Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
Aleksandar Kircanski, Terence Tarvis

TL;DR
This paper systematically catalogs common implementation-level security vulnerabilities in basic PoW blockchain node software, highlighting ten bug categories and providing a reference for security testing and development.
Contribution
It fills a gap by enumerating blockchain implementation bugs, especially in Bitcoin-like systems, and links known examples to each bug category.
Findings
Identifies ten broad bug categories in blockchain node implementations.
Highlights novel bug classes introduced by Bitcoin's design.
Provides a reference for security testers and developers.
Abstract
A good amount of effort has been dedicated to surveying and systematizing Ethereum smart contract security bug classes. There is, however, a gap in the literature when it comes to surveying implementation-level security bugs that commonly occur in basic PoW blockchain node implementations, discovered during the first decade of Bitcoin's existence. This paper attempts to fill this void. In particular, if software which participates in a network by validating and generating new blocks is developed from scratch, WCGW - What Could Go Wrong? Ten broad bug type categories are listed and for each category, known examples are linked. Blockchain, as designed in Satoshi's paper, is exciting and introduces several novel bug classes which are interesting to security researchers. The paper is aimed at security testers aiming to start out in blockchain security reviews and blockchain developers as a…
Taxonomy
Topics: Blockchain Technology Applications and Security · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
