Free self-service BSV – While what follows may sound mind-boggling in terms of development errors, it’s actually true.
A bug in a multi-signature script specific to the Bitcoin SV project (the fork of Bitcoin Cash) allows anyone to retrieve the BSVs, which are supposed to be protected by this type of script requiring multiple keys, even from those who don’t have any of the keys.
A huge error exploited to empty BSV wallets
The programming error and its exploitation were reported on November 8 by Blockstream co-founder Gregory Maxwell (aka „u/nullc“ on Reddit).
The „Pay to script hash 0187“ (or „P2SH“) function was added on the Bitcoin (BTC) network in April 2012. It allows to send Bitcoins to an address that could be multi-signature, i.e. that requires several keys/signatures of different people to spend these Bitcoins.
During an update of Bitcoin SV (BSV) in February 2020, the P2SH function was purely removed. The developers of this project took it very hard, since the homemade multi-signature (multisig) function they created as a replacement has a huge programming error.
Gregory Maxwell points out that these BSV multi-sig scripts actually have „no security“.
Open bar for everyone!
As Adam Back, co-founder and CEO of Blockstream, explains on Twitter :
„Due to [the programming] of an equal or lower number of signatures required (rather than an equal or higher number than the minimum expected), anyone can set it to 0 valid signatures and take any crypto in the format of this BSV homemade multi-signature. (…). »
So… Due to less than or equal number of signatures (rather than intended greater than or equal) anyone can set it to 0 valid signatures and take any of the corners in the home-brew BSV multi-sig format. Oops. Needed adversarial testing.
– Adam Back (@adam3us) November 8, 2020
Gregory Maxwell also indicates that the rift has been exploited and that „ASBs have been taken“. He also points out that :
„… this situation could have been avoided entirely if the BSV project had not removed the time-tested and highly peer reviewed mechanisms of Bitcoin’s multisig feature in favor of a much less efficient home-made script. »
With these words full of reason, let’s hope for the BSV community that other experiments in modifying the Bitcoin source code will not be as dangerous. In any case, as Gregory Maxwell says: „I’m not going to risk finding out.