Liquid Sidechain Security Issue Hypothetically Allows Blockstream Employees to Steal Bitcoin
It appears that a Liquid sidechain security issue has been discovered. Cryptocurrency trader James Prestwich exposed a previously unknown vulnerability.
In a tweet, he accused Liquid owner Blockstream of deliberately writing a bug into the Liquid code. James went further, implying that Blockstream and its employees had ignored the bug and refused to answer any questions about it.
The Liquid sidechain is a settlement system developed by Blockstream. According to Blockstream's technical documentation, Liquid is a "settlement" platform for different exchanges and "other institutions". Liquid was built using the Elements framework, an open-source sidechain codebase derived from the Bitcoin codebase.
Social Media Platforms Catch Fire as a Result of the Revelations
This set crypto Twitter and other social media platforms on fire. The responses ranged from disbelief to shock.
At the deep end of the responses there were a few conspiracy theories as well. Reddit user @logicordie said: "Good old CIA backdoor... It's a surprise tool that will help us later!"
Another user, @cryptoguruboss, said: "Not your keys not your coins... simple af... use second layers or LN for coffee not savings.... I sometimes give the poor man at turn signal that much...." He was referring to the security of the sidechain's keys and how they are stored.
@Kneli spoke about the sidechain audit. He asserted:
"If audited correctly, why would a second layer be more risky than the original blockchain? They are both non-custodial, at least the second layer solutions I know are. I assume the Blockstream second layer Liquid was non-custodial as well? Just read up on Liquid and it is indeed not non-custodial so for this particular case, not your keys not your coins. That problem is not inherent to all second layer solutions though, that's a misconception you might be creating here".
Adam Back Finally Responds
In response to the flurry of queries, Bitcoin and Blockstream co-founder Adam Back indicated that there were problems but that they were being resolved.
He said in a tweet:
"...this is a known issue. The coins are auto-swept forward as part of the HSM peg process. Funds are safe as keys are offline and geo-distributed. We were planning to address this via an HSM upgrade, which is a manual, hands-on process for security, but COVID lock-downs made that difficult".
Sidechains Have Issues
There have been many issues involving sidechains. They have been seen as the next level of evolution for the crypto space, but the mechanisms for implementing sidechain governance have been tricky at best.
Until now, the Liquid sidechain implementation has been one of the paragons of efficiency. The fact that a fault-tolerant system is having such issues does not mean that the entire ecosystem should be thrown to the dogs.
According to Back, the wallet keys are all stored offline and an HSM upgrade will resolve the issue. For now, it seems that the danger has been averted.
It calls into question Blockstream's policies regarding regular audits of its code. This matters because audits let the good guys catch flaws before the bad guys can.
That is something that Adam Back and his team of miracle workers must do consistently and efficiently.