On this episode of the Unhashed Podcast: Blockstream’s liquid bridge is bugged, Lightning Network may be vulnerable to an easy attack, and Casa’s Jameson Lopp is shilling their wallet without being upfront about the 100% trust assumptions you must make with Casa to use it or even their 2-of-3 product. On top of this, there is no mnemonic…but at least google gets to hold your backup, right?!
Weekly News Wrap Up: A malfunction in Blockstream’s Liquid bridge for Bitcoin (BTC) resulted in a Blockstream-owned 2-of-3 multisig contract briefly controlling over 870 BTC, worth $8 million. This was discovered on June 26 by James Prestwich, founder of blockchain software development company Summa, which contributed to the tBTC project. According to his findings, the spending script for the transaction was configured so as to transfer control to a simple 2-of-3 multisig contract after 2,015 blocks, or about two weeks. While this is intended behavior, this is only meant to be triggered as a last resort if the Liquid network were to collapse, as explained by its documentation. Prestwich found the issue just as the waiting period expired, which created a window of about thirty minutes, or three Bitcoin blocks, during which the emergency multisig could have taken control of the money. This did not result in a loss of funds as the emergency multisig is held by Blockstream. [Blockstream post-mortem]
Two Bitcoin researchers claim to have found a way to steal funds on the Bitcoin Lightning Network. In a research paper, titled “Flood & Loot: A Systemic Attack On The Lightning Network,” researchers Jona Harris and Aviv Zohar, both of Israel’s Hebrew University, found that attackers can exploit a bottleneck in the system to drain wallets of funds. The researchers found that an attacker has to attack 85 channels simultaneously to make some money. They also show that it’s fairly easy for them to find unsuspecting victims. All vulnerable nodes must do is show a “willingness to open a channel” with an attacker. “We discover that a vast majority of active nodes (~95%) are willing to open a channel upon request, and are therefore susceptible to becoming victims in our attack,” wrote the researchers.
Casa has released their free version of the Casa Keymaster app. With it you can run a seedless wallet. The key will be backed up between your own cloud storage and the Casa server. Writing down words will not be needed. The free setup only allows for one key only, for multisig a subscription is required. “We’re excited about launching a free and simple bitcoin wallet that anyone can use,” said Nick Neuman, Casa’s CEO, in a statement shared with Bitcoin Magazine. “More people are turning to Bitcoin as a long-term investment, but they may not know how to store it safely… We want to offer this simple wallet for beginners for free, so they can start their Bitcoin journey safely.” “There is no location tracking, no data tracking and no invasive third-party analytics: users simply sign up with an email and an alias to start improving their Bitcoin security immediately,” according to a press release.
Variable amount chaumian coinjoin is one step closer to becoming a reality, thanks to WabiSabi. This new protocol for Wasabi wallet has just been announced on the Bitcoin mailing list, and it's something to be excited about. Users can come together and create a coinjoin with any inputs & outputs that they want, by communicating with a single server that learns nothing about the relation between inputs & outputs. While this does NOT address amount correlation by examining the transaction on the blockchain, it lays the foundation for future work in this direction. The protocol is quite versatile and also lends itself to e.g. Chaumian ecash, for which variable amounts can be extremely useful. In technical terms: the server essentially signs "blind" Pedersen commitments of which the owner can prove arbitrary statements in zero knowledge.
Hardware wallet Trezor released a firmware update, fixing a security bug that was purported to be new, but had actually been found back in 2017 by Greg Sanders. The general issue is that a hardware wallet can be tricked into signing a transaction with a very high fee, without realizing it. The fix caused quite a bit of a stir on Twitter, because it broke compatibility with certain software, among which were BTCPay and Wasabi Wallet.
Price Analysis: Number go up
One Final Note: Firstly, Support us on Patreon.
Make sure you are storing your crypto on something secure like a Ledger and backing it up on something sturdy like a Billfodl. If you buy these items through the links above, we do take a cut of the profits but it also helps support the show - a win/win for all involved.
And also...thanks for stopping by and listening. If you want to help us grow, there are several ways you can help out.
You can donate bitcoin to us at the address on the donate page on our website unhashedpodcast.com, you can also sponsor our show by getting in touch with us at [email protected], or there are a few other things you can do that will cost you nothing but a little time - you can rate our show on itunes or wherever you are listening to this, you can tell a friend about us, or most easily, you can retweet our tweets announcing each episode and follow us @unhashedpodcast or join our telegram channel at t.me/unhashedpodcast.
Again thanks for listening and helping us grow. See you on the other side.
Producers of the Show: It’s time to thank the people who are making this show happen:
A big thank you to our VIP patrons:
Scott Offord from Crypto Mining Tools
And Peter McCormack from the What Bitcoin Did Podcast
Thanks so much for your contributions.
If you want to help contribute, you can go to patreon.com/unhashedpodcast or send Bitcoin to the address on the about page of unhashedpodcast.com