Bitcoin dev finds potentially crippling security flaw in Bitcoin Cash

Another massive security vulnerability in a major cryptocurrency has been discovered, just sitting there, waiting to be exploited – and this time around it’s Bitcoin Cash.

Its blockchain was open to being jammed with a toxic block that would have caused complete consensus failure. The bad block would have split the cryptocurrency in two, halting transactions and crippling its utility and price.

Cory Fields, who discovered the bug, reflected on its impact. Fields is a Bitcoin Core developer for the Digital Currency Initiative at the MIT Media Lab. He detailed the entire process, from discovery to anonymous submission, in a blog titled Responsible disclosure in the era of cryptocurrencies.

“Working through this bug, which certainly had the potential for catastrophe, has reaffirmed my belief that the threat of software bugs is severely underestimated in the cryptocurrency world,” writes Fields. ”[This] is a real-world example of how much work is still required to reach the sophisticated level of engineering that cryptocurrencies require, and as a wake-up call to companies who have not adequately prepared for this type of scenario.”

Cryptocurrency engineer Eric Wall took to Twitter, lambasting the project for having missed such a glaring vulnerability. Although it has since been patched, it does call the possible reality of a market dominated by Bitcoin Cash into question. After all, it wants to be the real Bitcoin.

If anything, 2018 is being defined by its securit y vulnerabilities . Cryptocurrency is software – sure, there’s going to be bugs. Indeed, it’s a fact of life – but disclosures, once potentially earth-shattering, are now having less impact. They’re a dime a dozen and we have just accepted that no blockchain really works as it should.

EOS, in particular, has found its best to attract hackers with honey, lots of honey . Their bug bounty has distributed $4 17,000 since May – two-thirds of all HackerOne bounties claimed this year.

So, until Elon Musk creates a blockchain programming AI that fixes up all the code, we’re stuck with a system built on trust. We do know that hackers are exploiting bad code regularly, but we trust that the majority would rather fix a project than destroy it – however naive it may be.

Railway workers caught mining Bitcoin with state electricity in Ukraine

Employees at the Ukranian Railways have been caught red-handed secretly running a Bitcoin mining farm , costing the state more than $40,000 in power .

According to an announcement by Ukrzaliznytsia, the country’s state-owned rail transport provider, the surreptitious cryptocurrency mining operation was reported by Oleg Nazaruk, the company ‘s director of the department of economic and information security .

“During the inspection of the premises where the so-called farm was located, more than 100 pieces of computer equipment were identified that were generating Bitcoins . The aforementioned equipment was connected to the Ukrzaliznytsia power grid. The estimated amount of losses since the beginning of the year is UAH 1 million [$40,000],” a loosely translated version of the statement reads.

In its notice, Ukrzaliznytsia highlighted that devising and circulating cryptocurrency is prohibited by the country’s central bank .

Illegal cryptocurrency miners have been causing trouble for some time and Ukraine is no stranger to the problem.

In August, RT reported that an individual with high-level access to parts of the South Ukraine Nuclear Power Plant placed mining machines at one of its administrative buildings and siphoned electricity from the local grid.

Later that month, an ex- Amazon Web Services employee, thought to have orchestrated the data breach of Capital One bank earlier in the year, appeared to have also used the infiltrated cloud servers to surreptitiously mine cryptocurrency .

I’m not quite sure why employees would think that using company resources to secretly mine cryptocurrency is a good idea , but it’s obvious that the temptation is one that they’re not quite willing to fight.

MyEtherWallet users report stolen funds after an Amazon DNS attack [Update]

It seems popular cryptocurrency wallet MyEtherWallet is having issues. A litany of concerned users are reporting their wallets have suddenly been drained out – without any notification or action on their side.

The unexpected withdrawals have caused many netizens to suspect that MyEtherWallet has been hacked. Despite speculation though, the issue might have to do with with a glitch in Google’s Domain Name System (DNS) protocol.

Speaking to Hard Fork, MyEtherWallets reps clarified that the popular app “is not hacked.” Instead, the company claims that the unusual activity “was a DNS attack on Google DNS servers.”

It remains unclear how widely spread the attack is, but the malicious agent has already made off with more than 215 ETH, according to stats from Ethereum blockchain explorer Etherscan .

The issue was first brought to light after a Reddit user reported their funds missing after using MyEtherWallet – despite taking every measure to ensure they were indeed using the real thing.

We asked MyEtherWallet for further clarification on whether users’ funds are safe, but the company did not provide a conclusive response. “It depends on which DNS servers users were using at that point in time,” a spokesperson told Hard Fork.

This is merely our interpretation, but chances are it will be impossible to recover stolen funds.

A DNS attack occurs when attackers change the DNS registrations of the company commandeering the company’s desktop and mobile website domains in order to take users to phishing sites, where they can steal users’ login credentials

The good thing is that as long as you do not use your keys to login into your wallet, the funds should be safe.

MyEtherWallet team has assured that they are looking into the issue.

Meanwhile, your best chances of staying safe might be to wait until MyEtherWallet has confirmed the issue has been resolved.

Update : MyEtherWallet has confirmed the hijacking of a few of its DNS servers.

Update 2 (12:26pm PST): MyEtherWallet attributed the hijack this morning first on Google DNS but has since shifted blame to Amazon Web Services.