Estimating Patch Propagation Times across (Blockchain) Forks

The wide success of Bitcoin has led to a huge surge of alternative cryptocurrencies (altcoins). Most altcoins essentially fork Bitcoin's code with minor modifications, such as the number of coins to be minted, the block size, and the block generation time. As such, they are often deemed identical to Bitcoin in terms of security, robustness, and maturity. In this paper, we show that this common conception is misleading. By mining data retrieved from the GitHub repositories of various altcoin projects, we estimate the time it took to propagate relevant patches from Bitcoin to the altcoins. We find that, while the Bitcoin development community is quite active in fixing security flaws of Bitcoin's code base, forked cryptocurrencies are not as rigorous in patching the same vulnerabilities (inherited from Bitcoin). In some cases, we observe that even critical vulnerabilities, discovered and fixed within the Bitcoin community, have been addressed by the altcoins tens of months after disclosure. Besides raising awareness of this problem, our work aims to motivate the need for a proper responsible disclosure of vulnerabilities to all forked chains prior to reporting them publicly.
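The measurement the abstract describes, estimating how long an upstream Bitcoin patch took to reappear in a fork, can be reduced to matching the same change across two commit histories and taking the date difference. The following is an added illustration, not the paper's tooling or data: the commit logs are constructed, the commit identifiers are placeholders, and matching a patch by a hash over its whitespace-normalised diff (in the spirit of `git patch-id`) is an assumed heuristic, not the authors' method. It also reports forks where the patch never appears, since an unpatched fork is the more important finding and must not be silently dropped.

```python
"""Estimate how long an upstream fix took to land in a forked code base.

Added illustrative example, not the paper's tooling or data. Commit logs
below are constructed, and the matching heuristic (a hash over the
whitespace-normalised diff, in the spirit of `git patch-id`) is an
assumption about how one might recognise the same patch in two repositories.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Commit:
    repo: str
    sha: str          # placeholder identifier, not a real commit hash
    committed: date
    subject: str
    diff: str


def patch_id(diff: str) -> str:
    """Fingerprint of a diff that ignores hunk positions and whitespace.

    Hunk headers (@@ -12,7 +12,8 @@) and file headers differ between
    repositories even when the change is identical, so they are dropped
    before hashing; runs of whitespace are collapsed so a re-indented port
    of the same change still matches.
    """
    kept = []
    for line in diff.splitlines():
        if line.startswith(("@@", "---", "+++")):
            continue
        kept.append(re.sub(r"\s+", " ", line).strip())
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()[:16]


def propagation_days(upstream_fix: Commit, fork_log: list[Commit]) -> Optional[int]:
    """Days between the upstream fix and the first fork commit carrying it.

    Returns None when the fork never applied the patch; a study of this kind
    must report that case separately rather than treat it as zero lag.
    """
    want = patch_id(upstream_fix.diff)
    matches = [c for c in fork_log if patch_id(c.diff) == want]
    if not matches:
        return None
    first = min(matches, key=lambda c: c.committed)
    return (first.committed - upstream_fix.committed).days


def summarize(upstream_fix: Commit, forks: dict[str, list[Commit]]) -> dict[str, Optional[int]]:
    """Per-fork propagation lag in days (None = patch not found in the fork)."""
    return {name: propagation_days(upstream_fix, log) for name, log in forks.items()}


# --- constructed sample data (dates, diffs and identifiers are made up) ------
UPSTREAM_FIX = Commit(
    "bitcoin", "upstream-fix-1", date(2018, 3, 1), "Fix input validation",
    "--- a/validation.cpp\n+++ b/validation.cpp\n@@ -10,3 +10,4 @@\n"
    " bool CheckTx() {\n-    return true;\n+    if (!CheckInputs()) return false;\n+    return true;\n }\n",
)

FORK_A_LOG = [  # ports the fix nine weeks later, at a different line and indentation
    Commit("altcoin-a", "a-1", date(2018, 2, 20), "Bump version",
           "--- a/v\n+++ b/v\n@@ -1 +1 @@\n-1\n+2\n"),
    Commit("altcoin-a", "a-2", date(2018, 5, 3), "Port upstream fix",
           "--- a/validation.cpp\n+++ b/validation.cpp\n@@ -42,3 +42,4 @@\n"
           " bool CheckTx() {\n-  return true;\n+  if (!CheckInputs()) return false;\n+  return true;\n }\n"),
]

FORK_B_LOG = [  # never applies the patch
    Commit("altcoin-b", "b-1", date(2018, 6, 5), "Rebrand",
           "--- a/README\n+++ b/README\n@@ -1 +1 @@\n-Bitcoin\n+AltcoinB\n"),
]


if __name__ == "__main__":
    for fork, lag in summarize(UPSTREAM_FIX, {"altcoin-a": FORK_A_LOG, "altcoin-b": FORK_B_LOG}).items():
        print(f"{fork}: {'unpatched' if lag is None else f'{lag} days'}")
```

On real repositories one would feed `propagation_days` the output of `git log -p` for each fork; the normalisation in `patch_id` is deliberately loose so that a fork which re-indented or relocated the hunk still counts as patched, while a fork that only cherry-picked part of the change does not match and is surfaced as unpatched for manual review.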
