Bitcoin Forum

I would be interested in funding this. And, Gavin thinks it is a good idea.


Who has experience with white-hat security firms?  Who should we approach?  How much would it cost?

There are challenges in organizing an audit as the commons, but I imagine high net worth bitcoiners, who have a vested interest in the security of the protocol, could be convinced.

I'll put 10BTC towards this, personally.  Who else is in?

Here I'll save you the trouble.

BlahBlah security crypto consultants inc. has found the following weaknesses in bitcoin:

1. blah blah hash collision blah blah birthday attack gives us a one-in-one-quadblahdrillionzillion chance of double spending coins when it was previously thought to be one-in-onequadblahbilliondrillion
2. people can walk into your house when you are not home, log onto your laptop and steal your coins
3. any criminal/bank/govt with enough financial resources can easily DDoS the largest pools and execute one of many 51% attacks RIGHT NOW if they wanted


Mitigation summary:

1. encrypt and backup your wallet in the client by default and add multi-sig transactions to the protocol
2. decentralize mining ASAP (encourage use of p2pool, integrate p2p mining in client, etc)

Put bounties for proven exploits in a test environment chainblock, under the condition of not making them public until fixed.

+1  There is essentially a bounty out there in the form of reward for theft for problems related to both the client and protocol.  The main areas that need tightening are the pools because they concentrate so much power.  Most all of the possible attacks would REQUIRE a pool  or more money (in hardware) then the attack would capture. 

There is a bounty for blackhats. Some people wouldn't just steal a bunch of coins from an unsuspecting user. So there should be bounties for successful attacks on the test network (not consisting of 50%+ hashing rates).

coretechs, I think believing that bitcoin is already bullet proof is incredibly foolish.

What if there are more bugs like the encryption bug in 0.4?  People trusted that their wallets were secure, but OOPS they weren't.

Having someone paid to look for holes is a good thing.

I support this idea.

I don't believe it's bullet proof at all; I listed 2 of the biggest flaws that NEED to be addressed right away.  A [block]chain is only as strong as its weakest link.

I agree that having someone paid to look for holes is a good thing but I think that is better achieved by paying bounties for exploits to anyone who finds them.  I don't see the point in trying to raise tens or hundreds of thousands of dollars to pay some hardcore commercial netcode/crypto analysts to spend months auditing bitcoin for flaws, and I doubt they would accept BTC as payment.  I'm not trying to be negative, just realistic on what would be more effective.  I'll gladly contribute to bounties for finding exploits.

Any govt with $20 million spare change could bring the network to it's knees. If senator Shumer and co-horts wanted to fund that via back channels it would be more effective and cheaper than years of legislative maneuvering.

As said earlier, create a fund with a bounty which any new proven attacks will get if they contact gavin and keep them secret for atleast 6 month?

This kind of things will get easier when we can have multiple adresses needed to control an account. This means that Gavin and some others Casascius etc can hold the different keys for this account.

Having it even discussed in the Senate would skyrocket the popularity of bitcoin and the strength of the network.

Isn't it a bit too early for this?  The protocol is still undergoing significant changes and every modification introduces new bugs.
 

I think in these months the whole system has been already attacked by pretty much everyone trying to steal money. And they almost always failed (yeah except for wallet stealer virus and connecting to the RPC interface with fail password and stealing everything)

The blockchain itself is its own incentive. There are millions of dollars right there, available for the taking. That's far larger than any bounty you will every collect. All you have to do is to find an exploit. You don't think people have already tried?

Effectively there are not "millions of dollars" for the taking. If you manage to expropriate a good chunk of the coins in the whole market, automatically they become worth a lot less. This actually happened once when they hacked MtGox. The size of the current market is right now, you would be very lucky to cash out 100K. This is because are not "good currency" for themselves as is, and must be converted in scale.

Moreover, for some reason we only seem to care about the security of the whole blockchain, when that's not by any means all there is to it. There's individual wallet security, punctual double-spending, etc and all that needs proving.

edit

Who said you need to cash them all out at once? If coins can be stolen, they can be traded, cashed in, saved, etc.


Let's look at mtgox order book:
You can cash more than $1,000,000 worth of bitcoins right this moment, and only drop the price to $2.70. There is plenty of money available for the taking in the blockchain.

If such coins would be stolen it would be very visible in the blockchain, and speculators would firesale anticipating a crash in confidence in the whole bitcoin system. Speculators and basically anyone who'd get wind of the news.

Most white hats are corporate parasites or lamers who are not smart enough to be black ones.

Bitcoin is in wild. It is looked over and over again by some really smart people. The Satoshi client is still standing. Is there a need for any more proof?

Often, but not always. You lose nothing by having a bounty on the test network, so people who really mean no harm can try stuff.


Yep, strongest reason why bitcoins are worth something right now.

Agreed. And the condition is very important.

And damaging testnet instead of main blockchain is as much fun as having sex with inflatable doll instead of real women.

Which is precisely why bounties are needed.