$16 Million in BTC Stolen by Blockstream Employees on Liquid

The Liquid Network, a network from Blockstream, has been revealed to have contained a vulnerability within it. This vulnerability allowed certain individuals to steal millions in Bitcoin (BTC) in the process. The big itself was revealed by one James Prestwich, the founder of the Summa One crypto startup and a Bitcoin developer.

Exploiting Faulty Timelocks

This security vulnerability has subsequently affected an essential account within the Liquid network, caused by an inconsistent timelock. With this inconsistency, employees were capable of withdrawing Bitcoin through the use of an emergency recovery process, which only required two of the usual three keyholders to sign on the transaction. With this bug, a proper multisig process gets bypassed, the same process that mandates 11 of the 15 keyholders to sign on a transaction to get it adequately verified.

As Prestwitch explained it, this vulnerable account controls 870 BTC, which amounts to approximately $8 million in value. This amount was held only for an hour this week, but this bug could have compromised potentially millions of USD in value before the last transaction. This potential exploit has currently existed for approximately 18 months and has affected over 2,000 UTXOs, in the process.

Working ON The Problem For Some Time

The CEO of Blockstream, Adam Back, gave an official response to the matter at large, and openly admitted that the issue was known to the firm.

According to Back, a complete fix for this issue has been in development for some time now, but has suffered delays due to an array of reasons. He went further, stating that developers are currently at work with the Liquid Federation to help create and deploy a final patch to fix it. In the meantime, however, there was a workaround put in place, one that offered a temporary, limited solution to the problem at large.

A Controversial Subject Matter

Back took further notice of the way Blockstream had handled the situation. He made it a point in saying that this wasn’t up to the group’s usual standard of trust-minimization. Luckily for Blockstream, no funds were ultimately stolen, and the bug itself only opened the network up to internal thefts from its employees. It may not sound like much, but this means that an outsider wasn’t capable of attacking the network, as well.

Blockstream and Liquid have already been subject to some controversy, as is, within the crypto community. This is especially true in the Bitcoin community, as well.  This is due to how the Liquid network operates: As a federated sidechain that can store BTC outside of the main Bitcoin blockchain. What this means, is the company has a significant level of control over the user’s BTC, typically those users are exchanges and enterprises, relying on it for settlement and transfers.