Keeping up with our theme of cryptocurrency blog posts, especially given all of the hoopla about digital currencies these days, we decided to do a little digging into the relative security of cryptocurrency related open source projects.

Wow. Just wow.

The names have been changed to protect the guilty, but even we were surprised at the results. In total, we scanned the top five projects with active development, each having dozens of commits in the past week. We didn't want to just focus on a single currency or even only wallets, but projects that were likely to be used in commercial applications or purpose-built for commercial use. The results were astonishing.

Outdated Libraries

As you can see from the graphic below, in just these five examples there were 46 libraries alone with old libraries indicating a lack of visibility by the developers into the version creep in their software.

Security Vulnerabilities in cryptocurrency related open source projects

Vulnerabilities

On the vulnerability front, the count is lower, but the severity is most definitely not.

  • 1 Remote Code Execution flaw
  • 2 Cross-Site Scripting vulns
  • 14 Denial Of Service flaws

The list goes on.

Over 70 Percent Only Visible With Premium

Now here's the kicker: Of the 26 vulnerabilities found, just six of them have been reported. You'll only see the remaining (verified) security flaws if you have access to SourceClear premium data.

With the rise in popularity of cryptocurrency, and especially the proliferation of new coin types, wallets, and exchanges it's time we pay attention to where our money is stored or we may find some missing.

Jet is a technical evanglist at CA Veracode. He likes talking to customers and helping them with their DevSecOps journey.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu