Bitcoin has a toxic culture of NOT taking security and cryptography questions seriously ever. Being able to withstand expert criticism, champion best practices and anticipate the risks is crucial for any open source project.
Unhappily we observe that:
- There isn’t a single academic or scientist at the bitcoin foundation and they don’t like being criticized on security.
- It lacks preventive security engineering and serious consideration of attacks and threats such as 51%. Official bitcoin sources are negligent, use highly misleading vocabulary and are full of security blunders some of which go back to Satoshi. More such issues are discussed in Section 6.1 and 13 of this paper.
- It lacks a cryptographer to tell us elementary truths about which elliptic curves are mainstream (P-256 and not many more!) and which ones are dodgy, with a collapse of bitcoin looming if bitcoin cryptography is broken some day.
- Bitcoin developers are now developing a new library for secp256k1. This will make it even harder to convince them to migrate to a different curve, with potentially catastrophic consequences for our bitcoins.
- In spite of benefiting from vast amounts of public discussion and voluntary security advice, bitcoin is not trying to improve.
- Bitcoin software is chronically under-developed.
- The state of the art in security is not applied ever. For example important security patches such as RFC 6979 which allow to mitigate important attacks have NOT been applied for some 18 months in the bitcoin core software and nobody seems to care. These patches are related to a wave of new powerful attacks which potentially allow to steal lots of bitcoins from large numbers of accounts.
- Most of these attacks rely on bad random events in bitcoin, which have been in existence since 2012.
- However in late 2014 there was another massive outbreak of such events in the bitcoin blockchain.
- These vulnerabilities could have been very easily fixed in bitcoin code by applying RFC 6979.
- It was utterly irresponsible NOT to fix this vulnerability known since January 2013. The fix was already applied by many companies such as Trezor, but not yet by bitcoin core client. Why? A patch apparently was apparently already submitted to bitcoin code in January 2013, according to these slides and it is still not applied by the bitcoin core software client.
- We can also remark that bitcoin core client relies on OpenSSL for random number generation. It is difficult to imagine worse.
- Not trying to do the job correctly, with a strict minimum of diligence and applying best practices, is what probably makes today’s bitcoin more likely to be considered as a pump and dump investment scheme.
Other crypto currencies, though smaller than bitcoin, seem to do much better:
- For example Stellar has a head of Secure Computer Systems Group at Stanford University on board, and they do care about security: they decided to go for a so called “safe” elliptic curve Curve25519.
- Ethereum has two superstar cryptographers Merkle and Koblitz, which are actually the people who have invented the very cryptographic technology which underpins bitcoin.