Blockstream Bug Opened Liquid Network to $16 Million Bitcoin Theft
A long-standing bug in Blockstream's Liquid Network could have allowed for internal theft, jeopardizing millions in Bitcoin.
- A bug in Blockstream's Liquid Network could have allowed employees to steal Bitcoin with minimal authorization
- Blockstream has implemented a workaround and is currently developing a permanent solution
- No funds have actually been stolen during the 18 months that the account was compromised
Share this article
Blockstream’s Liquid Network contained a vulnerability until today that could have allowed millions in BTC to get stolen. The bug was disclosed by James Prestwich, a Bitcoin developer and founder of the crypto startup Summa One.
How the Bug Works
The security vulnerability affected an essential account on the Liquid Network due to inconsistent timelocks.
That inconsistency could have allowed employees to withdraw Bitcoin from through an emergency recovery process that requires 2 of 3 keyholders to sign a transaction. This bug would bypass the proper multisig process, which requires 11 of 15 keyholders to sign a transaction.
According to Prestwitch, the vulnerable account controlled 870 BTC ($8 million) for over an hour this week. However, the bug could have compromised millions of dollars before the last transaction: the potential exploit has existed for 18 months and affected more than 2,000 UTXOs.
Blockstream CEO Adam Back has responded and admitted that the bug was a “known issue.”
Back says that a complete fix has been underway for some time, but has been delayed for several reasons. He added that developers are currently working with the Liquid Federation to create and deploy a final patch. Right now, a workaround is in place that will solve the problem in a temporary and limited way.
Adam Back noted that Blockstream’s handling of the situation “is not up to [its] usual standard of trust-minimization.” To Blockstream’s credit, no funds have actually been stolen. Furthermore, the bug only opens the possibility of internal theft by employees—not an outside attack.
Why Blockstream Is Controversial
Blockstream and the Liquid Network are somewhat controversial among the crypto community, especially among the Bitcoin community.
While Blockstream funds development of Bitcoin itself, the company’s Liquid Network is a federated sidechain that stores BTC outside of the main Bitcoin blockchain. That means that the company maintains significant control over the funds of users who trust it—typically enterprises and exchanges that rely on it for transfers and settlement.
Liquid’s bug is unlikely to affect general crypto holders. Regardless, the news is a reminder that investors who wish to maintain maximum control over their Bitcoin should do so by holding it in their own non-custodial wallet.