turned out that Liquid Network's emergency operators gain access to users' funds every two weeks. And if the developers had kept quiet about this vulnerability, what other problems had they not talked about? The comments went as far as claims that Liquid Network is not a real sidechain.
"We are aware of this problem. Coins are automatically moved further as part of the HSM [Hardware Security Module] binding process. All funds are safe as the keys are offline and geographically distributed. We planned to fix the problem by updating the HSM, which is done manually for security purposes, but the quarantine due to COVID-19 made it difficult for us to do this," Adam Back replied to Prestwich.
Blockstream explained the incident
On June 29, Blockstream CEO Adam Back published an official clarification of the incident in which he explained the mechanism of the vulnerability in more detail. The problem, he said, was caused by a mismatch between the timing settings used by the host server running the protocol and those of the hardware security modules (HSMs) that store the emergency keys. Because of the error, the timelock counter was being reset after it expired rather than before, as it should have been.
Back clarified that this problem had previously occurred only with small transactions. But because of the Liquid Network's rapid growth, from 100 BTC in December of last year to more than 2000 BTC now, the error finally hit a large transaction.
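To make the two-branch spending policy described above (11-of-15 federation signatures, or 2-of-3 emergency keys once an output has been idle for 2015 blocks) and the timing bug Back describes concrete, here is a small Python model. It is an added illustration, not Liquid's code or Blockstream's HSM firmware, and it simplifies heavily: the thresholds and timelock are the figures quoted in this article, the "host/HSM offset" is an assumed abstraction of the timing mismatch, the transaction ids and block heights are constructed, and the ">=" boundary on the timelock is an assumption. The last function is the kind of check an outside observer could run over public chain data to notice peg outputs approaching the emergency window, which is essentially what Prestwich did by hand.

```python
from dataclasses import dataclass
from typing import List, Optional

# Parameters as quoted in the article (not Liquid's actual script constants).
FEDERATION_THRESHOLD = 11   # 11 of 15 functionary keys must sign
FEDERATION_SIZE = 15
EMERGENCY_THRESHOLD = 2     # 2 of 3 emergency keys (per Prestwich's tweet)
EMERGENCY_KEYS = 3
EMERGENCY_TIMELOCK = 2015   # blocks of inactivity before the emergency branch opens


@dataclass(frozen=True)
class PegUtxo:
    """A frozen peg-in output on the Bitcoin side (constructed sample data)."""
    txid: str
    amount_btc: float
    created_height: int

    def age(self, chain_height: int) -> int:
        return chain_height - self.created_height


def emergency_path_open(utxo: PegUtxo, chain_height: int) -> bool:
    """Simplified relative timelock: the emergency branch becomes spendable once
    the output has sat unspent for EMERGENCY_TIMELOCK blocks (>= is assumed)."""
    return utxo.age(chain_height) >= EMERGENCY_TIMELOCK


def spend_path(utxo: PegUtxo, chain_height: int,
               federation_sigs: int, emergency_sigs: int) -> Optional[str]:
    """Return which branch of the policy authorizes a spend, or None."""
    if not (0 <= federation_sigs <= FEDERATION_SIZE):
        raise ValueError("federation signature count out of range")
    if not (0 <= emergency_sigs <= EMERGENCY_KEYS):
        raise ValueError("emergency signature count out of range")
    if federation_sigs >= FEDERATION_THRESHOLD:
        return "federation"
    if emergency_sigs >= EMERGENCY_THRESHOLD and emergency_path_open(utxo, chain_height):
        return "emergency"
    return None


def refresh_age_on_chain(host_refresh_age: int, host_hsm_offset: int) -> int:
    """Chain age (in blocks) at which the refresh actually lands.

    host_refresh_age: the age at which the host schedules the refresh.
    host_hsm_offset: assumed model of the timing mismatch, i.e. how many blocks
    the host's counter lags the chain view the HSM enforces.
    """
    return host_refresh_age + host_hsm_offset


def exposure_window(host_refresh_age: int, host_hsm_offset: int) -> int:
    """Blocks during which the emergency keys alone could have spent the output
    before the refresh moved it. Zero means the refresh landed before expiry."""
    return max(0, refresh_age_on_chain(host_refresh_age, host_hsm_offset) - EMERGENCY_TIMELOCK)


def utxos_needing_attention(utxos: List[PegUtxo], chain_height: int,
                            warn_margin: int) -> List[PegUtxo]:
    """Monitoring check: flag peg outputs within warn_margin blocks of the
    emergency timelock, or already past it."""
    return [u for u in utxos if u.age(chain_height) >= EMERGENCY_TIMELOCK - warn_margin]


if __name__ == "__main__":
    # Constructed sample: a large peg-in output and a fresh small one.
    big = PegUtxo("constructed-txid-870", 870.0, created_height=636_000)
    small = PegUtxo("constructed-txid-small", 1.0, created_height=638_000)
    now = 636_000 + 2018  # three blocks past the emergency timelock

    print("emergency branch open:", emergency_path_open(big, now))
    print("2-of-3 emergency keys alone:", spend_path(big, now, 0, 2))
    # Refresh scheduled 15 blocks early, but the host counter lags by 18 blocks:
    print("exposure window (blocks):", exposure_window(2000, 18))
    print("correct timing, no exposure:", exposure_window(2000, 0))
    for u in utxos_needing_attention([big, small], now, warn_margin=10):
        print(f"ATTENTION {u.txid}: {u.amount_btc} BTC idle for {u.age(now)} blocks")
```

With a refresh scheduled 15 blocks before expiry and an 18-block offset, the model yields a 3-block window, roughly the half hour the article reports; with the offset removed the window is zero, which is the behaviour the HSM update is meant to restore.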
Figure: the growth of the number of BTC in the Liquid Network. Source.
Adam Back assured that all 870 BTC and the other funds on the network were and remain safe: the backup keys were not used in addressing the problem, and the time limits were reset by the network without any manual intervention. Moreover, the error only opens the possibility of internal theft by employees; coins cannot be stolen "from the outside" this way.
Blockstream is working to fix the vulnerability
Back admitted that the project team had been aware of the vulnerability for 18 months, but its fix was delayed due to "external problems in coordinating updates on functional servers serving the network." The developers decided not to disclose the problem publicly until it was fixed.
Back revealed that the company is working on a solution to the problem and promised to fix the bug shortly. However, this is a complex process. The developers have updated the software of the servers, but the software of the hardware security modules has remained unchanged so far. These are physical devices geographically distributed across different countries, and coordinating their updates is difficult.
However, the code for their update has already been submitted to the Liquid Technology Commission and will be rolled out after approval. The developers are also working on a phased deployment of "dynamic federations" (DynaFed), which should significantly change the protocol and make it more robust. In comments to CoinDesk, Blockstream CMO Neil Woodfine clarified that these updates should be rolled out by the fourth quarter of 2020.
Why the crypto community doesn't trust Liquid Network
Blockstream makes a huge contribution to the development of Bitcoin infrastructure. Among its products:
- Lightning Network, a second-layer protocol for conducting micropayments outside the main Bitcoin blockchain;
- Blockstream Satellite, a satellite network that broadcasts the Bitcoin blockchain;
- Blockstream Green, a secure Bitcoin wallet;
- Blockstream Explorer, a Liquid Network-compatible Bitcoin block explorer;
- The Elements project, a Bitcoin-based platform that allows transactions with various types of assets;
- Blockstream Mining, a service for corporate miners;
- Cryptocurrency Data Feed, an information service that tracks 400 trading pairs and market conditions.
But despite this, Blockstream and Liquid Network enjoy an ambiguous reputation among the crypto community, especially among bitcoin owners: the company is reproached for its desire to monopolize the infrastructure, and the Liquid Network is accused of being too centralized and opaque.
The Liquid Network is a private network run by trusted parties. By keeping the BTC outside the main Bitcoin blockchain, the company gains significant control over users' funds. These bitcoins appear to belong mainly to exchanges and traders, but in fact they are the coins of ordinary holders of the first cryptocurrency. The centralized security model contradicts the decentralized principle at the heart of Bitcoin and makes Blockstream little different from traditional payment systems such as SWIFT or PayPal.
Blockstream itself has a tarnished reputation. The company was caught hacking and manipulating the vote on Reddit with the direct involvement of former CTO Gregory Maxwell, working with former intelligence officers, and also accused of trying to cash in on patents on SegWit.
In addition, a number of Liquid Network partners have a certain notoriety of their own and a record of repeated hacks. iFinex, the company behind Bitfinex, constantly faces questions from both the crypto community and law enforcement agencies: it has already been accused of deceiving customers, of dipping into the dollar reserves of the Tether stablecoin, and of price manipulation. BitMEX has also faced allegations of fraud, market manipulation and money laundering. The Liquid Network's security concept assumes that these are the organizations network users should trust with their money.
"This is what happens when you use a closed system that requires you to trust someone. Worked out this time, history tells us if it grows it will work out less and less often in the user's favor. Call it a perk for the central agency," Twitter user @name_elsewhere summed up the incident with 870 BTC on June 27, 2020.
Although the incident with 870 BTC ended well, it clearly counts against Liquid Network and Blockstream. The company knew about the problem for a year and a half, yet in all that time it neither found the resources to fix it nor even notified the community.