
Team Behind Bitcoin-Backed Ethereum Token tBTC Explains Shutdown

A bug in tBTC meant the dapp couldn't tell different bitcoin addresses apart, the team has disclosed.

May 20, 2020, 8:51 AM
Updated Aug 19, 2021, 2:09 AM

Keep Network says a flawed code addition forced the shutdown of its bitcoin-backed Ethereum token, tBTC, just two days after it launched.

On May 18, deposits of bitcoin into tBTC were paused for 10 days – a move prompted by a bug that was supposedly missed by a security audit and was later found by two of the network's contributors.

That bug, Keep Network revealed in a Medium blog post Wednesday, related to a flaw in the processing of deposit redemptions (when users try to pull bitcoin back out of the system), essentially due to the code's inability to tell different types of bitcoin addresses apart.

"The team triggered this pause after finding a significant issue in the redemption flow of deposit contracts that put signer bonds for open deposits at risk of liquidation when certain types of bitcoin addresses were used in redemption," Keep Network, which is behind the Thesis project that launched the token, said in the post.

The team noted that redemptions had originally been restricted to p2wpkh address outputs, but were later widened to include "any other output scripts." The issue arose if a user tried to redeem to a pay-to-scripthash (p2sh) address. The changed code had not been specifically tested, other than more generally on testnets at a later stage, the post concedes.

"[D]ue to a bug in the redemption dApp in use at the time, the proof step of the redemption flow never occurred," Keep Network wrote. "These p2sh addresses would have failed validation had the proof step occurred, but reliance on the dApp’s display of a completed state meant the team assumed the redemption had completed successfully, when it in fact had not."

A second bug was also found meaning that, even if the proof code had been free of issues, a "malicious redeemer" could have specified an output script that resulted in an invalid bitcoin transaction.
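As an added illustration (not code from the article, the Keep Network post or the tBTC contracts), the Python below classifies a redemption output script against the standard Bitcoin scriptPubKey templates and rejects any type that has not been explicitly enabled. `layout_assuming_hash` is a hypothetical helper showing how code that assumes a p2wpkh layout reads the same 20 bytes out of a p2sh script; all function names and sample scripts are constructed for this example.

```python
# Added example, not tBTC code: strict classification of a redemption output script.
# Standard scriptPubKey templates: (type, prefix, hash length, suffix).
TEMPLATES = (
    ("p2pkh", bytes.fromhex("76a914"), 20, bytes.fromhex("88ac")),
    ("p2sh", bytes.fromhex("a914"), 20, bytes.fromhex("87")),
    ("p2wpkh", bytes.fromhex("0014"), 20, b""),
    ("p2wsh", bytes.fromhex("0020"), 32, b""),
)


class RedemptionRejected(ValueError):
    """Raised when a requested output script must not be accepted."""


def classify_output_script(script: bytes):
    """Return (type, hash) for an exact template match, else None."""
    for kind, prefix, hash_len, suffix in TEMPLATES:
        if len(script) != len(prefix) + hash_len + len(suffix):
            continue  # wrong total length: trailing or missing bytes
        if script.startswith(prefix) and script.endswith(suffix):
            return kind, script[len(prefix):len(prefix) + hash_len]
    return None


def validate_redemption(script: bytes, allowed=frozenset({"p2wpkh"})):
    """Accept only scripts whose type is recognised AND explicitly allowed."""
    match = classify_output_script(script)
    if match is None:
        raise RedemptionRejected("not a standard output script")
    if match[0] not in allowed:
        raise RedemptionRejected(f"{match[0]} outputs are not enabled")
    return match


def layout_assuming_hash(script: bytes) -> bytes:
    """Hypothetical unsafe helper: reads every script as if it were p2wpkh."""
    return script[2:22]


# Constructed sample scripts built around one constructed 20-byte digest.
DIGEST = bytes(range(20))
P2WPKH = bytes.fromhex("0014") + DIGEST
P2SH = bytes.fromhex("a914") + DIGEST + bytes.fromhex("87")
P2PKH = bytes.fromhex("76a914") + DIGEST + bytes.fromhex("88ac")

if __name__ == "__main__":
    for name, s in (("p2wpkh", P2WPKH), ("p2sh", P2SH), ("p2pkh", P2PKH)):
        print(name, classify_output_script(s)[0], layout_assuming_hash(s).hex())
```

The layout-assuming helper returns the identical digest for the p2wpkh and p2sh samples, which is why the script type has to be checked before the hash is used anywhere in a proof or payout step.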

Community manager at Blockstream, Daniel Williams, who has an interest in bitcoin and goes by the handle, @Grubles, critically summed up the primary bug in a May 20 tweet, saying:

While the bug and subsequent pause have been a setback for the Thesis team, it has put out a new call for code auditors to help track down any further issues.

"We're also in the market for BTC-focused auditors for round 3," the team said in a tweet on Wednesday.

In addition to technical and process changes, the Thesis team will be announcing how it plans on approaching a "redeploy of the tBTC system" and how that will impact existing plans around the KEEP token distribution.

"We’re looking forward to showing the world a stronger, more secure Bitcoin on Ethereum," the team said.
