AnChain’s Analysis: Security Vulnerability Discovered in BitPay’s Open Source Copay Wallet

  • On September 9th, a seemingly normal “flatmap-stream” dependency was merged into the code base of the “event-stream” NodeJS module, which has 2 million downloads per week.
  • On October 5th, the “flatmap-stream” code was updated with hidden malicious code. Code reviewers merged the changes into the code base without careful inspection.
  • On November 26th, California-based university students discovered that the obfuscated malicious code in the “event-stream” module used by BitPay’s Copay wallet was triggered in that environment, stealing bitcoin from the wallet.

The malicious code has since been fixed.
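The timeline above shows the core supply-chain problem: a transitive dependency that nobody pinned or verified was silently replaced with malicious code. As an added example (not code from the original post or from BitPay/Copay), the Node script below audits a package-lock.json for a named transitive dependency, reports which direct dependencies pull it in, and flags a missing integrity hash. The lockfile contents are constructed sample data with placeholder versions and hashes.

```javascript
// Added example, not from the original post or from BitPay/Copay.
// Audits a package-lock.json (lockfileVersion 1 layout) for a named transitive
// dependency and reports how it is reached, its resolved version and whether
// an integrity hash is pinned. SAMPLE_LOCK is constructed data; the versions
// and hashes in it are placeholders, not the real event-stream releases.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "0.0.0-sample",
      integrity: "sha512-SAMPLE",
      requires: { "flatmap-stream": "0.0.0-sample" },
      // nested copy: no integrity field, so npm cannot verify the tarball
      dependencies: { "flatmap-stream": { version: "0.0.0-sample" } }
    },
    "some-ui-lib": { version: "1.0.0", integrity: "sha512-SAMPLE" }
  }
};

// Flatten nested "dependencies" maps; the first (hoisted) copy seen wins.
function collectPackages(deps, out = new Map()) {
  for (const [name, info] of Object.entries(deps || {})) {
    if (!out.has(name)) out.set(name, info);
    collectPackages(info.dependencies, out);
  }
  return out;
}

// Walk "requires" edges upward from target to the direct dependencies that
// ultimately pull it in, returning each chain as "top > ... > target".
function auditDependency(lock, target) {
  const pkgs = collectPackages(lock.dependencies);
  const info = pkgs.get(target);
  if (!info) return null;
  const dependents = new Map();
  for (const [name, pkg] of pkgs)
    for (const dep of Object.keys(pkg.requires || {}))
      dependents.set(dep, [...(dependents.get(dep) || []), name]);
  const chains = [];
  const climb = (name, chain) => {
    const parents = dependents.get(name) || [];
    if (parents.length === 0) chains.push([...chain].reverse().join(" > "));
    for (const p of parents) if (!chain.includes(p)) climb(p, [...chain, p]);
  };
  climb(target, [target]);
  return { version: info.version, hasIntegrity: Boolean(info.integrity), chains };
}

console.log(JSON.stringify(auditDependency(SAMPLE_LOCK, "flatmap-stream"), null, 2));
```

Run against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a hit with `hasIntegrity: false` means the installed tarball was never verified against a pinned hash.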

This attack is similar to the Stuxnet virus, which was specifically designed for the Iranian nuclear power plant in 2010. Stuxnet targeted a specific Siemens PLC control chip, which led to serious consequences including nuclear power plant explosions.

BitPay officially stated that users of Copay wallet versions 5.0.2 to 5.1.0 were affected by the backdoor. Users of these versions should assume that their private keys have been compromised and need to upgrade to version 5.2.0 as soon as possible.

The malicious code was buried internally since October!

Former FireEye senior engineer and AnChain.ai architect, Dr. Richard Lai, commented:

This is an issue with open source. The person who maintains a library has to be trustworthy.

This is a real-world case of code security, one of the three eternal themes of AnChain.ai’s philosophy. As code bases become more complex and larger, the open source community needs to take more serious measures to secure and store its repositories.

The AnChain.AI team has been fighting on the front line of blockchain security. In August, the Ethereum BAPT-FOMO3D hacker army was exposed. In November, one of the world’s top 5 EOS DApps was safely relaunched with a redesigned security architecture after we continuously monitored its transactions. We aim to continue to focus on comprehensive security, as detailed by our three eternal themes of blockchain security: transaction, code, and infrastructure.

About AnChain.AI

A blockchain data analytics firm providing intelligence, indicators, and investigative resources for clients to enhance their security, risk, and compliance strategies.

Feel free to reach out to us directly at: info@anchain.ai

With extensive experience in cybersecurity, artificial intelligence, cloud computing, and big data, AnChain continuously secures top-tier crypto exchanges, protocols, investors, custodians, and enterprises with our Blockchain Ecosystem Intelligence.

Blockchain data analytics firm providing security, risk, and compliance solutions.