Brink, the Bitcoin development organization, recently funded the first ever independent security audit of Bitcoin Core conducted by a third party (the full report is available here). The audit was conducted by Quarkslab, a software security firm, with the help of the Open Source Technology Improvement Fund (OSTIF) and collaboration with Bitcoin Core developers Niklas Gögge, from Brink, and Antoine Poinsot, from Chaincode Labs.
This security audit marks a milestone in the development history of Bitcoin Core, the most widely adopted and reference client of the Bitcoin network and protocol.
While Bitcoin Core security policies and practices have been steadily hardened and revised to be more thorough and comprehensive over the last few years, an external audit by a third party specialized in security review is a new bar to meet. It was met.
The audit involved manual code review, static and dynamic analysis with automated tools, and advanced fuzz testing, which takes automatically generated input and runs it through different code paths attempting to reveal unexpected or detrimental behavior.
No critical, high, or medium-severity bugs were discovered in the audit. Two low-severity issues were different, and thirteen other issues that are not classified as vulnerabilities under Bitcoin Core’s vulnerability classification criteria.
The entire process also resulted in improvements in Bitcoin Core’s testing infrastructure, including new fuzz testing infrastructure for block connection and chain reorganization scenarios, a new area to be covered by testing, file system improvements speeding up and improving fuzz testing in general, new utilities for testing back sliding code performance, and suggestions for improving code readability for reviewers and new developers.
Some of these improvements are already being worked on for eventual review and merging into the Bitcoin Core repository.
The results of this independent security audit have reinforced that Bitcoin Core’s improvements over recent years in security policy, testing, and overall quality review have had a meaningful impact on the project.