In brief
- The only part of Bitcoin that can be described as centralized is its codebase.
- Only a handful of maintainers can make changes to Bitcoin's code.
- But what would happen if they were compromised?
What keeps the Bitcoin network running is a set of rules. Six hundred and forty six thousand lines of code—that decide how transactions are processed and set Bitcoin’s monetary cap—are stored in a single public repository on file hosting platform GitHub.
Only a select few have access.
While Bitcoin’s network is decentralized, this is arguably the most centralized element—and potentially its biggest weakness. What would happen if someone managed to infiltrate this code, and inserted a bug into the Bitcoin network itself? Could a government make a concerted effort to shut the whole system down?
We decided to run this thought experiment, to push it to its limits and analyze if there is a potential weakness here. We spoke to Bitcoin experts and developers to understand how the system works, and whether an attack could be carried out.
What we found is that there are many areas of possible attack but that the system is fairly robust in handling them. Here’s how an attack might go down.
Who are Bitcoin’s maintainers?
First, we need to understand how the system works.
Bitcoin Core’s maintainers are the only people who can make material changes to Bitcoin’s code in the GitHub repository. While its official website doesn’t specify exactly who has this responsibility, according to sleuths on bitcointalk.org, just six people have commit access. These are: Wladimir van der Laan, Jonas Schnelli, Marco Falke, Samuel Dobson, Michael Ford and Pieter Wuille.
Bitcoin is an open-source project, so maintainers don’t get formally appointed. Instead, the privilege is extended on an ad hoc basis by existing maintainers when someone demonstrates the right qualifications to get a seat at the table.
Gavin Anderson, founder of The Bitcoin Foundation, reportedly elected Van der Laan as Bitcoin’s lead maintainer—the person chiefly responsible for uploading changes to Bitcoin Core.
To update the Bitcoin codebase, Bitcoin’s team of maintainers will review code proposed by one of Bitcoin’s thousands of developers, and, if it’s good enough, that code will get approved.
This is where PGP keys come in.
Every Bitcoin maintainer has access to a PGP key, which stands for Pretty Good Privacy. These keys are used to sign, encrypt and decrypt texts, emails, files, and other forms of communications or information.
Since Bitcoin’s codebase is stored publicly on GitHub, anyone can propose a change to the Bitcoin codebase. To stop the codebase being edited ad infinitum by anyone, no changes are actually made unless a maintainer signs off on one with their PGP key.
Jameson Lopp, CTO of Bitcoin self-custody solution provider Casa, has said the maintainer’s role is not much of a key man risk. “While there are a handful of GitHib ‘maintainer’ accounts at the organization level that have the ability to merge code into the master branch, this is more of a janitorial function than a position of power.”
But he also is fond of the phrase: “don’t trust, verify.” So, let’s do just that.
Unauthorized access to Bitcoin Core
Whatever way we slice it, anyone attacking the system—even someone working for GitHub— is going to need access to one of the maintainers’ PGP keys.
“Someone who works for GitHub could maliciously change the code in the Bitcoin Core repository. That's why they sign releases with a PGP key. If the code on GitHub has been maliciously altered, then the signatures won't match,” Bitcoin researcher Andrew Yang told Decrypt.
But what if an attacker actually did get their hands on a PGP key?
“If one of those keys are leaked, an attacker could potentially modify the code in the repository,” Elias Strehle, researcher at Blockchain Research Lab, told Decrypt.
If that did happen, however, Bitcoin’s maintainers have an answer—at least theoretically.
“I assume the Bitcoin maintainers would quickly create a new repo with new PGP keys, upload the undamaged code and ask the community to use the new repo instead of the corrupted ‘Bitcoin Core’ repo,” Strehle added.
So that attack should fail, but an inside job could be more damaging.
What if a maintainer went rogue?
So far, we’ve learned who Bitcoin’s maintainers are, and that attacking Bitcoin Core by stealing a PGP key from a maintainer is unlikely to work. Now, let’s consider what would happen if one of Bitcoin’s very own maintainers was compromised, or even went rogue themselves.
Theoretically, a malevolent maintainer could upload malicious code, hide it in plain sight, and pray nobody realizes.
“Because of the diversity of actors that have to accept changes, it’s pretty hard to sneak a malicious change into Bitcoin Core, but perhaps it would be possible as part of an upgrade most people thought was good,” Harry Halpin, CEO of Nym Technologies—a team of programmers working on internet privacy—told Decrypt, adding, “A truly evil change would have to sneak into an upgrade most people like!”
