Keeping up with our theme of cryptocurrency blog posts, especially given all of the hoopla about digital currencies these days, we decided to do a little digging into the relative security of cryptocurrency related open source projects.

Wow. Just wow.

The names have been changed to protect the guilty, but even we were surprised at the results. In total, we scanned the top five projects with active development, each having dozens of commits in the past week. We didn't want to just focus on a single currency or even only wallets, but projects that were likely to be used in commercial applications or purpose-built for commercial use. The results were astonishing.

Outdated Libraries

As you can see from the graphic below, across just these five projects there were 46 outdated libraries, indicating a lack of visibility by the developers into the version creep in their software.

[Figure: Security Vulnerabilities in cryptocurrency related open source projects]

On the vulnerability front, the count is lower, but the severity is most definitely not.

  • 1 Remote Code Execution flaw
  • 2 Cross-Site Scripting vulns
  • 14 Denial Of Service flaws

The list goes on.

Over 70 Percent Only Visible With Premium

Now here's the kicker: Of the 26 vulnerabilities found, just six of them have been reported. You'll only see the remaining (verified) security flaws if you have access to SourceClear premium data.

With the rise in popularity of cryptocurrency, and especially the proliferation of new coin types, wallets, and exchanges, it's time we pay attention to where our money is stored, or we may find some of it missing.

Mark Curphey, Vice President, Strategy

Mark Curphey is the Vice President of Strategy at CA Veracode. Mark is the founder and CEO of SourceClear, a software composition analysis solution designed for DevSecOps, which was acquired by CA Technologies in 2018. In 2001, he founded the Open Web Application Security Project (OWASP), a non-profit organization known for its Top 10 list of Most Critical Web Application Security Risks. Mark moved to the U.S. in 2000 to join Internet Security Systems (acquired by IBM), and later held roles including director of information security at Charles Schwab, vice president of professional services at Foundstone (acquired by McAfee), and principal group program manager, developer division, at Microsoft. Born in the UK, Mark received his B.Eng in Mechanical Engineering from the University of Brighton, and his Masters in Information Security from Royal Holloway, University of London. In his spare time, he enjoys traveling and cycling.
