Estimating Patch Propagation Times across (Blockchain) Forks

TL;DR

This paper analyzes how quickly security patches from Bitcoin are adopted by altcoins, revealing delays and vulnerabilities in forked cryptocurrencies due to less rigorous patching practices.

Contribution

It introduces a method to estimate patch propagation times across blockchain forks using GitHub data, highlighting security risks in altcoins.

Findings

Altcoins often delay patching critical vulnerabilities inherited from Bitcoin.

Bitcoin developers rapidly fix security issues, unlike altcoins.

Some altcoins take tens of months to address known vulnerabilities.

Abstract

The wide success of Bitcoin has led to a huge surge of alternative cryptocurrencies (altcoins). Most altcoins essentially fork Bitcoin's code with minor modifications, such as the number of coins to be minted, the block size, and the block generation time. As such, they are often deemed identical to Bitcoin in terms of security, robustness, and maturity. In this paper, we show that this common conception is misleading. By mining data retrieved from the GitHub repositories of various altcoin projects, we estimate the time it took to propagate relevant patches from Bitcoin to the altcoins. We find that, while the Bitcoin development community is quite active in fixing security flaws of Bitcoin's code base, forked cryptocurrencies are not as rigorous in patching the same vulnerabilities (inherited from Bitcoin). In some cases, we observe that even critical vulnerabilities, discovered and fixed within the Bitcoin community, have been addressed by the altcoins tens of months after disclosure. Besides raising awareness of this problem, our work aims to motivate the need for a proper responsible disclosure of vulnerabilities to all forked chains prior to reporting them publicly.