Bitcoin Private Premine Blamed On Bug Exploit
While most of the market is on its way to recovery, one cryptocurrency is still struggling. Bitcoin Private (BTCP), an anonymity-protecting protocol which launched last March, is battling against allegations that developers may have secretly premined two million coins, giving themselves control of nearly ten percent of the total supply.
The extra coins were first reported in an investigation by CoinMetrics.
Bitcoin Private, which was created as a “merge fork” between Bitcoin and ZClassic (ZCL), is intended to combine the strength of Bitcoin’s decentralized network with privacy-protecting zk-SNARKs. It was originally intended to have a maximum supply of 21 million coins, representing the sum of all existing BTC and ZCL coins as well as future mining rewards. At the time of writing, there should be about 20.5 million BTCP coins available.
However, according to CoinMetrics:
2.04m additional units were covertly minted during the import of the Bitcoin UTXOs and sent to the BTCP shielded pool, bringing the initial supply to 22.6 million, contradicting the whitepaper and all of the materials published by the team. Three hundred thousand units of the covert premine were moved out of the shielded pool towards what appear to be exchanges.
Assuming these tokens were sold at market prices shortly after being moved, CoinMetrics estimates total profits between $3 and $10 million.
Since only 15% of all possible BTCP have been “claimed” – a risky process which can potentially endanger a user’s private keys – that means that the premine may account for up to 40% of all BTCP. Because the extra coins were stored in shielded addresses—taking advantage of BTCP’s privacy features—the counterfeits remained undiscovered.
The extra coins are not reflected in CoinMarketCap or similar tools, which use block height to estimate total numbers. In order to complete the investigation, CoinMetrics ran a full node on the BTCP chain and searched the blockchain for the sum of all unspent transactions.
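The gap between the two ways of counting, as an added example that is not code from CoinMetrics or the BTCP project: a toy ledger replay that compares the height-formula estimate with a supply audited from the transactions themselves. The reward schedule (Bitcoin's 50-coin, 210,000-block halving), the `to_shielded` and `from_shielded` fields and the sample chain are assumptions constructed for illustration, and the model assumes amounts moving into or out of the shielded pool are visible.

```python
COIN = 100_000_000  # base units per coin

def subsidy(height, initial=50 * COIN, interval=210_000):
    """Scheduled block reward (Bitcoin's schedule, assumed for illustration)."""
    halvings = height // interval
    return initial >> halvings if halvings < 64 else 0

def height_formula_supply(tip):
    """Naive estimate: trust the schedule, never look at the transactions."""
    return sum(subsidy(h) for h in range(tip + 1))

def audit(blocks):
    """Replay every block; return (audited_supply, heights_with_excess_issuance)."""
    utxos, shielded, flagged = {}, 0, []
    for height, txs in enumerate(blocks):
        issued = 0
        for tx in txs:
            # pop() raises KeyError on a missing or already-spent input
            spent = sum(utxos.pop(ref) for ref in tx.get("in", []))
            outs = tx.get("out", [])
            for i, value in enumerate(outs):
                utxos[(tx["id"], i)] = value
            to_sh, from_sh = tx.get("to_shielded", 0), tx.get("from_shielded", 0)
            shielded += to_sh - from_sh
            if shielded < 0:
                raise ValueError(f"shielded pool overdrawn at height {height}")
            issued += sum(outs) + to_sh - spent - from_sh
        if issued > subsidy(height):  # more value created than the schedule allows
            flagged.append(height)
    return sum(utxos.values()) + shielded, flagged

# Constructed sample chain: one list of transactions per block, heights 0..2.
SAMPLE_CHAIN = [
    [{"id": "cb0", "out": [50 * COIN]}],
    [{"id": "cb1", "out": [50 * COIN]},
     {"id": "x1", "to_shielded": 7 * COIN}],  # no inputs: value from nowhere
    [{"id": "cb2", "out": [50 * COIN]},
     {"id": "t2", "in": [("cb0", 0)], "out": [30 * COIN], "to_shielded": 20 * COIN}],
]

if __name__ == "__main__":
    total, flagged = audit(SAMPLE_CHAIN)
    print("height formula:", height_formula_supply(2) // COIN)
    print("audited supply:", total // COIN)
    print("blocks with excess issuance:", flagged)
```

The height formula stays at the scheduled figure regardless of what block 1 contains; only the replay notices the unbacked transfer into the shielded pool.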
Former Lead Developer Denies Blame
While CoinMetrics stopped short of accusing the developers of fraud, the online community has been less understanding. Rhett, the mononymous former lead developer for the project, denied any involvement and has begun banning his accusers from his Twitter account:
I have not been involved with the Bitcoin Private project for many months.
I never wrote any software for it.
I was never paid or given any BTCP for free
I have no knowledge of who may or may not have been involved in the inflation hack.
— Rhett (@HeyRhett) December 23, 2018
“If we think every bug is intentional, we will never find a dev”
Members of the Bitcoin Private team confirmed the numbers behind the CoinMetrics report, but denied the existence of an intentional premine, suggesting instead that someone had exploited a bug to award themselves extra tokens. “We think that we are in front of a bug related with pull 27,” said Manuel Ascoli, an administrator for the official BTCP Telegram Group.
“We have a 5 Jan code, and 2 months later someone use it to mine fraudulent BTCP during the fork mining,” Ascoli said. “I don’t think we can accuse someone. Code were there for 2 months.”
Mr. Ascoli is not a developer, and was not part of the team at the time the code was written. However, according to his understanding, there was nothing in the code or commit to suggest that the bug had been placed intentionally. “If we start to think that every bug is intentional,” he said, “we will never find a dev.”
Intentional or not, the discovery revives questions about the ethics and wisdom of Bitcoin forks, which typically centralize influence around a small core of developers. As the past few months have shown, forking is a convenient way for crypto developers to skip the queue of market development by hijacking the most well-known name in crypto.
It also re-raises serious questions about the ethics of premines and instamines. Another fork, Bitcoin Gold, awarded its developers an extra 100,000 coins in what was widely considered a cash-grab outside the BTG community.
Even if the premine and associated bugs were not intentional on the part of BTCP developers, the discovery of millions of unknown coins is a stark reminder that there’s no such thing as a “trustless system.” Every cryptocurrency requires quite a bit of trust – in this case, in the probity and reliability of code writers. As the CoinMetrics report concludes:
This case study should be a reminder to audit the supply by running fully validating nodes and auditing the data produced by those nodes, rather than trusting developer teams or data sources who naively compute supply with the height formula.
The author is invested in digital assets, including Bitcoin, which is mentioned in this article.