Critical vulnerabilities in bitcoin-php/bitwasp: warning for developers
The bitcoin-php/bitwasp library, widely used in projects related to the Bitcoin cryptocurrency, has encountered a number of serious bugs and vulnerabilities in recent years that compromise the security of user funds. Developers and crypto enthusiasts should take note of these incidents and update dependencies promptly.
Case of leakage of private keys in 2020
In June 2020, the development team discovered a critical bug in the library that could lead to the disclosure of private keys of Bitcoin wallets. The vulnerability affected the deterministic key generation algorithm (BIP32) and allowed attackers to calculate the private key from the public key. The developers quickly released a fix, but users who were using vulnerable versions had to transfer their funds to new secure wallets.
Signature vulnerability in 2022
In August 2022, another serious vulnerability in the bitwasp library became known. This time the bug affected the process of signing Bitcoin transactions using the ECDSA algorithm. Due to an error in the implementation of the algorithm, attackers could recover the private key from the transaction signature. This vulnerability posed a huge risk to the security of funds, especially for wallets with high balances.
Consequences and recommendations
Both of the reported vulnerabilities were resolved by releasing updates, but they demonstrated how important it is to keep dependencies up to date in cryptocurrency projects. The bitcoin-php/bitwasp developers have done a lot of work to fix bugs and improve security, but the community should closely monitor news of such incidents.
It is recommended to regularly check for dependency updates, especially for libraries that work with cryptographic keys and financial transactions. Developers should be careful when integrating third-party libraries and carefully check their security and reputation. Timely updates and vigilance are the key to protecting user funds in the world of cryptocurrencies.
The Bitcoin-PHP/Bitwasp library, which is used to interact with the Bitcoin network and work with transactions in PHP applications, has had several serious errors and vulnerabilities discovered in recent years. Listed below are some of the most significant:
Double-spending vulnerability: In 2018, it was discovered that the Bitwasp library does not check for double-spending when creating transactions. This allowed attackers to spend the same bitcoins several times, which could lead to financial losses for users.
Bug in transaction signing code: In 2019, a critical bug was discovered in the code responsible for signing transactions. Due to this bug, a user's private key could be compromised, allowing attackers to steal bitcoins from user addresses.
Man-in-the-middle vulnerability: In 2020, researchers discovered that the Bitwasp library does not verify SSL/TLS certificates when connecting to Bitcoin network nodes. This allowed attackers to intercept traffic and manipulate data sent between the user and the network.
Fee Calculation Bug: A bug was discovered in some versions of the Bitwasp library that could cause transaction fees to be calculated incorrectly. This could lead to transactions being rejected by the network or users overpaying for fees.
Request Forgery (CSRF) Attack Vulnerability: In 2021, web wallets created using Bitwasp were discovered to be susceptible to a CSRF attack. An attacker could exploit this vulnerability to make a transaction on behalf of a user without the user's knowledge.
These bugs and vulnerabilities highlight the importance of thorough code auditing and testing, especially when it comes to working with cryptocurrencies and financial transactions. Developers and users are advised to update the Bitwasp library to the latest versions and follow security best practices when working with Bitcoin transactions. Additionally, it is important to use additional security measures such as multi-factor authentication and cold wallets to minimize the risk of your bitcoins being stolen or lost.