Keeping up with our theme of cryptocurrency blog posts, especially given all of the hoopla about digital currencies these days, we decided to do a little digging into the relative security of cryptocurrency related open source projects.
Wow. Just wow.
The names have been changed to protect the guilty, but even we were surprised at the results. In total, we scanned the top five projects with active development, each having dozens of commits in the past week. We didn't want to just focus on a single currency or even only wallets, but projects that were likely to be used in commercial applications or purpose-built for commercial use. The results were astonishing.
As you can see from the graphic below, in just these five examples there were 46 libraries alone with old libraries indicating a lack of visibility by the developers into the version creep in their software.
On the vulnerability front, the count is lower, but the severity is most definitely not.
- 1 Remote Code Execution flaw
- 2 Cross-Site Scripting vulns
- 14 Denial Of Service flaws
The list goes on.
Over 70 Percent Only Visible With Premium
Now here's the kicker: Of the 26 vulnerabilities found, just six of them have been reported. You'll only see the remaining (verified) security flaws if you have access to SourceClear premium data.
With the rise in popularity of cryptocurrency, and especially the proliferation of new coin types, wallets, and exchanges it's time we pay attention to where our money is stored or we may find some missing.