What should you do if you find a potentially devastating blockchain bug? There's no good answer yet, and this was a hot discussion topic at the MIT Bitcoin Expo, which I attended in Cambridge last weekend.
The conference touched on many interesting and timely topics ranging from Bitcoin privacy research to the regulation of crypto-assets—I recommend you check out the videos. But the issue of responsible bug disclosure, and how it is uniquely challenging in a decentralized environment, came up several times during the two-day event.
In the traditional software world, there's an established process if you find a bug or a security hole. If a security researcher finds one in a popular website, she will disclose it to the website owner and give them a certain amount of time to fix it before publicizing the discovery. In the case of a blockchain network, to whom should the researcher report a bug? If it's really decentralized, no one is in charge. And don't forget that other big wrinkle: there is a lot of other people's money on the line.
Most cryptocurrencies have a group of lead developers to whom you should disclose bugs, said Bitcoin Core developer Corey Fields during a conference session on Saturday. Unfortunately, "The question of how gets a little bit tricky," he said.
Last year, Fields discovered a vulnerability that could have severely undermined the security of Bitcoin Cash. He decided to notify someone, but struggled to locate and contact the currency's developers. Finally, he managed to use an elaborate process to anonymously deliver them an encrypted message. Why anonymous? So his name wouldn't become connected with the bug. Fields said that if someone had exploited it, he might have been blamed, and due to the anonymous nature of blockchain transactions he would have had no way to definitively prove he wasn't the attacker.
Questions about how to disclose bugs raise even bigger ones about how best to govern blockchain networks. Last month, the company that built and maintains the software underlying privacy-focused cryptocurrency Zcash revealed that it had secretly fixed a critical bug that it had discovered months prior. The move was controversial inside the Zcash community. Josh Cincinnati, executive director of the Zcash Foundation, a public charity that's supposed to counterbalance the power of the for-profit company, said at the MIT conference that he wished the disclosure had been handled differently. "We were surprised, and wished that we had more insight early on."
Increasing security risk, particularly in the form of unproven protocols and "latent" bugs, is a major challenge facing blockchain technology, said Neha Narula, director of MIT's Digital Currency Initiative. That standardized procedures don't yet exist for disclosing potentially catastrophic bugs is just one of a number of reasons "cryptocurrency is not ready for billions of users," she said.
(See "Once hailed as unhackable, blockchains are now getting hacked")
Renewable electricity doesn't look like the solution to Bitcoin's growing environmental problem. That's the conclusion of a new research paper published by economist Alex de Vries today.
In the paper published in Joule, de Vries, who has become known for his dire assessments of Bitcoin's electricity consumption and carbon footprint, updates the gloomy news. The network, which like many others relies on a resource-intensive "mining" process to validate its distributed ledger, now uses at least as much electricity annually as does Hungary, he says.
A single transaction consumes somewhere between 491 and 766 kilowatt-hours, estimates de Vries, compared with 0.4 kilowatt-hours consumed by a non-cash transaction by the traditional banking industry. And he calculates that a Bitcoin transaction emits somewhere between 233 and 364 kilograms of carbon dioxide, compared with 0.4 grams for a VISA transaction and 0.8 grams for a Google search.
Some dispute the argument by de Vries and others that Bitcoin presents a dire environmental problem, citing evidence that many mining facilities are located in areas that offer cheap renewable power. For instance, it's been estimated that 48 percent of the world's mining capacity is in the province of Sichuan, China, where there is lots of surplus hydropower. But de Vries writes that Sichuan's hydro generating capacity is as much as three times higher during the wet season than it is when it's drier. Though miners may take advantage of excess hydro at times, they are adding to the absolute demand on the grid all year, and during the drier season that demand often must be met with coal, he writes.
Using renewable energy also won't solve the problem of Bitcoin-related electronic waste. According to de Vries, the pileup of obsolete mining chips promises to massively outpace e-waste creation by the banking sector. The network could make itself more sustainable by switching to a more resource-efficient process, like proof-of-stake, or by developing ways to execute more transactions without using the main blockchain, he concludes.
The methodology that de Vries uses to calculate Bitcoin's electricity footprint has been criticized, perhaps most notably by Jonathan Koomey, an energy researcher who has published a number of papers on the energy use of data centers. But as Koomey himself acknowledges, it's hard to know exactly how many mining rigs there are out there, where they are installed, and what kind of cooling systems they use. The dearth of data leaves us second-guessing the scale of the potential problem.
Loose Change
Fill your pockets with these newsy tidbits.
- Coinbase has now added support for the currency Stellar Lumens. (Coinbase)
- China is home to the most blockchain-related patents in the world. (TheNextWeb)
- Samsung's new blockchain phone will apparently only be compatible with Ethereum-based tokens at first. (CoinDesk)
- What the hell is a blockchain phone—and do I need one? (TR)
- A highly-anticipated blockchain project called Cosmos, which is aimed at helping public blockchains interoperate, is live. (The Block)