On December 23, 2018, CoinMetrics released an article purporting a recent discovery concerning the Bitcoin Private fork. Per the report, an independent third-party technical audit uncovered that a large quantity of Bitcoin Private coins (approximately 2 million BTCP) were allegedly created during the fork-mine. Upon public release of the article, our Core Team of developers immediately launched an investigation to ascertain whether or not the alleged findings of an additional amount of BTCP coins were true. It should be noted that the BTCP Contribution Team had no prior knowledge of these reports before they were released to the public.
After performing our own due diligence, Bitcoin Private can officially say with certainty that these findings are mathematically accurate. However, at this time, the source, purpose, and recipient of this exploit is currently unknown to the Bitcoin Private Contribution Team.
Per the findings of our internal audit, the following is an accurate timeline of events pertaining to the underlying issue set forth in the CoinMetrics report:
The fundamental benefit of open source development is that ability for contributors of the community to to view and help fix the code. This worked in favor of Bitcoin Private when a particular developer discovered an exploit in our code that would have allowed anyone to mine the SegWit coins, which we were able to patch within 24 hours. Unfortunately, however, open coursedevelopment has its negative attributes as well: the person who discovered the fork-mine vulnerability acted in bad faith and willfully opted not to report it. As the code was open source, and the fork-mine was announced on Twitter, anyone with sufficient blockchain development knowledge could have exploited it.
Bugs are something we dealt with significantly during the month of February leading up to the fork. Much of the code work performed in January was by open source developers who wrote their code, collected their bounty, and subsequently left the Bitcoin Private Development Team. After performing extensive code review in late January in preparation for the BTCP fork, a number of bugs were uncovered and rectified before the fork occurred in the best interests of protecting community members and the project itself. One such bug that was resolved was a serious issue found within the original 2-way replay protection code which took weeks to fix. While we regret that all the bugs in Bitcoin Private source code were not discovered prior to the fork, technological instances such as this are common in this space, and it is unfortunate that the bug was not remedied in time despite the diligent efforts put forth by the entire Bitcoin Private development community.
Unbeknownst to Bitcoin Private, approximately two (2) million BTCP coins that were never intended to exist on the blockchain chain were created and moved to a shielded address. According to CoinMetrics, as much as 300,000 illegitimate BTCP were deshielded, though it is unclear at this time if these coins were sent to an exchange or used/stored elsewhere.
While it is not beneficial for a bug such as this to exist, in the case of Bitcoin Private, this particular exploit could only be taken advantage of during the fork mine, which already occurred earlier this year. Therefore, it is impossible for this particular bug exploit to occur again, nor can it be further exploited.
Because the fork mine was public, anyone with a sophisticated working knowledge of blockchain development could have exploited the code bug. At this point, the only thing we can be sure of is that the BTCP Contribution Team did not know about the exploit until it was uncovered by CoinMetrics.
We have contacted HitBTC about the situation and are hopeful that the bad actor might be uncovered. The CoinMetrics team has been included in this email for full transparency. We are hopeful that with their forensic expertise in blockchain, we will be able to find the bad actor, expose them, and report them to the proper authorities. If suggested by CoinMetrics, we are willing to contact any and all exchanges as needed to uncover the truth of the matter.
While the coins exist, we do have options to fix this. We have come up with two potential plans and would like to hear community feedback on the options:
WE INTEND TO PROCEED WITH CODING OPTION #1 IMMEDIATELY. If we see consensus from the community on moving forward with this option, then the hard fork will be coordinated and initiated as soon as possible. It is possible that the bad actor could begin moving those coins out of the shielded pool to avoid their destruction. In a worst case scenario, we could use a snapshot of the chain just prior to deshielding the 1.7 million coins and roll the chain back in time. We hope we will not have to do this but will continue to monitor the chain. In the meantime, we request that all exchanges close deposits and withdrawals of BTCP to mitigate any damage that could be done to the network. WE ALSO SUGGEST THAT ALL USERS PROCEED WITH CAUTION NOW WHEN MOVING COINS.
Bitcoin Private wants to officially thank the CoinMetrics team for uncovering the exploit. We have opened a line of communication with CoinMetrics with the intentions of working in concert to uncover more about what transpired and how to we can prevent anything like this occurring in the future. Not just for Bitcoin Private, but for the cryptocurrency community as a whole.
We want to remind the community that the BTCP Contribution Team rewards users for finding bugs in the code and reporting them, with the reward reflective of the severity of the exploit. We encourage the Blockchain Community and the general public to report any potential bugs or exploits to email@example.com or through our GitHub repo: https://github.com/BTCPrivate.
My answer to What are your thoughts on Bitcoin private (https://t.co/UVMapJqlpt)? https://t.co/haXffEQaNm
My answer to What is premining in cryptocurrencies? https://t.co/5aKKT4O7uT
My answer to Why is Zcash a great coin? What are zk-SNARKs? How useful would it be? https://t.co/Oeaxbq6QkC
My answer to What is Bitcoin Private (BTCP)? How do I mine it? https://t.co/4RqmJAaN5Q