Marco Falke’s Hunt for Bitcoin’s Vulnerabilities

OKCoin Independent Open-Source Developer Grant recipient Marco Falke hunts for Bitcoin's vulnerabilities

Working to keep the Bitcoin network secure, Marco Falke is a Bitcoin Core maintainer securing the code against errors and loopholes

Not many people may have heard of his name outside of the developers’ scene but, in recent years, Marco Falke, OKCoin’s most recent recipient of the Independent Developer Grant, has quietly become one of the most prolific contributors to Bitcoin. His role reminds one of a night watcher: he is a Bitcoin ‘maintainer’, a developer focused on making sure the Bitcoin source code remains strong and healthy.

Bitcoin is a high-profile target

The Bitcoin network secures (at the time of writing) a market capitalization of $201 billion, providing an alternative financial system designed to decentralize control of currency away from traditional authorities. It is therefore, out of all software projects, a particularly high-profile target, attracting hackers as well as state actors. Bitcoin Core, the software that a large number of people use to connect to the Bitcoin network, is open-source. This means that there is no central authority to organize and reward the work of developers: it is all supported by passion-driven volunteers. This is a strength of the network because it safeguards the decentralized nature of the project. But, in terms of security, being volunteer-based can expose vulnerabilities.

The testing problem

Open-source projects carry with them some of the drawbacks of voluntary models. Since the contributors are involved in Bitcoin development out of passion rather than obligation, they may prefer to suggest new, exciting changes and be less inclined to perform the more routine and seemingly less rewarding work of testing and reviewing pending proposals. In the long run, new proposals can pile up without being tested, and substantial proposals can take much longer to be accepted and implemented because of the lack of testers and reviewers. Bitcoin Core therefore tends to have a structural testing problem: there are rarely enough developers focused on tracking the code’s vulnerabilities and preventing them from being exploited.

Automating stress tests

When Marco got into Bitcoin development back in 2015, he focused on addressing this problem head-on. He started hunting for all the possible back doors and attack vectors that could derail Bitcoin. In April 2016, Marco became a Bitcoin Core test maintainer. In this role he particularly relies on fuzz-testing, a technique that automatically feeds random or invalid inputs into a program to find coding errors or security loopholes. Think of it as shooting randomly at an armored plate to see where it is vulnerable to impact. Technically, fuzz-testing works in two steps: first, a specific fuzzer program sends a large amount of data to the tested program (Bitcoin Core, in this case); second, if the tested program behaves differently than expected, the fuzzer program flags what caused the anomaly. Fuzz-testing is thus a way to automate software stress tests.
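
The two steps described above, as an added example that is not from the article or from Bitcoin Core: a random-input fuzzer in C++ run against a toy decoder for Bitcoin's CompactSize integer encoding, which is chosen here as an assumed target. The decoder carries a deliberately planted bug (it accepts non-shortest encodings) so that the fuzzer has an anomaly to flag, and all function names are hypothetical.

```cpp
// Added illustration, not Bitcoin Core code; all names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <random>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Reference encoder for the CompactSize format: always the shortest form.
Bytes Encode(uint64_t v) {
    if (v < 253) return Bytes{uint8_t(v)};
    int n = v <= 0xffff ? 2 : v <= 0xffffffffULL ? 4 : 8;
    Bytes out{uint8_t(n == 2 ? 0xfd : n == 4 ? 0xfe : 0xff)};
    for (int i = 0; i < n; ++i) out.push_back(uint8_t(v >> (8 * i)));  // little-endian
    return out;
}

// Toy target under test. Planted bug: non-shortest encodings are accepted.
std::optional<uint64_t> Decode(const Bytes& in, size_t& used) {
    if (in.empty()) return std::nullopt;
    size_t n = in[0] < 0xfd ? 0 : size_t(1) << (in[0] - 0xfc);  // fd:2 fe:4 ff:8
    if (in.size() < 1 + n) return std::nullopt;  // truncated input: clean rejection
    used = 1 + n;
    uint64_t v = n ? 0 : in[0];
    for (size_t i = 0; i < n; ++i) v |= uint64_t(in[1 + i]) << (8 * i);
    return v;
}

// Step 2: expected behaviour is that accepted bytes re-encode to themselves.
bool RoundTrips(const Bytes& in) {
    size_t used = 0;
    auto v = Decode(in, used);
    if (!v) return true;  // rejecting an input is not an anomaly
    return Encode(*v) == Bytes(in.begin(), in.begin() + used);
}

// Step 1: feed many random inputs; return the first one flagged as an anomaly.
std::optional<Bytes> Fuzz(uint32_t seed, size_t iterations) {
    std::mt19937 rng(seed);
    for (size_t i = 0; i < iterations; ++i) {
        Bytes in(1 + rng() % 9);  // constructed input: 1 to 9 random bytes
        for (auto& b : in) b = uint8_t(rng());
        if (!RoundTrips(in)) return in;
    }
    return std::nullopt;
}

int main() {
    if (auto hit = Fuzz(1, 2000000)) for (uint8_t b : *hit) std::printf("%02x ", b);
}
```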

To each its own module

Fuzz-testing is not the only way to test the Bitcoin code however — human testers are very important too. One way to make the work of individual testers and reviewers easier is to break the code into modules, so that one doesn’t have to learn, digest, and review huge chunks of code in order to make a review. An important part of Marco’s work is devoted to just that: modularizing. Modularizing the Bitcoin code has advantages for the developers; it helps them focus on specific parts of the code and makes clearer who is in charge of what. But it also has advantages for users because modularity means that one can turn off some modules of Bitcoin Core to run it with lower computational resources.

Onboarding new recruits

Now, even with great automated testing tools and smaller bits of code for developers to review, it remains that there are not enough people to test the Bitcoin code. This is why Marco sees onboarding new developers as an important part of his role as a maintainer. This effort has two aspects. One is to make sure that all changes made to the code are actually improvements. This is what he has been doing by hosting, with John Newbery and other Bitcoin developers, some meetings of the Bitcoin Review Club — a weekly club to review and explain the latest proposed changes to the code.

The other aspect of Marco’s role as a Bitcoin mentor is to help new contributors join the project in a way that is beneficial both to their own learning and to the project itself. He does this by regularly flagging issues that are both solvable by a newcomer and useful for the project. These issues are listed as “Good First Issues” on GitHub, and one can stay updated on them by following the related Twitter account. Incidentally, Marco Falke and our other grantee, Amiti Uttarwar, are the authors of four of the five latest issues, thereby indicating their commitment to onboarding new contributors in the project. If you want to join them in their mission to protect the Bitcoin network, you should give these issues a look!
