
How to Measure the Security of a Bitcoin Application


These days anyone regularly tuning into r/bitcoin reads stories about individuals getting their wallet.dat stolen and bitcoin businesses closing operations after a security breach. Yesterday, security researcher Egor Homakov disclosed how Mt.Gox was vulnerable to an account hijacking attack caused by an XSS flaw combined with improper session management. The issue has since been fixed, and while it’s great to see security researchers take on the challenge of bitcoin security, sometimes it seems like something is broken overall when looking at security in the bitcoin ecosystem.

Ironically, these security breaches are a marker of bitcoin’s overall success. As bitcoin continues to grow and flourish, we can expect criminals to target more and more bitcoin businesses as its value increases. For bitcoin, this list of thefts and heists is only the beginning.

Improving Application Security

As a protocol, Bitcoin itself is secure. Most bitcoin security issues are not related to the bitcoin protocol; they are due to improper handling of bitcoins or insufficient security built into the applications that deal with bitcoin. At the protocol level there are some interesting developments in progress, such as multi-signature transactions, which, when implemented by applications, will make compromises of bitcoin applications less harmful. The current bounty for a compromising bug in the bitcoin protocol is around $, and so far no vulnerabilities have been disclosed or exploited. In addition to this bounty, we have also seen initiatives like the Bitcoin Security Project raise awareness about security in the bitcoin community.

In terms of improving the overall security of bitcoin web applications, we believe that as the bitcoin ecosystem matures, bitcoin businesses will increasingly compete on application security to attract customers. More and more businesses will follow the example of wallet providers Coinbase and, who are leaders in bitcoin because of their transparent, open write-ups of their security practices.

Transparent Security

Despite the inherent value of security transparency, many bitcoin businesses do not advertise their security practices. For those who do, how do users know that these practices are actually being followed by the business? Clearly there is an incentive for a dubious bitcoin website to attract users by advertising a higher level of security than it has actually implemented in its products. This is a classic asymmetric information problem, as the website has more information about its application security than it might reveal to users.

Bug Bounty Programs as A Benchmark

The best way to solve the problem of misinformation about bitcoin security is to give users a reliable metric for determining the security level of a bitcoin application. Bug bounty programs like those run by Google and other large technology companies clearly communicate reward sizes proportionate to the seriousness of a vulnerability a security researcher might discover, and open important channels of communication with the security community. The existence of a bug bounty program could be the first of many metrics to help build trust with users. By offering large rewards, bitcoin businesses could easily signal their web application security level to their users. The higher the rewards, the more engaged and incentivized the security community is to investigate and discover vulnerabilities in the application.

Over the past few months, there has been a huge increase in the adoption of bug bounty programs by businesses in the bitcoin space. Bitcoin businesses like Coinbase, Kraken, QuickBT, Coinkite and Vault of Satoshi are leading the way with their disclosure policies and bug bounty programs. We expect this trend to continue (to the moon, perhaps?) as end-users increasingly demand stronger security from bitcoin applications.


About Jacob Hansen
Jacob Hansen is Co-founder and Chief Executive Officer at Cobalt. Jacob and his team are on a mission to evolve the traditional pentesting model by engaging the best cybersecurity talent, via Cobalt’s PtaaS platform, and allowing customers to move from a static pentest to platform-driven pentest programs that drive better security and improve ROI.