Bitcoin’s crisis playbook: Lessons from the Heartbleed bug

11 years ago, the Bitcoin world scrambled to mitigate Heartbleed


This is a segment from the Supply Shock newsletter.


Heartbleed was a tiny but critical flaw in the "heartbeat" extension of OpenSSL, the widely used open-source cryptography library. OpenSSL implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS), the encryption protocols meant to protect sensitive data in transit when using websites and other online services.

OpenSSL's heartbeat is a type of ping: a tiny message passed back and forth between the user's machine and the server they're connected to, which proves the connection is still alive. The sender includes some payload bytes and says how long that payload is, and the other side echoes it back.

The bug was that the receiving side never checked that the length field matched the data actually sent. A client could claim a payload of up to 64 KB while sending only a few bytes, and the server would dutifully copy that many bytes out of its own process memory into the reply. Whatever happened to be sitting in the target's RAM next to the request could be siphoned, in plaintext and without leaving anything unusual in the logs: usernames, passwords, cookies, or even bitcoin private keys. The attacker could simply repeat the request to keep harvesting.
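As an added illustration written for this article, not OpenSSL's own code, the simplified model below puts the buggy handler beside a bounds check of the same shape that OpenSSL 1.0.1g introduced. The "heap" is a constructed byte array with a made-up session cookie placed directly after the received record; the function names and the SECRET value are inventions for this demo, and the record layout follows RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed pattern, written for this article.
 * It is a simplified model, not OpenSSL's source. Record layout follows
 * RFC 6520: 1-byte type, 2-byte payload length, payload, >= 16 bytes padding. */

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Constructed stand-in for the server's heap: the received record sits at
 * the front and unrelated data (a made-up cookie) lies right after it. */
#define ARENA_SIZE 512
static const char SECRET[] = "session=deadbeef; user=alice";

/* Writes a heartbeat request whose header claims `claimed` payload bytes
 * while only `actual` bytes of payload are really sent, then places SECRET
 * just past the end of the record. Returns the record length on the wire. */
static size_t build_request(uint8_t *arena, uint16_t claimed, size_t actual)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memset(arena + 3, 'A', actual);                  /* the genuine payload */
    size_t rec_len = 3 + actual + HB_PADDING;        /* padding already zeroed */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);  /* neighbouring heap data */
    return rec_len;
}

/* Builds the heartbeat response into `resp`. With hardened == 0 it behaves
 * like the buggy handler and trusts the length field; with hardened != 0 it
 * applies a check of the same shape OpenSSL 1.0.1g added: the claimed
 * payload plus header and padding must fit inside the record that actually
 * arrived, otherwise the record is silently dropped. Returns the response
 * length, or 0 if the record was dropped. */
static size_t handle_heartbeat(int hardened, const uint8_t *rec, size_t rec_len,
                               uint8_t *resp)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;      /* too short to parse */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (hardened && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, rec + 3, payload);              /* unpatched: runs past the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Sends one request that claims `claimed` bytes but carries five, and
 * returns how many bytes beyond the real record were echoed back. Those
 * bytes are copied into `leaked` as a C string; `*resp_len` receives the
 * response length (0 means the server dropped the request). */
size_t bytes_leaked(int hardened, uint16_t claimed,
                    char *leaked, size_t leaked_cap, size_t *resp_len)
{
    static uint8_t arena[ARENA_SIZE];
    static uint8_t resp[3 + 65535 + HB_PADDING];     /* largest possible response */
    if (leaked_cap) leaked[0] = '\0';
    *resp_len = 0;
    if ((size_t)3 + claimed > ARENA_SIZE) return 0;  /* model only covers reads inside the arena */
    size_t rec_len = build_request(arena, claimed, 5);
    *resp_len = handle_heartbeat(hardened, arena, rec_len, resp);
    if (*resp_len == 0 || (size_t)3 + claimed <= rec_len) return 0;
    size_t over = 3 + claimed - rec_len;             /* bytes read past the record */
    if (leaked_cap == 0) return over;
    size_t n = over < leaked_cap - 1 ? over : leaked_cap - 1;
    memcpy(leaked, resp + rec_len, n);               /* over-read starts where the record ended */
    leaked[n] = '\0';
    return over;
}

int main(void)
{
    char buf[64];
    size_t rl;
    size_t v = bytes_leaked(0, 200, buf, sizeof buf, &rl);
    printf("unpatched: %zu-byte response, %zu bytes past the record: \"%s\"\n", rl, v, buf);
    size_t h = bytes_leaked(1, 200, buf, sizeof buf, &rl);
    printf("patched:   %zu-byte response, %zu bytes past the record\n", rl, h);
    return 0;
}
```

The unpatched path answers a 24-byte record with a 219-byte response, 179 bytes of which are whatever lay beyond the record, here the planted cookie. The hardened path drops the oversized claim but still answers an honest 5-byte heartbeat, which is the behaviour a patch must preserve: the length field is attacker-controlled input and has to be validated against the bytes that actually arrived, not the other way round.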

As cryptographer Matt Blaze put it, Heartbleed “leaks data beyond what it’s protecting. So [it’s] worse than no [cryptography] at all.”

Heartbleed went undiscovered for roughly two years: the bug shipped in OpenSSL 1.0.1 in March 2012 and was disclosed in April 2014. Initial estimates suggested that two-thirds of the internet's web servers were relying on OpenSSL at the time, but not all of them were running vulnerable versions.

More specific calculations pointed to around half a million affected websites, roughly 17% of all SSL web servers globally, including Instagram, Tumblr, Google, Dropbox and GitHub, as well as routers, VPNs, some Android devices and, perhaps most importantly for Bitcoiners, crypto platforms.

Anyone who ran software containing the bug, or interacted with sites or services that did, was at risk. The one limit was that an attacker could only read what happened to be in the vulnerable process's memory at the moment of each request, so the damage depended on who was logged in, or which keys were loaded, at the time.

So, as admins around the world rushed to patch their systems (95 out of the top 100 sites on Alexa were patched within 24 hours), the Bitcoin ecosystem ran its own crisis playbook. 

Bitstamp briefly took itself offline, and Bitfinex suspended withdrawals as Coinbase and BitPay confirmed their stacks were free of the flaw. Cybersecurity researchers and industry figures urged users to change their credentials as soon as possible, while others independently compiled lists of sites and services still running the vulnerable versions of OpenSSL.

Bitcoin Core developers, meanwhile, pushed through an emergency patch within a day. 

The peer-to-peer protocol itself did not use OpenSSL's TLS at all (Bitcoin network messages are sent unencrypted), so nodes could not be attacked through the heartbeat by their peers, and although the client at the time still used OpenSSL for ECDSA signature checks, Heartbleed lives in the TLS code path, not the signature one. Other parts of the client were exposed: the JSON-RPC interface when run over SSL, which mattered for anyone talking directly to a node that way, and the now-deprecated BIP-70 payment protocol, which fetched payment requests over HTTPS when a user clicked a "bitcoin:" link.

Amazingly, the most severe known case of a bitcoin-related Heartbleed exploit was the matter of 28 BTC ($6,500 then, $2.5 million now) stolen from 12 customers of early lending platform BTCJam. The platform quickly refunded the lost coins.

That Heartbleed wasn’t worse for Bitcoin is down to the fast and effective response from the ecosystem as it was in 2014. Bitcoin Core developers would go on to shed the software’s dependencies on OpenSSL over the following years, and by June 2020 it was completely free of it.

We all know bitcoin is backed by Bitcoin. It’s valuable partly due to the energy that miners spend in pursuit of the protocol’s longevity, amplified by external demand for the coins they earn in return.

More critical, however, is that bitcoin is backed by those who've contributed to its evolution and safety, and they've become exceedingly efficient at it over the past decade and a half, even if they're only human.

— David Canellis


Rizzo’s take, the Bitcoin Historian

In an era where Bitcoin upgrades appear ever-gridlocked, the Heartbleed bug may seem like a dusty relic of Bitcoin’s reckless past, a callback to a time when the project’s developers moved at the speed of more traditional software projects. (Think: “Move fast and break things.”)

In other ways, the Heartbleed bug is a timeless reminder of the risks Bitcoin developers must consider on behalf of users, and how, despite our proclivity to dismiss their recognition as a special class of project contributor, they retain distinctive responsibilities and privileges. 

I recall Jameson Lopp’s excellent new essay, “Against Allowing Quantum Recovery of Bitcoin,” on how Bitcoin might respond to a potential quantum computing threat.

In many ways, the arrival of quantum computers and their deployment on the Bitcoin network would be reminiscent of the Heartbleed bug. Developers would have to act, and those actions will have an effect not just on users, but on the wider network.

Lopp’s work raises more questions than answers, but it’s a solid reminder that while some populist Bitcoin evangelists like Michael Saylor are touting the technology as ready for centuries in Washington DC, there remain scenarios where Bitcoin might need human maintenance, and that may invite new opportunities for human error.

— Rizzo