However, this is unlikely to work. For one, it is unlikely that the rest of Bitcoin’s maintainers—or any of Bitcoin’s thousands of developers—would fail to notice the malicious code. But even if that did happen, there is another defence.
“I reckon it gets caught by the verify signatures script the very next time someone submits a pull request or runs tests,” Bitcoin developer Thomas Kerin told Decrypt. In other words, if a rogue maintainer tried to bury some bad code into the codebase without being noticed, the next time an update comes along, it would result in a contradiction in the code.
“Every developer’s attention would at once turn to what happened,” Kerin added.
If a rogue maintainer is unlikely to succeed in his quest to damage Bitcoin, perhaps the maintainers are not as powerful—or important—as they first seem. To this point, Bitcoin seems relatively safe, but our thought experiment isn’t over just yet.
What if all maintainers were kidnapped?
Bear with us here, but let’s say every maintainer was kidnapped, word didn’t spread fast enough to the community, and a sizable chunk of Bitcoin node operators pulled in an attacker’s nefarious code.
Some of the world’s most powerful governments have a well-documented disdain for decentralized currencies, so it’s possible one of those powerful governments might try to hurt the Bitcoin network.
I am not a fan of Bitcoin and other Cryptocurrencies, which are not money, and whose value is highly volatile and based on thin air. Unregulated Crypto Assets can facilitate unlawful behavior, including drug trade and other illegal activity....
— Donald J. Trump (@realDonaldTrump) July 12, 2019
First, there could be an overt takeover of Bitcoin, where the bad actor lets the world see his or her actions.
All maintainers—including Van der Laan—would be arrested, and the bad actor would immediately start trying to force a damaging update onto Bitcoin Core. This approach would not be likely to succeed. “The community forks the repository, taking the last good commit, and starts over from there,” Kerin told Decrypt.
But there is a second, more devious approach: a covert takeover. Here, the protagonist might kidnap the maintainers, steal PGP keys, and release a secret backdoor source code that they have built onto Bitcoin Core. This scenario too, has its limitations.
“I don’t think you could do this in so many countries without the family getting the word out,” Kerin said.
Either way, if anything like this did happen, Bitcoin would likely fork.
“The manipulated nodes and the healthy nodes would probably be unable to reach consensus on the blockchain’s state, thus creating a fork where one branch is malicious and one is healthy,” Strehle also said.
Instead of being automatically deployed onto the vast network of Bitcoin nodes, each node operator can decide whether or not to accept the new update. This avoids forcing unwanted code on users that don’t agree with the update itself, and acts a great defence to this hypothetical situation.
“Code from the repo is not pushed to the nodes. The attacker’s code can only become active if node operators actively pull it from the repo,” Strehle said (emphasis added), adding that in the event of a hack, this might happen in the short term, but word would quickly spread in the community.
Bitcoin miners will protect themselves
A further safeguard is the way that Bitcoin miners are incentivized to check for malicious code—and steer clear of it.
Adam Back, CEO and co-founder of blockchain technology company Blockstream, told Decrypt that it is worth emphasizing how unlikely it is for a node operator to ever want to update to nefarious code. “I don't think it hurts people other than the node operators’ own financial protection,” Back said.
This is because every single node operator has the choice to pull updates from the GitHub repository. As Back added, “A node which forward invalid blocks will get disconnected by other nodes, and a node which sends old blocks will get ignored and overridden by other nodes sending more up to date blocks.”
In other words, it’s pretty unlikely the attacker’s code is going to be accepted by enough node operators to have any real pull. “It would be very clear the blockchain wouldn’t match and would therefore fail and be rejected,” Jason Deane, Bitcoin analyst at Quantum Economics, told Decrypt.
So if this government-led attack sounds unrealistic to you, it’s because it is.
Maintainers and secret keys make opponents of centralization a little squeamish, but ultimately, Bitcoin is out in the open, and anyone can pick up where the good work left off.
“If you’re a hacker and you get your hands on a PGP key for the Bitcoin Core repo, you have about the same options as a streaker running onto a football field,” Strehle concluded, adding, “You can draw a lot of attention, cause some confusion, maybe interrupt the game for a while, but that’s about it.”