A bug in Blockstream’s Liquid Network could have allowed employees to steal Bitcoin with minimal authorization
Blockstream has implemented a workaround and is currently developing a permanent solution
No funds have actually been stolen during the 18 months that the account was compromised
Share this article
Blockstream’s Liquid Network contained a vulnerability until today that could have allowed millions in BTC to get stolen. The bug was disclosed by James Prestwich, a Bitcoin developer and founder of the crypto startup Summa One.
How the Bug Works
The security vulnerability affected an essential account on the Liquid Network due to inconsistent timelocks.
That inconsistency could have allowed employees to withdraw Bitcoin from through an emergency recovery process that requires 2 of 3 keyholders to sign a transaction. This bug would bypass the proper multisig process, which requires 11 of 15 keyholders to sign a transaction.
According to Prestwitch, the vulnerable account controlled 870 BTC ($8 million) for over an hour this week. However, the bug could have compromised millions of dollars before the last transaction: the potential exploit has existed for 18 months and affected more than 2,000 UTXOs.
Blockstream CEO Adam Back has responded and admitted that the bug was a “known issue.”
Back says that a complete fix has been underway for some time, but has been delayed for several reasons. He added that developers are currently working with the Liquid Federation to create and deploy a final patch. Right now, a workaround is in place that will solve the problem in a temporary and limited way.
Adam Back noted that Blockstream’s handling of the situation “is not up to [its] usual standard of trust-minimization.” To Blockstream’s credit, no funds have actually been stolen. Furthermore, the bug only opens the possibility of internal theft by employees—not an outside attack.
Why Blockstream Is Controversial
Blockstream and the Liquid Network are somewhat controversial among the crypto community, especially among the Bitcoin community.
While Blockstream funds development of Bitcoin itself, the company’s Liquid Network is a federated sidechain that stores BTC outside of the main Bitcoin blockchain. That means that the company maintains significant control over the funds of users who trust it—typically enterprises and exchanges that rely on it for transfers and settlement.
Liquid’s bug is unlikely to affect general crypto holders. Regardless, the news is a reminder that investors who wish to maintain maximum control over their Bitcoin should do so by holding it in their own non-custodial wallet.
Share this article
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
See full terms and conditions.
What Does The Liquid Network Mean For Bitcoin?
Balancer Pool Exploited, Over $500,000 of Funds Lost
$5 Million ETH Transaction Sender Identified, Go Ethereum Offers Solut…